BIND9 sources updated to 9.11.36

3628 files changed, 43472 insertions, 47193 deletions

diff --git a/bind/bind9/.gitattributes b/bind/bind9/.gitattributes
index 69799eaa..855a2a48 100644
--- a/bind/bind9/.gitattributes
+++ b/bind/bind9/.gitattributes
@@ -15,4 +15,5 @@ win32utils/**.txt eol=crlf
 /lib/lwres/man/resolver.5	 export-ignore
 /util/**			 export-ignore
 /util/bindkeys.pl		-export-ignore
+/util/check-make-install.in	-export-ignore
 /util/mksymtbl.pl		-export-ignore
diff --git a/bind/bind9/.gitignore b/bind/bind9/.gitignore
index 55bc4ffd..c2dcd91c 100644
--- a/bind/bind9/.gitignore
+++ b/bind/bind9/.gitignore
@@ -59,3 +59,4 @@ timestamp
 /compile_commands.json
 /cppcheck_html/
 /cppcheck.results
+/util/check-make-install
diff --git a/bind/bind9/.gitlab-ci.yml b/bind/bind9/.gitlab-ci.yml
index 8e075a3d..e59ddef5 100644
--- a/bind/bind9/.gitlab-ci.yml
+++ b/bind/bind9/.gitlab-ci.yml
@@ -15,23 +15,33 @@ variables:
   BUILD_PARALLEL_JOBS: 6
   TEST_PARALLEL_JOBS: 6
 
-  MAKE: make
   CONFIGURE: ./configure
-  SCAN_BUILD: scan-build-9
+  CLANG: clang-12
+  SCAN_BUILD: scan-build-12
+  ASAN_SYMBOLIZER_PATH: /usr/lib/llvm-12/bin/llvm-symbolizer
+  CLANG_FORMAT: clang-format-12
 
   CFLAGS_COMMON: -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra 
 
   # Pass run-time flags to AddressSanitizer to get core dumps on error.
   ASAN_OPTIONS_COMMON: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1
+  TSAN_OPTIONS_COMMON: "second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan external_symbolizer_path=/usr/lib/llvm-12/bin/llvm-symbolizer"
 
   TARBALL_COMPRESSOR: gzip
   TARBALL_EXTENSION: gz
 
+  INSTALL_PATH: "${CI_PROJECT_DIR}/.local"
+
+  # Default platforms to run "stress" tests on
+  BIND_STRESS_TEST_OS: linux
+  BIND_STRESS_TEST_ARCH: amd64
+
 stages:
   - precheck
   - build
   - unit
   - system
+  - performance
   - docs
   - push
   - postcheck
@@ -39,11 +49,9 @@ stages:
 
 ### Runner Tag Templates
 
-# Note: BSD runners extract the operating system version to use from job name
-
-.freebsd-amd64: &freebsd_amd64
+.libvirt-amd64: &libvirt_amd64
   tags:
-    - freebsd
+    - libvirt
     - amd64
 
 .linux-amd64: &linux_amd64
@@ -56,47 +64,64 @@ stages:
     - linux
     - i386
 
-.openbsd-amd64: &openbsd_amd64
+.linux-stress-amd64: &linux_stress_amd64
+  tags:
+    - amd64
+    - aws
+    - linux-stress
+    - stress
+
+.linux-stress-arm64: &linux_stress_arm64
+  tags:
+    - aarch64
+    - aws
+    - linux-stress
+    - stress
+
+.freebsd-stress-amd64: &freebsd_stress_amd64
   tags:
-    - openbsd
+    - amd64
+    - aws
+    - bsd-stress
+    - stress
+
+.windows-amd64: &windows_amd64
+  tags:
+    - windows
     - amd64
 
 ### Docker Image Templates
 
 # Alpine Linux
 
-.alpine-3.11-amd64: &alpine_3_11_amd64_image
-  image: "$CI_REGISTRY_IMAGE:alpine-3.11-amd64"
+.alpine-3.14-amd64: &alpine_3_14_amd64_image
+  image: "$CI_REGISTRY_IMAGE:alpine-3.14-amd64"
   <<: *linux_amd64
 
-# CentOS
+# Oracle Linux
+
+.centos-centos6-i386: &centos_centos6_i386_image
+  image: "$CI_REGISTRY_IMAGE:centos-centos6-i386"
+  <<: *linux_i386
 
 .centos-centos6-amd64: &centos_centos6_amd64_image
   image: "$CI_REGISTRY_IMAGE:centos-centos6-amd64"
   <<: *linux_amd64
 
-.centos-centos7-amd64: &centos_centos7_amd64_image
-  image: "$CI_REGISTRY_IMAGE:centos-centos7-amd64"
+.oraclelinux-7-amd64: &oraclelinux_7_amd64_image
+  image: "$CI_REGISTRY_IMAGE:oraclelinux-7-amd64"
   <<: *linux_amd64
 
-.centos-centos8-amd64: &centos_centos8_amd64_image
-  image: "$CI_REGISTRY_IMAGE:centos-centos8-amd64"
+.oraclelinux-8-amd64: &oraclelinux_8_amd64_image
+  image: "$CI_REGISTRY_IMAGE:oraclelinux-8-amd64"
   <<: *linux_amd64
 
 # Debian
 
-.debian-jessie-amd64: &debian_jessie_amd64_image
-  image: "$CI_REGISTRY_IMAGE:debian-jessie-amd64"
-  <<: *linux_amd64
-
 .debian-stretch-amd64: &debian_stretch_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-stretch-amd64"
   <<: *linux_amd64
 
-.debian-stretch-i386: &debian_stretch_i386_image
-  image: "$CI_REGISTRY_IMAGE:debian-stretch-i386"
-  <<: *linux_i386
-
 .debian-buster-amd64: &debian_buster_amd64_image
   image: "$CI_REGISTRY_IMAGE:debian-buster-amd64"
   <<: *linux_amd64
@@ -105,10 +130,6 @@ stages:
   image: "$CI_REGISTRY_IMAGE:debian-sid-amd64"
   <<: *linux_amd64
 
-.debian-sid-i386: &debian_sid_i386_image
-  image: "$CI_REGISTRY_IMAGE:debian-sid-i386"
-  <<: *linux_i386
-
 # openSUSE Tumbleweed
 
 .tumbleweed-latest-amd64: &tumbleweed_latest_amd64_image
@@ -117,27 +138,53 @@ stages:
 
 # Fedora
 
-.fedora-31-amd64: &fedora_31_amd64_image
-  image: "$CI_REGISTRY_IMAGE:fedora-31-amd64"
+.fedora-34-amd64: &fedora_34_amd64_image
+  image: "$CI_REGISTRY_IMAGE:fedora-34-amd64"
   <<: *linux_amd64
 
-# Ubuntu
+.fedora-34-arm64: &fedora_34_arm64_image
+  image: "$CI_REGISTRY_IMAGE:fedora-34-arm64"
+  <<: *linux_stress_arm64
 
-.ubuntu-xenial-amd64: &ubuntu_xenial_amd64_image
-  image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-amd64"
-  <<: *linux_amd64
-
-.ubuntu-xenial-i386: &ubuntu_xenial_i386_image
-  image: "$CI_REGISTRY_IMAGE:ubuntu-xenial-i386"
-  <<: *linux_i386
+# Ubuntu
 
 .ubuntu-bionic-amd64: &ubuntu_bionic_amd64_image
   image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-amd64"
   <<: *linux_amd64
 
-.ubuntu-bionic-i386: &ubuntu_bionic_i386_image
-  image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-i386"
-  <<: *linux_i386
+.ubuntu-focal-amd64: &ubuntu_focal_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-focal-amd64"
+  <<: *linux_amd64
+
+# Windows
+
+.windows-server-2016-amd64: &windows_server_2016_amd64_image
+  image: "$CI_REGISTRY_IMAGE:windows-server-2016-amd64"
+  <<: *windows_amd64
+
+# Base image
+# This is a meta image that is used as a base for non-specific jobs
+
+.base: &base_image
+  <<: *debian_buster_amd64_image
+
+### QCOW2 Image Templates
+
+.freebsd-11-amd64: &freebsd_11_amd64_image
+  image: "freebsd-11.4-x86_64"
+  <<: *libvirt_amd64
+
+.freebsd-12-amd64: &freebsd_12_amd64_image
+  image: "freebsd-12.2-x86_64"
+  <<: *libvirt_amd64
+
+.freebsd-13-amd64: &freebsd_13_amd64_image
+  image: "freebsd-13.0-x86_64"
+  <<: *libvirt_amd64
+
+.openbsd-amd64: &openbsd_amd64_image
+  image: "openbsd-6.9-x86_64"
+  <<: *libvirt_amd64
 
 ### Job Templates
 
@@ -154,43 +201,46 @@ stages:
     - tags
     - web
     - schedules
-    - master@isc-projects/bind9
+    - main@isc-projects/bind9
     - /^v9_[1-9][0-9]$/@isc-projects/bind9
 
+.schedules-tags-web-triggering-rules: &schedules_tags_web_triggering_rules
+  only:
+    - schedules
+    - tags
+    - web
+
 .precheck: &precheck_job
   <<: *default_triggering_rules
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   stage: precheck
 
 .autoconf: &autoconf_job
   <<: *release_branch_triggering_rules
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   stage: precheck
   script:
     - autoreconf -fi
   artifacts:
-    paths:
-      - aclocal.m4
-      - configure
-      - ltmain.sh
-      - m4/libtool.m4
-    expire_in: "1 week"
-
-.configure: &configure |
-    ${CONFIGURE} \
-    --disable-maintainer-mode \
-    --enable-developer \
-    --with-randomdev=/dev/urandom \
-    --with-libtool \
-    --with-geoip2=auto \
-    --disable-static \
-    --with-cmocka \
-    --with-libxml2 \
-    --with-json \
-    --prefix=$HOME/.local \
-    --without-make-clean \
-    $EXTRA_CONFIGURE \
-    || cat config.log
+    untracked: true
+    expire_in: "1 day"
+
+.configure: &configure
+    - ${CONFIGURE}
+      --enable-developer
+      --with-randomdev=/dev/urandom
+      --with-libtool
+      --with-geoip2=auto
+      --disable-static
+      --enable-option-checking=fatal
+      --enable-dnstap
+      --with-cmocka
+      --with-libxml2
+      --with-libjson
+      --prefix=/usr/local
+      --without-make-clean
+      $EXTRA_CONFIGURE
+      || (test -s config.log && cat config.log; exit 1)
 
 .build: &build_job
   <<: *default_triggering_rules
@@ -200,21 +250,22 @@ stages:
     - test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
   script:
     - *configure
-    - ${MAKE} -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
-    - test -z "${RUN_MAKE_INSTALL}" || make install
-  dependencies:
-    - autoreconf:sid:amd64
+    - test -n "${SKIP_MAKE_DEPEND}" || make -j${BUILD_PARALLEL_JOBS:-1} depend 2>&1 | tee make-depend.log
+    - test -n "${SKIP_MAKE_DEPEND}" || ( ! grep -F "error:" make-depend.log )
+    - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
+    - test -z "${RUN_MAKE_INSTALL}" || make DESTDIR="${INSTALL_PATH}" install
+    - test -z "${RUN_MAKE_INSTALL}" || DESTDIR="${INSTALL_PATH}" sh util/check-make-install
+    - if [[ "${CFLAGS}" == *"-fsanitize=address"* ]]; then ( ! grep -F AddressSanitizer config.log ); fi
   needs:
-    - autoreconf:sid:amd64
+    - job: autoreconf
+      artifacts: true
   artifacts:
     untracked: true
-    expire_in: "1 week"
+    expire_in: "1 day"
+    when: always
 
 .windows_build: &windows_build_job
   stage: build
-  tags:
-    - windows
-    - amd64
   script:
     - 'Push-Location "C:/Program Files (x86)/Microsoft Visual Studio/2017/BuildTools/VC/Auxiliary/Build"'
     - '& cmd.exe /C "vcvarsall.bat x64 & set" | Foreach-Object { if ($_ -match "(.*?)=(.*)") { Set-Item -force -path "Env:\$($matches[1])" -value "$($matches[2])" } }'
@@ -232,24 +283,23 @@ stages:
          x64'
     - 'Set-Item -path "Env:CL" -value "/MP$([Math]::Truncate($BUILD_PARALLEL_JOBS/2))"'
     - '& msbuild.exe /maxCpuCount:2 /t:Build /p:Configuration=$VSCONF bind9.sln'
-  dependencies: []
-  needs:
-    - autoreconf:sid:amd64
+  needs: []
   artifacts:
     untracked: true
-    expire_in: "1 week"
+    expire_in: "1 day"
 
-.setup_interfaces: &setup_interfaces |
-    if [ "$(id -u)" -eq "0" ]; then
-      sh -x bin/tests/system/ifconfig.sh up;
-    else
-      sudo sh -x bin/tests/system/ifconfig.sh up;
-    fi
+.setup_interfaces: &setup_interfaces
+    - if [ "$(id -u)" -eq "0" ]; then
+        sh -x bin/tests/system/ifconfig.sh up;
+      else
+        sudo sh -x bin/tests/system/ifconfig.sh up;
+      fi
 
-.setup_softhsm: &setup_softhsm |
-    sh -x bin/tests/prepare-softhsm2.sh
+.setup_softhsm: &setup_softhsm
+    - export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh)
+    - test -n "${SLOT}" && test "${SLOT}" -gt 0
 
-.system_test: &system_test_job
+.system_test_common: &system_test_common
   <<: *default_triggering_rules
   stage: system
   before_script:
@@ -258,23 +308,42 @@ stages:
   script:
     - ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 )
     - test -s bin/tests/system/systests.output
+    - if git rev-parse > /dev/null 2>&1; then ( ! grep "^I:.*:file.*not removed$" bin/tests/system/systests.output ); fi
+
+.system_test: &system_test_job
+  <<: *system_test_common
   artifacts:
     untracked: true
-    expire_in: "1 week"
+    expire_in: "1 day"
+    when: on_failure
+
+.system_test_gcov: &system_test_gcov_job
+  <<: *system_test_common
+  artifacts:
+    untracked: true
+    expire_in: "1 day"
+    when: always
+
+.system_test_tsan: &system_test_tsan_job
+  <<: *system_test_common
+  allow_failure: true
+  after_script:
+    - find bin -name 'tsan.*' -exec python3 util/parse_tsan.py {} \;
+  artifacts:
+    expire_in: "1 day"
+    untracked: true
     when: on_failure
 
-.kyua_report: &kyua_report_html |
-  kyua --logfile /dev/null report-html \
-       --force \
-       --results-file "$KYUA_RESULT" \
-       --results-filter "" \
-       --output kyua_html
+.kyua_report: &kyua_report_html
+  - kyua --logfile /dev/null report-html
+         --force
+         --results-file "$KYUA_RESULT"
+         --results-filter ""
+         --output kyua_html > /dev/null
 
 .windows_system_test: &windows_system_test_job
+  <<: *schedules_tags_web_triggering_rules
   stage: system
-  tags:
-    - windows
-    - amd64
   script:
     - 'Push-Location bin/tests/system'
     - '$ifIndex = Get-NetIPInterface -AddressFamily IPv4 -InterfaceMetric 75 | Select-Object -ExpandProperty ifIndex'
@@ -287,14 +356,10 @@ stages:
     - 'If (Test-Path C:/CrashDumps/*) { dir C:/CrashDumps; Throw }'
   artifacts:
     untracked: true
-    expire_in: "1 week"
+    expire_in: "1 day"
     when: on_failure
-  only:
-    - tags
-    - web
-    - schedules
 
-.unit_test: &unit_test_job
+.unit_test_common: &unit_test_common
   <<: *default_triggering_rules
   stage: unit
   before_script:
@@ -303,38 +368,51 @@ stages:
     - make unit
   after_script:
     - *kyua_report_html
+
+.unit_test: &unit_test_job
+  <<: *unit_test_common
+  artifacts:
+    untracked: true
+    expire_in: "1 day"
+    when: on_failure
+
+.unit_test_gcov: &unit_test_gcov_job
+  <<: *unit_test_common
+  artifacts:
+    untracked: true
+    expire_in: "1 day"
+    when: always
+
+.unit_test_tsan: &unit_test_tsan_job
+  <<: *unit_test_common
+  after_script:
+    - *kyua_report_html
+    - for f in tsan.* ; do test -f "$f" && python3 util/parse_tsan.py "$f" ; done
+    - find lib -name 'tsan.*' -exec python3 util/parse_tsan.py {} \;
   artifacts:
+    expire_in: "1 day"
     paths:
+      - lib/*/tests/tsan.*
+      - tsan/
       - kyua.log
       - kyua.results
       - kyua_html/
-    expire_in: "1 week"
     when: on_failure
 
-.cppcheck_args: &run_cppcheck |
-  cppcheck --enable=warning,performance,portability,information,missingInclude \
-           --include=config.h \
-           --quiet \
-           --std=c11 \
-           --language=c \
-           --project=compile_commands.json \
-           --error-exitcode=2 \
-           -j ${TEST_PARALLEL_JOBS:-1} \
-           --xml \
-           --output-file=cppcheck.results \
-           --relative-paths="$CI_PROJECT_DIR" \
-           --inline-suppr \
-           --suppressions-list=util/suppressions.txt
-
-.cppcheck_report: &cppcheck_report_html |
-  cppcheck-htmlreport --title="BIND 9 ($CI_COMMIT_SHORT_SHA) Cppcheck Report" \
-                      --file=cppcheck.results \
-                      --report-dir=cppcheck_html/
+.cppcheck_args: &run_cppcheck
+  - cppcheck --enable=warning,performance,portability,information,missingInclude --include=config.h --std=c11 --language=c --project=compile_commands.json --error-exitcode=2 -j ${TEST_PARALLEL_JOBS:-1} --xml --output-file=cppcheck.results --relative-paths="$CI_PROJECT_DIR" --inline-suppr --suppressions-list=util/suppressions.txt
+
+.cppcheck_report: &cppcheck_report_html
+  - cppcheck-htmlreport --title="BIND 9 ($CI_COMMIT_SHORT_SHA) Cppcheck Report" --file=cppcheck.results --report-dir=cppcheck_html/
 
 .cppcheck: &cppcheck_job
   <<: *default_triggering_rules
   stage: postcheck
   script:
+    - *configure
+    - (make -nwk all || true) | compiledb
+    - export GCC_VERSION=$(gcc --version | sed -n 's/.* \([0-9]\+\)\.[0-9]\+\.[0-9]\+.*/\1/p')
+    - sed -i "/gcc\",/a\"-DCPPCHECK\", \"-D__STDC__\", \"-D__GNUC__=${GCC_VERSION}\"," compile_commands.json
     - *run_cppcheck
   after_script:
     - *cppcheck_report_html
@@ -343,50 +421,103 @@ stages:
       - compile_commands.json
       - cppcheck.results
       - cppcheck_html/
-    expire_in: "1 week"
+    expire_in: "1 day"
     when: on_failure
+  needs:
+    - job: autoreconf
+      artifacts: true
 
 ### Job Definitions
 
 # Jobs in the precheck stage
 
-autoreconf:sid:amd64:
+autoreconf:
   <<: *autoconf_job
 
-misc:sid:amd64:
+misc:
   <<: *precheck_job
   script:
     - sh util/check-ans-prereq.sh
     - sh util/checklibs.sh > checklibs.out
     - sh util/tabify-changes < CHANGES > CHANGES.tmp
     - diff -urNap CHANGES CHANGES.tmp
-    - rm CHANGES.tmp
     - perl util/check-changes CHANGES
+    - sh util/check-line-length.sh CHANGES
+    - test ! -f CHANGES.SE || sh util/tabify-changes < CHANGES.SE > CHANGES.tmp
+    - test ! -f CHANGES.SE || diff -urNap CHANGES.SE CHANGES.tmp
+    - test ! -f CHANGES.SE || perl util/check-changes master=0 CHANGES.SE
+    - test ! -f CHANGES.SE || sh util/check-line-length.sh CHANGES.SE
+    - rm CHANGES.tmp
     - perl -w util/merge_copyrights
     - diff -urNap util/copyrights util/newcopyrights
     - rm util/newcopyrights
     - perl -w util/update_copyrights < util/copyrights
     - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
     - xmllint --noout --nonet `git ls-files '*.xml' '*.docbook'`
-    - xmllint --noout --nonet --html `git ls-files '*.html'`
+    - sh util/xmllint-html.sh
     - sh util/check-win32util-configure
+    - sh util/check-categories.sh
+  needs: []
   artifacts:
     paths:
       - util/newcopyrights
       - checklibs.out
-    expire_in: "1 week"
+    expire_in: "1 day"
     when: on_failure
 
-�:sid:amd64:
+clang-format:
   <<: *precheck_job
-  <<: *debian_buster_amd64_image
+  needs: []
+  script:
+    - if [ -r .clang-format ]; then "${CLANG_FORMAT}" -i -style=file $(git ls-files '*.c' '*.h'); fi
+    - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
+
+coccinelle:
+  <<: *precheck_job
+  needs: []
   script:
     - util/check-cocci
     - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
 
-tarball-create:sid:amd64:
-  <<: *debian_sid_amd64_image
+danger:
+  <<: *precheck_job
+  needs: []
+  script:
+    - danger-python ci -f
+  only:
+    refs:
+      - merge_requests
+    variables:
+      - $DANGER_GITLAB_API_TOKEN
+
+flake8:
+  <<: *default_triggering_rules
+  <<: *base_image
+  stage: postcheck
+  needs:
+    - job: autoreconf
+      artifacts: true
+  script:
+    - *configure
+    - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py)')
+
+pylint:
+  <<: *default_triggering_rules
+  <<: *base_image
+  stage: postcheck
+  needs:
+    - job: autoreconf
+      artifacts: true
+  before_script:
+  script:
+    - *configure
+    - PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python"
+    - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|contrib/queryperf/)')
+
+tarball-create:
   stage: precheck
+  <<: *base_image
+  <<: *default_triggering_rules
   script:
     - source version
     - export BIND_DIRECTORY="bind-${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
@@ -398,157 +529,157 @@ tarball-create:sid:amd64:
   artifacts:
     paths:
       - bind-*.tar.${TARBALL_EXTENSION}
-  only:
-    - tags
 
 # Jobs for doc builds on Debian Sid (amd64)
 
-docs:sid:amd64:
+docs:
   <<: *release_branch_triggering_rules
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   stage: docs
   script:
     - ./configure || cat config.log
     - make -C doc/misc docbook
     - make -C doc/arm Bv9ARM.html
-  dependencies:
-    - autoreconf:sid:amd64
+    - qpdf --check doc/arm/Bv9ARM.pdf
+    - find bin/ lib/ isc-config.sh.1 -not -path "bin/tests/*" -name "*.[0-9]" -exec mandoc -T lint -Werror "{}" \;
   needs:
-    - autoreconf:sid:amd64
+    - job: autoreconf
+      artifacts: true
   artifacts:
     paths:
       - doc/arm/
     expire_in: "1 month"
 
-push:docs:sid:amd64:
-  <<: *debian_sid_amd64_image
+push:docs:
+  <<: *base_image
   stage: push
-  dependencies: []
+  needs:
+    - job: docs
+      artifacts: false
   script:
-    - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=master $GITLAB_PAGES_DOCS_TRIGGER_URL
+    - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=main $GITLAB_PAGES_DOCS_TRIGGER_URL
   only:
-    - master@isc-projects/bind9
+    - main@isc-projects/bind9
     - /^v9_[1-9][0-9]$/@isc-projects/bind9
 
-# Jobs for regular GCC builds on Alpine Linux 3.11 (amd64)
+# Jobs for regular GCC builds on Alpine Linux 3.14 (amd64)
 
-gcc:alpine3.11:amd64:
+gcc:alpine3.14:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
-    EXTRA_CONFIGURE: "--enable-dnstap"
-  <<: *alpine_3_11_amd64_image
+  <<: *alpine_3_14_amd64_image
   <<: *build_job
 
-system:gcc:alpine3.11:amd64:
-  <<: *alpine_3_11_amd64_image
+system:gcc:alpine3.14:amd64:
+  <<: *alpine_3_14_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:alpine3.11:amd64
-  needs: ["gcc:alpine3.11:amd64"]
+  needs:
+    - job: gcc:alpine3.14:amd64
+      artifacts: true
 
-unit:gcc:alpine3.11:amd64:
-  <<: *alpine_3_11_amd64_image
+unit:gcc:alpine3.14:amd64:
+  <<: *alpine_3_14_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:alpine3.11:amd64
-  needs: ["gcc:alpine3.11:amd64"]
+  needs:
+    - job: gcc:alpine3.14:amd64
+      artifacts: true
 
-# Jobs for regular GCC builds on CentOS 6 (amd64)
+# Jobs for regular GCC builds on CentOS 6 (i386)
 
-gcc:centos6:amd64:
+gcc:centos6:i386:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
-    EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error"
-  <<: *centos_centos6_amd64_image
+    EXTRA_CONFIGURE: "--with-libidn2 --without-python --disable-warn-error --disable-dnstap"
+  <<: *centos_centos6_i386_image
   <<: *build_job
 
-system:gcc:centos6:amd64:
-  <<: *centos_centos6_amd64_image
+system:gcc:centos6:i386:
+  <<: *centos_centos6_i386_image
   <<: *system_test_job
-  dependencies:
-    - gcc:centos6:amd64
-  needs: ["gcc:centos6:amd64"]
+  needs:
+    - job: gcc:centos6:i386
+      artifacts: true
 
-unit:gcc:centos6:amd64:
-  <<: *centos_centos6_amd64_image
+unit:gcc:centos6:i386:
+  <<: *centos_centos6_i386_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:centos6:amd64
-  needs: ["gcc:centos6:amd64"]
+  needs:
+    - job: gcc:centos6:i386
+      artifacts: true
 
-# Jobs for regular GCC builds on CentOS 7 (amd64)
+# Jobs for regular GCC builds on CentOS 6 (amd64)
 
-gcc:centos7:amd64:
+gcc:centos6:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
-  <<: *centos_centos7_amd64_image
+    EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error --disable-dnstap"
+  <<: *centos_centos6_amd64_image
   <<: *build_job
 
-system:gcc:centos7:amd64:
-  <<: *centos_centos7_amd64_image
+system:gcc:centos6:amd64:
+  <<: *centos_centos6_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:centos7:amd64
-  needs: ["gcc:centos7:amd64"]
+  needs:
+    - job: gcc:centos6:amd64
+      artifacts: true
 
-unit:gcc:centos7:amd64:
-  <<: *centos_centos7_amd64_image
+unit:gcc:centos6:amd64:
+  <<: *centos_centos6_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:centos7:amd64
-  needs: ["gcc:centos7:amd64"]
+  needs:
+    - job: gcc:centos6:amd64
+      artifacts: true
 
-# Jobs for regular GCC builds on CentOS 8 (amd64)
+# Jobs for regular GCC builds on Oracle Linux 7 (amd64)
 
-gcc:centos8:amd64:
+gcc:oraclelinux7:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
     EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *centos_centos8_amd64_image
+  <<: *oraclelinux_7_amd64_image
   <<: *build_job
 
-system:gcc:centos8:amd64:
-  <<: *centos_centos8_amd64_image
+system:gcc:oraclelinux7:amd64:
+  <<: *oraclelinux_7_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:centos8:amd64
-  needs: ["gcc:centos8:amd64"]
+  needs:
+    - job: gcc:oraclelinux7:amd64
+      artifacts: true
 
-unit:gcc:centos8:amd64:
-  <<: *centos_centos8_amd64_image
+unit:gcc:oraclelinux7:amd64:
+  <<: *oraclelinux_7_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:centos8:amd64
-  needs: ["gcc:centos8:amd64"]
+  needs:
+    - job: gcc:oraclelinux7:amd64
+      artifacts: true
 
-# Jobs for regular GCC builds on Debian 8 Jessie (amd64)
+# Jobs for regular GCC builds on Oracle Linux 8 (amd64)
 
-gcc:jessie:amd64:
+gcc:oraclelinux8:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O2"
-    EXTRA_CONFIGURE: "--without-cmocka --with-python --disable-geoip"
-  <<: *debian_jessie_amd64_image
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--enable-buffer-useinline --with-libidn2"
+  <<: *oraclelinux_8_amd64_image
   <<: *build_job
 
-system:gcc:jessie:amd64:
-  <<: *debian_jessie_amd64_image
+system:gcc:oraclelinux8:amd64:
+  <<: *oraclelinux_8_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:jessie:amd64
-  needs: ["gcc:jessie:amd64"]
+  needs:
+    - job: gcc:oraclelinux8:amd64
+      artifacts: true
 
-unit:gcc:jessie:amd64:
-  <<: *debian_jessie_amd64_image
+unit:gcc:oraclelinux8:amd64:
+  <<: *oraclelinux_8_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:jessie:amd64
-  needs: ["gcc:jessie:amd64"]
+  needs:
+    - job: gcc:oraclelinux8:amd64
+      artifacts: true
 
 # Jobs for regular GCC builds on Debian 9 Stretch (amd64)
 
@@ -556,196 +687,168 @@ gcc:stretch:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -O2"
+    EXTRA_CONFIGURE: "--without-gssapi"
   <<: *debian_stretch_amd64_image
   <<: *build_job
 
 system:gcc:stretch:amd64:
   <<: *debian_stretch_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:stretch:amd64
-  needs: ["gcc:stretch:amd64"]
+  needs:
+    - job: gcc:stretch:amd64
+      artifacts: true
 
 unit:gcc:stretch:amd64:
   <<: *debian_stretch_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:stretch:amd64
-  needs: ["gcc:stretch:amd64"]
+  needs:
+    - job: gcc:stretch:amd64
+      artifacts: true
 
 # Jobs for regular GCC builds on Debian 10 Buster (amd64)
 
 gcc:buster:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "${CFLAGS_COMMON} --coverage -O0"
+    LDFLAGS: "--coverage"
+    EXTRA_CONFIGURE: "--with-libidn2"
   <<: *debian_buster_amd64_image
   <<: *build_job
 
 system:gcc:buster:amd64:
   <<: *debian_buster_amd64_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:buster:amd64
-  needs: ["gcc:buster:amd64"]
+  <<: *system_test_gcov_job
+  needs:
+    - job: unit:gcc:buster:amd64
+      artifacts: true
 
 unit:gcc:buster:amd64:
   <<: *debian_buster_amd64_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:buster:amd64
-  needs: ["gcc:buster:amd64"]
+  <<: *unit_test_gcov_job
+  needs:
+    - job: gcc:buster:amd64
+      artifacts: true
 
 # Jobs for scan-build builds on Debian Buster (amd64)
 
-.scan_build: &scan_build |
-  ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" \
-                --keep-cc \
-                --status-bugs \
-                --keep-going \
-                -o scan-build.reports \
-                make -j${BUILD_PARALLEL_JOBS:-1} all V=1
+.scan_build: &scan_build
+  - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)"
+                  --keep-cc
+                  --status-bugs
+                  --keep-going
+                  -o scan-build.reports make -j${BUILD_PARALLEL_JOBS:-1} all V=1
 
-scan-build:buster:amd64:
+scan-build:
   <<: *default_triggering_rules
-  <<: *debian_buster_amd64_image
+  <<: *base_image
   stage: postcheck
   variables:
-    CC: clang-9
+    CC: "${CLANG}"
     CFLAGS: "${CFLAGS_COMMON}"
     CONFIGURE: "${SCAN_BUILD} ./configure"
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
+    EXTRA_CONFIGURE: "--with-libidn2"
   script:
     - *configure
     - *scan_build
-  dependencies:
-    - autoreconf:sid:amd64
   needs:
-    - autoreconf:sid:amd64
+    - job: autoreconf
+      artifacts: true
   artifacts:
     paths:
       - scan-build.reports/
-    expire_in: "1 week"
+    expire_in: "1 day"
     when: on_failure
 
 # Jobs for regular GCC builds on Debian Sid (amd64)
+# Also tests configration option: --without-lmdb.
 
 gcc:sid:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -O3"
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
+    EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb"
     RUN_MAKE_INSTALL: 1
-    MAKE: bear make
   <<: *debian_sid_amd64_image
   <<: *build_job
 
 system:gcc:sid:amd64:
   <<: *debian_sid_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:sid:amd64
-  needs: ["gcc:sid:amd64"]
+  needs:
+    - job: gcc:sid:amd64
+      artifacts: true
 
 unit:gcc:sid:amd64:
   <<: *debian_sid_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:sid:amd64
-  needs: ["gcc:sid:amd64"]
+  needs:
+    - job: gcc:sid:amd64
+      artifacts: true
 
-cppcheck:gcc:sid:amd64:
-  <<: *debian_sid_amd64_image
+cppcheck:
+  <<: *base_image
   <<: *cppcheck_job
-  dependencies:
-    - gcc:sid:amd64
-  needs: ["gcc:sid:amd64"]
 
 # Job for out-of-tree GCC build on Debian Sid (amd64)
+# Also tests configration option: --with-lmdb.
 
-oot:sid:amd64:
+gcc:out-of-tree:
   variables:
     CC: gcc
-    CFLAGS: "-Wall -Wextra -O3 -g"
+    CFLAGS: "${CFLAGS_COMMON} -Og"
     CONFIGURE: ../configure
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
+    EXTRA_CONFIGURE: "--with-libidn2 --with-lmdb"
+    SKIP_MAKE_DEPEND: 1
     RUN_MAKE_INSTALL: 1
     OOT_BUILD_WORKSPACE: workspace
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   <<: *build_job
 
 # Jobs for tarball GCC builds on Debian Sid (amd64)
 
-tarball:sid:amd64:
+gcc:tarball:
   variables:
     CC: gcc
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
+    EXTRA_CONFIGURE: "--with-libidn2"
     RUN_MAKE_INSTALL: 1
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   <<: *build_job
   before_script:
     - tar --extract --file bind-*.tar.${TARBALL_EXTENSION}
     - rm -f bind-*.tar.${TARBALL_EXTENSION}
     - cd bind-*
-  dependencies:
-    - tarball-create:sid:amd64
-  needs: ["tarball-create:sid:amd64"]
-  only:
-    - tags
+  needs:
+    - job: tarball-create
+      artifacts: true
 
-system:tarball:sid:amd64:
-  <<: *debian_sid_amd64_image
+system:gcc:tarball:
+  <<: *base_image
   <<: *system_test_job
+  <<: *schedules_tags_web_triggering_rules
   before_script:
     - cd bind-*
     - *setup_interfaces
-  dependencies:
-    - tarball:sid:amd64
-  needs: ["tarball:sid:amd64"]
-  only:
-    - tags
+  needs:
+    - job: gcc:tarball
+      artifacts: true
 
-unit:tarball:sid:amd64:
-  <<: *debian_sid_amd64_image
+unit:gcc:tarball:
+  <<: *base_image
   <<: *unit_test_job
+  <<: *schedules_tags_web_triggering_rules
   before_script:
     - cd bind-*
-  dependencies:
-    - tarball:sid:amd64
-  needs: ["tarball:sid:amd64"]
-  only:
-    - tags
-
-# Jobs for regular GCC builds on Debian Sid (i386)
-
-gcc:sid:i386:
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
-    EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2 --without-python"
-  <<: *debian_sid_i386_image
-  <<: *build_job
-
-system:gcc:sid:i386:
-  <<: *debian_sid_i386_image
-  <<: *system_test_job
-  dependencies:
-    - gcc:sid:i386
-  needs: ["gcc:sid:i386"]
-
-unit:gcc:sid:i386:
-  <<: *debian_sid_i386_image
-  <<: *unit_test_job
-  dependencies:
-    - gcc:sid:i386
-  needs: ["gcc:sid:i386"]
+  needs:
+    - job: gcc:tarball
+      artifacts: true
 
-# Jobs for regular GCC builds on openSUSE Tumbleweed (amd64)
+# Jobs for debug GCC builds on openSUSE Tumbleweed (amd64)
 
 gcc:tumbleweed:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "${CFLAGS_COMMON} -DDEBUG"
     EXTRA_CONFIGURE: "--with-libidn2"
   <<: *tumbleweed_latest_amd64_image
   <<: *build_job
@@ -753,253 +856,431 @@ gcc:tumbleweed:amd64:
 system:gcc:tumbleweed:amd64:
   <<: *tumbleweed_latest_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:tumbleweed:amd64
-  needs: ["gcc:tumbleweed:amd64"]
+  needs:
+    - job: gcc:tumbleweed:amd64
+      artifacts: true
 
 unit:gcc:tumbleweed:amd64:
   <<: *tumbleweed_latest_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:tumbleweed:amd64
-  needs: ["gcc:tumbleweed:amd64"]
+  needs:
+    - job: gcc:tumbleweed:amd64
+      artifacts: true
 
-# Jobs for regular GCC builds on Fedora 31 (amd64)
+# Jobs for regular GCC builds on Fedora 34 (amd64)
 
-gcc:fedora31:amd64:
+gcc:fedora34:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -O1"
     EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *fedora_31_amd64_image
+  <<: *fedora_34_amd64_image
   <<: *build_job
 
-system:gcc:fedora31:amd64:
-  <<: *fedora_31_amd64_image
+system:gcc:fedora34:amd64:
+  <<: *fedora_34_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:fedora31:amd64
-  needs: ["gcc:fedora31:amd64"]
+  needs:
+    - job: gcc:fedora34:amd64
+      artifacts: true
 
-unit:gcc:fedora31:amd64:
-  <<: *fedora_31_amd64_image
+unit:gcc:fedora34:amd64:
+  <<: *fedora_34_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:fedora31:amd64
-  needs: ["gcc:fedora31:amd64"]
+  needs:
+    - job: gcc:fedora34:amd64
+      artifacts: true
 
-# Jobs for regular GCC builds on Ubuntu 16.04 Xenial Xerus (amd64)
+# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64)
 
-gcc:xenial:amd64:
+gcc:bionic:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -O2"
-    EXTRA_CONFIGURE: "--disable-geoip"
-  <<: *ubuntu_xenial_amd64_image
+    EXTRA_CONFIGURE: "--without-geoip2 --with-geoip --disable-dnstap --with-gssapi"
+  <<: *ubuntu_bionic_amd64_image
   <<: *build_job
 
-system:gcc:xenial:amd64:
-  <<: *ubuntu_xenial_amd64_image
+system:gcc:bionic:amd64:
+  <<: *ubuntu_bionic_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:xenial:amd64
-  needs: ["gcc:xenial:amd64"]
+  needs:
+    - job: gcc:bionic:amd64
+      artifacts: true
 
-unit:gcc:xenial:amd64:
-  <<: *ubuntu_xenial_amd64_image
+unit:gcc:bionic:amd64:
+  <<: *ubuntu_bionic_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:xenial:amd64
-  needs: ["gcc:xenial:amd64"]
+  needs:
+    - job: gcc:bionic:amd64
+      artifacts: true
 
-# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64)
+# Jobs for regular GCC builds on Ubuntu 20.04 Focal Fossa (amd64)
 
-gcc:bionic:amd64:
+gcc:focal:amd64:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -Og"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *ubuntu_bionic_amd64_image
+    EXTRA_CONFIGURE: "--with-libidn2 --with-gssapi=/usr"
+  <<: *ubuntu_focal_amd64_image
   <<: *build_job
 
-system:gcc:bionic:amd64:
-  <<: *ubuntu_bionic_amd64_image
+system:gcc:focal:amd64:
+  <<: *ubuntu_focal_amd64_image
   <<: *system_test_job
-  dependencies:
-    - gcc:bionic:amd64
-  needs: ["gcc:bionic:amd64"]
+  needs:
+    - job: gcc:focal:amd64
+      artifacts: true
 
-unit:gcc:bionic:amd64:
-  <<: *ubuntu_bionic_amd64_image
+unit:gcc:focal:amd64:
+  <<: *ubuntu_focal_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - gcc:bionic:amd64
-  needs: ["gcc:bionic:amd64"]
+  needs:
+    - job: gcc:focal:amd64
+      artifacts: true
 
-# Jobs for GCC builds with ASAN enabled on Debian Sid (amd64)
+# Jobs for builds with ASAN enabled
 
-asan:sid:amd64:
+gcc:asan:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
     LDFLAGS: "-fsanitize=address,undefined"
     EXTRA_CONFIGURE: "--with-libidn2"
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   <<: *build_job
 
-system:asan:sid:amd64:
+system:gcc:asan:
   variables:
     ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON}
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   <<: *system_test_job
-  dependencies:
-    - asan:sid:amd64
-  needs: ["asan:sid:amd64"]
+  needs:
+    - job: gcc:asan
+      artifacts: true
 
-unit:asan:sid:amd64:
+unit:gcc:asan:
   variables:
     ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON}
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   <<: *unit_test_job
-  dependencies:
-    - asan:sid:amd64
-  needs: ["asan:sid:amd64"]
-
-# Jobs for Clang builds on Debian Stretch (amd64)
+  needs:
+    - job: gcc:asan
+      artifacts: true
 
-clang:stretch:amd64:
+clang:asan:
   variables:
-    CC: clang
-    CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
-    EXTRA_CONFIGURE: "--with-python=python3"
-  <<: *debian_stretch_amd64_image
+    CC: ${CLANG}
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=address,undefined"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *base_image
   <<: *build_job
 
-unit:clang:stretch:amd64:
-  <<: *debian_stretch_amd64_image
+system:clang:asan:
+  variables:
+    ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON}
+  <<: *base_image
+  <<: *system_test_job
+  needs:
+    - job: clang:asan
+      artifacts: true
+
+unit:clang:asan:
+  variables:
+    ASAN_OPTIONS: ${ASAN_OPTIONS_COMMON}
+  <<: *base_image
   <<: *unit_test_job
-  dependencies:
-    - clang:stretch:amd64
-  needs: ["clang:stretch:amd64"]
+  needs:
+    - job: clang:asan
+      artifacts: true
 
-# Jobs for Clang builds on Debian Stretch (i386)
+# Jobs for builds with TSAN enabled
 
-clang:stretch:i386:
+gcc:tsan:
+  <<: *base_image
+  <<: *build_job
   variables:
-    CC: clang
-    CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
-    EXTRA_CONFIGURE: "--with-python=python2"
-  <<: *debian_stretch_i386_image
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=thread"
+    EXTRA_CONFIGURE: "--with-libidn2"
+
+system:gcc:tsan:
+  variables:
+    TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON}
+  <<: *base_image
+  <<: *system_test_tsan_job
+  needs:
+    - job: gcc:tsan
+      artifacts: true
+
+unit:gcc:tsan:
+  variables:
+    TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} suppressions=$CI_PROJECT_DIR/tsan-suppressions.txt
+  <<: *base_image
+  <<: *unit_test_tsan_job
+  needs:
+    - job: gcc:tsan
+      artifacts: true
+
+clang:tsan:
+  <<: *base_image
   <<: *build_job
+  variables:
+    CC: "${CLANG}"
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=thread"
+    EXTRA_CONFIGURE: "--with-libidn2"
+
+system:clang:tsan:
+  variables:
+    TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON}
+  <<: *base_image
+  <<: *system_test_tsan_job
+  needs:
+    - job: clang:tsan
+      artifacts: true
 
-# Jobs for nocrypt builds on Debian Sid (amd64)
+unit:clang:tsan:
+  variables:
+    TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} suppressions=$CI_PROJECT_DIR/tsan-suppressions.txt
+  <<: *base_image
+  <<: *unit_test_tsan_job
+  needs:
+    - job: clang:tsan
+      artifacts: true
 
-nocrypto:sid:amd64:
+# Jobs for builds with TSAN enabled --disable-atomics
+
+gcc:tsan:noatomics:
+  <<: *base_image
+  <<: *build_job
   variables:
     CC: gcc
-    CFLAGS: "-Wall -Wextra -O2 -g"
-    EXTRA_CONFIGURE: "--with-openssl=no"
-  <<: *debian_sid_amd64_image
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=thread"
+    EXTRA_CONFIGURE: "--with-libidn2 --disable-atomic --disable-dnstap"
+
+system:gcc:tsan:noatomics:
+  variables:
+    TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON}
+  <<: *base_image
+  <<: *system_test_tsan_job
+  needs:
+    - job: gcc:tsan:noatomics
+      artifacts: true
+
+unit:gcc:tsan:noatomics:
+  variables:
+    TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON}
+  <<: *base_image
+  <<: *unit_test_tsan_job
+  needs:
+    - job: gcc:tsan:noatomics
+      artifacts: true
+
+clang:tsan:noatomics:
+  <<: *base_image
   <<: *build_job
+  variables:
+    CC: "${CLANG}"
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=thread"
+    EXTRA_CONFIGURE: "--with-libidn2 --disable-atomic --disable-dnstap"
 
-system:nocrypto:sid:amd64:
-  <<: *debian_sid_amd64_image
+system:clang:tsan:noatomics:
+  variables:
+    TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON}
+  <<: *base_image
+  <<: *system_test_tsan_job
+  needs:
+    - job: clang:tsan:noatomics
+      artifacts: true
+
+unit:clang:tsan:noatomics:
+  variables:
+    TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON}
+  <<: *base_image
+  <<: *unit_test_tsan_job
+  needs:
+    - job: clang:tsan:noatomics
+      artifacts: true
+
+# Jobs for builds without atomics and threads
+
+gcc:noatomics:
+  variables:
+    CC: gcc
+    EXTRA_CONFIGURE: "--disable-atomic --disable-threads --disable-dnstap"
+  <<: *base_image
+  <<: *build_job
+
+system:gcc:noatomics:
+  <<: *base_image
   <<: *system_test_job
-  dependencies:
-    - nocrypto:sid:amd64
+  needs:
+    - job: gcc:noatomics
+      artifacts: true
 
-unit:nocrypto:sid:amd64:
-  <<: *debian_sid_amd64_image
+unit:gcc:noatomics:
+  <<: *base_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:noatomics
+      artifacts: true
+
+# Jobs for Clang builds on Debian Buster (amd64)
+
+clang:buster:amd64:
+  variables:
+    CC: ${CLANG}
+    CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
+    EXTRA_CONFIGURE: "--with-python=python3"
+  <<: *debian_buster_amd64_image
+  <<: *build_job
+
+system:clang:buster:amd64:
+  <<: *debian_buster_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: clang:buster:amd64
+      artifacts: true
+
+unit:clang:buster:amd64:
+  <<: *debian_buster_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - nocrypto:sid:amd64
+  needs:
+    - job: clang:buster:amd64
+      artifacts: true
 
 # Jobs for PKCS#11-enabled GCC builds on Debian Sid (amd64)
 
-pkcs11:sid:amd64:
+gcc:pkcs11:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON}"
     EXTRA_CONFIGURE: "--enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so"
-  <<: *debian_sid_amd64_image
+  <<: *base_image
   <<: *build_job
 
-system:pkcs11:sid:amd64:
-  <<: *debian_sid_amd64_image
+system:gcc:pkcs11:
+  <<: *base_image
   <<: *system_test_job
-  dependencies:
-    - pkcs11:sid:amd64
-  needs: ["pkcs11:sid:amd64"]
+  needs:
+    - job: gcc:pkcs11
+      artifacts: true
 
-unit:pkcs11:sid:amd64:
-  <<: *debian_sid_amd64_image
+unit:gcc:pkcs11:
+  <<: *base_image
   <<: *unit_test_job
-  dependencies:
-    - pkcs11:sid:amd64
-  needs: ["pkcs11:sid:amd64"]
+  needs:
+    - job: gcc:pkcs11
+      artifacts: true
 
-# Jobs for Clang builds on FreeBSD 11.3 (amd64)
+# Jobs for Clang builds on FreeBSD 11 (amd64)
 
-clang:freebsd11.3:amd64:
+clang:freebsd11:amd64:
   variables:
     CFLAGS: "${CFLAGS_COMMON}"
-  <<: *freebsd_amd64
+    USER: gitlab-runner
+  <<: *freebsd_11_amd64_image
   <<: *build_job
+  <<: *schedules_tags_web_triggering_rules
 
-system:clang:freebsd11.3:amd64:
-  <<: *freebsd_amd64
+system:clang:freebsd11:amd64:
+  <<: *freebsd_11_amd64_image
   <<: *system_test_job
-  dependencies:
-    - clang:freebsd11.3:amd64
-  needs: ["clang:freebsd11.3:amd64"]
+  <<: *schedules_tags_web_triggering_rules
+  variables:
+    USER: gitlab-runner
+    TEST_PARALLEL_JOBS: 4
+  needs:
+    - job: clang:freebsd11:amd64
+      artifacts: true
 
-unit:clang:freebsd11.3:amd64:
-  <<: *freebsd_amd64
+unit:clang:freebsd11:amd64:
+  <<: *freebsd_11_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - clang:freebsd11.3:amd64
-  needs: ["clang:freebsd11.3:amd64"]
+  <<: *schedules_tags_web_triggering_rules
+  needs:
+    - job: clang:freebsd11:amd64
+      artifacts: true
 
-# Jobs for Clang builds on FreeBSD 12.0 (amd64)
+# Jobs for Clang builds on FreeBSD 12 (amd64)
 
-clang:freebsd12.0:amd64:
+clang:freebsd12:amd64:
   variables:
     CFLAGS: "${CFLAGS_COMMON}"
-    EXTRA_CONFIGURE: "--enable-dnstap"
-  <<: *freebsd_amd64
+    EXTRA_CONFIGURE: "--with-gssapi=krb5-config"
+    USER: gitlab-runner
+  <<: *freebsd_12_amd64_image
   <<: *build_job
 
-system:clang:freebsd12.0:amd64:
-  <<: *freebsd_amd64
+system:clang:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
   <<: *system_test_job
-  dependencies:
-    - clang:freebsd12.0:amd64
-  needs: ["clang:freebsd12.0:amd64"]
+  variables:
+    USER: gitlab-runner
+    TEST_PARALLEL_JOBS: 4
+  needs:
+    - job: clang:freebsd12:amd64
+      artifacts: true
 
-unit:clang:freebsd12.0:amd64:
-  <<: *freebsd_amd64
+unit:clang:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - clang:freebsd12.0:amd64
-  needs: ["clang:freebsd12.0:amd64"]
+  needs:
+    - job: clang:freebsd12:amd64
+      artifacts: true
 
-# Jobs for Clang builds on OpenBSD 6.5 (amd64)
+# Jobs for Clang builds on FreeBSD 13 (amd64)
 
-clang:openbsd6.5:amd64:
+clang:freebsd13:amd64:
+  variables:
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "${WITH_READLINE_LIBEDIT} --with-gssapi=/usr/bin/krb5-config"
+    USER: gitlab-runner
+  <<: *freebsd_13_amd64_image
+  <<: *build_job
+
+system:clang:freebsd13:amd64:
+  <<: *freebsd_13_amd64_image
+  <<: *system_test_job
+  variables:
+    USER: gitlab-runner
+    TEST_PARALLEL_JOBS: 4
+  needs:
+    - job: clang:freebsd13:amd64
+      artifacts: true
+
+unit:clang:freebsd13:amd64:
+  <<: *freebsd_13_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: clang:freebsd13:amd64
+      artifacts: true
+
+# Jobs for Clang builds on OpenBSD (amd64)
+
+clang:openbsd:amd64:
   variables:
     CC: clang
-  <<: *openbsd_amd64
+    USER: gitlab-runner
+    EXTRA_CONFIGURE: "--disable-dnstap"
+  <<: *openbsd_amd64_image
   <<: *build_job
 
-system:clang:openbsd6.5:amd64:
-  <<: *openbsd_amd64
+system:clang:openbsd:amd64:
+  <<: *openbsd_amd64_image
   <<: *system_test_job
-  dependencies:
-    - clang:openbsd6.5:amd64
-  needs: ["clang:openbsd6.5:amd64"]
+  variables:
+    USER: gitlab-runner
+  needs:
+    - job: clang:openbsd:amd64
+      artifacts: true
   only:
     - schedules
-    - tags
     - web
 
 # Jobs with libtool disabled
@@ -1015,54 +1296,55 @@ nolibtool:sid:amd64:
 system:nolibtool:sid:amd64:
   <<: *debian_sid_amd64_image
   <<: *system_test_job
-  dependencies:
-    - nolibtool:sid:amd64
-  needs: ["nolibtool:sid:amd64"]
+  needs:
+    - job: nolibtool:sid:amd64
+      artifacts: true
 
 unit:nolibtool:sid:amd64:
   <<: *debian_sid_amd64_image
   <<: *unit_test_job
-  dependencies:
-    - nolibtool:sid:amd64
-  needs: ["nolibtool:sid:amd64"]
+  needs:
+    - job: nolibtool:sid:amd64
+      artifacts: true
 
 # Jobs for Visual Studio 2017 builds on Windows (amd64)
 
 msvc:windows:amd64:
+  <<: *windows_server_2016_amd64_image
   <<: *windows_build_job
   <<: *default_triggering_rules
   variables:
     VSCONF: Release
 
 system:msvc:windows:amd64:
+  <<: *windows_server_2016_amd64_image
   <<: *windows_system_test_job
   variables:
     VSCONF: Release
-  dependencies:
-    - msvc:windows:amd64
-  needs: ["msvc:windows:amd64"]
+  needs:
+    - job: msvc:windows:amd64
+      artifacts: true
 
 msvc-debug:windows:amd64:
+  <<: *windows_server_2016_amd64_image
   <<: *windows_build_job
+  <<: *schedules_tags_web_triggering_rules
   variables:
     VSCONF: Debug
-  only:
-    - schedules
-    - tags
-    - web
 
 system:msvc-debug:windows:amd64:
+  <<: *windows_server_2016_amd64_image
   <<: *windows_system_test_job
   variables:
     VSCONF: Debug
-  dependencies:
-    - msvc-debug:windows:amd64
-  needs: ["msvc-debug:windows:amd64"]
+  needs:
+    - job: msvc-debug:windows:amd64
+      artifacts: true
 
 # Job producing a release tarball
 
-release:sid:amd64:
-  <<: *debian_sid_amd64_image
+release:
+  <<: *base_image
   stage: release
   script:
     # Determine BIND version
@@ -1090,13 +1372,305 @@ release:sid:amd64:
     - popd
     # Create release tarball
     - tar --create --file="${CI_COMMIT_TAG}.tar.gz" --gzip release/
-  dependencies:
-    - tarball-create:sid:amd64
-    - msvc:windows:amd64
-    - msvc-debug:windows:amd64
+  needs:
+    - job: tarball-create
+      artifacts: true
+    - job: msvc:windows:amd64
+      artifacts: true
+    - job: msvc-debug:windows:amd64
+      artifacts: true
   only:
     - tags
   artifacts:
     paths:
       - "*.tar.gz"
+    expire_in: "1 day"
+
+# Coverity Scan analysis upload
+
+.coverity_cache_prep: &coverity_cache_prep
+  - test -f cov-analysis-linux64.md5 && test -f cov-analysis-linux64.tgz || (
+    curl --output cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64
+         --form project=$COVERITY_SCAN_PROJECT_NAME
+         --form token=$COVERITY_SCAN_TOKEN
+         --form md5=1;
+    curl --output cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
+         --form project=$COVERITY_SCAN_PROJECT_NAME
+         --form token=$COVERITY_SCAN_TOKEN;
+    )
+  - test "$(md5sum cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat cov-analysis-linux64.md5)"
+  - tar --extract --gzip --file=cov-analysis-linux64.tgz
+  - test -d cov-analysis-linux64-2020.09
+
+.coverity_build: &coverity_build
+  - cov-analysis-linux64-2020.09/bin/cov-build --dir cov-int sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1'
+  - tar --create --gzip --file=cov-int.tar.gz cov-int/
+  - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
+        --form token=$COVERITY_SCAN_TOKEN
+        --form email=bind-changes@isc.org
+        --form file=@cov-int.tar.gz
+        --form version="$(git rev-parse --short HEAD)"
+        --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1
+        | tee curl-response.txt
+  - grep -q 'Build successfully submitted' curl-response.txt
+
+coverity:
+  <<: *base_image
+  stage: postcheck
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  script:
+    - *coverity_cache_prep
+    - *configure
+    - *coverity_build
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    paths:
+      - curl-response.txt
+      - cov-int.tar.gz
+    expire_in: "1 week"
+    when: on_failure
+  only:
+    variables:
+      - $COVERITY_SCAN_PROJECT_NAME
+      - $COVERITY_SCAN_TOKEN
+  cache:
+    key: cov-analysis-linux64-2020.09
+    paths:
+      - cov-analysis-linux64.md5
+      - cov-analysis-linux64.tgz
+
+# Respdiff test
+
+respdiff:
+  <<: *base_image
+  <<: *schedules_tags_web_triggering_rules
+  stage: system
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    BIND_BASELINE_VERSION: v9_11_24
+    MAX_DISAGREEMENTS_PERCENTAGE: "0.1"
+  script:
+    - ./configure --without-make-clean
+    - make -j${BUILD_PARALLEL_JOBS:-1} V=1
+    - *setup_interfaces
+    - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git
+    - git clone --branch "${BIND_BASELINE_VERSION}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git refbind
+    - cd refbind/
+    - ./configure --without-make-clean
+    - make -j${BUILD_PARALLEL_JOBS:-1} V=1
+    - cd ../bind-qa/bind9/respdiff
+    - bash respdiff.sh -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}/refbind" "${CI_PROJECT_DIR}"
+  needs:
+    - job: tarball-create
+      artifacts: true
+  artifacts:
+    paths:
+      - refbind
+      - bind-qa/bind9/respdiff
+    untracked: true
+    expire_in: "1 day"
+    when: always
+
+# "Stress" tests
+
+.stress: &stress_job
+  stage: performance
+  script:
+    - *configure
+    - *setup_interfaces
+    - *setup_softhsm
+    - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
+    - make DESTDIR="${INSTALL_PATH}" install
+    - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git
+    - cd bind-qa/bind9/stress
+    - LD_LIBRARY_PATH="${INSTALL_PATH}/usr/local/lib" BIND_INSTALL_PATH="${INSTALL_PATH}/usr/local" WORKSPACE="${CI_PROJECT_DIR}" bash stress.sh
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    untracked: true
+    expire_in: "1 day"
+    when: always
+  timeout: 2h
+
+stress:authoritative:fedora:34:amd64:
+  <<: *fedora_34_amd64_image
+  <<: *linux_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    FLAME: /usr/bin/flame
+    MODE: authoritative
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+stress:recursive:fedora:34:amd64:
+  <<: *fedora_34_amd64_image
+  <<: *linux_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    FLAME: /usr/bin/flame
+    MODE: recursive
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+stress:authoritative:fedora:34:arm64:
+  <<: *fedora_34_arm64_image
+  <<: *linux_stress_arm64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    FLAME: /usr/bin/flame
+    MODE: authoritative
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i)
+
+stress:recursive:fedora:34:arm64:
+  <<: *fedora_34_arm64_image
+  <<: *linux_stress_arm64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    FLAME: /usr/bin/flame
+    MODE: recursive
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i)
+
+stress:authoritative:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
+  <<: *freebsd_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: clang
+    FLAME: /usr/local/bin/flame
+    MODE: authoritative
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+  # See: https://gitlab.isc.org/isc-projects/bind9/-/issues/1941
+  allow_failure: true
+
+stress:recursive:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
+  <<: *freebsd_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: clang
+    FLAME: /usr/local/bin/flame
+    MODE: recursive
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+  # See: https://gitlab.isc.org/isc-projects/bind9/-/issues/1941
+  allow_failure: true
+
+# ABI check
+
+abi-check:
+  <<: *base_image
+  stage: build
+  needs:
+    - job: autoreconf
+      artifacts: true
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    EXTRA_CONFIGURE: "--with-libidn2"
+    BIND_BASELINE_VERSION: v9_11_35
+  script:
+    - *configure
+    - make -j${BUILD_PARALLEL_JOBS:-1} V=1
+    - git clone --branch "${BIND_BASELINE_VERSION}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git refbind
+    - cd refbind/
+    - *configure
+    - make -j${BUILD_PARALLEL_JOBS:-1} V=1
+    - cd ..
+    - util/api-checker.sh . refbind
+  artifacts:
+    paths:
+      - "*-lib*.html"
+      - "*-lib*.txt"
+      - "abi-*.dump"
     expire_in: "1 week"
+  only:
+    - main@isc-projects/bind9
+    - /^v9_[1-9][0-9]$/@isc-projects/bind9
+
+gcov:
+  <<: *base_image
+  <<: *default_triggering_rules
+  stage: postcheck
+  needs:
+    - job: system:gcc:buster:amd64
+      artifacts: true
+  script:
+    # *.gcno and *.gcda files generated for shared library objects are created
+    # in directories in which gcovr is unable to process them properly
+    # (.../.libs/...).  Move such *.gcno and *.gcda files one level higher.
+    - find . -regex ".*/\.libs/.*\.\(gcda\|gcno\)" -execdir mv "{}" .. \;
+    # Help gcovr process the nasty tricks in lib/dns/code.h, where we include C
+    # source files from lib/dns/rdata/*/, using an even nastier trick.
+    - find lib/dns/rdata/* -name "*.c" -execdir cp -f "{}" ../../ \;
+    # These drivers are built into bin/named/named in a way which trips up
+    # gcovr.  Copy them to where gcovr expects them.
+    - cp contrib/dlz/drivers/dlz_drivers.c contrib/dlz/drivers/dlz_filesystem_driver.c contrib/dlz/drivers/sdlz_helper.c bin/named/
+    # The same reasoning applies for some libisc source files.
+    - cp lib/isc/app_api.c lib/isc/socket_api.c lib/isc/unix/
+    - cp lib/isc/x86_64/include/isc/atomic.h lib/dns/
+    # Generate XML file in the Cobertura XML format suitable for use by GitLab
+    # for the purpose of displaying code coverage information in the diff view
+    # of a given merge request.
+    - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --xml -o coverage.xml
+    - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --html-details -o coverage.html
+    - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' -o coverage.txt
+    - tail -n 3 coverage.txt
+  artifacts:
+    paths:
+      - coverage*.html
+      - coverage.txt
+      - coverage.xml
+    reports:
+      cobertura: coverage.xml
+
+# Pairwise testing of ./configure options
+
+pairwise:
+  <<: *base_image
+  stage: build
+  needs:
+    - job: autoreconf
+      artifacts: true
+  script:
+      - util/pairwise-testing.sh
+  artifacts:
+    paths:
+      - pairwise-commands.txt
+      - pairwise-model.txt
+      - pairwise-output.*.txt
+    when: on_failure
+  only:
+    variables:
+      - $PAIRWISE_TESTING
diff --git a/bind/bind9/.pylintrc b/bind/bind9/.pylintrc
new file mode 100644
index 00000000..62cbfae3
--- /dev/null
+++ b/bind/bind9/.pylintrc
@@ -0,0 +1,6 @@
+[MASTER]
+disable=
+    C0114, # missing-module-docstring
+    C0115, # missing-class-docstring
+    C0116, # missing-function-docstring
+    R0801, # duplicate-code
diff --git a/bind/bind9/CHANGES b/bind/bind9/CHANGES
index 8e6a48ef..0ebef399 100644
--- a/bind/bind9/CHANGES
+++ b/bind/bind9/CHANGES
@@ -1,3 +1,347 @@
+	--- 9.11.36 released ---
+
+5736.	[security]	The "lame-ttl" option is now forcibly set to 0. This
+			effectively disables the lame server cache, as it could
+			previously be abused by an attacker to significantly
+			degrade resolver performance. (CVE-2021-25219)
+			[GL #2899]
+
+5716.	[bug]		Multiple library names were mistakenly passed to the
+			krb5-config utility when ./configure was invoked with
+			the --with-gssapi=[/path/to/]krb5-config option. This
+			has been fixed by invoking krb5-config separately for
+			each required library. [GL #2866]
+
+	--- 9.11.35 released ---
+
+5685.	[bug]		named failed to check the opcode of responses when
+			performing zone refreshes, stub zone updates, and UPDATE
+			forwarding. This has been fixed. [GL #2762]
+
+	--- 9.11.34 released ---
+
+	--- 9.11.33 released ---
+
+	--- 9.11.32 released ---
+
+5631.	[protocol]	Update the implementation of the ZONEMD RR type to match
+			RFC 8976. [GL #2658]
+
+5630.	[func]		Treat DNSSEC responses containing NSEC3 records with
+			iteration counts greater than 150 as insecure.
+			[GL #2445]
+
+5629.	[func]		Reduce the maximum supported number of NSEC3 iterations
+			that can be configured for a zone to 150. [GL #2642]
+
+	--- 9.11.31 released ---
+
+5621.	[bug]		Due to a backporting mistake in change 5609, named
+			binaries built against a Kerberos/GSSAPI library whose
+			header files did not define the GSS_SPNEGO_MECHANISM
+			preprocessor macro were not able to start if their
+			configuration included the "tkey-gssapi-credential"
+			option. This has been fixed. [GL #2634]
+
+	--- 9.11.30 released ---
+
+5617.	[security]	A specially crafted GSS-TSIG query could cause a buffer
+			overflow in the ISC implementation of SPNEGO.
+			(CVE-2021-25216) [GL #2604]
+
+5616.	[security]	named crashed when a DNAME record placed in the ANSWER
+			section during DNAME chasing turned out to be the final
+			answer to a client query. (CVE-2021-25215) [GL #2540]
+
+5615.	[security]	Insufficient IXFR checks could result in named serving a
+			zone without an SOA record at the apex, leading to a
+			RUNTIME_CHECK assertion failure when the zone was
+			subsequently refreshed. This has been fixed by adding an
+			owner name check for all SOA records which are included
+			in a zone transfer. (CVE-2021-25214) [GL #2467]
+
+5614.	[bug]		Ensure all resources are properly cleaned up when a call
+			to gss_accept_sec_context() fails. [GL #2620]
+
+5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
+			source code. It was no longer necessary as all major
+			contemporary Kerberos/GSSAPI libraries include support
+			for SPNEGO. [GL #2607]
+
+	--- 9.11.29 released ---
+
+5586.	[bug]		An invalid direction field in a LOC record resulted in
+			an INSIST failure when a zone file containing such a
+			record was loaded. [GL #2499]
+
+	--- 9.11.28 released ---
+
+5562.	[security]	Fix off-by-one bug in ISC SPNEGO implementation.
+			(CVE-2020-8625) [GL #2354]
+
+	--- 9.11.27 released ---
+
+5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
+			enabling support for libmaxminddb was not working
+			correctly. This has been fixed. [GL #2366]
+
+5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
+			threads at the same time. [GL #2317]
+
+5548.	[bug]		named exited with an assertion failure upon startup when
+			compiled with --disable-threads and --with-epoll.
+			[GL !4454]
+
+5547.	[bug]		BIND 9 failed to build with --disable-threads and
+			--with-geoip2. [GL #2324]
+
+	--- 9.11.26 released ---
+
+5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
+			bytes. [GL #2250]
+
+5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
+			100. [GL #2305]
+
+5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
+			[GL #2315]
+
+5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
+			UDP by falling back to TCP. [GL #2275]
+
+5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
+			followed when the QTYPE was CNAME or ANY. [GL #2280]
+
+	--- 9.11.25 released ---
+
+5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
+			recheck query failed. [GL #2244]
+
+5523.	[bug]		The initial lookup in a zone transitioning to/from a
+			signed state could fail if the DNSKEY RRset was not
+			found. [GL #2236]
+
+5518.	[bug]		Stub zones now work correctly with primary servers using
+			"minimal-responses yes". [GL #1736]
+
+	--- 9.11.24 released ---
+
+5516.	[func]		The default EDNS buffer size has been changed from 4096
+			to 1232 bytes. [GL #2183]
+
+5513.	[doc]		The ARM section describing the "rrset-order" statement
+			was rewritten to make it unambiguous and up-to-date with
+			the source code. [GL #2139]
+
+5510.	[bug]		Implement the attach/detach semantics for dns_message_t
+			to fix a data race in accessing an already-destroyed
+			fctx->rmessage. [GL #2124]
+
+5506.	[bug]		Properly handle failed sysconf() calls, so we don't
+			report invalid memory size. [GL #2166]
+
+	--- 9.11.23 released ---
+
+5497.	[bug]		'dig +bufsize=0' failed to disable EDNS. [GL #2054]
+
+5496.	[bug]		Address a TSAN report by ensuring each rate limiter
+			object holds a reference to its task. [GL #2081]
+
+5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
+			as a value. Fix handling of negative altitudes which are
+			not whole meters. [GL #2074]
+
+5489.	[bug]		Named erroneously accepted certain invalid resource
+			records that were incorrectly processed after
+			subsequently being written to disk and loaded back, as
+			the wire format differed. Such records include: CERT,
+			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
+			X25. [GL !3953]
+
+5488.	[bug]		NTA code needed to have a weak reference on its
+			associated view to prevent the latter from being deleted
+			while NTA tests were being performed. [GL #2067]
+
+	--- 9.11.22 released ---
+
+5481.	[security]	"update-policy" rules of type "subdomain" were
+			incorrectly treated as "zonesub" rules, which allowed
+			keys used in "subdomain" rules to update names outside
+			of the specified subdomains. The problem was fixed by
+			making sure "subdomain" rules are again processed as
+			described in the ARM. (CVE-2020-8624) [GL #2055]
+
+5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
+			was possible to trigger an assertion failure in code
+			determining the number of bits in the PKCS#11 RSA public
+			key with a specially crafted packet. (CVE-2020-8623)
+			[GL #2037]
+
+5476.	[security]	It was possible to trigger an assertion failure when
+			verifying the response to a TSIG-signed request.
+			(CVE-2020-8622) [GL #2028]
+
+5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
+			overridden by other rules that were loaded from RPZ
+			zones which appeared later in the "response-policy"
+			statement. This has been fixed. [GL #1619]
+
+5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
+			when it should have. [GL !3880]
+
+5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
+			or trusted-keys if the bindkeys-file (bind.keys) cannot
+			be parsed. [GL #1235]
+
+5463.	[bug]		Address a potential NULL pointer dereference when out of
+			memory in dnstap.c. [GL #2010]
+
+5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]
+
+	--- 9.11.21 released ---
+
+5458.	[bug]		Prevent a theoretically possible NULL dereference caused
+			by a data race between zone_maintenance() and
+			dns_zone_setview_helper(). [GL #1627]
+
+5455.	[bug]		named could crash when cleaning dead nodes in
+			lib/dns/rbtdb.c that were being reused. [GL #1968]
+
+5447.	[bug]		IPv6 addresses ending in "::" could break YAML
+			parsing. A "0" is now appended to such addresses
+			in YAML output from dig, mdig, delv, and dnstap-read.
+			[GL #1952]
+
+5446.	[bug]		The validator could fail to accept a properly signed
+			RRset if an unsupported algorithm appeared earlier in
+			the DNSKEY RRset than a supported algorithm. It could
+			also stop if it detected a malformed public key.
+			[GL #1689]
+
+5440.	[test]		Properly handle missing kyua. [GL #1950]
+
+	--- 9.11.20 released ---
+
+5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
+			[GL #1808]
+
+5434.	[security]	It was possible to trigger an INSIST in
+			lib/dns/rbtdb.c:new_reference() with a particular zone
+			content and query patterns. (CVE-2020-8619) [GL #1111]
+			[GL #1718]
+
+5433.	[test]		Prevent the resolver system test for change #5395
+			(max-recursion-queries) from failing on systems without
+			IPv6 support. [GL #1873]
+
+5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
+			has been destroyed. Thanks to Petr Menšík. [GL !3316]
+
+5427.	[bug]		Fix a regression in address/prefix length checking that
+			should have been a warning instead of an error.
+			[GL #1849]
+
+5415.	[test]		Address race in dnssec system test that led to
+			test failures. [GL #1852]
+
+5413.	[test]		Address race in autosign system test that led to
+			test failures. [GL #1852]
+
+5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
+			when the serial was greater than or equal to the
+			current serial. [GL #1714]
+
+5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
+			check for empty non-terminal nodes; the NSEC3 tree does
+			not have any. [GL #1834]
+
+5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
+			[GL #1835]
+
+5405.	[bug]		'named-checkconf -p' could include spurious text in
+			server-addresses statements due to an uninitialized DSCP
+			value. [GL #1812]
+
+	--- 9.11.19 released ---
+
+5404.	[bug]		'named-checkconf -z' could incorrectly indicate
+			success if errors were found in one view but not in a
+			subsequent one. [GL #1807]
+
+5398.	[bug]		Named could fail to restart if a zone with a double
+			quote (") in its name was added with 'rndc addzone'.
+			[GL #1695]
+
+5395.	[security]	Further limit the number of queries that can be
+			triggered from a request.  Root and TLD servers
+			are no longer exempt from max-recursion-queries.
+			Fetches for missing name server address records
+			are limited to 4 for any domain. (CVE-2020-8616)
+			[GL #1388]
+
+5394.	[cleanup]	Named formerly attempted to change the effective UID and
+			GID in named_os_openfile(), which could trigger a
+			spurious log message if they were already set to the
+			desired values. This has been fixed. [GL #1042]
+			[GL #1090]
+
+5390.	[security]	Replaying a TSIG BADTIME response as a request could
+			trigger an assertion failure. (CVE-2020-8617)
+			[GL #1703]
+
+5387.	[func]		Warn about AXFR streams with inconsistent message IDs.
+			[GL #1674]
+
+	--- 9.11.18 released ---
+
+5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
+			libraries. [GL #1678]
+
+5379.	[doc]		Clean up serve-stale related options that leaked into
+			the BIND 9.11 release. [GL !3265]
+
+5378.	[bug]		Receiving invalid DNS data was triggering an assertion
+			failure in nslookup. [GL #1652]
+
+5377.	[feature]	Detect atomic operations support on ppc64le. Thanks to
+			Petr Menšík. [GL !3295]
+
+5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
+			configured as a forwarding DNS server. Thanks to Tobias
+			Klein. [GL #1574]
+
+5368.	[bug]		Named failed to restart if 'rndc addzone' names
+			contained special characters (e.g. '/'). [GL #1655]
+
+	--- 9.11.17 released ---
+
+5358.	[bug]		Inline master zones whose master files were touched
+			but otherwise unchanged and were subsequently reloaded
+			may have stopped re-signing. [GL !3135]
+
+5357.	[bug]		Newly added RRSIG records with expiry times before
+			the previous earliest expiry times might not be
+			re-signed in time.  This was a side effect of 5315.
+			[GL !3137]
+
+	--- 9.11.16 released ---
+
+5353.	[doc]		Document port and dscp parameters in forwarders
+			configuration option. [GL #914]
+
+5352.	[bug]		Correctly handle catalog zone entries containing
+			characters that aren't legal in filenames. [GL #1592]
+
+5351.	[bug]		CDS / CDNSKEY consistency checks failed to handle
+			removal records. [GL #1554]
+
+5350.	[bug]		When a view was configured with class CHAOS,
+			dns_view_findzonecut() could incorrectly return
+			success for non-existent records. [GL #1540]
+
+5348.	[bug]		dnssec-settime -Psync was not being honoured.
+			[GL !2925]
+
 	--- 9.11.15 released ---
 
 5339.	[bug]		With some libmaxminddb versions, named could erroneously
@@ -40,7 +384,7 @@
 
 	--- 9.11.13 released ---
 
-5315.	[bug]		Apply the inital RRSIG expiration spread fixed
+5315.	[bug]		Apply the initial RRSIG expiration spread fixed
 			to all dynamically created records in the zone
 			including NSEC3. Also fix the signature clusters
 			when the server has been offline for prolonged
@@ -672,7 +1016,7 @@
 4965.	[func]		Add support for marking options as deprecated.
 			[GL #322]
 
-4964.	[bug]		Reduce the probabilty of double signature when deleting
+4964.	[bug]		Reduce the probability of double signature when deleting
 			a DNSKEY by checking if the node is otherwise signed
 			by the algorithm of the key to be deleted. [GL #240]
 
@@ -973,7 +1317,7 @@
 			[RT #46725]
 
 4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
-			comparisions in diff.c:resign. [RT #46710]
+			comparisons in diff.c:resign. [RT #46710]
 
 4830.	[bug]		Failure to configure ATF when requested did not cause
 			an error in top-level configure script. [RT #46655]
@@ -1114,7 +1458,7 @@
 			and defaulting to the working directory if not
 			specified) must be writable. [RT #46077]
 
-4766.	[cleanup]	Addresss Coverity warnings. [RT #46150]
+4766.	[cleanup]	Address Coverity warnings. [RT #46150]
 
 4763.	[contrib]	Improve compatibility when building MySQL DLZ
 			module by using mysql_config if available.
@@ -5186,7 +5530,7 @@
 
 3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
 			so that all dns_rrl_rtype_t enum values fit regardless
-			of whether it is teated as signed or unsigned by
+			of whether it is treated as signed or unsigned by
 			the compiler. [RT #32792]
 
 3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
@@ -6261,7 +6605,7 @@
 
 	--- 9.9.0b1 released ---
 
-3186.	[bug]		Version/db mis-match in rpz code. [RT #26180]
+3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]
 
 3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
 			 - 'rndc signing -list' displays the current
@@ -6926,7 +7270,7 @@
 2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 			to the task api. [RT #22776]
 
-2997.	[func]		named -V now reports the OpenSSL and libxml2 verions
+2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
 			it was compiled against. [RT #22687]
 
 2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
@@ -9909,7 +10253,7 @@
 2096.	[bug]		libbind: handle applications that fail to detect
 			res_init() failures better.
 
-2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
+2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
 			net_cidr_ntop_ipv6(). [RT #16388]
 
 2094.	[contrib]	Update named-bootconf.  [RT #16404]
@@ -9965,7 +10309,7 @@
 2076.	[bug]		Several files were missing #include <config.h>
 			causing build failures on OSF. [RT #16341]
 
-2075.	[bug]		The spillat timer event hander could leak memory.
+2075.	[bug]		The spillat timer event handler could leak memory.
 			[RT #16357]
 
 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
@@ -10727,7 +11071,7 @@
 
 1831.	[doc]		Update named-checkzone documentation. [RT #13604]
 
-1830.	[bug]		adb lame cache has sence of test reversed. [RT #13600]
+1830.	[bug]		adb lame cache has sense of test reversed. [RT #13600]
 
 1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]
 
@@ -10838,7 +11182,7 @@
 1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
 
 1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
-			formating issues with "rndc dumpdb -all".  [RT #13396]
+			formatting issues with "rndc dumpdb -all".  [RT #13396]
 
 1794.	[func]		Named and named-checkzone can now both check for
 			non-terminal wildcard records.
@@ -12015,7 +12359,7 @@
 			acl.
 
 1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
-			is not available in the kernel to prevent accidently
+			is not available in the kernel to prevent accidentally
 			listening on IPv4 interfaces.
 
 1392.	[bug]		named-checkzone: update usage.
@@ -13743,7 +14087,7 @@
  839.	[func]		Dump packets for which there was no view or that the
 			class could not be determined to category "unmatched".
 
- 838.	[port]		UnixWare 7.x.x is now suported by
+ 838.	[port]		UnixWare 7.x.x is now supported by
 			bin/tests/system/ifconfig.sh.
 
  837.	[cleanup]	Multi-threading is now enabled by default only on
diff --git a/bind/bind9/CONTRIBUTING b/bind/bind9/CONTRIBUTING
index 288bcab9..a60bb03e 100644
--- a/bind/bind9/CONTRIBUTING
+++ b/bind/bind9/CONTRIBUTING
@@ -31,20 +31,18 @@ BIND is maintained by the Internet Systems Consortium, a public-benefit
 see the source, but only ISC employees have commit access. Until recently,
 the source could only be seen once ISC had published a release: read
 access to the source repository was restricted just as commit access was.
-That's now changing, with the opening of a public git mirror to the BIND
-source tree (see below).
+That's now changing, with the opening of a public git repository of the
+BIND source tree (see below).
 
 Access to source code
 
 Public BIND releases are always available from the ISC FTP site.
 
-A public-access GIT repository is also available at https://gitlab.isc.org
-. This repository is a mirror, updated several times per day, of the
-source repository maintained by ISC. It contains all the public release
-branches; upcoming releases can be viewed in their current state at any
-time. It does not contain development branches or unreviewed work in
-progress. Commits which address security vulnerablilities are withheld
-until after public disclosure.
+A public-access git repository is also available at https://gitlab.isc.org
+. This repository contains all public release branches. Upcoming releases
+can be viewed in their current state at any time. Short-lived development
+branches contain unreviewed work in progress. Commits which address
+security vulnerablilities are withheld until after public disclosure.
 
 You can browse the source online via https://gitlab.isc.org/isc-projects/
 bind9
@@ -63,7 +61,7 @@ Whenever a branch is ready for publication, a tag will be placed of the
 form v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0.
 
 The branch in which the next major release is being developed is called
-master.
+main.
 
 Reporting bugs
 
@@ -91,19 +89,19 @@ e-mail is not a secure choice for communications concerning undisclosed
 security issues so please encrypt your communications to us if possible,
 using the ISC Security Officer public key.
 
-Do not discuss undisclosed security vulnerabilites on any public mailing
+Do not discuss undisclosed security vulnerabilities on any public mailing
 list. ISC has a long history of handling reported vulnerabilities promptly
 and effectively and we respect and acknowledge responsible reporters.
 
-ISC's Security Vulnerability Disclosure Policy is documented at https://
-kb.isc.org/article/AA-00861/0.
+ISC's Security Vulnerability Disclosure Policy is documented at
+https://kb.isc.org/docs/aa-00861.
 
-If you have a crash, you may want to consult ?What to do if your BIND or
-DHCP server has crashed.?
+If you have a crash, you may want to consult ‘What to do if your BIND or
+DHCP server has crashed.’
 
 Contributing code
 
-BIND is licensed under the Mozilla Public License 2.0. Earier versions
+BIND is licensed under the Mozilla Public License 2.0. Earlier versions
 (BIND 9.10 and earlier) were licensed under the ISC License
 
 ISC does not require an explicit copyright assignment for patch
@@ -119,7 +117,7 @@ Patches for BIND may be submitted directly via merge requests in ISC's
 Gitlab source repository for BIND.
 
 Patches can also be submitted as diffs against a specific version of BIND
--- preferably the current top of the master branch. Diffs may be generated
+-- preferably the current top of the main branch. Diffs may be generated
 using either git format-patch or git diff.
 
 Those wanting to write code for BIND may be interested in the developer
@@ -137,12 +135,12 @@ we're busy with other work, it may take us a long time to get to it.
 
 To ensure your patch is acted on as promptly as possible, please:
 
-  * Try to adhere to the BIND 9 coding style.
-  * Run make check to ensure your change hasn't caused any functional
+  • Try to adhere to the BIND 9 coding style.
+  • Run make check to ensure your change hasn't caused any functional
     regressions.
-  * Document your work, both in the patch itself and in the accompanying
+  • Document your work, both in the patch itself and in the accompanying
     email.
-  * In patches that make non-trivial functional changes, include system
+  • In patches that make non-trivial functional changes, include system
     tests if possible; when introducing or substantially altering a
     library API, include unit tests. See Testing for more information.
 
@@ -161,12 +159,12 @@ Documentation
 All functional changes should be documented. There are three types of
 documentation in the BIND source tree:
 
-  * Man pages are kept alongside the source code for the commands they
+  • Man pages are kept alongside the source code for the commands they
     document, in files ending in .docbook; for example, the named man page
     is bin/named/named.docbook.
-  * The BIND 9 Administrator Reference Manual is mostly in doc/arm/
+  • The BIND 9 Administrator Reference Manual is mostly in doc/arm/
     Bv9ARM-book.xml, plus a few other XML files that are included in it.
-  * API documentation is in the header file describing the API, in
+  • API documentation is in the header file describing the API, in
     Doxygen-formatted comments.
 
 It is not necessary to edit any documentation files other than these; all
diff --git a/bind/bind9/CONTRIBUTING.md b/bind/bind9/CONTRIBUTING.md
index c00f4fcf..6873d979 100644
--- a/bind/bind9/CONTRIBUTING.md
+++ b/bind/bind9/CONTRIBUTING.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -39,21 +39,19 @@ anyone can see the source, but only ISC employees have commit access.
 Until recently, the source could only be seen once ISC had published
 a release: read access to the source repository was restricted just
 as commit access was.  That's now changing, with the opening of a
-public git mirror to the BIND source tree (see below).
+public git repository of the BIND source tree (see below).
 
 ### <a name="access"></a>Access to source code
 
 Public BIND releases are always available from the
 [ISC FTP site](ftp://ftp.isc.org/isc/bind9).
 
-A public-access GIT repository is also available at
-[https://gitlab.isc.org](https://gitlab.isc.org).
-This repository is a mirror, updated several times per day, of the
-source repository maintained by ISC.  It contains all the public release
-branches; upcoming releases can be viewed in their current state at any
-time.  It does *not* contain development branches or unreviewed work in
-progress.  Commits which address security vulnerablilities are withheld
-until after public disclosure.
+A public-access git repository is also available at
+[https://gitlab.isc.org](https://gitlab.isc.org).  This repository
+contains all public release branches. Upcoming releases can be viewed in
+their current state at any time.  Short-lived development branches
+contain unreviewed work in progress.  Commits which address security
+vulnerablilities are withheld until after public disclosure.
 
 You can browse the source online via
 [https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
@@ -72,7 +70,7 @@ Whenever a branch is ready for publication, a tag will be placed of the
 form `v9_X_Y`.  The 9.12.0 release, for instance, is tagged as `v9_12_0`.
 
 The branch in which the next major release is being developed is called
-`master`.
+`main`.
 
 ### <a name="bugs"></a>Reporting bugs
 
@@ -92,6 +90,7 @@ use credentials from an existing account at GitHub, GitLab, Google,
 Twitter, or Facebook.
 
 ### Reporting possible security issues
+
 If you think you may be seeing a potential security vulnerability in BIND
 (for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
 report it immediately by emailing to security-officer@isc.org. Plain-text
@@ -99,11 +98,12 @@ e-mail is not a secure choice for communications concerning undisclosed
 security issues so please encrypt your communications to us if possible,
 using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
 
-Do not discuss undisclosed security vulnerabilites on any public mailing list.
+Do not discuss undisclosed security vulnerabilities on any public mailing list.
 ISC has a long history of handling reported vulnerabilities promptly and
 effectively and we respect and acknowledge responsible reporters.
 
-ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
+ISC's Security Vulnerability Disclosure Policy is documented at
+[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
 
 If you have a crash, you may want to consult
 [‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
@@ -112,7 +112,8 @@ If you have a crash, you may want to consult
 
 BIND is licensed under the
 [Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
-Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
+Earlier versions (BIND 9.10 and earlier) were licensed under the
+[ISC License](https://www.isc.org/licenses/)
 
 ISC does not require an explicit copyright assignment for patch
 contributions.  However, by submitting a patch to ISC, you implicitly
@@ -128,7 +129,7 @@ Patches for BIND may be submitted directly via merge requests in
 repository for BIND.
 
 Patches can also be submitted as diffs against a specific version of
-BIND -- preferably the current top of the `master` branch.  Diffs may
+BIND -- preferably the current top of the `main` branch.  Diffs may
 be generated using either `git format-patch` or `git diff`.
 
 Those wanting to write code for BIND may be interested in the
diff --git a/bind/bind9/COPYRIGHT b/bind/bind9/COPYRIGHT
index 4fd420b4..0e9976ad 100644
--- a/bind/bind9/COPYRIGHT
+++ b/bind/bind9/COPYRIGHT
@@ -1,8 +1,8 @@
-Copyright (C) 1996-2020  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2021  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at http://mozilla.org/MPL/2.0/.
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
 
  -----------------------------------------------------------------------------
 
diff --git a/bind/bind9/HISTORY b/bind/bind9/HISTORY
index ca6cdfbb..87dc460b 100644
--- a/bind/bind9/HISTORY
+++ b/bind/bind9/HISTORY
@@ -7,10 +7,10 @@ BIND 9.10.0
 BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
 releases. New features include:
 
-  * DNS Response-rate limiting (DNS RRL), which blunts the impact of
+  • DNS Response-rate limiting (DNS RRL), which blunts the impact of
     reflection and amplification attacks, is always compiled in and no
     longer requires a compile-time option to enable it.
-  * An experimental "Source Identity Token" (SIT) EDNS option is now
+  • An experimental "Source Identity Token" (SIT) EDNS option is now
     available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
     these are designed to enable clients to detect off-path spoofed
     responses, and to enable servers to detect spoofed-source queries.
@@ -20,10 +20,10 @@ releases. New features include:
     updated; clients proven to be legitimate via SIT are not subject to
     rate limiting. Use "configure --enable-sit" to enable this feature in
     BIND.
-  * A new zone file format, "map", stores zone data in a format that can
+  • A new zone file format, "map", stores zone data in a format that can
     be mapped directly into memory, allowing significantly faster zone
     loading.
-  * "delv" (domain entity lookup and validation) is a new tool with
+  • "delv" (domain entity lookup and validation) is a new tool with
     dig-like semantics for looking up DNS data and performing internal
     DNSSEC validation. This allows easy validation in environments where
     the resolver may not be trustworthy, and assists with troubleshooting
@@ -31,41 +31,41 @@ releases. New features include:
     9.10, this utility was called "delve". The spelling has been changed
     to avoid confusion with the "delve" utility included with the Xapian
     search engine.)
-  * Improved EDNS(0) processing for better resolver performance and
+  • Improved EDNS(0) processing for better resolver performance and
     reliability over slow or lossy connections.
-  * A new "configure --with-tuning=large" option tunes certain compiled-in
+  • A new "configure --with-tuning=large" option tunes certain compiled-in
     constants and default settings to values better suited to large
     servers with abundant memory. This can improve performance on such
     servers, but will consume more memory and may degrade performance on
     smaller systems.
-  * Substantial improvement in response-policy zone (RPZ) performance. Up
+  • Substantial improvement in response-policy zone (RPZ) performance. Up
     to 32 response-policy zones can be configured with minimal performance
     loss.
-  * To improve recursive resolver performance, cache records which are
+  • To improve recursive resolver performance, cache records which are
     still being requested by clients can now be automatically refreshed
     from the authoritative server before they expire, reducing or
     eliminating the time window in which no answer is available in the
     cache.
-  * New "rpz-client-ip" triggers and drop policies allowing response
+  • New "rpz-client-ip" triggers and drop policies allowing response
     policies based on the IP address of the client.
-  * ACLs can now be specified based on geographic location using the
+  • ACLs can now be specified based on geographic location using the
     MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
-  * Zone data can now be shared between views, allowing multiple views to
+  • Zone data can now be shared between views, allowing multiple views to
     serve the same zones authoritatively without storing multiple copies
     in memory.
-  * New XML schema (version 3) for the statistics channel includes many
+  • New XML schema (version 3) for the statistics channel includes many
     new statistics and uses a flattened XML tree for faster parsing. The
     older schema is now deprecated.
-  * A new stylesheet, based on the Google Charts API, displays XML
+  • A new stylesheet, based on the Google Charts API, displays XML
     statistics in charts and graphs on javascript-enabled browsers.
-  * The statistics channel can now provide data in JSON format as well as
+  • The statistics channel can now provide data in JSON format as well as
     XML.
-  * New stats counters track TCP and UDP queries received per zone, and
+  • New stats counters track TCP and UDP queries received per zone, and
     EDNS options received in total.
-  * The internal and export versions of the BIND libraries (libisc,
+  • The internal and export versions of the BIND libraries (libisc,
     libdns, etc) have been unified so that external library clients can
     use the same libraries as BIND itself.
-  * A new compile-time option, "configure --enable-native-pkcs11", allows
+  • A new compile-time option, "configure --enable-native-pkcs11", allows
     BIND 9 cryptography functions to use the PKCS#11 API natively, so that
     BIND can drive a cryptographic hardware service module (HSM) directly
     instead of using a modified OpenSSL as an intermediary. (Note: This
@@ -74,27 +74,27 @@ releases. New features include:
     "pkcs11-tokens" command can be used to check API completeness. Native
     PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
     version 2 from the Open DNSSEC project.)
-  * The new "max-zone-ttl" option enforces maximum TTLs for zones. This
+  • The new "max-zone-ttl" option enforces maximum TTLs for zones. This
     can simplify the process of rolling DNSSEC keys by guaranteeing that
     cached signatures will have expired within the specified amount of
     time.
-  * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
-  * "dig +expire" sends an EDNS EXPIRE option when querying. When this
+  • "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
+  • "dig +expire" sends an EDNS EXPIRE option when querying. When this
     option is sent with an SOA query to a server that supports it, it will
     report the expiry time of a slave zone.
-  * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
+  • New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
     report if a lapse in signing coverage has been inadvertently
     scheduled.
-  * Signing algorithm flexibility and other improvements for the "rndc"
+  • Signing algorithm flexibility and other improvements for the "rndc"
     control channel.
-  * "named-checkzone" and "named-compilezone" can now read journal files,
+  • "named-checkzone" and "named-compilezone" can now read journal files,
     allowing them to process dynamic zones.
-  * Multiple DLZ databases can now be configured. Individual zones can be
+  • Multiple DLZ databases can now be configured. Individual zones can be
     configured to be served from a specific DLZ database. DLZ databases
     now serve zones of type "master" and "redirect".
-  * "rndc zonestatus" reports information about a specified zone.
-  * "named" now listens on IPv6 as well as IPv4 interfaces by default.
-  * "named" now preserves the capitalization of names when responding to
+  • "rndc zonestatus" reports information about a specified zone.
+  • "named" now listens on IPv6 as well as IPv4 interfaces by default.
+  • "named" now preserves the capitalization of names when responding to
     queries: for instance, a query for "example.com" may be answered with
     "example.COM" if the name was configured that way in the zone file.
     Some clients have a bug causing them to depend on the older behavior,
@@ -102,22 +102,22 @@ releases. New features include:
     rather than the case of the name configured in the DNS. Such clients
     can now be specified in the new "no-case-compress" ACL; this will
     restore the older behavior of "named" for those clients only.
-  * new "dnssec-importkey" command allows the use of offline DNSSEC keys
+  • new "dnssec-importkey" command allows the use of offline DNSSEC keys
     with automatic DNSKEY management.
-  * New "named-rrchecker" tool to verify the syntactic correctness of
+  • New "named-rrchecker" tool to verify the syntactic correctness of
     individual resource records.
-  * When re-signing a zone, the new "dnssec-signzone -Q" option drops
+  • When re-signing a zone, the new "dnssec-signzone -Q" option drops
     signatures from keys that are still published but are no longer
     active.
-  * "named-checkconf -px" will print the contents of configuration files
+  • "named-checkconf -px" will print the contents of configuration files
     with the shared secrets obscured, making it easier to share
     configuration (e.g. when submitting a bug report) without revealing
     private information.
-  * "rndc scan" causes named to re-scan network interfaces for changes in
+  • "rndc scan" causes named to re-scan network interfaces for changes in
     local addresses.
-  * On operating systems with support for routing sockets, network
+  • On operating systems with support for routing sockets, network
     interfaces are re-scanned automatically whenever they change.
-  * "tsig-keygen" is now available as an alternate command name to use for
+  • "tsig-keygen" is now available as an alternate command name to use for
     "ddns-confgen".
 
 BIND 9.9.0
@@ -125,68 +125,68 @@ BIND 9.9.0
 BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
 releases. New features include:
 
-  * Inline signing, allowing automatic DNSSEC signing of master zones
+  • Inline signing, allowing automatic DNSSEC signing of master zones
     without modification of the zonefile, or "bump in the wire" signing in
     slaves.
-  * NXDOMAIN redirection.
-  * New 'rndc flushtree' command clears all data under a given name from
+  • NXDOMAIN redirection.
+  • New 'rndc flushtree' command clears all data under a given name from
     the DNS cache.
-  * New 'rndc sync' command dumps pending changes in a dynamic zone to
+  • New 'rndc sync' command dumps pending changes in a dynamic zone to
     disk without a freeze/thaw cycle.
-  * New 'rndc signing' command displays or clears signing status records
+  • New 'rndc signing' command displays or clears signing status records
     in 'auto-dnssec' zones.
-  * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
+  • NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
     signing, eliminating the need to initially sign with NSEC.
-  * Startup time improvements on large authoritative servers.
-  * Slave zones are now saved in raw format by default.
-  * Several improvements to response policy zones (RPZ).
-  * Improved hardware scalability by using multiple threads to listen for
+  • Startup time improvements on large authoritative servers.
+  • Slave zones are now saved in raw format by default.
+  • Several improvements to response policy zones (RPZ).
+  • Improved hardware scalability by using multiple threads to listen for
     queries and using finer-grained client locking
-  * The 'also-notify' option now takes the same syntax as 'masters', so it
+  • The 'also-notify' option now takes the same syntax as 'masters', so it
     can used named masterlists and TSIG keys.
-  * 'dnssec-signzone -D' writes an output file containing only DNSSEC
+  • 'dnssec-signzone -D' writes an output file containing only DNSSEC
     data, which can be included by the primary zone file.
-  * 'dnssec-signzone -R' forces removal of signatures that are not expired
+  • 'dnssec-signzone -R' forces removal of signatures that are not expired
     but were created by a key which no longer exists.
-  * 'dnssec-signzone -X' allows a separate expiration date to be specified
+  • 'dnssec-signzone -X' allows a separate expiration date to be specified
     for DNSKEY signatures from other signatures.
-  * New '-L' option to dnssec-keygen, dnssec-settime, and
+  • New '-L' option to dnssec-keygen, dnssec-settime, and
     dnssec-keyfromlabel sets the default TTL for the key.
-  * dnssec-dsfromkey now supports reading from standard input, to make it
+  • dnssec-dsfromkey now supports reading from standard input, to make it
     easier to convert DNSKEY to DS.
-  * RFC 1918 reverse zones have been added to the empty-zones table per
+  • RFC 1918 reverse zones have been added to the empty-zones table per
     RFC 6303.
-  * Dynamic updates can now optionally set the zone's SOA serial number to
+  • Dynamic updates can now optionally set the zone's SOA serial number to
     the current UNIX time.
-  * DLZ modules can now retrieve the source IP address of the querying
+  • DLZ modules can now retrieve the source IP address of the querying
     client.
-  * 'request-ixfr' option can now be set at the per-zone level.
-  * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
+  • 'request-ixfr' option can now be set at the per-zone level.
+  • 'dig +rrcomments' turns on comments about DNSKEY records, indicating
     their key ID, algorithm and function
-  * Simplified nsupdate syntax and added readline support
+  • Simplified nsupdate syntax and added readline support
 
 BIND 9.8.0
 
 BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
 releases. New features include:
 
-  * Built-in trust anchor for the root zone, which can be switched on via
+  • Built-in trust anchor for the root zone, which can be switched on via
     "dnssec-validation auto;"
-  * Support for DNS64.
-  * Support for response policy zones (RPZ).
-  * Support for writable DLZ zones.
-  * Improved ease of configuration of GSS/TSIG for interoperability with
+  • Support for DNS64.
+  • Support for response policy zones (RPZ).
+  • Support for writable DLZ zones.
+  • Improved ease of configuration of GSS/TSIG for interoperability with
     Active Directory
-  * Support for GOST signing algorithm for DNSSEC.
-  * Removed RTT Banding from server selection algorithm.
-  * New "static-stub" zone type.
-  * Allow configuration of resolver timeouts via "resolver-query-timeout"
+  • Support for GOST signing algorithm for DNSSEC.
+  • Removed RTT Banding from server selection algorithm.
+  • New "static-stub" zone type.
+  • Allow configuration of resolver timeouts via "resolver-query-timeout"
     option.
-  * The DLZ "dlopen" driver is now built by default.
-  * Added a new include file with function typedefs for the DLZ "dlopen"
+  • The DLZ "dlopen" driver is now built by default.
+  • Added a new include file with function typedefs for the DLZ "dlopen"
     driver.
-  * Made "--with-gssapi" default.
-  * More verbose error reporting from DLZ LDAP.
+  • Made "--with-gssapi" default.
+  • More verbose error reporting from DLZ LDAP.
 
 BIND 9.7.0
 
@@ -194,192 +194,192 @@ BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
 releases. Most are intended to simplify DNSSEC configuration. New features
 include:
 
-  * Fully automatic signing of zones by "named".
-  * Simplified configuration of DNSSEC Lookaside Validation (DLV).
-  * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+  • Fully automatic signing of zones by "named".
+  • Simplified configuration of DNSSEC Lookaside Validation (DLV).
+  • Simplified configuration of Dynamic DNS, using the "ddns-confgen"
     command line tool or the "local" update-policy option. (As a side
     effect, this also makes it easier to configure automatic zone
     re-signing.)
-  * New named option "attach-cache" that allows multiple views to share a
+  • New named option "attach-cache" that allows multiple views to share a
     single cache.
-  * DNS rebinding attack prevention.
-  * New default values for dnssec-keygen parameters.
-  * Support for RFC 5011 automated trust anchor maintenance
-  * Smart signing: simplified tools for zone signing and key maintenance.
-  * The "statistics-channels" option is now available on Windows.
-  * A new DNSSEC-aware libdns API for use by non-BIND9 applications
-  * On some platforms, named and other binaries can now print out a stack
+  • DNS rebinding attack prevention.
+  • New default values for dnssec-keygen parameters.
+  • Support for RFC 5011 automated trust anchor maintenance
+  • Smart signing: simplified tools for zone signing and key maintenance.
+  • The "statistics-channels" option is now available on Windows.
+  • A new DNSSEC-aware libdns API for use by non-BIND9 applications
+  • On some platforms, named and other binaries can now print out a stack
     backtrace on assertion failure, to aid in debugging.
-  * A "tools only" installation mode on Windows, which only installs dig,
+  • A "tools only" installation mode on Windows, which only installs dig,
     host, nslookup and nsupdate.
-  * Improved PKCS#11 support, including Keyper support and explicit
+  • Improved PKCS#11 support, including Keyper support and explicit
     OpenSSL engine selection.
 
 BIND 9.6.0
 
-  * Full NSEC3 support
-  * Automatic zone re-signing
-  * New update-policy methods tcp-self and 6to4-self
-  * The BIND 8 resolver library, libbind, has been removed from the BIND 9
+  • Full NSEC3 support
+  • Automatic zone re-signing
+  • New update-policy methods tcp-self and 6to4-self
+  • The BIND 8 resolver library, libbind, has been removed from the BIND 9
     distribution and is now available as a separate download.
-  * Change the default pid file location from /var/run to /var/run/
+  • Change the default pid file location from /var/run to /var/run/
     {named,lwresd} for improved chroot/setuid support.
 
 BIND 9.5.0
 
-  * GSS-TSIG support (RFC 3645).
-  * DHCID support.
-  * Experimental http server and statistics support for named via xml.
-  * More detailed statistics counters including those supported in BIND 8.
-  * Faster ACL processing.
-  * Use Doxygen to generate internal documentation.
-  * Efficient LRU cache-cleaning mechanism.
-  * NSID support.
+  • GSS-TSIG support (RFC 3645).
+  • DHCID support.
+  • Experimental http server and statistics support for named via xml.
+  • More detailed statistics counters including those supported in BIND 8.
+  • Faster ACL processing.
+  • Use Doxygen to generate internal documentation.
+  • Efficient LRU cache-cleaning mechanism.
+  • NSID support.
 
 BIND 9.4.0
 
-  * Implemented "additional section caching (or acache)", an internal
+  • Implemented "additional section caching (or acache)", an internal
     cache framework for additional section content to improve response
     performance. Several configuration options were provided to control
     the behavior.
-  * New notify type 'master-only'. Enable notify for master zones only.
-  * Accept 'notify-source' style syntax for query-source.
-  * rndc now allows addresses to be set in the server clauses.
-  * New option "allow-query-cache". This lets "allow-query" be used to
+  • New notify type 'master-only'. Enable notify for master zones only.
+  • Accept 'notify-source' style syntax for query-source.
+  • rndc now allows addresses to be set in the server clauses.
+  • New option "allow-query-cache". This lets "allow-query" be used to
     specify the default zone access level rather than having to have every
     zone override the global value. "allow-query-cache" can be set at both
     the options and view levels. If "allow-query-cache" is not set then
     "allow-recursion" is used if set, otherwise "allow-query" is used if
     set unless "recursion no;" is set in which case "none;" is used,
     otherwise the default (localhost; localnets;) is used.
-  * rndc: the source address can now be specified.
-  * ixfr-from-differences now takes master and slave in addition to yes
+  • rndc: the source address can now be specified.
+  • ixfr-from-differences now takes master and slave in addition to yes
     and no at the options and view levels.
-  * Allow the journal's name to be changed via named.conf.
-  * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+  • Allow the journal's name to be changed via named.conf.
+  • 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
     specified zone.
-  * 'dig +trace' now randomly selects the next servers to try. Report if
+  • 'dig +trace' now randomly selects the next servers to try. Report if
     there is a bad delegation.
-  * Improve check-names error messages.
-  * Make public the function to read a key file, dst_key_read_public().
-  * dig now returns the byte count for axfr/ixfr.
-  * allow-update is now settable at the options / view level.
-  * named-checkconf now checks the logging configuration.
-  * host now can turn on memory debugging flags with '-m'.
-  * Don't send notify messages to self.
-  * Perform sanity checks on NS records which refer to 'in zone' names.
-  * New zone option "notify-delay". Specify a minimum delay between sets
+  • Improve check-names error messages.
+  • Make public the function to read a key file, dst_key_read_public().
+  • dig now returns the byte count for axfr/ixfr.
+  • allow-update is now settable at the options / view level.
+  • named-checkconf now checks the logging configuration.
+  • host now can turn on memory debugging flags with '-m'.
+  • Don't send notify messages to self.
+  • Perform sanity checks on NS records which refer to 'in zone' names.
+  • New zone option "notify-delay". Specify a minimum delay between sets
     of NOTIFY messages.
-  * Extend adjusting TTL warning messages.
-  * Named and named-checkzone can now both check for non-terminal wildcard
+  • Extend adjusting TTL warning messages.
+  • Named and named-checkzone can now both check for non-terminal wildcard
     records.
-  * "rndc freeze/thaw" now freezes/thaws all zones.
-  * named-checkconf now check acls to verify that they only refer to
+  • "rndc freeze/thaw" now freezes/thaws all zones.
+  • named-checkconf now check acls to verify that they only refer to
     existing acls.
-  * The server syntax has been extended to support a range of servers.
-  * Report differences between hints and real NS rrset and associated
+  • The server syntax has been extended to support a range of servers.
+  • Report differences between hints and real NS rrset and associated
     address records.
-  * Preserve the case of domain names in rdata during zone transfers.
-  * Restructured the data locking framework using architecture dependent
+  • Preserve the case of domain names in rdata during zone transfers.
+  • Restructured the data locking framework using architecture dependent
     atomic operations (when available), improving response performance on
     multi-processor machines significantly. x86, x86_64, alpha, powerpc,
     and mips are currently supported.
-  * UNIX domain controls are now supported.
-  * Add support for additional zone file formats for improving loading
+  • UNIX domain controls are now supported.
+  • Add support for additional zone file formats for improving loading
     performance. The masterfile-format option in named.conf can be used to
     specify a non-default format. A separate command named-compilezone was
     provided to generate zone files in the new format. Additionally, the
     -I and -O options for dnssec-signzone specify the input and output
     formats.
-  * dnssec-signzone can now randomize signature end times (dnssec-signzone
+  • dnssec-signzone can now randomize signature end times (dnssec-signzone
     -j jitter).
-  * Add support for CH A record.
-  * Add additional zone data constancy checks. named-checkzone has
+  • Add support for CH A record.
+  • Add additional zone data constancy checks. named-checkzone has
     extended checking of NS, MX and SRV record and the hosts they
     reference. named has extended post zone load checks. New zone options:
     check-mx and integrity-check.
-  * edns-udp-size can now be overridden on a per server basis.
-  * dig can now specify the EDNS version when making a query.
-  * Added framework for handling multiple EDNS versions.
-  * Additional memory debugging support to track size and mctx arguments.
-  * Detect duplicates of UDP queries we are recursing on and drop them.
+  • edns-udp-size can now be overridden on a per server basis.
+  • dig can now specify the EDNS version when making a query.
+  • Added framework for handling multiple EDNS versions.
+  • Additional memory debugging support to track size and mctx arguments.
+  • Detect duplicates of UDP queries we are recursing on and drop them.
     New stats category "duplicates".
-  * "USE INTERNAL MALLOC" is now runtime selectable.
-  * The lame cache is now done on a <qname,qclass,qtype> basis as some
+  • "USE INTERNAL MALLOC" is now runtime selectable.
+  • The lame cache is now done on a <qname,qclass,qtype> basis as some
     servers only appear to be lame for certain query types.
-  * Limit the number of recursive clients that can be waiting for a single
+  • Limit the number of recursive clients that can be waiting for a single
     query (<qname,qtype,qclass>) to resolve. New options clients-per-query
     and max-clients-per-query.
-  * dig: report the number of extra bytes still left in the packet after
+  • dig: report the number of extra bytes still left in the packet after
     processing all the records.
-  * Support for IPSECKEY rdata type.
-  * Raise the UDP recieve buffer size to 32k if it is less than 32k.
-  * x86 and x86_64 now have seperate atomic locking implementations.
-  * named-checkconf now validates update-policy entries.
-  * Attempt to make the amount of work performed in a iteration self
+  • Support for IPSECKEY rdata type.
+  • Raise the UDP receive buffer size to 32k if it is less than 32k.
+  • x86 and x86_64 now have separate atomic locking implementations.
+  • named-checkconf now validates update-policy entries.
+  • Attempt to make the amount of work performed in a iteration self
     tuning. The covers nodes clean from the cache per iteration, nodes
     written to disk when rewriting a master file and nodes destroyed per
     iteration when destroying a zone or a cache.
-  * ISC string copy API.
-  * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
+  • ISC string copy API.
+  • Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
     1918 zones are not yet covered by this but are likely to be in a
     future release.
-  * New options: empty-server, empty-contact, empty-zones-enable and
+  • New options: empty-server, empty-contact, empty-zones-enable and
     disable-empty-zone.
-  * dig now has a '-q queryname' and '+showsearch' options.
-  * host/nslookup now continue (default)/fail on SERVFAIL.
-  * dig now warns if 'RA' is not set in the answer when 'RD' was set in
+  • dig now has a '-q queryname' and '+showsearch' options.
+  • host/nslookup now continue (default)/fail on SERVFAIL.
+  • dig now warns if 'RA' is not set in the answer when 'RD' was set in
     the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
     is set unless a server is explicitly set.
-  * Integrate contibuted DLZ code into named.
-  * Integrate contibuted IDN code from JPNIC.
-  * libbind: corresponds to that from BIND 8.4.7.
+  • Integrate contributed DLZ code into named.
+  • Integrate contributed IDN code from JPNIC.
+  • libbind: corresponds to that from BIND 8.4.7.
 
 BIND 9.3.0
 
-  * DNSSEC is now DS based (RFC 3658).
-  * DNSSEC lookaside validation.
-  * check-names is now implemented.
-  * rrset-order is more complete.
-  * IPv4/IPv6 transition support, dual-stack-servers.
-  * IXFR deltas can now be generated when loading master files,
+  • DNSSEC is now DS based (RFC 3658).
+  • DNSSEC lookaside validation.
+  • check-names is now implemented.
+  • rrset-order is more complete.
+  • IPv4/IPv6 transition support, dual-stack-servers.
+  • IXFR deltas can now be generated when loading master files,
     ixfr-from-differences.
-  * It is now possible to specify the size of a journal, max-journal-size.
-  * It is now possible to define a named set of master servers to be used
+  • It is now possible to specify the size of a journal, max-journal-size.
+  • It is now possible to define a named set of master servers to be used
     in masters clause, masters.
-  * The advertised EDNS UDP size can now be set, edns-udp-size.
-  * allow-v6-synthesis has been obsoleted.
-  * Zones containing MD and MF will now be rejected.
-  * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+  • The advertised EDNS UDP size can now be set, edns-udp-size.
+  • allow-v6-synthesis has been obsoleted.
+  • Zones containing MD and MF will now be rejected.
+  • dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
     NOTIMPL. This will have impact on scripts that are looking for
     NOTIMPL.
-  * libbind: corresponds to that from BIND 8.4.5.
+  • libbind: corresponds to that from BIND 8.4.5.
 
 BIND 9.2.0
 
-  * The size of the cache can now be limited using the "max-cache-size"
+  • The size of the cache can now be limited using the "max-cache-size"
     option.
-  * The server can now automatically convert RFC1886-style recursive
+  • The server can now automatically convert RFC1886-style recursive
     lookup requests into RFC2874-style lookups, when enabled using the new
     option "allow-v6-synthesis". This allows stub resolvers that support
     AAAA records but not A6 record chains or binary labels to perform
     lookups in domains that make use of these IPv6 DNS features.
-  * Performance has been improved.
-  * The man pages now use the more portable "man" macros rather than the
+  • Performance has been improved.
+  • The man pages now use the more portable "man" macros rather than the
     "mandoc" macros, and are installed by "make install".
-  * The named.conf parser has been completely rewritten. It now supports
+  • The named.conf parser has been completely rewritten. It now supports
     "include" directives in more places such as inside "view" statements,
     and it no longer has any reserved words.
-  * The "rndc status" command is now implemented.
-  * rndc can now be configured automatically.
-  * A BIND 8 compatible stub resolver library is now included in lib/bind.
-  * OpenSSL has been removed from the distribution. This means that to use
+  • The "rndc status" command is now implemented.
+  • rndc can now be configured automatically.
+  • A BIND 8 compatible stub resolver library is now included in lib/bind.
+  • OpenSSL has been removed from the distribution. This means that to use
     DNSSEC, OpenSSL must be installed and the --with-openssl option must
     be supplied to configure. This does not apply to the use of TSIG,
     which does not require OpenSSL.
-  * The source distribution now builds on Windows. See win32utils/
+  • The source distribution now builds on Windows. See win32utils/
     readme1.txt and win32utils/win32-build.txt for details.
-  * This distribution also includes a new lightweight stub resolver
+  • This distribution also includes a new lightweight stub resolver
     library and associated resolver daemon that fully support forward and
     reverse lookups of both IPv4 and IPv6 addresses. This library is
     considered experimental and is not a complete replacement for the BIND
@@ -387,11 +387,11 @@ BIND 9.2.0
     to perform DNS lookups or dynamic updates still need to be linked
     against the BIND 8 libraries. For DNS lookups, they can also use the
     new "getrrsetbyname()" API.
-  * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+  • BIND 9.2 is capable of acting as an authoritative server for DNSSEC
     secured zones. This functionality is believed to be stable and
     complete except for lacking support for verifications involving
     wildcard records in secure zones.
-  * When acting as a caching server, BIND 9.2 can be configured to perform
+  • When acting as a caching server, BIND 9.2 can be configured to perform
     DNSSEC secure resolution on behalf of its clients. This part of the
     DNSSEC implementation is still considered experimental. For detailed
     information about the state of the DNSSEC implementation, see the file
diff --git a/bind/bind9/HISTORY.md b/bind/bind9/HISTORY.md
index 4e1dab32..e0a9cdf1 100644
--- a/bind/bind9/HISTORY.md
+++ b/bind/bind9/HISTORY.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -333,8 +333,8 @@ BIND 9.4.0
 - dig: report the number of extra bytes still left in the packet after
   processing all the records.
 - Support for IPSECKEY rdata type.
-- Raise the UDP recieve buffer size to 32k if it is less than 32k.
-- x86 and x86_64 now have seperate atomic locking implementations.
+- Raise the UDP receive buffer size to 32k if it is less than 32k.
+- x86 and x86_64 now have separate atomic locking implementations.
 - named-checkconf now validates update-policy entries.
 - Attempt to make the amount of work performed in a iteration self tuning.
   The covers nodes clean from the cache per iteration, nodes written to
@@ -351,8 +351,8 @@ BIND 9.4.0
 - dig now warns if 'RA' is not set in the answer when 'RD' was set in the
   query.  host/nslookup skip servers that fail to set 'RA' when 'RD' is set
   unless a server is explicitly set.
-- Integrate contibuted DLZ code into named.
-- Integrate contibuted IDN code from JPNIC.
+- Integrate contributed DLZ code into named.
+- Integrate contributed IDN code from JPNIC.
 - libbind: corresponds to that from BIND 8.4.7.
 
 #### BIND 9.3.0
diff --git a/bind/bind9/Makefile.in b/bind/bind9/Makefile.in
index 9b3d12d8..3eeeaebe 100644
--- a/bind/bind9/Makefile.in
+++ b/bind/bind9/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -96,22 +96,22 @@ test-force:
 
 README: README.md
 	${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
-		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		${W3M} -dump -cols 75 -O utf-8 -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 HISTORY: HISTORY.md
 	${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
-		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		${W3M} -dump -cols 75 -O utf-8 -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 OPTIONS: OPTIONS.md
 	${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
-		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		${W3M} -dump -cols 75 -O utf-8 -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 CONTRIBUTING: CONTRIBUTING.md
 	${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
-		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		${W3M} -dump -cols 75 -O utf-8 -T text/html | \
 		sed -e '$${/^$$/d;}' > $@
 
 unit::
diff --git a/bind/bind9/OPTIONS.md b/bind/bind9/OPTIONS.md
index 6fb9a447..32609892 100644
--- a/bind/bind9/OPTIONS.md
+++ b/bind/bind9/OPTIONS.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/README b/bind/bind9/README
index 378aa8d1..53b9e7eb 100644
--- a/bind/bind9/README
+++ b/bind/bind9/README
@@ -68,7 +68,10 @@ named-checkconf -px.
 
 If the bug you are reporting is a potential security issue, such as an
 assertion failure or other crash in named, please do NOT use GitLab to
-report it. Instead, please send mail to security-officer@isc.org.
+report it. Instead, send mail to security-officer@isc.org using our
+OpenPGP key to secure your message. (Information about OpenPGP and links
+to our key can be found at https://www.isc.org/pgpkey.) Please do not
+discuss the bug on any public mailing list.
 
 For a general overview of ISC security policies, read the Knowledge Base
 article at https://kb.isc.org/docs/aa-00861.
@@ -109,124 +112,124 @@ BIND 9.11 features
 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
 releases. New features include:
 
-  * Added support for Catalog Zones, a new method for provisioning
+  • Added support for Catalog Zones, a new method for provisioning
     servers: a list of zones to be served is stored in a DNS zone, along
     with their configuration parameters. Changes to the catalog zone are
     propagated to slaves via normal AXFR/IXFR, whereupon the zones that
     are listed in it are automatically added, deleted or reconfigured.
-  * Added support for "dnstap", a fast and flexible method of capturing
+  • Added support for "dnstap", a fast and flexible method of capturing
     and logging DNS traffic.
-  * Added support for "dyndb", a new API for loading zone data from an
+  • Added support for "dyndb", a new API for loading zone data from an
     external database, developed by Red Hat for the FreeIPA project.
-  * "fetchlimit" quotas are now compiled in by default. These are for the
+  • "fetchlimit" quotas are now compiled in by default. These are for the
     use of recursive resolvers that are are under high query load for
     domains whose authoritative servers are nonresponsive or are
     experiencing a denial of service attack:
-      + fetches-per-server limits the number of simultaneous queries that
+      â–¡ fetches-per-server limits the number of simultaneous queries that
         can be sent to any single authoritative server. The configured
         value is a starting point; it is automatically adjusted downward
         if the server is partially or completely non-responsive. The
         algorithm used to adjust the quota can be configured via the
         "fetch-quota-params" option.
-      + fetches-per-zone limits the number of simultaneous queries that
+      â–¡ fetches-per-zone limits the number of simultaneous queries that
         can be sent for names within a single domain. (Note: Unlike
         fetches-per-server, this value is not self-tuning.)
-      + New stats counters have been added to count queries spilled due to
+      â–¡ New stats counters have been added to count queries spilled due to
         these quotas.
-  * Added a new dnssec-keymgr key maintenance utility, which can generate
+  • Added a new dnssec-keymgr key maintenance utility, which can generate
     or update keys as needed to ensure that a zone's keys match a defined
     DNSSEC policy.
-  * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
+  • The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
     and is no longer optional. EDNS COOKIE is a mechanism enabling clients
     to detect off-path spoofed responses, and servers to detect
     spoofed-source queries. Clients that identify themselves using COOKIE
     options are not subject to response rate limiting (RRL) and can
     receive larger UDP responses.
-  * SERVFAIL responses can now be cached for a limited time (defaulting to
+  • SERVFAIL responses can now be cached for a limited time (defaulting to
     1 second, with an upper limit of 30). This can reduce the frequency of
     retries when a query is persistently failing.
-  * Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be
+  • Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be
     skipped if a name server IP address isn't in the cache yet; the
     address will be looked up and the rule will be applied on future
     queries.
-  * Added a Python RNDC module. This allows multiple commands to sent over
+  • Added a Python RNDC module. This allows multiple commands to sent over
     a persistent RNDC channel, which saves time.
-  * The controls block in named.conf can now grant read-only rndc access
+  • The controls block in named.conf can now grant read-only rndc access
     to specified clients or keys. Read-only clients could, for example,
     check rndc status but could not reconfigure or shut down the server.
-  * rndc commands can now return arbitrarily large amounts of text to the
+  • rndc commands can now return arbitrarily large amounts of text to the
     caller.
-  * The zone serial number of a dynamically updatable zone can now be set
+  • The zone serial number of a dynamically updatable zone can now be set
     via rndc signing -serial <number> <zonename>. This allows
     inline-signing zones to be set to a specific serial number.
-  * The new rndc nta command can be used to set a Negative Trust Anchor
+  • The new rndc nta command can be used to set a Negative Trust Anchor
     (NTA), disabling DNSSEC validation for a specific domain; this can be
     used when responses from a domain are known to be failing validation
     due to administrative error rather than because of a spoofing attack.
     Negative trust anchors are strictly temporary; by default they expire
     after one hour, but can be configured to last up to one week.
-  * rndc delzone can now be used on zones that were not originally created
+  • rndc delzone can now be used on zones that were not originally created
     by "rndc addzone".
-  * rndc modzone reconfigures a single zone, without requiring the entire
+  • rndc modzone reconfigures a single zone, without requiring the entire
     server to be reconfigured.
-  * rndc showzone displays the current configuration of a zone.
-  * rndc managed-keys can be used to check the status of RFC 5001 managed
+  • rndc showzone displays the current configuration of a zone.
+  • rndc managed-keys can be used to check the status of RFC 5001 managed
     trust anchors, or to force trust anchors to be refreshed.
-  * max-cache-size can now be set to a percentage of available memory. The
+  • max-cache-size can now be set to a percentage of available memory. The
     default is 90%.
-  * Update forwarding performance has been improved by allowing a single
+  • Update forwarding performance has been improved by allowing a single
     TCP connection to be shared by multiple updates.
-  * The EDNS Client Subnet (ECS) option is now supported for authoritative
+  • The EDNS Client Subnet (ECS) option is now supported for authoritative
     servers; if a query contains an ECS option then ACLs containing geoip
     or ecs elements can match against the the address encoded in the
     option. This can be used to select a view for a query, so that
     different answers can be provided depending on the client network.
-  * The EDNS EXPIRE option has been implemented on the client side,
+  • The EDNS EXPIRE option has been implemented on the client side,
     allowing a slave server to set the expiration timer correctly when
     transferring zone data from another slave server.
-  * The key generation and manipulation tools (dnssec-keygen,
+  • The key generation and manipulation tools (dnssec-keygen,
     dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take -Psync
     and -Dsync options to set the publication and deletion times of CDS
     and CDNSKEY parent-synchronization records. Both named and
     dnssec-signzone can now publish and remove these records at the
     scheduled times.
-  * A new minimal-any option reduces the size of UDP responses for query
+  • A new minimal-any option reduces the size of UDP responses for query
     type ANY by returning a single arbitrarily selected RRset instead of
     all RRsets.
-  * A new masterfile-style zone option controls the formatting of text
+  • A new masterfile-style zone option controls the formatting of text
     zone files: When set to full, a zone file is dumped in
     single-line-per-record format.
-  * serial-update-method can now be set to date. On update, the serial
+  • serial-update-method can now be set to date. On update, the serial
     number will be set to the current date in YYYYMMDDNN format.
-  * dnssec-signzone -N date sets the serial number to YYYYMMDDNN.
-  * named -L <filename> causes named to send log messages to the specified
+  • dnssec-signzone -N date sets the serial number to YYYYMMDDNN.
+  • named -L <filename> causes named to send log messages to the specified
     file by default instead of to the system log.
-  * dig +ttlunits prints TTL values with time-unit suffixes: w, d, h, m, s
+  • dig +ttlunits prints TTL values with time-unit suffixes: w, d, h, m, s
     for weeks, days, hours, minutes, and seconds.
-  * dig +unknownformat prints dig output in RFC 3597 "unknown record"
+  • dig +unknownformat prints dig output in RFC 3597 "unknown record"
     presentation format.
-  * dig +ednsopt allows dig to set arbitrary EDNS options on requests.
-  * dig +ednsflags allows dig to set yet-to-be-defined EDNS flags on
+  • dig +ednsopt allows dig to set arbitrary EDNS options on requests.
+  • dig +ednsflags allows dig to set yet-to-be-defined EDNS flags on
     requests.
-  * mdig is an alternate version of dig which sends multiple pipelined TCP
+  • mdig is an alternate version of dig which sends multiple pipelined TCP
     queries to a server. Instead of waiting for a response after sending a
     query, it sends all queries immediately and displays responses in the
     order received.
-  * serial-query-rate no longer controls NOTIFY messages. These are
+  • serial-query-rate no longer controls NOTIFY messages. These are
     separately controlled by notify-rate and startup-notify-rate.
-  * nsupdate now performs check-names processing by default on records to
+  • nsupdate now performs check-names processing by default on records to
     be added. This can be disabled with check-names no.
-  * The statistics channel now supports DEFLATE compression, reducing the
+  • The statistics channel now supports DEFLATE compression, reducing the
     size of the data sent over the network when querying statistics.
-  * New counters have been added to the statistics channel to track the
+  • New counters have been added to the statistics channel to track the
     sizes of incoming queries and outgoing responses in histogram buckets,
     as specified in RSSAC002.
-  * A new NXDOMAIN redirect method (option nxdomain-redirect) has been
+  • A new NXDOMAIN redirect method (option nxdomain-redirect) has been
     added, allowing redirection to a specified DNS namespace instead of a
     single redirect zone.
-  * When starting up, named now ensures that no other named process is
+  • When starting up, named now ensures that no other named process is
     already running.
-  * Files created by named to store information, including mkeys and nzf
+  • Files created by named to store information, including mkeys and nzf
     files, are now named after their corresponding views unless the view
     name contains characters incompatible with use as a filename. Old
     style filenames (based on the hash of the view name) will still work.
@@ -263,7 +266,7 @@ BIND 9.11.5
 BIND 9.11.5 is a maintenance release, and also addresses CVE-2018-5741 by
 correcting faulty documentation and introducing the following new feature:
 
-  * New krb5-selfsub and ms-selfsub rule types for update-policy
+  • New krb5-selfsub and ms-selfsub rule types for update-policy
     statements allow updating of subdomains based on a Kerberos or Active
     Directory machine principal.
 
@@ -309,14 +312,110 @@ BIND 9.11.14
 
 BIND 9.11.14 is a maintenance release.
 
+BIND 9.11.15
+
+BIND 9.11.15 is a maintenance release.
+
+BIND 9.11.16
+
+BIND 9.11.16 is a maintenance release.
+
+BIND 9.11.17
+
+BIND 9.11.17 is a maintenance release.
+
+BIND 9.11.18
+
+BIND 9.11.18 is a maintenance release.
+
+BIND 9.11.19
+
+BIND 9.11.19 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
+
+BIND 9.11.20
+
+BIND 9.11.20 is a maintenance release, and also addresses the security
+vulnerability disclosed in CVE-2020-8619.
+
+BIND 9.11.21
+
+BIND 9.11.21 is a maintenance release.
+
+BIND 9.11.22
+
+BIND 9.11.22 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2020-8622, CVE-2020-8623, and
+CVE-2020-8624.
+
+BIND 9.11.23
+
+BIND 9.11.23 is a maintenance release.
+
+BIND 9.11.24
+
+BIND 9.11.24 is a maintenance release.
+
+BIND 9.11.25
+
+BIND 9.11.25 is a maintenance release.
+
+BIND 9.11.26
+
+BIND 9.11.26 is a maintenance release.
+
+BIND 9.11.27
+
+BIND 9.11.27 is a maintenance release.
+
+BIND 9.11.28
+
+BIND 9.11.28 is a maintenance release, and also addresses the security
+vulnerability disclosed in CVE-2020-8625.
+
+BIND 9.11.29
+
+BIND 9.11.29 is a maintenance release.
+
+BIND 9.11.30
+
+This release was withdrawn.
+
+BIND 9.11.31
+
+BIND 9.11.31 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2021-25214, CVE-2021-25215, and
+CVE-2021-25216.
+
+BIND 9.11.32
+
+BIND 9.11.32 is a maintenance release.
+
+BIND 9.11.33
+
+BIND 9.11.33 is a maintenance release.
+
+BIND 9.11.34
+
+BIND 9.11.34 is a maintenance release.
+
+BIND 9.11.35
+
+BIND 9.11.35 is a maintenance release.
+
+BIND 9.11.36
+
+BIND 9.11.36 is a maintenance release, and also addresses the security
+vulnerability disclosed in CVE-2021-25219.
+
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
 basic POSIX support, and a 64-bit integer type. Successful builds have
-been observed on many versions of Linux and UNIX, including RHEL/CentOS,
-Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
-NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
-OpenWRT.
+been observed on many versions of Linux and UNIX, including RHEL/CentOS/
+Oracle Linux, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine,
+FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX,
+and OpenWRT.
 
 BIND is also available for Windows Server 2008 and higher. See win32utils/
 build.txt for details on building for Windows systems.
@@ -330,7 +429,7 @@ If you're planning on making changes to the BIND 9 source, you should run
 make depend. If you're using Emacs, you might find make tags helpful.
 
 Several environment variables that can be set before running configure
-will affect compilation:
+will affect compilation. Significant ones are:
 
    Variable                            Description
 CC             The C compiler to use. configure tries to figure out the
@@ -352,6 +451,11 @@ BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
 BUILD_LDFLAGS  LDFLAGS for the target system during cross-compiling.
 BUILD_LIBS     LIBS for the target system during cross-compiling.
 
+Additional environment variables affecting the build are listed at the end
+of the configure help text, which can be obtained by running the command:
+
+$ ./configure --help
+
 On platforms where neither the C11 Atomic operations library nor custom
 ISC atomic operations are available, updating the statistics counters is
 not locked due to performance reasons and therefore the counters might be
@@ -361,8 +465,9 @@ C11 compiler with C11 Atomic operations library support.
 macOS
 
 Building on macOS assumes that the "Command Tools for Xcode" is installed.
-This can be downloaded from https://developer.apple.com/download/more/ or
-if you have Xcode already installed you can run xcode-select --install.
+This can be downloaded from https://developer.apple.com/download/more/ or,
+if you have Xcode already installed, you can run xcode-select --install.
+(Note that an Apple ID may be required to access the download page.)
 
 Dependencies
 
@@ -403,8 +508,8 @@ least one of the following libraries: libxml2 http://xmlsoft.org or json-c
 https://github.com/json-c/json-c. If these are installed at a nonstandard
 location, then:
 
-  * for libxml2, specify the prefix using --with-libxml2=/prefix,
-  * for json-c, adjust PKG_CONFIG_PATH.
+  • for libxml2, specify the prefix using --with-libxml2=/prefix,
+  • for json-c, adjust PKG_CONFIG_PATH.
 
 To support compression on the HTTP statistics channel, the server must be
 linked against libzlib. If this is installed in a nonstandard location,
@@ -549,7 +654,7 @@ GitLab instance, which is not visible to the public.
 
 Acknowledgments
 
-  * The original development of BIND 9 was underwritten by the following
+  • The original development of BIND 9 was underwritten by the following
     organizations:
 
       Sun Microsystems, Inc.
@@ -564,11 +669,11 @@ Acknowledgments
       Stichting NLnet - NLnet Foundation
       Nominum, Inc.
 
-  * This product includes software developed by the OpenSSL Project for
+  • This product includes software developed by the OpenSSL Project for
     use in the OpenSSL Toolkit. http://www.OpenSSL.org/
 
-  * This product includes cryptographic software written by Eric Young
+  • This product includes cryptographic software written by Eric Young
     (eay@cryptsoft.com)
 
-  * This product includes software written by Tim Hudson
+  • This product includes software written by Tim Hudson
     (tjh@cryptsoft.com)
diff --git a/bind/bind9/README.md b/bind/bind9/README.md
index ec82fcad..e77cfaa5 100644
--- a/bind/bind9/README.md
+++ b/bind/bind9/README.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -79,8 +79,12 @@ using `named-checkconf -px`.
 
 If the bug you are reporting is a potential security issue, such as an
 assertion failure or other crash in `named`, please do *NOT* use GitLab to
-report it. Instead, please send mail to
-[security-officer@isc.org](mailto:security-officer@isc.org).
+report it. Instead, send mail to
+[security-officer@isc.org](mailto:security-officer@isc.org) using our
+OpenPGP key to secure your message. (Information about OpenPGP and links
+to our key can be found at
+[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
+discuss the bug on any public mailing list.
 
 For a general overview of ISC security policies, read the Knowledge Base
 article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
@@ -325,12 +329,108 @@ vulnerability disclosed in CVE-2019-6477.
 
 BIND 9.11.14 is a maintenance release.
 
+#### BIND 9.11.15
+
+BIND 9.11.15 is a maintenance release.
+
+#### BIND 9.11.16
+
+BIND 9.11.16 is a maintenance release.
+
+#### BIND 9.11.17
+
+BIND 9.11.17 is a maintenance release.
+
+#### BIND 9.11.18
+
+BIND 9.11.18 is a maintenance release.
+
+#### BIND 9.11.19
+
+BIND 9.11.19 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
+
+#### BIND 9.11.20
+
+BIND 9.11.20 is a maintenance release, and also addresses the security
+vulnerability disclosed in CVE-2020-8619.
+
+#### BIND 9.11.21
+
+BIND 9.11.21 is a maintenance release.
+
+#### BIND 9.11.22
+
+BIND 9.11.22 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2020-8622, CVE-2020-8623, and
+CVE-2020-8624.
+
+#### BIND 9.11.23
+
+BIND 9.11.23 is a maintenance release.
+
+#### BIND 9.11.24
+
+BIND 9.11.24 is a maintenance release.
+
+#### BIND 9.11.25
+
+BIND 9.11.25 is a maintenance release.
+
+#### BIND 9.11.26
+
+BIND 9.11.26 is a maintenance release.
+
+#### BIND 9.11.27
+
+BIND 9.11.27 is a maintenance release.
+
+#### BIND 9.11.28
+
+BIND 9.11.28 is a maintenance release, and also addresses the security
+vulnerability disclosed in CVE-2020-8625.
+
+#### BIND 9.11.29
+
+BIND 9.11.29 is a maintenance release.
+
+#### BIND 9.11.30
+
+This release was withdrawn.
+
+#### BIND 9.11.31
+
+BIND 9.11.31 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2021-25214, CVE-2021-25215, and
+CVE-2021-25216.
+
+#### BIND 9.11.32
+
+BIND 9.11.32 is a maintenance release.
+
+#### BIND 9.11.33
+
+BIND 9.11.33 is a maintenance release.
+
+#### BIND 9.11.34
+
+BIND 9.11.34 is a maintenance release.
+
+#### BIND 9.11.35
+
+BIND 9.11.35 is a maintenance release.
+
+#### BIND 9.11.36
+
+BIND 9.11.36 is a maintenance release, and also addresses the security
+vulnerability disclosed in CVE-2021-25219.
+
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
 basic POSIX support, and a 64-bit integer type. Successful builds have been
-observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
-Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
+observed on many versions of Linux and UNIX, including RHEL/CentOS/Oracle Linux,
+Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
 OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
 
 BIND is also available for Windows Server 2008 and higher.  See
@@ -346,7 +446,7 @@ If you're planning on making changes to the BIND 9 source, you should run
 `make depend`.  If you're using Emacs, you might find `make tags` helpful.
 
 Several environment variables that can be set before running `configure` will
-affect compilation:
+affect compilation.  Significant ones are:
 
 |Variable|Description |
 |--------------------|-----------------------------------------------|
@@ -361,6 +461,12 @@ affect compilation:
 |`BUILD_LDFLAGS`|`LDFLAGS` for the target system during cross-compiling.|
 |`BUILD_LIBS`|`LIBS` for the target system during cross-compiling.|
 
+Additional environment variables affecting the build are listed at the
+end of the `configure` help text, which can be obtained by running the
+command:
+
+    $ ./configure --help
+
 On platforms where neither the C11 Atomic operations library nor custom ISC
 atomic operations are available, updating the statistics counters is not
 locked due to performance reasons and therefore the counters might be
@@ -370,8 +476,11 @@ C11 compiler with C11 Atomic operations library support.
 #### <a name="macos"> macOS
 
 Building on macOS assumes that the "Command Tools for Xcode" is installed.
-This can be downloaded from [https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
-or if you have Xcode already installed you can run `xcode-select --install`.
+This can be downloaded from
+[https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
+or, if you have Xcode already installed, you can run `xcode-select
+--install`.  (Note that an Apple ID may be required to access the download
+page.)
 
 ### <a name="dependencies"/> Dependencies
 
diff --git a/bind/bind9/acconfig.h b/bind/bind9/acconfig.h
index 2513aabf..1a1b5087 100644
--- a/bind/bind9/acconfig.h
+++ b/bind/bind9/acconfig.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/autogen.sh b/bind/bind9/autogen.sh
index 583b00d8..4d219512 100755
--- a/bind/bind9/autogen.sh
+++ b/bind/bind9/autogen.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/Makefile.in b/bind/bind9/bin/Makefile.in
index f0c504a1..a18b2226 100644
--- a/bind/bind9/bin/Makefile.in
+++ b/bind/bind9/bin/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/check/Makefile.in b/bind/bind9/bin/check/Makefile.in
index 3048ec39..6f55fa68 100644
--- a/bind/bind9/bin/check/Makefile.in
+++ b/bind/bind9/bin/check/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/check/check-tool.c b/bind/bind9/bin/check/check-tool.c
index a95c42f9..09f87a14 100644
--- a/bind/bind9/bin/check/check-tool.c
+++ b/bind/bind9/bin/check/check-tool.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/check/check-tool.h b/bind/bind9/bin/check/check-tool.h
index a1acbe27..0964d2c0 100644
--- a/bind/bind9/bin/check/check-tool.h
+++ b/bind/bind9/bin/check/check-tool.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/check/named-checkconf.8 b/bind/bind9/bin/check/named-checkconf.8
index 05eea8bb..629491d7 100644
--- a/bind/bind9/bin/check/named-checkconf.8
+++ b/bind/bind9/bin/check/named-checkconf.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named-checkconf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-10
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -131,5 +131,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/check/named-checkconf.c b/bind/bind9/bin/check/named-checkconf.c
index ff1c0d26..e5afd52c 100644
--- a/bind/bind9/bin/check/named-checkconf.c
+++ b/bind/bind9/bin/check/named-checkconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -490,10 +490,15 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
 			continue;
 
 		classobj = cfg_tuple_get(vconfig, "class");
-		CHECK(config_getclass(classobj, dns_rdataclass_in,
-					 &viewclass));
-		if (dns_rdataclass_ismeta(viewclass))
+		tresult = config_getclass(classobj, dns_rdataclass_in,
+					  &viewclass);
+		if (tresult != ISC_R_SUCCESS) {
+			CHECK(tresult);
+		}
+
+		if (dns_rdataclass_ismeta(viewclass)) {
 			CHECK(ISC_R_FAILURE);
+		}
 
 		dns_rdataclass_format(viewclass, buf, sizeof(buf));
 		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
diff --git a/bind/bind9/bin/check/named-checkconf.docbook b/bind/bind9/bin/check/named-checkconf.docbook
index 6230cf66..c70f8b38 100644
--- a/bind/bind9/bin/check/named-checkconf.docbook
+++ b/bind/bind9/bin/check/named-checkconf.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
   <info>
     <date>2014-01-10</date>
   </info>
@@ -42,6 +42,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/check/named-checkconf.html b/bind/bind9/bin/check/named-checkconf.html
index 388ddc94..9f4f8fb1 100644
--- a/bind/bind9/bin/check/named-checkconf.html
+++ b/bind/bind9/bin/check/named-checkconf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,49 +10,30 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named-checkconf"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-checkconf</span>
-     &#8212; named configuration file syntax checking tool
-  </p>
+<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-checkconf</code> 
-       [<code class="option">-hjvz</code>]
-       [<code class="option">-p</code>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-hjvz</code>] [<code class="option">-p</code>
 	 [<code class="option">-x</code>
-      ]]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       {filename}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+      ]] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named-checkconf</strong></span>
+<p><span class="command"><strong>named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a
       <span class="command"><strong>named</strong></span> configuration file.  The file is parsed
       and checked for syntax errors, along with all files included by it.
       If no file is specified, <code class="filename">/etc/named.conf</code> is read
       by default.
     </p>
-    <p>
+<p>
       Note: files that <span class="command"><strong>named</strong></span> reads in separate
       parser contexts, such as <code class="filename">rndc.key</code> and
       <code class="filename">bind.keys</code>, are not automatically read
@@ -62,50 +43,37 @@
       successful.  <span class="command"><strong>named-checkconf</strong></span> can be run
       on these files explicitly, however.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print the usage summary and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-j</span></dt>
-<dd>
-          <p>
+<dd><p>
             When loading a zonefile read the journal if it exists.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Print out the <code class="filename">named.conf</code> and included files
 	    in canonical form if no errors were detected.
             See also the <code class="option">-x</code> option.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Chroot to <code class="filename">directory</code> so that include
             directives in the configuration file are processed as if
             run by a similarly chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print the version of the <span class="command"><strong>named-checkconf</strong></span>
             program and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-x</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    When printing the configuration files in canonical
             form, obscure shared secrets by replacing them with
             strings of question marks ('?'). This allows the
@@ -113,46 +81,32 @@
             files to be shared &#8212; for example, when submitting
             bug reports &#8212; without compromising private data.
             This option cannot be used without <code class="option">-p</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-z</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Perform a test load of all master zones found in
 	    <code class="filename">named.conf</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">filename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The name of the configuration file to be checked.  If not
             specified, it defaults to <code class="filename">/etc/named.conf</code>.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>RETURN VALUES</h2>
-
-    <p><span class="command"><strong>named-checkconf</strong></span>
+<p><span class="command"><strong>named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkzone</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/check/named-checkzone.8 b/bind/bind9/bin/check/named-checkzone.8
index 21c15a18..c66044a3 100644
--- a/bind/bind9/bin/check/named-checkzone.8
+++ b/bind/bind9/bin/check/named-checkzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named-checkzone
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-02-19
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -325,5 +325,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/check/named-checkzone.c b/bind/bind9/bin/check/named-checkzone.c
index 76401129..459850d2 100644
--- a/bind/bind9/bin/check/named-checkzone.c
+++ b/bind/bind9/bin/check/named-checkzone.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -75,9 +75,9 @@ usage(void) {
 	fprintf(stderr,
 		"usage: %s [-djqvD] [-c class] "
 		"[-f inputformat] [-F outputformat] [-J filename] "
-		"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
-		"[-r (ignore|warn|fail)] "
+		"[-s (full|relative)] [-t directory] [-w directory] "
+		"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+		"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
 		"[-i (full|full-sibling|local|local-sibling|none)] "
 		"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
 		"[-W (ignore|warn)] "
@@ -502,7 +502,7 @@ main(int argc, char **argv) {
 		dumpzone = 1;
 
 	/*
-	 * If we are outputing to stdout then send the informational
+	 * If we are printing to stdout then send the informational
 	 * output to stderr.
 	 */
 	if (dumpzone &&
diff --git a/bind/bind9/bin/check/named-checkzone.docbook b/bind/bind9/bin/check/named-checkzone.docbook
index 2094d9b3..a5d6ac63 100644
--- a/bind/bind9/bin/check/named-checkzone.docbook
+++ b/bind/bind9/bin/check/named-checkzone.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
   <info>
     <date>2014-02-19</date>
   </info>
@@ -45,6 +45,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/check/named-checkzone.html b/bind/bind9/bin/check/named-checkzone.html
index 5021689e..4830c1d4 100644
--- a/bind/bind9/bin/check/named-checkzone.html
+++ b/bind/bind9/bin/check/named-checkzone.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,98 +10,28 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named-checkzone"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-checkzone</span>, 
-    <span class="application">named-compilezone</span>
-     &#8212; zone file validity checking or converting tool
-  </p>
+<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-checkzone</code> 
-       [<code class="option">-d</code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-j</code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
-       [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
-       {zonename}
-       {filename}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-compilezone</code> 
-       [<code class="option">-d</code>]
-       [<code class="option">-j</code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
-       {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
-       {zonename}
-       {filename}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named-checkzone</strong></span>
+<p><span class="command"><strong>named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span class="command"><strong>named</strong></span> does when loading a
       zone.  This makes <span class="command"><strong>named-checkzone</strong></span> useful for
       checking zone files before configuring them into a name server.
     </p>
-    <p>
+<p>
         <span class="command"><strong>named-compilezone</strong></span> is similar to
 	<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
         zone contents to a specified file in a specified format.
@@ -112,62 +42,45 @@
         least be as strict as those specified in the
 	<span class="command"><strong>named</strong></span> configuration file.
      </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-d</span></dt>
-<dd>
-          <p>
+<dd><p>
             Enable debugging.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print the usage summary and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-          <p>
+<dd><p>
             Quiet mode - exit code only.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print the version of the <span class="command"><strong>named-checkzone</strong></span>
             program and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-j</span></dt>
-<dd>
-          <p>
+<dd><p>
             When loading a zone file, read the journal if it exists.
             The journal file name is assumed to be the zone file name
 	    appended with the string <code class="filename">.jnl</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             When loading the zone file read the journal from the given
             file, if it exists. (Implies -j.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the class of the zone.  If not specified, "IN" is assumed.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	      Perform post-load zone integrity checks.  Possible modes are
 	      <span class="command"><strong>"full"</strong></span> (default),
 	      <span class="command"><strong>"full-sibling"</strong></span>,
@@ -175,19 +88,19 @@
 	      <span class="command"><strong>"local-sibling"</strong></span> and
 	      <span class="command"><strong>"none"</strong></span>.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that MX records
 	      refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
 	      checks MX records which refer to in-zone hostnames.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
 	      refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
 	      checks SRV records which refer to in-zone hostnames.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
 	      records refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  It also checks that glue address records
@@ -196,33 +109,31 @@
 	      refer to in-zone hostnames or that some required glue exists,
 	      that is when the nameserver is in a child zone.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"full-sibling"</strong></span> and
 	      <span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
 	      checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
 	      and <span class="command"><strong>"local"</strong></span> respectively.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"none"</strong></span> disables the checks.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specify the format of the zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specify the format of the output file specified.
 	    For <span class="command"><strong>named-checkzone</strong></span>,
 	    this does not cause any effects unless it dumps the zone
 	    contents.
 	  </p>
-	  <p>
+<p>
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    which is the standard textual representation of the zone,
 	    and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
@@ -233,10 +144,9 @@
             any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
             can be read by release 9.9.0 or higher; the default is 1.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Perform <span class="command"><strong>"check-names"</strong></span> checks with the
 	    specified failure mode.
             Possible modes are <span class="command"><strong>"fail"</strong></span>
@@ -244,48 +154,38 @@
             <span class="command"><strong>"warn"</strong></span>
 	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets a maximum permissible TTL for the input file.
             Any record with a TTL higher than this value will cause
             the zone to be rejected.  This is similar to using the
             <span class="command"><strong>max-zone-ttl</strong></span> option in
             <code class="filename">named.conf</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             When compiling a zone to "raw" or "map" format, set the
             "source serial" value in the header to the specified serial
             number.  (This is expected to be used primarily for testing
             purposes.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify whether MX records should be checked to see if they
             are addresses.  Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Check if a MX record refers to a CNAME.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify whether NS records should be checked to see if they
             are addresses.
 	    Possible modes are <span class="command"><strong>"fail"</strong></span>
@@ -293,30 +193,24 @@
             <span class="command"><strong>"warn"</strong></span>
 	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Write zone output to <code class="filename">filename</code>.
 	    If <code class="filename">filename</code> is <code class="filename">-</code> then
 	    write to standard out.
 	    This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             Check for records that are treated as different by DNSSEC but
 	    are semantically equal in plain DNS.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specify the style of the dumped zone file.
 	    Possible styles are <span class="command"><strong>"full"</strong></span> (default)
 	    and <span class="command"><strong>"relative"</strong></span>.
@@ -329,101 +223,74 @@
 	    contents.
 	    It also does not have any meaning if the output format
 	    is not text.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Check if a SRV record refers to a CNAME.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Chroot to <code class="filename">directory</code> so that
             include
             directives in the configuration file are processed as if
             run by a similarly chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Check if Sender Policy Framework (SPF) records exist
 	    and issues a warning if an SPF-formatted TXT record is
 	    not also present.  Possible modes are <span class="command"><strong>"warn"</strong></span>
 	    (default), <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             chdir to <code class="filename">directory</code> so that
             relative
             filenames in master file $INCLUDE directives work.  This
             is similar to the directory clause in
             <code class="filename">named.conf</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D</span></dt>
-<dd>
-          <p>
+<dd><p>
             Dump zone file in canonical format.
 	    This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify whether to check for non-terminal wildcards.
             Non-terminal wildcards are almost always the result of a
             failure to understand the wildcard matching algorithm (RFC 1034).
             Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
             and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">zonename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The domain name of the zone being checked.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">filename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The name of the zone file.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>RETURN VALUES</h2>
-
-    <p><span class="command"><strong>named-checkzone</strong></span>
+<p><span class="command"><strong>named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkconf</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/check/win32/checkconf.vcxproj.in b/bind/bind9/bin/check/win32/checkconf.vcxproj.in
index fa16d8ee..c92f4662 100644
--- a/bind/bind9/bin/check/win32/checkconf.vcxproj.in
+++ b/bind/bind9/bin/check/win32/checkconf.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/check/win32/checktool.vcxproj.in b/bind/bind9/bin/check/win32/checktool.vcxproj.in
index 8a9ad0f5..d6ee632c 100644
--- a/bind/bind9/bin/check/win32/checktool.vcxproj.in
+++ b/bind/bind9/bin/check/win32/checktool.vcxproj.in
@@ -48,18 +48,21 @@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <OutDir>.\$(Configuration)\</OutDir>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -77,7 +80,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/check/win32/checkzone.vcxproj.in b/bind/bind9/bin/check/win32/checkzone.vcxproj.in
index dbccb09b..1544930c 100644
--- a/bind/bind9/bin/check/win32/checkzone.vcxproj.in
+++ b/bind/bind9/bin/check/win32/checkzone.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -84,7 +87,8 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/confgen/Makefile.in b/bind/bind9/bin/confgen/Makefile.in
index bc7dc5be..57a917f6 100644
--- a/bind/bind9/bin/confgen/Makefile.in
+++ b/bind/bind9/bin/confgen/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/ddns-confgen.8 b/bind/bind9/bin/confgen/ddns-confgen.8
index fa29dc23..79e8cc82 100644
--- a/bind/bind9/bin/confgen/ddns-confgen.8
+++ b/bind/bind9/bin/confgen/ddns-confgen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: ddns-confgen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-03-06
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -155,5 +155,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/confgen/ddns-confgen.c b/bind/bind9/bin/confgen/ddns-confgen.c
index 9e4f6176..5eb21e42 100644
--- a/bind/bind9/bin/confgen/ddns-confgen.c
+++ b/bind/bind9/bin/confgen/ddns-confgen.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/ddns-confgen.docbook b/bind/bind9/bin/confgen/ddns-confgen.docbook
index a635eb7d..5456ece7 100644
--- a/bind/bind9/bin/confgen/ddns-confgen.docbook
+++ b/bind/bind9/bin/confgen/ddns-confgen.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
   <info>
     <date>2014-03-06</date>
   </info>
@@ -39,6 +39,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/confgen/ddns-confgen.html b/bind/bind9/bin/confgen/ddns-confgen.html
index b8330bd7..7a5f14cd 100644
--- a/bind/bind9/bin/confgen/ddns-confgen.html
+++ b/bind/bind9/bin/confgen/ddns-confgen.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,67 +10,35 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>ddns-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.ddns-confgen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">ddns-confgen</span>
-     &#8212; ddns key generation tool
-  </p>
+<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">tsig-keygen</code> 
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
-       [name]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">ddns-confgen</code> 
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
-       [
-         -s <em class="replaceable"><code>name</code></em> 
-         |   -z <em class="replaceable"><code>zone</code></em> 
-      ]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">tsig-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [name]</p></div>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
       are invocation methods for a utility that generates keys for use
       in TSIG signing.  The resulting keys can be used, for example,
       to secure dynamic DNS updates to a zone or for the
       <span class="command"><strong>rndc</strong></span> command channel.
     </p>
-
-    <p>
+<p>
       When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
       can be specified on the command line which will be used as
       the name of the generated key.  If no name is specified,
       the default is <code class="constant">tsig-key</code>.
     </p>
-
-    <p>
+<p>
       When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
       key is accompanied by configuration text and instructions
       that can be used with <span class="command"><strong>nsupdate</strong></span> and
@@ -80,8 +48,7 @@
       <span class="command"><strong>rndc-confgen</strong></span> command for setting
       up command channel security.)
     </p>
-
-    <p>
+<p>
       Note that <span class="command"><strong>named</strong></span> itself can configure a
       local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
       it does this when a zone is configured with
@@ -91,32 +58,24 @@
       if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
       system.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
             hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
             Options are case-insensitive, and the "hmac-" prefix
             may be omitted.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints a short summary of options and arguments.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the key name of the DDNS authentication key.
 	    The default is <code class="constant">ddns-key</code> when neither
 	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
@@ -126,19 +85,15 @@
 	    <code class="constant">ddns-key.example.com.</code>
 	    The key name must have the format of a valid domain name,
 	    consisting of letters, digits, hyphens and periods.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    (<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode:  Print
             only the key, with no explanatory text or usage examples;
             This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             Specifies a source of random data for generating the
             authorization.  If the operating system does not provide a
             <code class="filename">/dev/random</code> or equivalent device, the
@@ -148,11 +103,9 @@
             instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard input
             should be used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             (<span class="command"><strong>ddns-confgen</strong></span> only.)
 	    Generate configuration example to allow dynamic updates
             of a single hostname.  The example <span class="command"><strong>named.conf</strong></span>
@@ -163,11 +116,9 @@
 	    Note that the "self" nametype cannot be used, since
 	    the name to be updated may differ from the key name.
 	    This option cannot be used with the <code class="option">-z</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             (<span class="command"><strong>ddns-confgen</strong></span> only.)
 	    Generate configuration example to allow dynamic updates
             of a zone:  The example <span class="command"><strong>named.conf</strong></span> text
@@ -177,26 +128,16 @@
             all subdomain names within that
             <em class="replaceable"><code>zone</code></em>.
 	    This option cannot be used with the <code class="option">-s</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">nsupdate</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/confgen/include/confgen/os.h b/bind/bind9/bin/confgen/include/confgen/os.h
index 6346b2b4..a65f3836 100644
--- a/bind/bind9/bin/confgen/include/confgen/os.h
+++ b/bind/bind9/bin/confgen/include/confgen/os.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/keygen.c b/bind/bind9/bin/confgen/keygen.c
index 8931ad58..61254485 100644
--- a/bind/bind9/bin/confgen/keygen.c
+++ b/bind/bind9/bin/confgen/keygen.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/keygen.h b/bind/bind9/bin/confgen/keygen.h
index 58debab4..3e343959 100644
--- a/bind/bind9/bin/confgen/keygen.h
+++ b/bind/bind9/bin/confgen/keygen.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/rndc-confgen.8 b/bind/bind9/bin/confgen/rndc-confgen.8
index 70032ffa..d7e9d890 100644
--- a/bind/bind9/bin/confgen/rndc-confgen.8
+++ b/bind/bind9/bin/confgen/rndc-confgen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: rndc-confgen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2013-03-14
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -217,5 +217,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/confgen/rndc-confgen.c b/bind/bind9/bin/confgen/rndc-confgen.c
index 5ca3d766..538e730e 100644
--- a/bind/bind9/bin/confgen/rndc-confgen.c
+++ b/bind/bind9/bin/confgen/rndc-confgen.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: rndc-confgen.c,v 1.7 2011/03/12 04:59:46 tbox Exp $ */
-
 /*! \file */
 
 /**
diff --git a/bind/bind9/bin/confgen/rndc-confgen.docbook b/bind/bind9/bin/confgen/rndc-confgen.docbook
index 643051de..6e8260b0 100644
--- a/bind/bind9/bin/confgen/rndc-confgen.docbook
+++ b/bind/bind9/bin/confgen/rndc-confgen.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
   <info>
     <date>2013-03-14</date>
   </info>
@@ -45,6 +45,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/confgen/rndc-confgen.html b/bind/bind9/bin/confgen/rndc-confgen.html
index c05c8a57..d6aaaa30 100644
--- a/bind/bind9/bin/confgen/rndc-confgen.html
+++ b/bind/bind9/bin/confgen/rndc-confgen.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,47 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.rndc-confgen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">rndc-confgen</span>
-     &#8212; rndc key generation tool
-  </p>
+<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">rndc-confgen</code> 
-       [<code class="option">-a</code>]
-       [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>rndc-confgen</strong></span>
+<p><span class="command"><strong>rndc-confgen</strong></span>
       generates configuration files
       for <span class="command"><strong>rndc</strong></span>.  It can be used as a
       convenient alternative to writing the
@@ -63,17 +37,13 @@
       avoid the need for a <code class="filename">rndc.conf</code> file
       and a <span class="command"><strong>controls</strong></span> statement altogether.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a</span></dt>
 <dd>
-          <p>
+<p>
             Do automatic <span class="command"><strong>rndc</strong></span> configuration.
             This creates a file <code class="filename">rndc.key</code>
             in <code class="filename">/etc</code> (or whatever
@@ -88,7 +58,7 @@
             <span class="command"><strong>named</strong></span> on the local host
             with no further configuration.
           </p>
-          <p>
+<p>
             Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
             BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
             drop-in
@@ -96,7 +66,7 @@
             with no changes to the existing BIND 8
             <code class="filename">named.conf</code> file.
           </p>
-          <p>
+<p>
             If a more elaborate configuration than that
             generated by <span class="command"><strong>rndc-confgen -a</strong></span>
             is required, for example if rndc is to be used remotely,
@@ -107,57 +77,44 @@
             <code class="filename">named.conf</code>
             as directed.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
             hmac-sha384 and hmac-sha512.  The default is hmac-md5 or
             if MD5 was disabled hmac-sha256.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the size of the authentication key in bits.
             Must be between 1 and 512 bits; the default is the
             hash size.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Used with the <span class="command"><strong>-a</strong></span> option to specify
             an alternate location for <code class="filename">rndc.key</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints a short summary of the options and arguments to
             <span class="command"><strong>rndc-confgen</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the key name of the rndc authentication key.
             This must be a valid domain name.
             The default is <code class="constant">rndc-key</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the command channel port where <span class="command"><strong>named</strong></span>
             listens for connections from <span class="command"><strong>rndc</strong></span>.
             The default is 953.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a source of random data for generating the
             authorization.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
@@ -168,30 +125,24 @@
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the IP address where <span class="command"><strong>named</strong></span>
             listens for command channel connections from
             <span class="command"><strong>rndc</strong></span>.  The default is the loopback
             address 127.0.0.1.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Used with the <span class="command"><strong>-a</strong></span> option to specify
             a directory where <span class="command"><strong>named</strong></span> will run
             chrooted.  An additional copy of the <code class="filename">rndc.key</code>
             will be written relative to this directory so that
             it will be found by the chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Used with the <span class="command"><strong>-a</strong></span> option to set the
             owner
             of the <code class="filename">rndc.key</code> file generated.
@@ -199,45 +150,33 @@
             <span class="command"><strong>-t</strong></span> is also specified only the file
             in
             the chroot area has its owner changed.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>EXAMPLES</h2>
-
-    <p>
+<p>
       To allow <span class="command"><strong>rndc</strong></span> to be used with
       no manual configuration, run
     </p>
-    <p><strong class="userinput"><code>rndc-confgen -a</code></strong>
+<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
     </p>
-    <p>
+<p>
       To print a sample <code class="filename">rndc.conf</code> file and
       corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
       statements to be manually inserted into <code class="filename">named.conf</code>,
       run
     </p>
-    <p><strong class="userinput"><code>rndc-confgen</code></strong>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">rndc</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/confgen/unix/Makefile.in b/bind/bind9/bin/confgen/unix/Makefile.in
index 64e3cb8b..b6fb9cdf 100644
--- a/bind/bind9/bin/confgen/unix/Makefile.in
+++ b/bind/bind9/bin/confgen/unix/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/unix/os.c b/bind/bind9/bin/confgen/unix/os.c
index b305b340..69569bf5 100644
--- a/bind/bind9/bin/confgen/unix/os.c
+++ b/bind/bind9/bin/confgen/unix/os.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/util.c b/bind/bind9/bin/confgen/util.c
index 0066e7cb..5ab2109f 100644
--- a/bind/bind9/bin/confgen/util.c
+++ b/bind/bind9/bin/confgen/util.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/util.h b/bind/bind9/bin/confgen/util.h
index fa4a62b0..41107291 100644
--- a/bind/bind9/bin/confgen/util.h
+++ b/bind/bind9/bin/confgen/util.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/win32/confgentool.vcxproj.in b/bind/bind9/bin/confgen/win32/confgentool.vcxproj.in
index 20a0d3c2..dbf5bf56 100644
--- a/bind/bind9/bin/confgen/win32/confgentool.vcxproj.in
+++ b/bind/bind9/bin/confgen/win32/confgentool.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -73,7 +76,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/confgen/win32/ddnsconfgen.vcxproj.in b/bind/bind9/bin/confgen/win32/ddnsconfgen.vcxproj.in
index 2754d748..b608b92c 100644
--- a/bind/bind9/bin/confgen/win32/ddnsconfgen.vcxproj.in
+++ b/bind/bind9/bin/confgen/win32/ddnsconfgen.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>ddns-confgen</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>ddns-confgen</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -84,7 +87,8 @@ copy /Y ddns-confgen.ilk tsig-keygen.ilk
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/confgen/win32/os.c b/bind/bind9/bin/confgen/win32/os.c
index 4ef9d64e..4af187f6 100644
--- a/bind/bind9/bin/confgen/win32/os.c
+++ b/bind/bind9/bin/confgen/win32/os.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/confgen/win32/rndcconfgen.vcxproj.in b/bind/bind9/bin/confgen/win32/rndcconfgen.vcxproj.in
index 32d31cc2..d8c930b9 100644
--- a/bind/bind9/bin/confgen/win32/rndcconfgen.vcxproj.in
+++ b/bind/bind9/bin/confgen/win32/rndcconfgen.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>rndc-confgen</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>rndc-confgen</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/delv/Makefile.in b/bind/bind9/bin/delv/Makefile.in
index b826223e..83230d41 100644
--- a/bind/bind9/bin/delv/Makefile.in
+++ b/bind/bind9/bin/delv/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/delv/delv.1 b/bind/bind9/bin/delv/delv.1
index 0326a6b9..934704f5 100644
--- a/bind/bind9/bin/delv/delv.1
+++ b/bind/bind9/bin/delv/delv.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: delv
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-04-23
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -437,5 +437,5 @@ RFC5155\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/delv/delv.c b/bind/bind9/bin/delv/delv.c
index b1d6437d..ec330cd9 100644
--- a/bind/bind9/bin/delv/delv.c
+++ b/bind/bind9/bin/delv/delv.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/delv/delv.docbook b/bind/bind9/bin/delv/delv.docbook
index 24b549af..0712d693 100644
--- a/bind/bind9/bin/delv/delv.docbook
+++ b/bind/bind9/bin/delv/delv.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
   <info>
     <date>2014-04-23</date>
   </info>
@@ -41,6 +41,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/delv/delv.html b/bind/bind9/bin/delv/delv.html
index 01f24f24..be14bc58 100644
--- a/bind/bind9/bin/delv/delv.html
+++ b/bind/bind9/bin/delv/delv.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,76 +10,29 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>delv</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.delv"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    delv
-     &#8212; DNS lookup and validation utility
-  </p>
+<p>delv &#8212; DNS lookup and validation utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [@server]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-i</code>]
-       [<code class="option">-m</code>]
-       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
-       [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
-       [name]
-       [type]
-       [class]
-       [queryopt...]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [<code class="option">-h</code>]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [<code class="option">-v</code>]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [queryopt...]
-       [query...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">delv</code>  [@server] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-h</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-v</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delv</code>  [queryopt...] [query...]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>delv</strong></span>
+<p><span class="command"><strong>delv</strong></span>
       is a tool for sending
       DNS queries and validating the results, using the same internal
       resolver and validator logic as <span class="command"><strong>named</strong></span>.
     </p>
-    <p>
+<p>
       <span class="command"><strong>delv</strong></span> will send to a specified name server all
       queries needed to fetch and validate the requested data; this
       includes the original requested query, subsequent queries to follow
@@ -89,7 +42,7 @@
       behavior of a name server configured for DNSSEC validating and
       forwarding.
     </p>
-    <p>
+<p>
       By default, responses are validated using built-in DNSSEC trust
       anchor for the root zone (".").  Records returned by
       <span class="command"><strong>delv</strong></span> are either fully validated or
@@ -100,7 +53,7 @@
       be used to check the validity of DNS responses in environments
       where local name servers may not be trustworthy.
     </p>
-    <p>
+<p>
       Unless it is told to query a specific name server,
       <span class="command"><strong>delv</strong></span> will try each of the servers listed in
       <code class="filename">/etc/resolv.conf</code>. If no usable server
@@ -108,18 +61,15 @@
       queries to the localhost addresses (127.0.0.1 for IPv4, ::1
       for IPv6).
     </p>
-    <p>
+<p>
       When no command line arguments or options are given,
       <span class="command"><strong>delv</strong></span> will perform an NS query for "."
       (the root zone).
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
-
-
-    <p>
+<p>
       A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
       </p>
 <pre class="programlisting"> delv @server name type </pre>
@@ -130,7 +80,7 @@
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">server</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      is the name or IP address of the name server to query.  This
 	      can be an IPv4 address in dotted-decimal notation or an IPv6
 	      address in colon-delimited notation.  When the supplied
@@ -140,7 +90,7 @@
 	      initial lookup is <span class="emphasis"><em>not</em></span> validated
 	      by DNSSEC).
 	    </p>
-	    <p>
+<p>
 	      If no <em class="parameter"><code>server</code></em> argument is
 	      provided, <span class="command"><strong>delv</strong></span> consults
 	      <code class="filename">/etc/resolv.conf</code>; if an
@@ -153,16 +103,13 @@
 	      the localhost addresses (127.0.0.1 for IPv4,
 	      ::1 for IPv6).
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="constant">name</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      is the domain name to be looked up.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="constant">type</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      indicates what type of query is required &#8212;
 	      ANY, A, MX, etc.
 	      <em class="parameter"><code>type</code></em> can be any valid query
@@ -170,27 +117,23 @@
 	      <em class="parameter"><code>type</code></em> argument is supplied,
 	      <span class="command"><strong>delv</strong></span> will perform a lookup for an
 	      A record.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies a file from which to read DNSSEC trust anchors.
 	    The default is <code class="filename">/etc/bind.keys</code>, which
 	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
 	    one or more trust anchors for the root zone (".").
 	  </p>
-	  <p>
+<p>
 	    Keys that do not match the root zone name are ignored.
             An alternate key name can be specified using the
 	    <code class="option">+root=NAME</code> options. DNSSEC Lookaside
@@ -198,7 +141,7 @@
 	    <code class="option">+dlv=NAME</code> to specify the name of a
             zone containing DLV records.
 	  </p>
-	  <p>
+<p>
 	    Note: When reading the trust anchor file,
 	    <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
 	    statements and <code class="option">trusted-keys</code> statements
@@ -212,28 +155,23 @@
 	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
 	    validation in <span class="command"><strong>delv</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the source IP address of the query to
 	    <em class="parameter"><code>address</code></em>.  This must be a valid address
 	    on one of the host's network interfaces or "0.0.0.0" or "::".
 	    An optional source port may be specified by appending
 	    "#&lt;port&gt;"
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the query class for the requested data. Currently,
 	    only class "IN" is supported in <span class="command"><strong>delv</strong></span>
 	    and any other value is ignored.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the systemwide debug level to <code class="option">level</code>.
 	    The allowed range is from 0 to 99.
 	    The default is 0 (no debugging).
@@ -242,17 +180,13 @@
 	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
 	    and <code class="option">+vtrace</code> options below for additional
 	    debugging details.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Insecure mode. This disables internal DNSSEC validation.
 	    (Note, however, this does not set the CD bit on upstream
 	    queries. If the server being queried is performing DNSSEC
@@ -260,37 +194,30 @@
 	    can cause <span class="command"><strong>delv</strong></span> to time out. When it
 	    is necessary to examine invalid data to debug a DNSSEC
 	    problem, use <span class="command"><strong>dig +cd</strong></span>.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-m</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Enables memory usage debugging.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies a destination port to use for queries instead of
 	    the standard DNS port number 53.  This option would be used
 	    with a name server that has been configured to listen
 	    for queries on a non-standard port number.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the query name to <em class="parameter"><code>name</code></em>.
 	    While the query name can be specified without using the
 	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
 	    names from types or classes (for example, when looking up the
 	    name "ns", which could be misinterpreted as the type NS,
 	    or "ch", which could be misinterpreted as class CH).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sets the query type to <em class="parameter"><code>type</code></em>, which
 	    can be any valid query type supported in BIND 9 except
 	    for zone transfer types AXFR and IXFR. As with
@@ -298,21 +225,18 @@
 	    query name type or class when they are ambiguous.
 	    it is sometimes necessary to disambiguate names from types.
 	  </p>
-	  <p>
+<p>
 	    The default query type is "A", unless the <code class="option">-x</code>
 	    option is supplied to indicate a reverse lookup, in which case
 	    it is "PTR".
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the <span class="command"><strong>delv</strong></span> version and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Performs a reverse lookup, mapping an addresses to
 	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
 	    dotted-decimal notation, or a colon-delimited IPv6 address.
@@ -322,33 +246,24 @@
 	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
 	    and sets the query type to PTR.  IPv6 addresses are looked up
 	    using nibble format under the IP6.ARPA domain.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-4</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
-
-
-    <p><span class="command"><strong>delv</strong></span>
+<p><span class="command"><strong>delv</strong></span>
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
     </p>
-
-    <p>
+<p>
       Each query option is identified by a keyword preceded by a plus sign
       (<code class="literal">+</code>).  Some keywords set or reset an
       option.  These may be preceded by the string
@@ -360,8 +275,7 @@
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to set the CD (checking disabled) bit in
 	      queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
 	      when troubleshooting DNSSEC problems from behind a validating
@@ -370,25 +284,20 @@
 	      the CD flag on queries will cause the resolver to return
 	      invalid responses, which <span class="command"><strong>delv</strong></span> can then
 	      validate internally and report the errors in detail.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to display the CLASS when printing
 	      a record. The default is to display the CLASS.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to display the TTL when printing
 	      a record. The default is to display the TTL.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggle resolver fetch logging. This reports the
 	      name and type of each query sent by <span class="command"><strong>delv</strong></span>
 	      in the process of carrying out the resolution and validation
@@ -396,69 +305,62 @@
 	      all subsequent queries to follow CNAMEs and to establish a
 	      chain of trust for DNSSEC validation.
 	    </p>
-	    <p>
+<p>
 	      This is equivalent to setting the debug level to 1 in
 	      the "resolver" logging category. Setting the systemwide
 	      debug level to 1 using the <code class="option">-d</code> option will
 	      product the same output (but will affect other logging
 	      categories as well).
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggle message logging. This produces a detailed dump of
 	      the responses received by <span class="command"><strong>delv</strong></span> in the
 	      process of carrying out the resolution and validation process.
 	    </p>
-	    <p>
+<p>
 	      This is equivalent to setting the debug level to 10
 	      for the "packets" module of the "resolver" logging
 	      category. Setting the systemwide debug level to 10 using
 	      the <code class="option">-d</code> option will produce the same output
 	      (but will affect other logging categories as well).
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggle validation logging. This shows the internal
 	      process of the validator as it determines whether an
 	      answer is validly signed, unsigned, or invalid.
 	    </p>
-	    <p>
+<p>
 	      This is equivalent to setting the debug level to 3
 	      for the "validator" module of the "dnssec" logging
 	      category. Setting the systemwide debug level to 3 using
 	      the <code class="option">-d</code> option will produce the same output
 	      (but will affect other logging categories as well).
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Provide a terse answer.  The default is to print the answer in a
 	      verbose form.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of comment lines in the output.  The default
 	      is to print comments.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of per-record comments in the output (for
 	      example, human-readable key information about DNSKEY records).
 	      The default is to print per-record comments.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of cryptographic fields in DNSSEC records.
 	      The contents of these field are unnecessary to debug most DNSSEC
 	      validation failures and removing them makes it easier to see
@@ -466,18 +368,14 @@
 	      When omitted they are replaced by the string "[omitted]" or
 	      in the DNSKEY case the key id is displayed as the replacement,
 	      e.g. "[ key id = value ]".
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]trust</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to display the trust level when printing
 	      a record. The default is to display the trust level.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Split long hex- or base64-formatted fields in resource
 	      records into chunks of <em class="parameter"><code>W</code></em> characters
 	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
@@ -486,30 +384,24 @@
 	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
 	      split at all.  The default is 56 characters, or 44 characters
 	      when multiline mode is active.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set or clear the display options
 	      <code class="option">+[no]comments</code>,
 	      <code class="option">+[no]rrcomments</code>, and
 	      <code class="option">+[no]trust</code> as a group.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print long records (such as RRSIG, DNSKEY, and SOA records)
 	      in a verbose multi-line format with human-readable comments.
 	      The default is to print each record on a single line, to
 	      facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
 	      output.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Indicates whether to display RRSIG records in the
 	      <span class="command"><strong>delv</strong></span> output.  The default is to
 	      do so.  Note that (unlike in <span class="command"><strong>dig</strong></span>)
@@ -519,11 +411,9 @@
 	      will always occur unless suppressed by the use of
 	      <code class="option">-i</code> or <code class="option">+noroot</code> and
 	      <code class="option">+nodlv</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Indicates whether to perform conventional (non-lookaside)
 	      DNSSEC validation, and if so, specifies the
 	      name of a trust anchor.  The default is to validate using
@@ -531,62 +421,46 @@
 	      a built-in key.  If specifying a different trust anchor,
 	      then <code class="option">-a</code> must be used to specify a file
 	      containing the key.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Indicates whether to perform DNSSEC lookaside validation,
 	      and if so, specifies the name of the DLV trust anchor.
 	      The <code class="option">-a</code> option must also be used to specify
               a file containing the DLV key.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to use TCP when sending queries.
 	      The default is to use UDP unless a truncated
 	      response has been received.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print all RDATA in unknown RR type presentation format
 	      (RFC 3597). The default is to print RDATA for known types
 	      in the type's presentation format.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/bind.keys</code></p>
-    <p><code class="filename">/etc/resolv.conf</code></p>
-  </div>
-
-  <div class="refsection">
+<p><code class="filename">/etc/bind.keys</code></p>
+<p><code class="filename">/etc/resolv.conf</code></p>
+</div>
+<div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">RFC4034</em>,
       <em class="citetitle">RFC4035</em>,
       <em class="citetitle">RFC4431</em>,
       <em class="citetitle">RFC5074</em>,
       <em class="citetitle">RFC5155</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/delv/win32/delv.vcxproj.in b/bind/bind9/bin/delv/win32/delv.vcxproj.in
index d9985e52..73b8526b 100644
--- a/bind/bind9/bin/delv/win32/delv.vcxproj.in
+++ b/bind/bind9/bin/delv/win32/delv.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dig/Makefile.in b/bind/bind9/bin/dig/Makefile.in
index f039be62..7683d5b8 100644
--- a/bind/bind9/bin/dig/Makefile.in
+++ b/bind/bind9/bin/dig/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/dig/dig.1 b/bind/bind9/bin/dig/dig.1
index 08f4783b..0c3b0cd8 100644
--- a/bind/bind9/bin/dig/dig.1
+++ b/bind/bind9/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2011, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dig
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-02-19
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -351,9 +351,15 @@ Attempt to display the contents of messages which are malformed\&. The default i
 .PP
 \fB+bufsize=B\fR
 .RS 4
-Set the UDP message buffer size advertised using EDNS0 to
+This option sets the UDP message buffer size advertised using EDNS0 to
 \fIB\fR
-bytes\&. The maximum and minimum sizes of this buffer are 65535 and 0 respectively\&. Values outside this range are rounded up or down appropriately\&. Values other than zero will cause a EDNS query to be sent\&.
+bytes\&. The maximum and minimum sizes of this buffer are 65535 and 0, respectively\&.
++bufsize=0
+disables EDNS (use
++bufsize=0 +edns
+to send a EDNS messages with a advertised size of 0 bytes)\&.
++bufsize
+restores the default buffer size\&.
 .RE
 .PP
 \fB+[no]cdflag\fR
@@ -817,5 +823,5 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2011, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dig/dig.c b/bind/bind9/bin/dig/dig.c
index 706299e7..2077fcf5 100644
--- a/bind/bind9/bin/dig/dig.c
+++ b/bind/bind9/bin/dig/dig.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -173,7 +173,7 @@ help(void) {
 "                 +[no]authority      (Control display of authority section)\n"
 "                 +[no]badcookie      (Retry BADCOOKIE responses)\n"
 "                 +[no]besteffort     (Try to parse even illegal messages)\n"
-"                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
+"                 +bufsize[=###]      (Set EDNS0 Max UDP packet size)\n"
 "                 +[no]cdflag         (Set checking disabled flag in query)\n"
 "                 +[no]class          (Control display of class in records)\n"
 "                 +[no]cmd            (Control display of command line -\n"
@@ -277,11 +277,7 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 			printf(";; Query time: %ld msec\n", (long) diff / 1000);
 		printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
 		time(&tnow);
-#if defined(ISC_PLATFORM_USETHREADS) && !defined(WIN32)
 		(void)localtime_r(&tnow, &tmnow);
-#else
-		tmnow  = *localtime(&tnow);
-#endif
 
 #ifdef WIN32
 		/*
@@ -899,15 +895,21 @@ plus_option(const char *option, bool is_batchfile,
 			break;
 		case 'u':/* bufsize */
 			FULLCHECK("bufsize");
-			if (value == NULL)
-				goto need_value;
-			if (!state)
+			if (!state) {
 				goto invalid_option;
+			}
+			if (value == NULL) {
+				lookup->udpsize = DEFAULT_EDNS_BUFSIZE;
+				break;
+			}
 			result = parse_uint(&num, value, COMMSIZE,
 					    "buffer size");
 			if (result != ISC_R_SUCCESS)
 				fatal("Couldn't parse buffer size");
 			lookup->udpsize = num;
+			if (lookup->udpsize == 0) {
+				lookup->edns = -1;
+			}
 			break;
 		default:
 			goto invalid_option;
@@ -945,8 +947,9 @@ plus_option(const char *option, bool is_batchfile,
 				break;
 			case 'o': /* cookie */
 				FULLCHECK("cookie");
-				if (state && lookup->edns == -1)
-					lookup->edns = 0;
+				if (state && lookup->edns == -1) {
+					lookup->edns = DEFAULT_EDNS_VERSION;
+				}
 				lookup->sendcookie = state;
 				if (value != NULL) {
 					n = strlcpy(hexcookie, value,
@@ -979,8 +982,9 @@ plus_option(const char *option, bool is_batchfile,
 			break;
 		case 'n': /* dnssec */
 			FULLCHECK("dnssec");
-			if (state && lookup->edns == -1)
-				lookup->edns = 0;
+			if (state && lookup->edns == -1) {
+				lookup->edns = DEFAULT_EDNS_VERSION;
+			}
 			lookup->dnssec = state;
 			break;
 		case 'o': /* domain */
@@ -1023,7 +1027,8 @@ plus_option(const char *option, bool is_batchfile,
 							break;
 						}
 						if (value == NULL) {
-							lookup->edns = 0;
+							lookup->edns =
+								DEFAULT_EDNS_VERSION;
 							break;
 						}
 						result = parse_uint(&num,
@@ -1184,8 +1189,9 @@ plus_option(const char *option, bool is_batchfile,
 			switch (cmd[2]) {
 			case 'i': /* nsid */
 				FULLCHECK("nsid");
-				if (state && lookup->edns == -1)
-					lookup->edns = 0;
+				if (state && lookup->edns == -1) {
+					lookup->edns = DEFAULT_EDNS_VERSION;
+				}
 				lookup->nsid = state;
 				break;
 			case 's': /* nssearch */
@@ -1389,8 +1395,9 @@ plus_option(const char *option, bool is_batchfile,
 				}
 				break;
 			}
-			if (lookup->edns == -1)
-				lookup->edns = 0;
+			if (lookup->edns == -1) {
+				lookup->edns = DEFAULT_EDNS_VERSION;
+			}
 			if (lookup->ecs_addr != NULL) {
 				isc_mem_free(mctx, lookup->ecs_addr);
 				lookup->ecs_addr = NULL;
@@ -1930,7 +1937,7 @@ parse_args(bool is_batchfile, bool config_only,
 		debug("making new lookup");
 		default_lookup = make_empty_lookup();
 		default_lookup->adflag = true;
-		default_lookup->edns = 0;
+		default_lookup->edns = DEFAULT_EDNS_VERSION;
 		default_lookup->sendcookie = true;
 
 #ifndef NOPOSIX
diff --git a/bind/bind9/bin/dig/dig.docbook b/bind/bind9/bin/dig/dig.docbook
index 57ff556d..416eaf8f 100644
--- a/bind/bind9/bin/dig/dig.docbook
+++ b/bind/bind9/bin/dig/dig.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
   <info>
     <date>2014-02-19</date>
   </info>
@@ -54,6 +54,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -570,12 +571,14 @@
 	  <term><option>+bufsize=B</option></term>
 	  <listitem>
 	    <para>
-	      Set the UDP message buffer size advertised using EDNS0
-	      to <parameter>B</parameter> bytes.  The maximum and
-	      minimum sizes of this buffer are 65535 and 0 respectively.
-	      Values outside this range are rounded up or down
-	      appropriately.  Values other than zero will cause a
-	      EDNS query to be sent.
+              This option sets the UDP message buffer size advertised
+              using EDNS0 to <parameter>B</parameter> bytes.  The
+              maximum and minimum sizes of this buffer are 65535
+              and 0, respectively.  <literal>+bufsize=0</literal>
+              disables EDNS (use <literal>+bufsize=0 +edns</literal>
+              to send a EDNS messages with a advertised size of 0
+              bytes). <literal>+bufsize</literal> restores the
+              default buffer size.
 	    </para>
 	  </listitem>
 	</varlistentry>
diff --git a/bind/bind9/bin/dig/dig.html b/bind/bind9/bin/dig/dig.html
index 89ced29a..b2c99d8d 100644
--- a/bind/bind9/bin/dig/dig.html
+++ b/bind/bind9/bin/dig/dig.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2011, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,67 +10,23 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dig"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    dig
-     &#8212; DNS lookup utility
-  </p>
+<p>dig &#8212; DNS lookup utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dig</code> 
-       [@server]
-       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-m</code>]
-       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
-       [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
-       [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [name]
-       [type]
-       [class]
-       [queryopt...]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">dig</code> 
-       [<code class="option">-h</code>]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">dig</code> 
-       [global-queryopt...]
-       [query...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [<code class="option">-h</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dig</strong></span> is a flexible tool
+<p><span class="command"><strong>dig</strong></span> is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
       displays the answers that are returned from the name server(s) that
       were queried.  Most DNS administrators use <span class="command"><strong>dig</strong></span> to
@@ -78,8 +34,7 @@
       clarity of output.  Other lookup tools tend to have less functionality
       than <span class="command"><strong>dig</strong></span>.
     </p>
-
-    <p>
+<p>
       Although <span class="command"><strong>dig</strong></span> is normally used with
       command-line
       arguments, it also has a batch mode of operation for reading lookup
@@ -90,43 +45,35 @@
       from the
       command line.
     </p>
-
-    <p>
+<p>
       Unless it is told to query a specific name server,
       <span class="command"><strong>dig</strong></span> will try each of the servers listed in
       <code class="filename">/etc/resolv.conf</code>. If no usable server addresses
       are found, <span class="command"><strong>dig</strong></span> will send the query to the local
       host.
     </p>
-
-    <p>
+<p>
       When no command line arguments or options are given,
       <span class="command"><strong>dig</strong></span> will perform an NS query for "." (the root).
     </p>
-
-    <p>
+<p>
       It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
       <code class="filename">${HOME}/.digrc</code>. This file is read and any
       options in it are applied before the command line arguments.
       The <code class="option">-r</code> option disables this feature, for
       scripts that need predictable behaviour.
     </p>
-
-    <p>
+<p>
       The IN and CH class names overlap with the IN and CH top level
       domain names.  Either use the <code class="option">-t</code> and
       <code class="option">-c</code> options to specify the type and class,
       use the <code class="option">-q</code> the specify the domain name, or
       use "IN." and "CH." when looking up these top level domains.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
-
-
-    <p>
+<p>
       A typical invocation of <span class="command"><strong>dig</strong></span> looks like:
       </p>
 <pre class="programlisting"> dig @server name type </pre>
@@ -137,7 +84,7 @@
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">server</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      is the name or IP address of the name server to query.  This
 	      can be an IPv4 address in dotted-decimal notation or an IPv6
 	      address in colon-delimited notation.  When the supplied
@@ -145,7 +92,7 @@
 	      <span class="command"><strong>dig</strong></span> resolves that name before querying
 	      that name server.
 	    </p>
-	    <p>
+<p>
 	      If no <em class="parameter"><code>server</code></em> argument is
 	      provided, <span class="command"><strong>dig</strong></span> consults
 	      <code class="filename">/etc/resolv.conf</code>; if an
@@ -158,16 +105,13 @@
 	      local host.  The reply from the name server that
 	      responds is displayed.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="constant">name</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      is the name of the resource record that is to be looked up.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="constant">type</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      indicates what type of query is required &#8212;
 	      ANY, A, MX, SIG, etc.
 	      <em class="parameter"><code>type</code></em> can be any valid query
@@ -175,116 +119,87 @@
 	      <em class="parameter"><code>type</code></em> argument is supplied,
 	      <span class="command"><strong>dig</strong></span> will perform a lookup for an
 	      A record.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-4</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use IPv4 only.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use IPv6 only.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-b <em class="replaceable"><code>address[<span class="optional">#port</span>]</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the source IP address of the query.
 	    The <em class="parameter"><code>address</code></em> must be a valid address on
 	    one of the host's network interfaces, or "0.0.0.0" or "::". An
 	    optional port may be specified by appending "#&lt;port&gt;"
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the query class. The
 	    default <em class="parameter"><code>class</code></em> is IN; other classes
 	    are HS for Hesiod records or CH for Chaosnet records.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Batch mode: <span class="command"><strong>dig</strong></span> reads a list of lookup
 	    requests to process from the
 	    given <em class="parameter"><code>file</code></em>. Each line in the file
 	    should be organized in the same way they would be
 	    presented as queries to
 	    <span class="command"><strong>dig</strong></span> using the command-line interface.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
 	    domain, which is no longer in use. Obsolete bit string
 	    label queries (RFC 2874) are not attempted.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sign queries using TSIG using a key read from the given file.
 	    Key files can be generated using
-	    <span class="citerefentry">
-	      <span class="refentrytitle">tsig-keygen</span>(8)
-	    </span>.
+	    <span class="citerefentry"><span class="refentrytitle">tsig-keygen</span>(8)</span>.
 	    When using TSIG authentication with <span class="command"><strong>dig</strong></span>,
 	    the name server that is queried needs to know the key and
 	    algorithm that is being used. In BIND, this is done by
 	    providing appropriate <span class="command"><strong>key</strong></span>
 	    and <span class="command"><strong>server</strong></span> statements in
 	    <code class="filename">named.conf</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-m</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Enable memory usage debugging.
 	    
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Send the query to a non-standard port on the server,
 	    instead of the default port 53. This option would be used
 	    to test a name server that has been configured to listen
 	    for queries on a non-standard port number.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The domain name to query. This is useful to distinguish
 	    the <em class="parameter"><code>name</code></em> from other arguments.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Do not read options from <code class="filename">${HOME}/.digrc</code>.
 	    This is useful for scripts that need predictable behaviour.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    The resource record type to query. It can be any valid query
 	    type.  If it is a resource record type supported in BIND 9, it
 	    can be given by the type mnemonic (such as "NS" or "AAAA").
@@ -298,28 +213,23 @@
 	    record was
 	    <em class="parameter"><code>N</code></em>.
 	  </p>
-	  <p>
+<p>
 	    All resource record types can be expressed as "TYPEnn", where
 	    "nn" is the number of the type. If the resource record type is
 	    not supported in BIND 9, the result will be displayed as
 	    described in RFC 3597.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-u</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print query times in microseconds instead of milliseconds.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the version number and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Simplified reverse lookups, for mapping addresses to
 	    names. The <em class="parameter"><code>addr</code></em> is an IPv4 address
 	    in dotted-decimal notation, or a colon-delimited IPv6
@@ -334,11 +244,10 @@
 	    addresses are looked up using nibble format under the
 	    IP6.ARPA domain (but see also the <code class="option">-i</code>
 	    option).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sign queries using TSIG with the given authentication key.
 	    <em class="parameter"><code>keyname</code></em> is the name of the key, and
 	    <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
@@ -350,34 +259,28 @@
 	    is not specified, the default is <code class="literal">hmac-md5</code>
 	    or if MD5 was disabled <code class="literal">hmac-sha256</code>.
 	  </p>
-	  <p>
+<p>
 	    NOTE: You should use the <code class="option">-k</code> option and
 	    avoid the <code class="option">-y</code> option, because
 	    with <code class="option">-y</code> the shared secret is supplied as
 	    a command line argument in clear text. This may be visible
 	    in the output from
-	    <span class="citerefentry">
-	      <span class="refentrytitle">ps</span>(1)
-	    </span>
+	    <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
 	    or in a history file maintained by the user's shell.
 	  </p>
-	</dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
-
-
-    <p><span class="command"><strong>dig</strong></span>
+<p><span class="command"><strong>dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
       these set or reset flag bits in the query header, some determine which
       sections of the answer get printed, and others determine the timeout
       and retry strategies.
     </p>
-
-    <p>
+<p>
       Each query option is identified by a keyword preceded by a plus sign
       (<code class="literal">+</code>).  Some keywords set or reset an
       option.  These may be preceded
@@ -393,27 +296,20 @@
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sets the "aa" flag in the query.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the additional section of a
 	      reply.  The default is to display it.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set [do not set] the AD (authentic data) bit in the
 	      query.  This requests the server to return whether
 	      all of the answer and authority sections have all
@@ -423,89 +319,72 @@
 	      from a OPT-OUT range.  AD=0 indicate that some part
 	      of the answer was insecure or not validated.  This
 	      bit is set by default.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set or clear all display flags.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the answer section of a
 	      reply.  The default is to display it.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the authority section of a
 	      reply.  The default is to display it.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]badcookie</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Retry lookup with the new server cookie if a
 	      BADCOOKIE response is received.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Attempt to display the contents of messages which are
 	      malformed.  The default is to not display malformed
 	      answers.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd>
-	    <p>
-	      Set the UDP message buffer size advertised using EDNS0
-	      to <em class="parameter"><code>B</code></em> bytes.  The maximum and
-	      minimum sizes of this buffer are 65535 and 0 respectively.
-	      Values outside this range are rounded up or down
-	      appropriately.  Values other than zero will cause a
-	      EDNS query to be sent.
-	    </p>
-	  </dd>
+<dd><p>
+              This option sets the UDP message buffer size advertised
+              using EDNS0 to <em class="parameter"><code>B</code></em> bytes.  The
+              maximum and minimum sizes of this buffer are 65535
+              and 0, respectively.  <code class="literal">+bufsize=0</code>
+              disables EDNS (use <code class="literal">+bufsize=0 +edns</code>
+              to send a EDNS messages with a advertised size of 0
+              bytes). <code class="literal">+bufsize</code> restores the
+              default buffer size.
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set [do not set] the CD (checking disabled) bit in
 	      the query.  This requests the server to not perform
 	      DNSSEC validation of responses.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the CLASS when printing the
 	      record.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggles the printing of the initial comment in the
 	      output, identifying the version of <span class="command"><strong>dig</strong></span>
 	      and the query options that have been applied.  This option
 	      always has global effect; it cannot be set globally
 	      and then overridden on a per-lookup basis.  The default
 	      is to print this comment.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggles the display of some comment lines in the output,
 	      containing information about the packet header and
 	      OPT pseudosection, and the names of the response
 	      section.  The default is to print these comments.
 	    </p>
-	    <p>
+<p>
 	      Other types of comments in the output are not affected by
 	      this option, but can be controlled using other command
 	      line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
@@ -513,24 +392,23 @@
 	      <span class="command"><strong>+[no]stats</strong></span>, and
 	      <span class="command"><strong>+[no]rrcomments</strong></span>.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Send a COOKIE EDNS option, with optional
 	      value.  Replaying a COOKIE from a previous response will
 	      allow the server to identify a previous client.  The
 	      default is <code class="option">+cookie</code>.
 	    </p>
-	    <p>
+<p>
 	      <span class="command"><strong>+cookie</strong></span> is also set when +trace
 	      is set to better emulate the default queries from a
 	      nameserver.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of cryptographic fields in DNSSEC
 	      records.  The contents of these field are unnecessary
 	      to debug most DNSSEC validation failures and removing
@@ -539,71 +417,55 @@
 	      are replaced by the string "[omitted]" or in the
 	      DNSKEY case the key id is displayed as the replacement,
 	      e.g. "[ key id = value ]".
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]defname</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Deprecated, treated as a synonym for
 	      <em class="parameter"><code>+[no]search</code></em>
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Requests DNSSEC records be sent by setting the DNSSEC
 	      OK bit (DO) in the OPT record in the additional section
 	      of the query.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+domain=somename</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set the search list to contain the single domain
 	      <em class="parameter"><code>somename</code></em>, as if specified in
 	      a <span class="command"><strong>domain</strong></span> directive in
 	      <code class="filename">/etc/resolv.conf</code>, and enable
 	      search list processing as if the
 	      <em class="parameter"><code>+search</code></em> option were given.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+dscp=value</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set the DSCP code point to be used when sending the
 	      query.  Valid DSCP code points are in the range
 	      [0..63].  By default no code point is explicitly set.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	       Specify the EDNS version to query with.  Valid values
 	       are 0 to 255.  Setting the EDNS version will cause
 	       a EDNS query to be sent.  <code class="option">+noedns</code>
 	       clears the remembered EDNS version.  EDNS is set to
 	       0 by default.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set the must-be-zero EDNS flags bits (Z bits) to the
 	      specified value. Decimal, hex and octal encodings are
 	      accepted. Setting a named flag (e.g. DO) will silently be
 	      ignored. By default, no Z bits are set.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsnegotiation</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Enable / disable EDNS version negotiation. By default
 	      EDNS version negotiation is enabled.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specify EDNS option with code point <code class="option">code</code>
 	      and optionally payload of <code class="option">value</code> as a
 	      hexadecimal string.  <code class="option">code</code> can be
@@ -611,104 +473,86 @@
 	      <code class="literal">NSID</code> or <code class="literal">ECS</code>),
 	      or an arbitrary numeric value.  <code class="option">+noednsopt</code>
 	      clears the EDNS options to be sent.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]expire</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Send an EDNS Expire option.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]fail</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Do not try the next server if you receive a SERVFAIL.
 	      The default is to not try the next server which is
 	      the reverse of normal stub resolver behavior.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]header-only</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Send a query with a DNS header without a question section.
 	      The default is to add a question section.  The query type
 	      and query name are ignored when this is set.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]identify</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Show [or do not show] the IP address and port number
 	      that supplied the answer when the
 	      <em class="parameter"><code>+short</code></em> option is enabled.  If
 	      short form answers are requested, the default is not
 	      to show the source address and port number of the
 	      server that provided the answer.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]idnin</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
 	      compile time.
 	    </p>
-	    <p>
+<p>
 	      The default is to process IDN input when standard output
 	      is a tty.  The IDN processing on input is disabled when
 	      dig output is redirected to files, pipes, and other
 	      non-tty file descriptors.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
 	      compile time.
 	    </p>
-	    <p>
+<p>
 	      The default is to process puny code on output when
 	      standard output is a tty.  The puny code processing on
 	      output is disabled when dig output is redirected to
 	      files, pipes, and other non-tty file descriptors.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Ignore truncation in UDP responses instead of retrying
 	      with TCP.  By default, TCP retries are performed.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]keepopen</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Keep the TCP socket open between queries and reuse
 	      it rather than creating a new TCP socket for each
 	      lookup.  The default is <code class="option">+nokeepopen</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]mapped</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Allow mapped IPv4 over IPv6 addresses to be used.  The
 	      default is <code class="option">+mapped</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print records like the SOA records in a verbose
 	      multi-line format with human-readable comments.  The
 	      default is to print each record on a single line, to
 	      facilitate machine parsing of the <span class="command"><strong>dig</strong></span>
 	      output.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+ndots=D</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set the number of dots that have to appear in
 	      <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em>
 	      for it to be considered absolute.  The default value
@@ -720,64 +564,48 @@
 	      or <code class="option">domain</code> directive in
 	      <code class="filename">/etc/resolv.conf</code> if
 	      <code class="option">+search</code> is set.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Include an EDNS name server ID request when sending
 	      a query.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      When this option is set, <span class="command"><strong>dig</strong></span>
 	      attempts to find the authoritative name servers for
 	      the zone containing the name being looked up and
 	      display the SOA record that each name server has for
 	      the zone.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print only one (starting) SOA record when performing
 	      an AXFR. The default is to print both the starting
 	      and ending SOA records.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]opcode=value</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set [restore] the DNS message opcode to the specified
 	      value.  The default value is QUERY (0).
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggles the display of the query message as it is sent.
 	      By default, the query is not printed.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggles the display of the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rdflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      A synonym for <em class="parameter"><code>+[no]recurse</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the setting of the RD (recursion desired) bit
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
@@ -786,69 +614,57 @@
 	      when using <em class="parameter"><code>+trace</code></em> except for
 	      an initial recursive query to get the list of root
 	      servers.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sets the number of times to retry UDP queries to
 	      server to <em class="parameter"><code>T</code></em> instead of the
 	      default, 2.  Unlike <em class="parameter"><code>+tries</code></em>,
 	      this does not include the initial query.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of per-record comments in the
 	      output (for example, human-readable key information
 	      about DNSKEY records).  The default is not to print
 	      record comments unless multiline mode is active.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]search</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Use [do not use] the search list defined by the
 	      searchlist or domain directive in
 	      <code class="filename">resolv.conf</code> (if any).  The search
 	      list is not used by default.
 	    </p>
-	    <p>
+<p>
 	      'ndots' from <code class="filename">resolv.conf</code> (default 1)
 	       which may be overridden by <em class="parameter"><code>+ndots</code></em>
 	      determines if the name will be treated as relative
 	      or not and hence whether a search is eventually
 	      performed or not.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Provide a terse answer.  The default is to print the
 	      answer in a verbose form.  This option always has global
 	      effect; it cannot be set globally and then overridden on
 	      a per-lookup basis.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Perform [do not perform] a search showing intermediate
 	      results.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Chase DNSSEC signature chains. Requires dig be compiled
 	      with -DDIG_SIGCHASE. This feature is deprecated.
 	      Use <span class="command"><strong>delv</strong></span> instead.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+split=W</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Split long hex- or base64-formatted fields in resource
 	      records into chunks of <em class="parameter"><code>W</code></em>
 	      characters (where <em class="parameter"><code>W</code></em> is rounded
@@ -857,23 +673,20 @@
 	      <em class="parameter"><code>+split=0</code></em> causes fields not to
 	      be split at all.  The default is 56 characters, or
 	      44 characters when multiline mode is active.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggles the printing of statistics: when the query was made,
 	      the size of the reply and so on.  The default behavior is to
 	      print the query statistics as a comment after each lookup.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Send (don't send) an EDNS Client Subnet option with the
 	      specified IP address or network prefix.
 	    </p>
-	    <p>
+<p>
               <span class="command"><strong>dig +subnet=0.0.0.0/0</strong></span>, or simply
               <span class="command"><strong>dig +subnet=0</strong></span> for short, sends an EDNS
               CLIENT-SUBNET option with an empty address and a source
@@ -882,20 +695,17 @@
               <span class="emphasis"><em>not</em></span> be used when resolving
               this query.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Use [do not use] TCP when querying name servers. The
 	      default behavior is to use UDP unless a type
 	      <code class="literal">any</code> or <code class="literal">ixfr=N</code>
 	      query is requested, in which case the default is TCP.
 	      AXFR queries always use TCP.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+timeout=T</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 
 	      Sets the timeout for a query to
 	      <em class="parameter"><code>T</code></em> seconds.  The default
@@ -903,19 +713,16 @@
 	      An attempt to set <em class="parameter"><code>T</code></em> to less
 	      than 1 will result
 	      in a query timeout of 1 second being applied.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      When chasing DNSSEC signature chains perform a top-down
 	      validation.  Requires dig be compiled with -DDIG_SIGCHASE.
 	      This feature is deprecated. Use <span class="command"><strong>delv</strong></span> instead.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]trace</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggle tracing of the delegation path from the root
 	      name servers for the name being looked up.  Tracing
 	      is disabled by default.  When tracing is enabled,
@@ -923,91 +730,80 @@
 	      resolve the name being looked up.  It will follow
 	      referrals from the root servers, showing the answer
 	      from each server that was used to resolve the lookup.
-	    </p> <p>
+	    </p>
+<p>
 	      If @server is also specified, it affects only the
 	      initial query for the root zone name servers.
-	    </p> <p>
+	    </p>
+<p>
 	      <span class="command"><strong>+dnssec</strong></span> is also set when +trace
 	      is set to better emulate the default queries from a
 	      nameserver.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sets the number of times to try UDP queries to server
 	      to <em class="parameter"><code>T</code></em> instead of the default,
 	      3.  If <em class="parameter"><code>T</code></em> is less than or equal
 	      to zero, the number of tries is silently rounded up
 	      to 1.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Specifies a file containing trusted keys to be used
 	      with <code class="option">+sigchase</code>.  Each DNSKEY record
 	      must be on its own line.
-	    </p> <p>
+	    </p>
+<p>
 	      If not specified, <span class="command"><strong>dig</strong></span> will look
 	      for <code class="filename">/etc/trusted-key.key</code> then
 	      <code class="filename">trusted-key.key</code> in the current
 	      directory.
-	    </p> <p>
+	    </p>
+<p>
 	      Requires dig be compiled with -DDIG_SIGCHASE.
 	      This feature is deprecated. Use <span class="command"><strong>delv</strong></span> instead.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the TTL when printing the
 	      record.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ttlunits</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the TTL in friendly human-readable
 	      time units of "s", "m", "h", "d", and "w", representing
 	      seconds, minutes, hours, days and weeks.  Implies +ttlid.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print all RDATA in unknown RR type presentation format
 	      (RFC 3597). The default is to print RDATA for known types
 	      in the type's presentation format.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Use [do not use] TCP when querying name servers.  This
 	      alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
 	      is provided for backwards compatibility.  The "vc"
 	      stands for "virtual circuit".
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set [do not set] the last unassigned DNS header flag in a
 	      DNS query.  This flag is off by default.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>MULTIPLE QUERIES</h2>
-
-
-    <p>
+<p>
       The BIND 9 implementation of <span class="command"><strong>dig </strong></span>
       supports
       specifying multiple queries on the command line (in addition to
@@ -1015,8 +811,7 @@
       queries can be supplied with its own set of flags, options and query
       options.
     </p>
-
-    <p>
+<p>
       In this case, each <em class="parameter"><code>query</code></em> argument
       represent an
       individual query in the command-line syntax described above.  Each
@@ -1024,8 +819,7 @@
       looked up, an optional query type and class and any query options that
       should be applied to that query.
     </p>
-
-    <p>
+<p>
       A global set of query options, which should be applied to all queries,
       can also be supplied.  These global query options must precede the
       first tuple of name, class, type, options, flags, and query options
@@ -1052,13 +846,10 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       will not print the initial query when it looks up the NS records for
       <code class="literal">isc.org</code>.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.12"></a><h2>IDN SUPPORT</h2>
-
-    <p>
+<p>
       If <span class="command"><strong>dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
       <span class="command"><strong>dig</strong></span> appropriately converts character encoding of
@@ -1068,43 +859,28 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       parameters <em class="parameter"><code>+noidnin</code></em> and
       <em class="parameter"><code>+noidnout</code></em>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.13"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
+<p><code class="filename">/etc/resolv.conf</code>
     </p>
-    <p><code class="filename">${HOME}/.digrc</code>
+<p><code class="filename">${HOME}/.digrc</code>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.14"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">delv</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">host</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">delv</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.15"></a><h2>BUGS</h2>
-
-    <p>
+<p>
       There are probably too many query options.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dig/dighost.c b/bind/bind9/bin/dig/dighost.c
index 77a17c88..4043aa3b 100644
--- a/bind/bind9/bin/dig/dighost.c
+++ b/bind/bind9/bin/dig/dighost.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -60,6 +60,7 @@
 #include <dns/log.h>
 #include <dns/message.h>
 #include <dns/name.h>
+#include <dns/opcode.h>
 #include <dns/rcode.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
@@ -845,7 +846,7 @@ make_empty_lookup(void) {
 	looknew->rdclass_sigchaseset = false;
 #endif
 #endif
-	looknew->udpsize = 0;
+	looknew->udpsize = -1;
 	looknew->edns = -1;
 	looknew->recurse = true;
 	looknew->aaonly = false;
@@ -1670,22 +1671,23 @@ typedef struct dig_ednsoptname {
 } dig_ednsoptname_t;
 
 dig_ednsoptname_t optnames[] = {
-	{ 1, "LLQ" },		/* draft-sekar-dns-llq */
-	{ 3, "NSID" },		/* RFC 5001 */
-	{ 5, "DAU" },		/* RFC 6975 */
-	{ 6, "DHU" },		/* RFC 6975 */
-	{ 7, "N3U" },		/* RFC 6975 */
-	{ 8, "ECS" },		/* RFC 7871 */
-	{ 9, "EXPIRE" },	/* RFC 7314 */
-	{ 10, "COOKIE" },	/* RFC 7873 */
-	{ 11, "KEEPALIVE" },	/* RFC 7828 */
-	{ 12, "PADDING" },	/* RFC 7830 */
-	{ 12, "PAD" },		/* shorthand */
-	{ 13, "CHAIN" },	/* RFC 7901 */
-	{ 14, "KEY-TAG" },	/* RFC 8145 */
-	{ 16, "CLIENT-TAG" },	/* draft-bellis-dnsop-edns-tags */
-	{ 17, "SERVER-TAG" },	/* draft-bellis-dnsop-edns-tags */
-	{ 26946, "DEVICEID" },	/* Brian Hartvigsen */
+	{ 1, "LLQ" },	       /* draft-sekar-dns-llq */
+	{ 3, "NSID" },	       /* RFC 5001 */
+	{ 5, "DAU" },	       /* RFC 6975 */
+	{ 6, "DHU" },	       /* RFC 6975 */
+	{ 7, "N3U" },	       /* RFC 6975 */
+	{ 8, "ECS" },	       /* RFC 7871 */
+	{ 9, "EXPIRE" },       /* RFC 7314 */
+	{ 10, "COOKIE" },      /* RFC 7873 */
+	{ 11, "KEEPALIVE" },   /* RFC 7828 */
+	{ 12, "PADDING" },     /* RFC 7830 */
+	{ 12, "PAD" },	       /* shorthand */
+	{ 13, "CHAIN" },       /* RFC 7901 */
+	{ 14, "KEY-TAG" },     /* RFC 8145 */
+	{ 15, "EDE" },	       /* ietf-dnsop-extended-error-16 */
+	{ 16, "CLIENT-TAG" },  /* draft-bellis-dnsop-edns-tags */
+	{ 17, "SERVER-TAG" },  /* draft-bellis-dnsop-edns-tags */
+	{ 26946, "DEVICEID" }, /* Brian Hartvigsen */
 };
 
 #define N_EDNS_OPTNAMES  (sizeof(optnames) / sizeof(optnames[0]))
@@ -1905,7 +1907,7 @@ destroy_lookup(dig_lookup_t *lookup) {
 		isc_mem_free(mctx, ptr);
 	}
 	if (lookup->sendmsg != NULL)
-		dns_message_destroy(&lookup->sendmsg);
+		dns_message_detach(&lookup->sendmsg);
 	if (lookup->querysig != NULL) {
 		debug("freeing buffer %p", lookup->querysig);
 		isc_buffer_free(&lookup->querysig);
@@ -2639,10 +2641,12 @@ setup_lookup(dig_lookup_t *lookup) {
 		unsigned int flags;
 		unsigned int i = 0;
 
-		if (lookup->udpsize == 0)
-			lookup->udpsize = 4096;
-		if (lookup->edns < 0)
-			lookup->edns = 0;
+		if (lookup->udpsize < 0) {
+			lookup->udpsize = DEFAULT_EDNS_BUFSIZE;
+		}
+		if (lookup->edns < 0) {
+			lookup->edns = DEFAULT_EDNS_VERSION;
+		}
 
 		if (lookup->nsid) {
 			INSIST(i < MAXOPTS);
@@ -4009,7 +4013,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		printf(";; Got bad packet: %s\n", isc_result_totext(result));
 		hex_dump(b);
 		query->waiting_connect = false;
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 		isc_event_free(&event);
 		clear_query(query);
 		cancel_lookup(l);
@@ -4017,6 +4021,33 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}
+	if (msg->opcode != l->opcode) {
+		isc_buffer_t bb;
+		char expect[20] = { 0 }, got[20] = { 0 };
+
+		isc_buffer_init(&bb, &expect, sizeof(expect));
+		result = dns_opcode_totext(l->opcode, &bb);
+		check_result(result, "dns_opcode_totext");
+
+		isc_buffer_init(&bb, &got, sizeof(got));
+		result = dns_opcode_totext(msg->opcode, &bb);
+		check_result(result, "dns_opcode_totext");
+
+		printf(";; Warning: Opcode mismatch: expected %s, got %s",
+		       expect, got);
+
+		dns_message_detach(&msg);
+		if (l->tcp_mode) {
+			isc_event_free(&event);
+			clear_query(query);
+			cancel_lookup(l);
+			check_next_lookup(l);
+			UNLOCK_LOOKUP;
+			return;
+		} else {
+			goto udp_mismatch;
+		}
+	}
 	if (msg->counts[DNS_SECTION_QUESTION] != 0) {
 		match = true;
 		for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
@@ -4052,7 +4083,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			}
 		}
 		if (!match) {
-			dns_message_destroy(&msg);
+			dns_message_detach(&msg);
 			if (l->tcp_mode) {
 				isc_event_free(&event);
 				clear_query(query);
@@ -4076,7 +4107,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		n = requeue_lookup(l, true);
 		if (l->trace && l->trace_root)
 			n->rdtype = l->qrdtype;
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 		isc_event_free(&event);
 		clear_query(query);
 		cancel_lookup(l);
@@ -4094,7 +4125,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		n->tcp_mode = true;
 		if (l->trace && l->trace_root)
 			n->rdtype = l->qrdtype;
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 		isc_event_free(&event);
 		clear_query(query);
 		cancel_lookup(l);
@@ -4115,7 +4146,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			n->seenbadcookie = true;
 			if (l->trace && l->trace_root)
 				n->rdtype = l->qrdtype;
-			dns_message_destroy(&msg);
+			dns_message_detach(&msg);
 			isc_event_free(&event);
 			clear_query(query);
 			cancel_lookup(l);
@@ -4154,7 +4185,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 				       query->servname);
 			clear_query(query);
 			check_next_lookup(l);
-			dns_message_destroy(&msg);
+			dns_message_detach(&msg);
 			isc_event_free(&event);
 			UNLOCK_LOOKUP;
 			return;
@@ -4329,7 +4360,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		debug("still pending.");
 	if (l->doing_xfr) {
 		if (query != l->xfr_q) {
-			dns_message_destroy(&msg);
+			dns_message_detach(&msg);
 			isc_event_free(&event);
 			query->waiting_connect = false;
 			UNLOCK_LOOKUP;
@@ -4338,7 +4369,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		if (!docancel)
 			docancel = check_for_more_data(query, msg, sevent);
 		if (docancel) {
-			dns_message_destroy(&msg);
+			dns_message_detach(&msg);
 			clear_query(query);
 			cancel_lookup(l);
 			check_next_lookup(l);
@@ -4360,7 +4391,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 #ifdef DIG_SIGCHASE
 			if (!do_sigchase)
 #endif
-				dns_message_destroy(&msg);
+				dns_message_detach(&msg);
 
 			cancel_lookup(l);
 		}
@@ -4373,7 +4404,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			msg = NULL;
 		else
 #endif
-			dns_message_destroy(&msg);
+			dns_message_detach(&msg);
 	}
 	isc_event_free(&event);
 	UNLOCK_LOOKUP;
@@ -4627,7 +4658,7 @@ destroy_libs(void) {
 
 	while (chase_msg != NULL) {
 		INSIST(chase_msg->msg != NULL);
-		dns_message_destroy(&(chase_msg->msg));
+		dns_message_detach(&(chase_msg->msg));
 		ptr = chase_msg;
 		chase_msg = ISC_LIST_NEXT(chase_msg, link);
 		isc_mem_free(mctx, ptr);
@@ -4637,7 +4668,7 @@ destroy_libs(void) {
 
 	while (chase_msg != NULL) {
 		INSIST(chase_msg->msg != NULL);
-		dns_message_destroy(&(chase_msg->msg));
+		dns_message_detach(&(chase_msg->msg));
 		ptr = chase_msg;
 		chase_msg = ISC_LIST_NEXT(chase_msg, link);
 		isc_mem_free(mctx, ptr);
diff --git a/bind/bind9/bin/dig/host.1 b/bind/bind9/bin/dig/host.1
index 3eac4fbb..ec5317cb 100644
--- a/bind/bind9/bin/dig/host.1
+++ b/bind/bind9/bin/dig/host.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: host
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2009-01-20
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -39,7 +39,7 @@
 host \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP \w'\fBhost\fR\ 'u
-\fBhost\fR [\fB\-aCdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
+\fBhost\fR [\fB\-aCdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
 .SH "DESCRIPTION"
 .PP
 \fBhost\fR
@@ -134,6 +134,11 @@ directive in
 /etc/resolv\&.conf\&.
 .RE
 .PP
+\-p \fIport\fR
+.RS 4
+Specify the port on the server to query\&. The default is 53\&.
+.RE
+.PP
 \-r
 .RS 4
 Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve
@@ -265,5 +270,5 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dig/host.c b/bind/bind9/bin/dig/host.c
index e10d1278..fe4d979e 100644
--- a/bind/bind9/bin/dig/host.c
+++ b/bind/bind9/bin/dig/host.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -153,6 +153,7 @@ show_usage(void) {
 "       -l lists all hosts in a domain, using AXFR\n"
 "       -m set memory debugging flag (trace|record|usage)\n"
 "       -N changes the number of dots allowed before root lookup is done\n"
+"       -p specifies the port on the server to query\n"
 "       -r disables recursive processing\n"
 "       -R specifies number of retries for UDP packets\n"
 "       -s a SERVFAIL response should stop query\n"
@@ -598,7 +599,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
 	return (result);
 }
 
-static const char * optstring = "46ac:dilnm:rst:vVwCDN:R:TUW:";
+static const char * optstring = "46ac:dilnm:p:rst:vVwCDN:R:TUW:";
 
 /*% version */
 static void
@@ -647,6 +648,7 @@ pre_parse_args(int argc, char **argv) {
 		case 'l': break;
 		case 'n': break;
 		case 'N': break;
+		case 'p': break;
 		case 'r': break;
 		case 'R': break;
 		case 's': break;
@@ -685,6 +687,7 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 	lookup = make_empty_lookup();
 
 	lookup->servfail_stops = false;
+	lookup->besteffort = false;
 	lookup->comments = false;
 	short_form = !verbose;
 
@@ -845,6 +848,9 @@ parse_args(bool is_batchfile, int argc, char **argv) {
 		case 's':
 			lookup->servfail_stops = true;
 			break;
+		case 'p':
+			port = atoi(isc_commandline_argument);
+			break;
 		}
 	}
 
diff --git a/bind/bind9/bin/dig/host.docbook b/bind/bind9/bin/dig/host.docbook
index 801dfa3d..9fee5ac8 100644
--- a/bind/bind9/bin/dig/host.docbook
+++ b/bind/bind9/bin/dig/host.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
   <info>
     <date>2009-01-20</date>
   </info>
@@ -49,6 +49,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -59,6 +60,7 @@
       <arg choice="opt" rep="norepeat"><option>-aCdlnrsTUwv</option></arg>
       <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="port">port</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">number</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
@@ -216,6 +218,15 @@
       </varlistentry>
 
       <varlistentry>
+	<term>-p <replaceable class="parameter">port</replaceable></term>
+	<listitem>
+	  <para>
+	    Specify the port on the server to query.  The default is 53.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
 	<term>-r</term>
 	<listitem>
 	  <para>
diff --git a/bind/bind9/bin/dig/host.html b/bind/bind9/bin/dig/host.html
index 22081efe..d3a22f7a 100644
--- a/bind/bind9/bin/dig/host.html
+++ b/bind/bind9/bin/dig/host.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,60 +10,28 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.host"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    host
-     &#8212; DNS lookup utility
-  </p>
+<p>host &#8212; DNS lookup utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">host</code> 
-       [<code class="option">-aCdlnrsTUwv</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-v</code>]
-       [<code class="option">-V</code>]
-       {name}
-       [server]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTUwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><span class="command"><strong>host</strong></span>
+<p><span class="command"><strong>host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
       When no arguments or options are given,
       <span class="command"><strong>host</strong></span>
       prints a short summary of its command line arguments and options.
     </p>
-
-    <p><em class="parameter"><code>name</code></em> is the domain name that is to be
+<p><em class="parameter"><code>name</code></em> is the domain name that is to be
       looked
       up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
       IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
@@ -75,86 +43,68 @@
       should query instead of the server or servers listed in
       <code class="filename">/etc/resolv.conf</code>.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-4</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use IPv4 only for query transport.
 	    See also the <code class="option">-6</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use IPv6 only for query transport.
 	    See also the <code class="option">-4</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-a</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    "All". The <code class="option">-a</code> option is normally equivalent
 	    to <code class="option">-v -t <code class="literal">ANY</code></code>.
 	    It also affects the behaviour of the <code class="option">-l</code>
 	    list zone option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Query class: This can be used to lookup HS (Hesiod) or CH
 	    (Chaosnet) class resource records. The default class is IN
 	    (Internet).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Check consistency: <span class="command"><strong>host</strong></span> will query the
 	    SOA records for zone <em class="parameter"><code>name</code></em> from all
 	    the listed authoritative name servers for that zone. The
 	    list of name servers is defined by the NS records that are
 	    found for the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-d</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print debugging traces.
 	    Equivalent to the <code class="option">-v</code> verbose option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Obsolete.
 	    Use the IP6.INT domain for reverse lookups of IPv6
 	    addresses as defined in RFC1886 and deprecated in RFC4159.
 	    The default is to use IP6.ARPA as specified in RFC3596.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-l</span></dt>
 <dd>
-	  <p>
+<p>
 	    List zone:
 	    The <span class="command"><strong>host</strong></span> command performs a zone transfer of
 	    zone <em class="parameter"><code>name</code></em> and prints out the NS,
 	    PTR and address records (A/AAAA).
 	  </p>
-	  <p>
+<p>
 	    Together, the <code class="option">-l -a</code>
 	    options print all records in the zone.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The number of dots that have to be
 	    in <em class="parameter"><code>name</code></em> for it to be considered
 	    absolute. The default value is that defined using the
@@ -164,11 +114,13 @@
 	    searched for in the domains listed in
 	    the <span class="type">search</span> or <span class="type">domain</span> directive
 	    in <code class="filename">/etc/resolv.conf</code>.
-	  </p>
-	</dd>
+	  </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+	    Specify the port on the server to query.  The default is 53.
+	  </p></dd>
 <dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Non-recursive query:
 	    Setting this option clears the RD (recursion desired) bit
 	    in the query. This should mean that the name server
@@ -179,35 +131,30 @@
 	    name server by making non-recursive queries and expecting
 	    to receive answers to those queries that can be
 	    referrals to other name servers.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Number of retries for UDP queries:
 	    If <em class="parameter"><code>number</code></em> is negative or zero, the
 	    number of retries will default to 1. The default value is
 	    1, or the value of the <em class="parameter"><code>attempts</code></em>
 	    option in <code class="filename">/etc/resolv.conf</code>, if set.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Do <span class="emphasis"><em>not</em></span> send the query to the next
 	    nameserver if any server responds with a SERVFAIL
 	    response, which is the reverse of normal stub resolver
 	    behavior.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Query type:
 	    The <em class="parameter"><code>type</code></em> argument can be any
 	    recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
 	  </p>
-	  <p>
+<p>
 	    When no query type is specified, <span class="command"><strong>host</strong></span>
 	    automatically selects an appropriate query type. By default, it
 	    looks for A, AAAA, and MX records.
@@ -218,18 +165,17 @@
 	    address, <span class="command"><strong>host</strong></span> will query for PTR
 	    records.
 	  </p>
-	  <p>
+<p>
 	    If a query type of IXFR is chosen the starting serial
 	    number can be specified by appending an equal followed by
 	    the starting serial number
 	    (like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
 	  </p>
-	</dd>
+</dd>
 <dt>
 <span class="term">-T, </span><span class="term">-U</span>
 </dt>
-<dd>
-	  <p>
+<dd><p>
 	    TCP/UDP:
 	    By default, <span class="command"><strong>host</strong></span> uses UDP when making
 	    queries. The <code class="option">-T</code> option makes it use a TCP
@@ -237,67 +183,55 @@
 	    automatically selected for queries that require it, such
 	    as zone transfer (AXFR) requests.  Type ANY queries default
 	    to TCP but can be forced to UDP initially using <code class="option">-U</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Memory usage debugging: the flag can
 	    be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
 	    or <em class="parameter"><code>trace</code></em>. You can specify
 	    the <code class="option">-m</code> option more than once to set
 	    multiple flags.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Verbose output.
 	    Equivalent to the <code class="option">-d</code> debug option.
 	    Verbose output can also be enabled by setting
 	    the <em class="parameter"><code>debug</code></em> option
 	    in <code class="filename">/etc/resolv.conf</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the version number and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-w</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Wait forever: The query timeout is set to the maximum possible.
 	    See also the <code class="option">-W</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
 	    seconds for a reply. If <em class="parameter"><code>wait</code></em> is
 	    less than one, the wait interval is set to one second.
 	  </p>
-	  <p>
+<p>
 	    By default, <span class="command"><strong>host</strong></span> will wait for 5
 	    seconds for UDP responses and 10 seconds for TCP
 	    connections. These defaults can be overridden by
 	    the <em class="parameter"><code>timeout</code></em> option
 	    in <code class="filename">/etc/resolv.conf</code>.
 	  </p>
-	  <p>
+<p>
 	    See also the <code class="option">-w</code> option.
 	  </p>
-	</dd>
+</dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>IDN SUPPORT</h2>
-
-    <p>
+<p>
       If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
       <span class="command"><strong>host</strong></span> appropriately converts character encoding of
@@ -308,26 +242,17 @@
       The IDN support is disabled if the variable is set when
       <span class="command"><strong>host</strong></span> runs.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
+<p><code class="filename">/etc/resolv.conf</code>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>.
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dig/include/dig/dig.h b/bind/bind9/bin/dig/include/dig/dig.h
index cc37c55d..7f81c958 100644
--- a/bind/bind9/bin/dig/include/dig/dig.h
+++ b/bind/bind9/bin/dig/include/dig/dig.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -63,6 +63,10 @@
 #define SERVER_TIMEOUT 1
 
 #define LOOKUP_LIMIT 64
+
+#define DEFAULT_EDNS_VERSION 0
+#define DEFAULT_EDNS_BUFSIZE 4096
+
 /*%
  * Lookup_limit is just a limiter, keeping too many lookups from being
  * created.  It's job is mainly to prevent the program from running away
@@ -180,7 +184,7 @@ bool	sigchase;
 	dig_query_t *xfr_q;
 	uint32_t retries;
 	int nsfound;
-	uint16_t udpsize;
+	int16_t udpsize;
 	int16_t edns;
 	uint32_t ixfr_serial;
 	isc_buffer_t rdatabuf;
diff --git a/bind/bind9/bin/dig/nslookup.1 b/bind/bind9/bin/dig/nslookup.1
index 752d52d9..cc0d711b 100644
--- a/bind/bind9/bin/dig/nslookup.1
+++ b/bind/bind9/bin/dig/nslookup.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: nslookup
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-24
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -85,6 +85,7 @@ nslookup \-query=hinfo  \-timeout=10
 .if n \{\
 .RE
 .\}
+.sp
 .PP
 The
 \fB\-version\fR
@@ -233,7 +234,10 @@ Change the default TCP/UDP name server port to
 .RS 4
 Change the type of the information query\&.
 .sp
-(Default = A; abbreviations = q, ty)
+(Default = A and then AAAA; abbreviations = q, ty)
+.sp
+\fBNote:\fR
+It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
 .RE
 .PP
 \fB\fI[no]\fR\fR\fBrecurse\fR
@@ -301,5 +305,5 @@ runs or when the standard output is not a tty\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dig/nslookup.c b/bind/bind9/bin/dig/nslookup.c
index ba3f70ed..c3528317 100644
--- a/bind/bind9/bin/dig/nslookup.c
+++ b/bind/bind9/bin/dig/nslookup.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -48,6 +48,11 @@
 #elif defined(HAVE_EDITLINE_READLINE_H)
 #include <editline/readline.h>
 #elif defined(HAVE_READLINE_READLINE_H)
+/* Prevent deprecated functions being declared. */
+#define _FUNCTION_DEF 1
+/* Ensure rl_message() gets prototype. */
+#define USE_VARARGS   1
+#define PREFER_STDARG 1
 #include <readline/readline.h>
 #if defined (HAVE_READLINE_HISTORY_H)
 #include <readline/history.h>
@@ -803,7 +808,6 @@ addlookup(char *opt) {
 	lookup->recurse = recurse;
 	lookup->aaonly = aaonly;
 	lookup->retries = tries;
-	lookup->udpsize = 0;
 	lookup->comments = comments;
 	if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set)
 		lookup->tcp_mode = true;
@@ -815,8 +819,10 @@ addlookup(char *opt) {
 	lookup->section_authority = section_authority;
 	lookup->section_additional = section_additional;
 	lookup->new_search = true;
-	if (nofail)
+	lookup->besteffort = false;
+	if (nofail) {
 		lookup->servfail_stops = false;
+	}
 	ISC_LIST_INIT(lookup->q);
 	ISC_LINK_INIT(lookup, link);
 	ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -977,7 +983,7 @@ flush_lookup_list(void) {
 
 		}
 		if (l->sendmsg != NULL)
-			dns_message_destroy(&l->sendmsg);
+			dns_message_detach(&l->sendmsg);
 		lp = l;
 		l = ISC_LIST_NEXT(l, link);
 		ISC_LIST_DEQUEUE(lookup_list, lp, link);
diff --git a/bind/bind9/bin/dig/nslookup.docbook b/bind/bind9/bin/dig/nslookup.docbook
index d08f977a..07b7e0e0 100644
--- a/bind/bind9/bin/dig/nslookup.docbook
+++ b/bind/bind9/bin/dig/nslookup.docbook
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -38,7 +38,7 @@
  - SUCH DAMAGE.
 -->
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
   <info>
     <date>2014-01-24</date>
   </info>
@@ -73,6 +73,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -308,7 +309,7 @@ nslookup -query=hinfo  -timeout=10
                     The class specifies the protocol group of the information.
 
                   </para>
-		  <para>
+                  <para>
                     (Default = IN; abbreviation = cl)
                   </para>
                 </listitem>
@@ -318,10 +319,10 @@ nslookup -query=hinfo  -timeout=10
                 <term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
                 <listitem>
                   <para>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
+                    Turn on or off the display of the full response packet and
+                    any intermediate response packets when searching.
                   </para>
-		  <para>
+                  <para>
                     (Default = nodebug; abbreviation = <optional>no</optional>deb)
                   </para>
                 </listitem>
@@ -332,9 +333,9 @@ nslookup -query=hinfo  -timeout=10
                 <listitem>
                   <para>
                     Turn debugging mode on or off.  This displays more about
-	            what nslookup is doing.
+                    what nslookup is doing.
                   </para>
-		  <para>
+                  <para>
                     (Default = nod2)
                   </para>
                 </listitem>
@@ -358,7 +359,7 @@ nslookup -query=hinfo  -timeout=10
                     names in the domain search list to the request until an
                     answer is received.
                   </para>
-		  <para>
+                  <para>
                     (Default = search)
                   </para>
                 </listitem>
@@ -370,7 +371,7 @@ nslookup -query=hinfo  -timeout=10
                   <para>
                     Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
                   </para>
-		  <para>
+                  <para>
                     (Default = 53; abbreviation = po)
                   </para>
                 </listitem>
@@ -389,9 +390,15 @@ nslookup -query=hinfo  -timeout=10
                   <para>
                     Change the type of the information query.
                   </para>
-		  <para>
-                    (Default = A; abbreviations = q, ty)
+                  <para>
+                    (Default = A and then AAAA; abbreviations = q, ty)
                   </para>
+                    <para>
+                      <emphasis role="bold">Note:</emphasis> It is
+                      only possible to specify one query type, only
+                      the default behavior looks up both when an
+                      alternative is not specified.
+                    </para>
                 </listitem>
               </varlistentry>
 
@@ -403,7 +410,7 @@ nslookup -query=hinfo  -timeout=10
                     have the
                     information.
                   </para>
-		  <para>
+                  <para>
                     (Default = recurse; abbreviation = [no]rec)
                   </para>
                 </listitem>
@@ -413,9 +420,9 @@ nslookup -query=hinfo  -timeout=10
                 <term><constant>ndots=</constant><replaceable>number</replaceable></term>
                 <listitem>
                   <para>
-		    Set the number of dots (label separators) in a domain
-		    that will disable searching.  Absolute names always
-		    stop searching.
+                    Set the number of dots (label separators) in a domain
+                    that will disable searching.  Absolute names always
+                    stop searching.
                   </para>
                 </listitem>
               </varlistentry>
@@ -446,7 +453,7 @@ nslookup -query=hinfo  -timeout=10
                     Always use a virtual circuit when sending requests to the
                     server.
                   </para>
-		  <para>
+                  <para>
                     (Default = novc)
                   </para>
                 </listitem>
@@ -456,15 +463,15 @@ nslookup -query=hinfo  -timeout=10
                 <term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
                 <listitem>
                   <para>
-		    Try the next nameserver if a nameserver responds with
-		    SERVFAIL or a referral (nofail) or terminate query
-		    (fail) on such a response.
-		  </para>
-		  <para>
+                    Try the next nameserver if a nameserver responds with
+                    SERVFAIL or a referral (nofail) or terminate query
+                    (fail) on such a response.
+                  </para>
+                  <para>
                     (Default = nofail)
                   </para>
-	        </listitem>
-	      </varlistentry>
+                </listitem>
+              </varlistentry>
 
             </variablelist>
           </para>
diff --git a/bind/bind9/bin/dig/nslookup.html b/bind/bind9/bin/dig/nslookup.html
index dc8c5c23..64001840 100644
--- a/bind/bind9/bin/dig/nslookup.html
+++ b/bind/bind9/bin/dig/nslookup.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,39 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.nslookup"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    nslookup
-     &#8212; query Internet name servers interactively
-  </p>
+<p>nslookup &#8212; query Internet name servers interactively</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">nslookup</code> 
-       [<code class="option">-option</code>]
-       [name | -]
-       [server]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [<code class="option">-option</code>] [name | -] [server]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>Nslookup</strong></span>
+<p><span class="command"><strong>Nslookup</strong></span>
       is a program to query Internet domain name servers.  <span class="command"><strong>Nslookup</strong></span>
       has two modes: interactive and non-interactive.  Interactive mode allows
       the user to query name servers for information about various hosts and
@@ -51,37 +33,29 @@
       used to print just the name and requested information for a host or
       domain.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <p>
+<p>
       Interactive mode is entered in the following cases:
       </p>
 <div class="orderedlist"><ol class="orderedlist" type="a">
-<li class="listitem">
-          <p>
+<li class="listitem"><p>
             when no arguments are given (the default name server will be used)
-          </p>
-        </li>
-<li class="listitem">
-          <p>
+          </p></li>
+<li class="listitem"><p>
             when the first argument is a hyphen (-) and the second argument is
             the host name or Internet address of a name server.
-          </p>
-        </li>
+          </p></li>
 </ol></div>
 <p>
     </p>
-
-    <p>
+<p>
       Non-interactive mode is used when the name or Internet address of the
       host to be looked up is given as the first argument. The optional second
       argument specifies the host name or address of a name server.
     </p>
-
-    <p>
+<p>
       Options can also be specified on the command line if they precede the
       arguments and are prefixed with a hyphen.  For example, to
       change the default query type to host information, and the initial
@@ -94,277 +68,238 @@ nslookup -query=hinfo  -timeout=10
 <p>
       
     </p>
-    <p>
+<p>
       The <code class="option">-version</code> option causes
       <span class="command"><strong>nslookup</strong></span> to print the version
       number and immediately exits.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>INTERACTIVE COMMANDS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
 <dd>
-          <p>
+<p>
             Look up information for host using the current default server or
             using server, if specified.  If host is an Internet address and
             the query type is A or PTR, the name of the host is returned.
             If host is a name and does not have a trailing period, the
             search list is used to qualify the name.
           </p>
-
-          <p>
+<p>
             To look up a host not in the current domain, append a period to
             the name.
           </p>
-        </dd>
+</dd>
 <dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p></p>
-        </dd>
+<dd><p></p></dd>
 <dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
             server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
             the current default server.  If an authoritative answer can't be
             found, the names of servers that might have the answer are
             returned.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">root</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">view</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">help</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">?</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             Exits the program.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">set</code>
           <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
 <dd>
-          <p>
+<p>
             This command is used to change state information that affects
             the lookups.  Valid keywords are:
             </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">all</code></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     Prints the current values of the frequently used
                     options to <span class="command"><strong>set</strong></span>.
                     Information about the  current default
                     server and host is also printed.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-                  <p>
+<p>
                     Change the query class to one of:
                     </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd>
-                          <p>
+<dd><p>
                             the Internet class
-                          </p>
-                        </dd>
+                          </p></dd>
 <dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd>
-                          <p>
+<dd><p>
                             the Chaos class
-                          </p>
-                        </dd>
+                          </p></dd>
 <dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd>
-                          <p>
+<dd><p>
                             the Hesiod class
-                          </p>
-                        </dd>
+                          </p></dd>
 <dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd>
-                          <p>
+<dd><p>
                             wildcard
-                          </p>
-                        </dd>
+                          </p></dd>
 </dl></div>
 <p>
                     The class specifies the protocol group of the information.
 
                   </p>
-		  <p>
+<p>
                     (Default = IN; abbreviation = cl)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
 <dd>
-                  <p>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
+<p>
+                    Turn on or off the display of the full response packet and
+                    any intermediate response packets when searching.
                   </p>
-		  <p>
+<p>
                     (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
 <dd>
-                  <p>
+<p>
                     Turn debugging mode on or off.  This displays more about
-	            what nslookup is doing.
+                    what nslookup is doing.
                   </p>
-		  <p>
+<p>
                     (Default = nod2)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     Sets the search list to <em class="replaceable"><code>name</code></em>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
 <dd>
-                  <p>
+<p>
                     If the lookup request contains at least one period but
                     doesn't end with a trailing period, append the domain
                     names in the domain search list to the request until an
                     answer is received.
                   </p>
-		  <p>
+<p>
                     (Default = search)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-                  <p>
+<p>
                     Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
                   </p>
-		  <p>
+<p>
                     (Default = 53; abbreviation = po)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-                  <p></p>
-                </dd>
+<dd><p></p></dd>
 <dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-                  <p>
+<p>
                     Change the type of the information query.
                   </p>
-		  <p>
-                    (Default = A; abbreviations = q, ty)
+<p>
+                    (Default = A and then AAAA; abbreviations = q, ty)
                   </p>
-                </dd>
+<p>
+                      <span class="bold"><strong>Note:</strong></span> It is
+                      only possible to specify one query type, only
+                      the default behavior looks up both when an
+                      alternative is not specified.
+                    </p>
+</dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
 <dd>
-                  <p>
+<p>
                     Tell the name server to query other servers if it does not
                     have the
                     information.
                   </p>
-		  <p>
+<p>
                     (Default = recurse; abbreviation = [no]rec)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
-		    Set the number of dots (label separators) in a domain
-		    that will disable searching.  Absolute names always
-		    stop searching.
-                  </p>
-                </dd>
+<dd><p>
+                    Set the number of dots (label separators) in a domain
+                    that will disable searching.  Absolute names always
+                    stop searching.
+                  </p></dd>
 <dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     Set the number of retries to number.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     Change the initial timeout interval for waiting for a
                     reply to number seconds.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
 <dd>
-                  <p>
+<p>
                     Always use a virtual circuit when sending requests to the
                     server.
                   </p>
-		  <p>
+<p>
                     (Default = novc)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
 <dd>
-                  <p>
-		    Try the next nameserver if a nameserver responds with
-		    SERVFAIL or a referral (nofail) or terminate query
-		    (fail) on such a response.
-		  </p>
-		  <p>
+<p>
+                    Try the next nameserver if a nameserver responds with
+                    SERVFAIL or a referral (nofail) or terminate query
+                    (fail) on such a response.
+                  </p>
+<p>
                     (Default = nofail)
                   </p>
-	        </dd>
+</dd>
 </dl></div>
 <p>
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>RETURN VALUES</h2>
-    <p>
+<p>
       <span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
       if any query failed, and 0 otherwise.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>IDN SUPPORT</h2>
-
-    <p>
+<p>
       If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
       <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
@@ -376,28 +311,18 @@ nslookup -query=hinfo  -timeout=10
       <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
       a tty.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.12"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
+<p><code class="filename">/etc/resolv.conf</code>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.13"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">host</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>.
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dig/win32/dig.vcxproj.in b/bind/bind9/bin/dig/win32/dig.vcxproj.in
index 3810dab2..d83d7e40 100644
--- a/bind/bind9/bin/dig/win32/dig.vcxproj.in
+++ b/bind/bind9/bin/dig/win32/dig.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dig/win32/dighost.vcxproj.in b/bind/bind9/bin/dig/win32/dighost.vcxproj.in
index 5a7df33e..472898c7 100644
--- a/bind/bind9/bin/dig/win32/dighost.vcxproj.in
+++ b/bind/bind9/bin/dig/win32/dighost.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -74,7 +77,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dig/win32/host.vcxproj.in b/bind/bind9/bin/dig/win32/host.vcxproj.in
index 3fc88840..0e4fc85d 100644
--- a/bind/bind9/bin/dig/win32/host.vcxproj.in
+++ b/bind/bind9/bin/dig/win32/host.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dig/win32/nslookup.vcxproj.in b/bind/bind9/bin/dig/win32/nslookup.vcxproj.in
index 6d841b00..84f13a49 100644
--- a/bind/bind9/bin/dig/win32/nslookup.vcxproj.in
+++ b/bind/bind9/bin/dig/win32/nslookup.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/Makefile.in b/bind/bind9/bin/dnssec/Makefile.in
index d9380542..81b3f9a1 100644
--- a/bind/bind9/bin/dnssec/Makefile.in
+++ b/bind/bind9/bin/dnssec/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/dnssec/dnssec-dsfromkey.8 b/bind/bind9/bin/dnssec/dnssec-dsfromkey.8
index 3a4b388f..c803f4d0 100644
--- a/bind/bind9/bin/dnssec/dnssec-dsfromkey.8
+++ b/bind/bind9/bin/dnssec/dnssec-dsfromkey.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-dsfromkey
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2012-05-02
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -77,7 +77,8 @@ option,
 reads a
 keyset\-
 file, as generated by
-\fBdnssec\-keygen\fR\fB\-C\fR\&.
+\fBdnssec\-keygen\fR
+\fB\-C\fR\&.
 .SH "OPTIONS"
 .PP
 \-1
@@ -237,5 +238,5 @@ RFC 7344
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dnssec/dnssec-dsfromkey.c b/bind/bind9/bin/dnssec/dnssec-dsfromkey.c
index d9d6bb9d..4420f2dc 100644
--- a/bind/bind9/bin/dnssec/dnssec-dsfromkey.c
+++ b/bind/bind9/bin/dnssec/dnssec-dsfromkey.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/dnssec/dnssec-dsfromkey.docbook b/bind/bind9/bin/dnssec/dnssec-dsfromkey.docbook
index c81594be..d9d082f2 100644
--- a/bind/bind9/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bind/bind9/bin/dnssec/dnssec-dsfromkey.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
   <info>
     <date>2012-05-02</date>
   </info>
@@ -43,6 +43,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/dnssec/dnssec-dsfromkey.html b/bind/bind9/bin/dnssec/dnssec-dsfromkey.html
index a68a67f0..fc0f4a07 100644
--- a/bind/bind9/bin/dnssec/dnssec-dsfromkey.html
+++ b/bind/bind9/bin/dnssec/dnssec-dsfromkey.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,301 +10,189 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-dsfromkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-dsfromkey</span>
-     &#8212; DNSSEC DS RR generation tool
-  </p>
+<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       {keyfile}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-A</code>]
-       {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
-       [dnsname]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       {-s}
-       {dnsname}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-h</code> 
-	 |   <code class="option">-V</code> 
-      ]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [ <code class="option">-1</code>  |   <code class="option">-2</code>  |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code>  |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [ <code class="option">-1</code>  |   <code class="option">-2</code>  |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code>  |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-A</code>] {<code class="option">-f <em class="replaceable"><code>file</code></em></code>} [dnsname]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [ <code class="option">-1</code>  |   <code class="option">-2</code>  |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code>  |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] {-s} {dnsname}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [ <code class="option">-h</code>  |   <code class="option">-V</code> ]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
       Signer) resource records (RRs) and other similarly-constructed RRs:
       with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
       Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
       DS) RRs.
     </p>
-
-    <p>
+<p>
       The input keys can be specified in a number of ways:
     </p>
-
-    <p>
+<p>
       By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
       named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
       by <span class="command"><strong>dnssec-keygen</strong></span>.
     </p>
-
-    <p>
+<p>
       With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
       option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
       or partial zone file (which can contain just the DNSKEY records).
     </p>
-
-    <p>
+<p>
       With the <code class="option">-s</code>
       option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
       a <code class="filename">keyset-</code> file, as generated
       by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-1</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    An abbreviation for <code class="option">-a SHA1</code>
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-2</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    An abbreviation for <code class="option">-a SHA-256</code>
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specify a digest algorithm to use when converting DNSKEY
 	    records to DS records. This option can be repeated, so
 	    that multiple DS records are created for each DNSKEY
 	    record.
           </p>
-          <p>
+<p>
 	    The <em class="replaceable"><code>algorithm</code></em> must be one of
 	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
 	    and the hyphen may be omitted.  If no algorithm is specified,
 	    the default is to use both SHA-1 and SHA-256.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-A</span></dt>
-<dd>
-          <p>
+<dd><p>
             Include ZSKs when generating DS records. Without this option, only
             keys which have the KSK flag set will be converted to DS records
             and printed. Useful only in <code class="option">-f</code> zone file mode.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the DNS class (default is IN). Useful only
 	    in <code class="option">-s</code> keyset or <code class="option">-f</code>
 	    zone file mode.
-	  </p>
-	  </dd>
+	  </p></dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate CDS records rather than DS records. This is mutually
 	    exclusive with the <code class="option">-l</code> option for generating DLV
 	    records.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
 	    final <em class="replaceable"><code>dnsname</code></em> argument is
 	    the DNS domain name of a zone whose master file can be read
 	    from <code class="option">file</code>.  If the zone name is the same as
 	    <code class="option">file</code>, then it may be omitted.
 	  </p>
-	  <p>
+<p>
 	    If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <span class="command"><strong>dig</strong></span>
 	    command as input, as in:
 	  </p>
-	  <p>
+<p>
 	    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints usage information.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Look for key files or <code class="filename">keyset-</code> files in
 	    <code class="option">directory</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate a DLV set instead of a DS set. The specified
 	    <em class="replaceable"><code>domain</code></em> is appended to the name for each
 	    record in the set.
 	    This is mutually exclusive with the <code class="option">-C</code> option
 	    for generating CDS records.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
 	    final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
 	    domain name used to locate a <code class="filename">keyset-</code> file.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the TTL of the DS records. By default the TTL is omitted.
-	  </p>
-	  </dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the debugging level.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>EXAMPLE</h2>
-
-    <p>
+<p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
       keyfile name, you can issue the following command:
     </p>
-    <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
+<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
     </p>
-    <p>
+<p>
       The command would print something like:
     </p>
-    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
+<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
-
-    <p>
+<p>
       The keyfile can be designated by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
     </p>
-    <p>
+<p>
       The keyset file name is built from the <code class="option">directory</code>,
       the string <code class="filename">keyset-</code> and the
       <code class="option">dnsname</code>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>CAVEAT</h2>
-
-    <p>
+<p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 3658</em> (DS RRs),
       <em class="citetitle">RFC 4431</em> (DLV RRs),
@@ -312,7 +200,6 @@
       <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
       <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dnssec/dnssec-importkey.8 b/bind/bind9/bin/dnssec/dnssec-importkey.8
index 5a91c45d..04f1f468 100644
--- a/bind/bind9/bin/dnssec/dnssec-importkey.8
+++ b/bind/bind9/bin/dnssec/dnssec-importkey.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-importkey
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: August 21, 2015
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -134,5 +134,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dnssec/dnssec-importkey.c b/bind/bind9/bin/dnssec/dnssec-importkey.c
index d65a5146..dc9a2932 100644
--- a/bind/bind9/bin/dnssec/dnssec-importkey.c
+++ b/bind/bind9/bin/dnssec/dnssec-importkey.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/dnssec/dnssec-importkey.docbook b/bind/bind9/bin/dnssec/dnssec-importkey.docbook
index 18fc0b3c..6798bf56 100644
--- a/bind/bind9/bin/dnssec/dnssec-importkey.docbook
+++ b/bind/bind9/bin/dnssec/dnssec-importkey.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
   <info>
     <date>2014-02-20</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/dnssec/dnssec-importkey.html b/bind/bind9/bin/dnssec/dnssec-importkey.html
index b26a8544..2b36d193 100644
--- a/bind/bind9/bin/dnssec/dnssec-importkey.html
+++ b/bind/bind9/bin/dnssec/dnssec-importkey.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,60 +10,22 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-importkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-importkey"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-importkey</span>
-     &#8212; import DNSKEY records from external systems so they can be managed
-  </p>
+<p><span class="application">dnssec-importkey</span> &#8212; import DNSKEY records from external systems so they can be managed</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-importkey</code> 
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       {<code class="option">keyfile</code>}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-importkey</code> 
-       {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">dnsname</code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code>  {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-importkey</strong></span>
+<p><span class="command"><strong>dnssec-importkey</strong></span>
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
       existing .key file, in which case a corresponding .private file
@@ -71,7 +33,7 @@
       from the standard input, in which case both .key and .private
       files will be generated.
     </p>
-    <p>
+<p>
       The newly-created .private file does <span class="emphasis"><em>not</em></span>
       contain private key data, and cannot be used for signing.
       However, having a .private file makes it possible to set
@@ -80,68 +42,53 @@
       public key can be added to and removed from the DNSKEY RRset
       on schedule even if the true private key is stored offline.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Zone file mode: instead of a public keyfile name, the argument
 	    is the DNS domain name of a zone master file, which can be read
 	    from <code class="option">file</code>.  If the domain name is the same as
 	    <code class="option">file</code>, then it may be omitted.
 	  </p>
-	  <p>
+<p>
 	    If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 	    the zone data is read from the standard input.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the directory in which the key files are to reside.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the default TTL to use for this key when it is converted
 	    into a DNSKEY RR.  If the key is imported into a zone,
 	    this is the TTL that will be used for it, unless there was
 	    already a DNSKEY RRset in place, in which case the existing TTL
 	    would take precedence.  Setting the default TTL to
 	    <code class="literal">0</code> or <code class="literal">none</code> removes it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Emit usage message and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the debugging level.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
-
-    <p>
+<p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -152,65 +99,47 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which a key is to be published to the zone.
 	    After that date, the key will be included in the zone but will
 	    not be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which CDS and CDNSKEY records that match this
 	    key are to be published to the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be deleted.  After that
 	    date, the key will no longer be included in the zone.  (It
 	    may remain in the key repository, however.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the CDS and CDNSKEY records that match
 	    this key are to be deleted.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
-
-    <p>
+<p>
       A keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dnssec/dnssec-keyfromlabel.8 b/bind/bind9/bin/dnssec/dnssec-keyfromlabel.8
index 577846d0..348785de 100644
--- a/bind/bind9/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bind/bind9/bin/dnssec/dnssec-keyfromlabel.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-keyfromlabel
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: August 27, 2015
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -86,7 +86,7 @@ Specifies the label for a key pair in the crypto hardware\&.
 .sp
 When
 BIND
-9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:\fIkeylabel\fR"\&.
+9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&.
 .sp
 When
 BIND
@@ -301,5 +301,5 @@ The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dnssec/dnssec-keyfromlabel.c b/bind/bind9/bin/dnssec/dnssec-keyfromlabel.c
index 2af8bca0..9da7312b 100644
--- a/bind/bind9/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bind/bind9/bin/dnssec/dnssec-keyfromlabel.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/dnssec/dnssec-keyfromlabel.docbook b/bind/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
index 05a9f51e..d8cd2be6 100644
--- a/bind/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bind/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
   <info>
     <date>2014-02-27</date>
   </info>
@@ -45,6 +45,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -167,9 +168,7 @@
 	  <para>
 	    When <acronym>BIND</acronym> 9 is built with OpenSSL-based
 	    PKCS#11 support, the label is an arbitrary string that
-	    identifies a particular key.  It may be preceded by an
-	    optional OpenSSL engine name, followed by a colon, as in
-	    "pkcs11:<replaceable>keylabel</replaceable>".
+	    identifies a particular key.
 	  </para>
 	  <para>
 	    When <acronym>BIND</acronym> 9 is built with native PKCS#11
diff --git a/bind/bind9/bin/dnssec/dnssec-keyfromlabel.html b/bind/bind9/bin/dnssec/dnssec-keyfromlabel.html
index e40e879d..fde3de04 100644
--- a/bind/bind9/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bind/bind9/bin/dnssec/dnssec-keyfromlabel.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,62 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keyfromlabel</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-keyfromlabel</span>
-     &#8212; DNSSEC key generation tool
-  </p>
+<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-keyfromlabel</code> 
-       {-l <em class="replaceable"><code>label</code></em>}
-       [<code class="option">-3</code>]
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-G</code>]
-       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-k</code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-y</code>]
-       {name}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
+<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
       file can be used for DNSSEC signing of zone data as if it were a
@@ -73,57 +32,52 @@
       but the key material is stored within the HSM, and the actual signing
       takes place there.
     </p>
-    <p>
+<p>
       The <code class="option">name</code> of the key is specified on the command
       line.  This must match the name of the zone for which the key is
       being generated.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Selects the cryptographic algorithm.  The value of
 	    <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	    These values are case insensitive.
 	  </p>
-	  <p>
+<p>
 	    If no algorithm is specified, then RSASHA1 will be used by
 	    default, unless the <code class="option">-3</code> option is specified,
 	    in which case NSEC3RSASHA1 will be used instead.  (If
 	    <code class="option">-3</code> is used and an algorithm is specified,
 	    that algorithm will be checked for compatibility with NSEC3.)
 	  </p>
-	  <p>
+<p>
 	    Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
 	    algorithm, and DSA is recommended.
 	  </p>
-	  <p>
+<p>
 	    Note 2: DH automatically sets the -k flag.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-3</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
 	    If this option is used and no algorithm is explicitly
 	    set on the command line, NSEC3RSASHA1 will be used by
 	    default.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the cryptographic hardware to use.
 	  </p>
-	  <p>
+<p>
 	    When BIND is built with OpenSSL PKCS#11 support, this defaults
 	    to the string "pkcs11", which identifies an OpenSSL engine
 	    that can drive a cryptographic accelerator or hardware service
@@ -131,20 +85,18 @@
 	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 	    provider library specified via "--with-pkcs11".
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the label for a key pair in the crypto hardware.
 	  </p>
-	  <p>
+<p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 	    PKCS#11 support, the label is an arbitrary string that
-	    identifies a particular key.  It may be preceded by an
-	    optional OpenSSL engine name, followed by a colon, as in
-	    "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
+	    identifies a particular key.
 	  </p>
-	  <p>
+<p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
 	    support, the label is a PKCS#11 URI string in the format
 	    "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
@@ -153,7 +105,7 @@
 	    which the HSM's PIN code can be obtained.  The label will be
 	    stored in the on-disk "private" file.
 	  </p>
-	  <p>
+<p>
 	    If the label contains a
 	    <code class="option">pin-source</code> field, tools using the generated
 	    key files will be able to use the HSM for signing and other
@@ -162,21 +114,18 @@
 	    may reduce the security advantage of using an HSM; be sure
 	    this is what you want to do before making use of this feature.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the owner type of the key.  The value of
 	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 	    a host (KEY)),
 	    USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
 	    These values are case insensitive.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Compatibility mode:  generates an old-style key, without
 	    any metadata.  By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
 	    will include the key's creation date in the metadata stored
@@ -184,71 +133,53 @@
 	    (publication date, activation date, etc).  Keys that include
 	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Indicates that the DNS record containing the key should have
 	    the specified class.  If not specified, class IN is used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the specified flag in the flag field of the KEY/DNSKEY record.
 	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-G</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate a key, but do not publish it or sign with it.  This
 	    option is incompatible with -P and -A.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints a short summary of the options and arguments to
 	    <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the directory in which the key files are to be written.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate KEY records rather than DNSKEY records.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the default TTL to use for this key when it is converted
 	    into a DNSKEY RR.  If the key is imported into a zone,
 	    this is the TTL that will be used for it, unless there was
 	    already a DNSKEY RRset in place, in which case the existing TTL
 	    would take precedence.  Setting the default TTL to
 	    <code class="literal">0</code> or <code class="literal">none</code> removes it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the protocol value for the key.  The protocol
 	    is a number between 0 and 255.  The default is 3 (DNSSEC).
 	    Other possible values for this argument are listed in
 	    RFC 2535 and its successors.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate a key as an explicit successor to an existing key.
 	    The name, algorithm, size, and type of the key will be set
 	    to match the predecessor. The activation date of the new
@@ -256,47 +187,35 @@
 	    one. The publication date will be set to the activation
 	    date minus the prepublication interval, which defaults to
 	    30 days.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Indicates the use of the key.  <code class="option">type</code> must be
 	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
 	    is AUTHCONF.  AUTH refers to the ability to authenticate
 	    data, and CONF the ability to encrypt data.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the debugging level.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-y</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Allows DNSSEC key files to be generated even if the key ID
 	    would collide with that of an existing key, in the event of
 	    either key being revoked.  (This is only safe to use if you
 	    are sure you won't be using RFC 5011 trust anchor maintenance
 	    with either of the keys involved.)
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
-
-
-    <p>
+<p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -307,67 +226,52 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which a key is to be published to the zone.
 	    After that date, the key will be included in the zone but will
 	    not be used to sign it.  If not set, and if the -G option has
 	    not been used, the default is "now".
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the CDS and CDNSKEY records which match
 	    this key are to be published to the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be activated.  After that
 	    date, the key will be included in the zone and used to sign
 	    it.  If not set, and if the -G option has not been used, the
 	    default is "now".
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be revoked.  After that
 	    date, the key will be flagged as revoked.  It will be included
 	    in the zone and will be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be retired.  After that
 	    date, the key will still be included in the zone, but it
 	    will not be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be deleted.  After that
 	    date, the key will no longer be included in the zone.  (It
 	    may remain in the key repository, however.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the CDS and CDNSKEY records which match
 	    this key are to be deleted.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -376,83 +280,68 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-          <p>
+<p>
             If the key is being created as an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-          <p>
+<p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
-
-    <p>
+<p>
       When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
       successfully,
       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
       to the standard output.  This is an identification string for
       the key files it has generated.
     </p>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p><code class="filename">nnnn</code> is the key name.
-	</p>
-      </li>
-<li class="listitem">
-	<p><code class="filename">aaa</code> is the numeric representation
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
+	</p></li>
+<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
 	  of the algorithm.
-	</p>
-      </li>
-<li class="listitem">
-	<p><code class="filename">iiiii</code> is the key identifier (or
+	</p></li>
+<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
 	  footprint).
-	</p>
-      </li>
+	</p></li>
 </ul></div>
-    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
+<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
       creates two files, with names based
       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
       contains the public key, and
       <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
       private key.
     </p>
-    <p>
+<p>
       The <code class="filename">.key</code> file contains a DNS KEY record
       that
       can be inserted into a zone file (directly or with a $INCLUDE
       statement).
     </p>
-    <p>
+<p>
       The <code class="filename">.private</code> file contains
       algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4034</em>,
       <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dnssec/dnssec-keygen.8 b/bind/bind9/bin/dnssec/dnssec-keygen.8
index b6ff1257..c4c8b551 100644
--- a/bind/bind9/bin/dnssec/dnssec-keygen.8
+++ b/bind/bind9/bin/dnssec/dnssec-keygen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2005, 2007-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-keygen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: August 21, 2015
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -358,5 +358,5 @@ RFC 4034\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2005, 2007-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dnssec/dnssec-keygen.c b/bind/bind9/bin/dnssec/dnssec-keygen.c
index 1476d0dd..9d9ae932 100644
--- a/bind/bind9/bin/dnssec/dnssec-keygen.c
+++ b/bind/bind9/bin/dnssec/dnssec-keygen.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/dnssec/dnssec-keygen.docbook b/bind/bind9/bin/dnssec/dnssec-keygen.docbook
index 1826919c..b3cae828 100644
--- a/bind/bind9/bin/dnssec/dnssec-keygen.docbook
+++ b/bind/bind9/bin/dnssec/dnssec-keygen.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
   <info>
     <date>2014-02-06</date>
   </info>
@@ -52,6 +52,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/dnssec/dnssec-keygen.html b/bind/bind9/bin/dnssec/dnssec-keygen.html
index 9d52755a..08b9e3c7 100644
--- a/bind/bind9/bin/dnssec/dnssec-keygen.html
+++ b/bind/bind9/bin/dnssec/dnssec-keygen.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2005, 2007-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,97 +10,46 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-keygen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-keygen</span>
-     &#8212; DNSSEC key generation tool
-  </p>
+<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-keygen</code> 
-       [<code class="option">-3</code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-C</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-G</code>]
-       [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-k</code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       {name}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-keygen</strong></span>
+<p><span class="command"><strong>dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
       TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
       (Transaction Key) as defined in RFC 2930.
     </p>
-    <p>
+<p>
       The <code class="option">name</code> of the key is specified on the command
       line.  For DNSSEC keys, this must match the name of the zone for
       which the key is being generated.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-3</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
 	    If this option is used with an algorithm that has both
 	    NSEC and NSEC3 versions, then the NSEC3 version will be
 	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
 	    specifies the NSEC3RSASHA1 algorithm.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
 	    of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
@@ -110,26 +59,26 @@
 	    HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
 	    case insensitive.
 	  </p>
-	  <p>
+<p>
 	    If no algorithm is specified, then RSASHA1 will be used by
 	    default, unless the <code class="option">-3</code> option is specified,
 	    in which case NSEC3RSASHA1 will be used instead.  (If
 	    <code class="option">-3</code> is used and an algorithm is specified,
 	    that algorithm will be checked for compatibility with NSEC3.)
 	  </p>
-	  <p>
+<p>
 	    Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
 	    algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
 	    mandatory.
 	  </p>
-	  <p>
+<p>
 	    Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 	    automatically set the -T KEY option.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
 	    between 512 and 2048 bits.  Diffie Hellman keys must be between
@@ -138,7 +87,7 @@
 	    between 1 and 512 bits. Elliptic curve algorithms don't need
 	    this parameter.
 	  </p>
-	  <p>
+<p>
 	    The key size does not need to be specified if using a default
 	    algorithm.  The default key size is 1024 bits for zone signing
 	    keys (ZSKs) and 2048 bits for key signing keys (KSKs,
@@ -147,10 +96,9 @@
 	    then there is no default key size, and the <code class="option">-b</code>
 	    must be used.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Compatibility mode: generates an old-style key, without any
 	    timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
 	    will include the key's creation date in the metadata stored with
@@ -158,21 +106,18 @@
 	    (publication date, activation date, etc). Keys that include this
 	    data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Indicates that the DNS record containing the key should have
 	    the specified class.  If not specified, class IN is used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the cryptographic hardware to use, when applicable.
 	  </p>
-	  <p>
+<p>
 	    When BIND is built with OpenSSL PKCS#11 support, this defaults
 	    to the string "pkcs11", which identifies an OpenSSL engine
 	    that can drive a cryptographic accelerator or hardware service
@@ -180,52 +125,39 @@
 	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 	    provider library specified via "--with-pkcs11".
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the specified flag in the flag field of the KEY/DNSKEY record.
 	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-G</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate a key, but do not publish it or sign with it.  This
 	    option is incompatible with -P and -A.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    If generating a Diffie Hellman key, use this generator.
 	    Allowed values are 2 and 5.  If no generator
 	    is specified, a known prime from RFC 2539 will be used
 	    if possible; otherwise the default is 2.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints a short summary of the options and arguments to
 	    <span class="command"><strong>dnssec-keygen</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the directory in which the key files are to be written.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Deprecated in favor of -T KEY.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the default TTL to use for this key when it is converted
 	    into a DNSKEY RR.  If the key is imported into a zone,
 	    this is the TTL that will be used for it, unless there was
@@ -234,31 +166,25 @@
 	    is no existing DNSKEY RRset, the TTL will default to the
 	    SOA TTL. Setting the default TTL to <code class="literal">0</code>
 	    or <code class="literal">none</code> is the same as leaving it unset.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the owner type of the key.  The value of
 	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
 	    with a host (KEY)), USER (for a key associated with a
 	    user(KEY)) or OTHER (DNSKEY).  These values are case
 	    insensitive.  Defaults to ZONE for DNSKEY generation.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the protocol value for the generated key, for use
 	    with <code class="option">-T KEY</code>. The protocol is a number between 0
 	    and 255. The default is 3 (DNSSEC). Other possible values for
 	    this argument are listed in RFC 2535 and its successors.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Quiet mode: Suppresses unnecessary output, including
 	    progress indication.  Without this option, when
 	    <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
@@ -270,11 +196,9 @@
 	    round of the Miller-Rabin primality test; a space
 	    means that the number has passed all the tests and is
 	    a satisfactory key.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the source of randomness.  If the operating
 	    system does not provide a <code class="filename">/dev/random</code>
 	    or equivalent device, the default source of randomness
@@ -284,11 +208,9 @@
 	    data to be used instead of the default.  The special value
 	    <code class="filename">keyboard</code> indicates that keyboard
 	    input should be used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Create a new key which is an explicit successor to an
 	    existing key.  The name, algorithm, size, and type of the
 	    key will be set to match the existing key.  The activation
@@ -296,19 +218,16 @@
 	    the existing one.  The publication date will be set to the
 	    activation date minus the prepublication interval, which
 	    defaults to 30 days.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the strength value of the key.  The strength is
 	    a number between 0 and 15, and currently has no defined
 	    purpose in DNSSEC.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the resource record type to use for the key.
 	    <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
 	    default is DNSKEY when using a DNSSEC algorithm, but it can be
@@ -320,37 +239,28 @@
 	    Using any TSIG algorithm (HMAC-* or DH) forces this option
 	    to KEY.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Indicates the use of the key, for use with <code class="option">-T
 	    KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
 	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
 	    refers to the ability to authenticate data, and CONF the ability
 	    to encrypt data.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the debugging level.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
-
-
-    <p>
+<p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -361,69 +271,54 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which a key is to be published to the zone.
 	    After that date, the key will be included in the zone but will
 	    not be used to sign it.  If not set, and if the -G option has
 	    not been used, the default is "now".
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which CDS and CDNSKEY records that match this
 	    key are to be published to the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be activated.  After that
 	    date, the key will be included in the zone and used to sign
 	    it.  If not set, and if the -G option has not been used, the
 	    default is "now".  If set, if and -P is not set, then
 	    the publication date will be set to the activation date
 	    minus the prepublication interval.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be revoked.  After that
 	    date, the key will be flagged as revoked.  It will be included
 	    in the zone and will be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be retired.  After that
 	    date, the key will still be included in the zone, but it
 	    will not be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be deleted.  After that
 	    date, the key will no longer be included in the zone.  (It
 	    may remain in the key repository, however.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the CDS and CDNSKEY records that match this
 	    key are to be deleted.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -432,51 +327,42 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-          <p>
+<p>
             If the key is being created as an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-          <p>
+<p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>GENERATED KEYS</h2>
-
-    <p>
+<p>
       When <span class="command"><strong>dnssec-keygen</strong></span> completes
       successfully,
       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
       to the standard output.  This is an identification string for
       the key it has generated.
     </p>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p><code class="filename">nnnn</code> is the key name.
-	</p>
-      </li>
-<li class="listitem">
-	<p><code class="filename">aaa</code> is the numeric representation
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
+	</p></li>
+<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
 	  of the
 	  algorithm.
-	</p>
-      </li>
-<li class="listitem">
-	<p><code class="filename">iiiii</code> is the key identifier (or
+	</p></li>
+<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
 	  footprint).
-	</p>
-      </li>
+	</p></li>
 </ul></div>
-    <p><span class="command"><strong>dnssec-keygen</strong></span>
+<p><span class="command"><strong>dnssec-keygen</strong></span>
       creates two files, with names based
       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
       contains the public key, and
@@ -484,66 +370,59 @@
       private
       key.
     </p>
-    <p>
+<p>
       The <code class="filename">.key</code> file contains a DNS KEY record
       that
       can be inserted into a zone file (directly or with a $INCLUDE
       statement).
     </p>
-    <p>
+<p>
       The <code class="filename">.private</code> file contains
       algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
-    <p>
+<p>
       Both <code class="filename">.key</code> and <code class="filename">.private</code>
       files are generated for symmetric cryptography algorithms such as
       HMAC-MD5, even though the public and private key are equivalent.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>EXAMPLE</h2>
-
-    <p>
+<p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
       issued:
     </p>
-    <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
+<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
     </p>
-    <p>
+<p>
       The command would print a string of the form:
     </p>
-    <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
     </p>
-    <p>
+<p>
       In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
       the files <code class="filename">Kexample.com.+003+26160.key</code>
       and
       <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
-    <p>
+<p>
       To generate a matching key-signing key, issue the command:
     </p>
-    <p>
+<p>
       <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE -f KSK example.com</code></strong>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
       <em class="citetitle">RFC 2845</em>,
       <em class="citetitle">RFC 4034</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dnssec/dnssec-revoke.8 b/bind/bind9/bin/dnssec/dnssec-revoke.8
index 61d23f85..b507687b 100644
--- a/bind/bind9/bin/dnssec/dnssec-revoke.8
+++ b/bind/bind9/bin/dnssec/dnssec-revoke.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-revoke
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-15
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -99,5 +99,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dnssec/dnssec-revoke.c b/bind/bind9/bin/dnssec/dnssec-revoke.c
index 7d82dbf0..0121a341 100644
--- a/bind/bind9/bin/dnssec/dnssec-revoke.c
+++ b/bind/bind9/bin/dnssec/dnssec-revoke.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/dnssec/dnssec-revoke.docbook b/bind/bind9/bin/dnssec/dnssec-revoke.docbook
index 7a425830..1934889d 100644
--- a/bind/bind9/bin/dnssec/dnssec-revoke.docbook
+++ b/bind/bind9/bin/dnssec/dnssec-revoke.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
   <info>
     <date>2014-01-15</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/dnssec/dnssec-revoke.html b/bind/bind9/bin/dnssec/dnssec-revoke.html
index 09d1d920..4ee37fb2 100644
--- a/bind/bind9/bin/dnssec/dnssec-revoke.html
+++ b/bind/bind9/bin/dnssec/dnssec-revoke.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,92 +10,56 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-revoke</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-revoke"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-revoke</span>
-     &#8212; set the REVOKED bit on a DNSSEC key
-  </p>
+<p><span class="application">dnssec-revoke</span> &#8212; set the REVOKED bit on a DNSSEC key</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-revoke</code> 
-       [<code class="option">-hr</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-f</code>]
-       [<code class="option">-R</code>]
-       {keyfile}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-revoke</strong></span>
+<p><span class="command"><strong>dnssec-revoke</strong></span>
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
       now-revoked key.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Emit usage message and exit.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the directory in which the key files are to reside.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    After writing the new keyset files remove the original keyset
 	    files.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the debugging level.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -103,35 +67,26 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-f</span></dt>
-<dd>
-          <p>
+<dd><p>
             Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
             write the new key pair even if a file already exists matching
             the algorithm and key ID of the revoked key.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-R</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Print the key tag of the key with the REVOKE bit set but do
 	    not revoke the key.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dnssec/dnssec-settime.8 b/bind/bind9/bin/dnssec/dnssec-settime.8
index b2240494..7fd80d81 100644
--- a/bind/bind9/bin/dnssec/dnssec-settime.8
+++ b/bind/bind9/bin/dnssec/dnssec-settime.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-settime
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2015-08-21
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -200,5 +200,5 @@ RFC 5011\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dnssec/dnssec-settime.c b/bind/bind9/bin/dnssec/dnssec-settime.c
index 7afcaee0..f0178955 100644
--- a/bind/bind9/bin/dnssec/dnssec-settime.c
+++ b/bind/bind9/bin/dnssec/dnssec-settime.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -28,6 +28,7 @@
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/string.h>
+#include <isc/time.h>
 #include <isc/util.h>
 
 #include <dns/keyvalues.h>
@@ -109,7 +110,6 @@ printtime(dst_key_t *key, int type, const char *tag, bool epoch,
 	  FILE *stream)
 {
 	isc_result_t result;
-	const char *output = NULL;
 	isc_stdtime_t when;
 
 	if (tag != NULL)
@@ -121,9 +121,20 @@ printtime(dst_key_t *key, int type, const char *tag, bool epoch,
 	} else if (epoch) {
 		fprintf(stream, "%d\n", (int) when);
 	} else {
-		time_t timet = when;
-		output = ctime(&timet);
-		fprintf(stream, "%s", output);
+		time_t now = when;
+		struct tm t, *tm = localtime_r(&now, &t);
+		unsigned int flen;
+		char timebuf[80];
+
+		if (tm == NULL) {
+			fprintf(stream, "INVALID\n");
+			return;
+		}
+
+		flen = strftime(timebuf, sizeof(timebuf),
+				"%a %b %e %H:%M:%S %Y", tm);
+		INSIST(flen > 0U && flen < sizeof(timebuf));
+		fprintf(stream, "%s\n", timebuf);
 	}
 }
 
diff --git a/bind/bind9/bin/dnssec/dnssec-settime.docbook b/bind/bind9/bin/dnssec/dnssec-settime.docbook
index 176413bd..9d9cdccd 100644
--- a/bind/bind9/bin/dnssec/dnssec-settime.docbook
+++ b/bind/bind9/bin/dnssec/dnssec-settime.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
   <info>
     <date>2015-08-21</date>
   </info>
@@ -42,6 +42,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/dnssec/dnssec-settime.html b/bind/bind9/bin/dnssec/dnssec-settime.html
index 64edb2ea..38a77bb9 100644
--- a/bind/bind9/bin/dnssec/dnssec-settime.html
+++ b/bind/bind9/bin/dnssec/dnssec-settime.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,53 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-settime</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-settime"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-settime</span>
-     &#8212; set the key timing metadata for a DNSSEC key
-  </p>
+<p><span class="application">dnssec-settime</span> &#8212; set the key timing metadata for a DNSSEC key</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-settime</code> 
-       [<code class="option">-f</code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       {keyfile}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-settime</strong></span>
+<p><span class="command"><strong>dnssec-settime</strong></span>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
       <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
@@ -65,12 +33,12 @@
       determine when a key is to be published, whether it should be
       used for signing a zone, etc.
     </p>
-    <p>
+<p>
       If none of these options is set on the command line,
       then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
       metadata already stored in the key.
     </p>
-    <p>
+<p>
       When key metadata fields are changed, both files of a key
       pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
       <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
@@ -79,16 +47,12 @@
       file.  The private file's permissions are always set to be
       inaccessible to anyone other than the owner (mode 0600).
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-f</span></dt>
-<dd>
-          <p>
+<dd><p>
             Force an update of an old-format key with no metadata fields.
             Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
             fail when attempting to update a legacy key.  With this option,
@@ -97,17 +61,13 @@
             set to the present time.  If no other values are specified,
             then the key's publication and activation dates will also
             be set to the present time.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the directory in which the key files are to reside.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
@@ -116,32 +76,25 @@
             is no existing DNSKEY RRset, the TTL will default to the
             SOA TTL. Setting the default TTL to <code class="literal">0</code>
             or <code class="literal">none</code> removes it from the key.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Emit usage message and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints version information.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the debugging level.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -149,14 +102,12 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
-
-    <p>
+<p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -166,65 +117,49 @@
       days, hours, or minutes, respectively.  Without a suffix, the offset
       is computed in seconds.  To unset a date, use 'none' or 'never'.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which CDS and CDNSKEY records that match this
             key are to be published to the zone.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included in the zone and used to sign
             it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the key is to be revoked.  After that
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the key is to be retired.  After that
             date, the key will still be included in the zone, but it
             will not be used to sign it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the CDS and CDNSKEY records that match this
             key are to be deleted.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Select a key for which the key being modified will be an
             explicit successor.  The name, algorithm, size, and type of the
             predecessor key must exactly match those of the key being
@@ -232,11 +167,10 @@
             to the inactivation date of the predecessor.  The publication
             date will be set to the activation date minus the prepublication
             interval, which defaults to 30 days.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -245,40 +179,34 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-          <p>
+<p>
             If the key is being set to be an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-          <p>
+<p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>PRINTING OPTIONS</h2>
-
-    <p>
+<p>
       <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
       timing metadata associated with a key.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-u</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print times in UNIX epoch format.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Print a specific metadata value or set of metadata values.
             The <code class="option">-p</code> option may be followed by one or more
             of the following letters or strings to indicate which value
@@ -292,24 +220,16 @@
             <code class="option">D</code> for the deletion date, and
             <code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
             To print all of the metadata, use <code class="option">-p all</code>.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dnssec/dnssec-signzone.8 b/bind/bind9/bin/dnssec/dnssec-signzone.8
index be2af1f4..af9ffa12 100644
--- a/bind/bind9/bin/dnssec/dnssec-signzone.8
+++ b/bind/bind9/bin/dnssec/dnssec-signzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2009, 2011-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-signzone
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-02-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -476,5 +476,5 @@ RFC 4641\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2009, 2011-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dnssec/dnssec-signzone.c b/bind/bind9/bin/dnssec/dnssec-signzone.c
index 71f56728..a097ac84 100644
--- a/bind/bind9/bin/dnssec/dnssec-signzone.c
+++ b/bind/bind9/bin/dnssec/dnssec-signzone.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -176,8 +176,9 @@ static bool remove_orphansigs = false;
 static bool remove_inactkeysigs = false;
 static bool output_dnssec_only = false;
 static bool output_stdout = false;
-bool set_maxttl = false;
+static bool set_maxttl = false;
 static dns_ttl_t maxttl = 0;
+static bool no_max_check = false;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -802,7 +803,7 @@ hashlist_hasdup(hashlist_t *l) {
 	size_t entries = l->entries;
 
 	/*
-	 * Skip initial speculative wild card hashs.
+	 * Skip initial speculative wild card hashes.
 	 */
 	while (entries > 0U && next[l->length-1] != 0U) {
 		next += l->length;
@@ -1126,7 +1127,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 
 /*
  * See if the node contains any non RRSIG/NSEC records and report to
- * caller.  Clean out extranous RRSIG records for node.
+ * caller.  Clean out extraneous RRSIG records for node.
  */
 static inline bool
 active_node(dns_dbnode_t *node) {
@@ -1902,7 +1903,7 @@ addnsec3param(const unsigned char *salt, size_t salt_len,
 	check_result(result, "dns_rdatalist_tordataset()");
 
 	result = dns_db_findnode(gdb, gorigin, true, &node);
-	check_result(result, "dns_db_find(gorigin)");
+	check_result(result, "dns_db_findnode(gorigin)");
 
 	/*
 	 * Delete any current NSEC3PARAM records.
@@ -2312,7 +2313,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 				      salt, salt_len, false);
 		dns_db_detachnode(gdb, &node);
 		/*
-		 * Add hashs for empty nodes.  Use closest encloser logic.
+		 * Add hashes for empty nodes.  Use closest encloser logic.
 		 * The closest encloser either has data or is a empty
 		 * node for another <name,nextname> span so we don't add
 		 * it here.  Empty labels on nextname are within the span.
@@ -2954,13 +2955,18 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 
 static void
 print_time(FILE *fp) {
-	time_t currenttime;
+	time_t currenttime = time(NULL);
+	struct tm t, *tm = localtime_r(&currenttime, &t);
+	unsigned int flen;
+	char timebuf[80];
 
-	if (outputformat != dns_masterformat_text)
+	if (tm == NULL || outputformat != dns_masterformat_text) {
 		return;
+	}
 
-	currenttime = time(NULL);
-	fprintf(fp, "; File written on %s", ctime(&currenttime));
+	flen = strftime(timebuf, sizeof(timebuf), "%a %b %e %H:%M:%S %Y", tm);
+	INSIST(flen > 0U && flen < sizeof(timebuf));
+	fprintf(fp, "; File written on %s\n", timebuf);
 }
 
 static void
@@ -3270,6 +3276,12 @@ main(int argc, char *argv[]) {
 
 		case 'H':
 			set_iter = true;
+			/* too-many is NOT DOCUMENTED */
+			if (strcmp(isc_commandline_argument, "too-many") == 0) {
+				nsec3iter = 151;
+				no_max_check = true;
+				break;
+			}
 			nsec3iter = strtoul(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
 				fatal("iterations must be numeric");
@@ -3677,7 +3689,6 @@ main(int argc, char *argv[]) {
 	warnifallksk(gdb);
 
 	if (IS_NSEC3) {
-		unsigned int max;
 		bool answer;
 
 		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
@@ -3694,11 +3705,17 @@ main(int argc, char *argv[]) {
 			fatal("NSEC3 generation requested with "
 			      "NSEC-only DNSKEY");
 
-		result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
-		check_result(result, "dns_nsec3_maxiterations()");
-		if (nsec3iter > max)
-			fatal("NSEC3 iterations too big for weakest DNSKEY "
-			      "strength. Maximum iterations allowed %u.", max);
+		if (nsec3iter > dns_nsec3_maxiterations()) {
+			if (no_max_check) {
+				fprintf(stderr,
+					"Ignoring max iterations check.\n");
+			} else {
+				fatal("NSEC3 iterations too big. Maximum "
+				      "iterations allowed %u.",
+				      dns_nsec3_maxiterations());
+			}
+		}
+
 	} else {
 		hashlist_init(&hashlist, 0, 0);	/* silence clang */
 	}
diff --git a/bind/bind9/bin/dnssec/dnssec-signzone.docbook b/bind/bind9/bin/dnssec/dnssec-signzone.docbook
index 89abfe9e..225d6399 100644
--- a/bind/bind9/bin/dnssec/dnssec-signzone.docbook
+++ b/bind/bind9/bin/dnssec/dnssec-signzone.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
   <info>
     <date>2014-02-18</date>
   </info>
@@ -52,6 +52,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/dnssec/dnssec-signzone.html b/bind/bind9/bin/dnssec/dnssec-signzone.html
index 2add78d8..630d47f9 100644
--- a/bind/bind9/bin/dnssec/dnssec-signzone.html
+++ b/bind/bind9/bin/dnssec/dnssec-signzone.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2009, 2011-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,76 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-signzone"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-signzone</span>
-     &#8212; DNSSEC zone signing tool
-  </p>
+<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-signzone</code> 
-       [<code class="option">-a</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
-       [<code class="option">-g</code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
-       [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
-       [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
-       [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
-       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
-       [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
-       [<code class="option">-P</code>]
-       [<code class="option">-p</code>]
-       [<code class="option">-Q</code>]
-       [<code class="option">-R</code>]
-       [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
-       [<code class="option">-S</code>]
-       [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-t</code>]
-       [<code class="option">-u</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
-       [<code class="option">-x</code>]
-       [<code class="option">-z</code>]
-       [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
-       [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
-       [<code class="option">-A</code>]
-       {zonefile}
-       [key...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-signzone</strong></span>
+<p><span class="command"><strong>dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
       zone. The security status of delegations from the signed zone
@@ -87,46 +32,34 @@
       determined by the presence or absence of a
       <code class="filename">keyset</code> file for each child zone.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a</span></dt>
-<dd>
-          <p>
+<dd><p>
             Verify all generated signatures.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the DNS class of the zone.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-          <p>
+<dd><p>
             Compatibility mode: Generate a
             <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
             file in addition to
             <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
             when signing a zone, for use by older versions of
             <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Look for <code class="filename">dsset-</code> or
             <code class="filename">keyset-</code> files in <code class="option">directory</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Output only those record types automatically managed by
 	    <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 	    NSEC3 and NSEC3PARAM records. If smart signing
@@ -135,16 +68,15 @@
 	    zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
 	    cannot be combined with <code class="option">-O raw</code>,
             <code class="option">-O map</code>, or serial number updating.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-          <p>
+<p>
             When applicable, specifies the hardware to use for
             cryptographic operations, such as a secure key store used
             for signing.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -152,39 +84,30 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-g</span></dt>
-<dd>
-          <p>
+<dd><p>
             Generate DS records for child zones from
             <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
             file.  Existing DS records will be removed.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Key repository: Specify a directory to search for DNSSEC keys.
             If not specified, defaults to the current directory.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Treat specified key as a key signing key ignoring any
             key flags.  This option may be specified multiple times.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Generate a DLV set in addition to the key (DNSKEY) and DS sets.
             The domain is appended to the name of the records.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the maximum TTL for the signed zone.
             Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
             input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
@@ -197,11 +120,9 @@
             <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
             (Note: This option is incompatible with <code class="option">-D</code>,
             because it modifies non-DNSSEC data in the output zone.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the date and time when the generated RRSIG records
             become valid.  This can be either an absolute or relative
             time.  An absolute start time is indicated by a number
@@ -210,11 +131,9 @@
             indicated by +N, which is N seconds from the current time.
             If no <code class="option">start-time</code> is specified, the current
             time minus 1 hour (to allow for clock skew) is used.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the date and time when the generated RRSIG records
             expire.  As with <code class="option">start-time</code>, an absolute
             time is indicated in YYYYMMDDHHMMSS notation.  A time relative
@@ -224,11 +143,10 @@
             specified, 30 days from the start time is used as a default.
             <code class="option">end-time</code> must be later than
             <code class="option">start-time</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Specify the date and time when the generated RRSIG records
             for the DNSKEY RRset will expire.  This is to be used in cases
             when the DNSKEY signatures need to persist longer than
@@ -236,7 +154,7 @@
             of the KSK is kept offline and the KSK signature is to be
             refreshed manually.
           </p>
-          <p>
+<p>
             As with <code class="option">start-time</code>, an absolute
             time is indicated in YYYYMMDDHHMMSS notation.  A time relative
             to the start time is indicated with +N, which is N seconds from
@@ -247,34 +165,28 @@
             30 days from the start time.) <code class="option">extended end-time</code>
             must be later than <code class="option">start-time</code>.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The name of the output file containing the signed zone.  The
             default is to append <code class="filename">.signed</code> to
             the input filename.  If <code class="option">output-file</code> is
             set to <code class="literal">"-"</code>, then the signed zone is
             written to the standard output, with a default output
             format of "full".
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints a short summary of the options and arguments to
             <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             When a previously-signed zone is passed as input, records
             may be resigned.  The <code class="option">interval</code> option
             specifies the cycle interval as an offset from the current
@@ -282,7 +194,7 @@
             cycle interval, it is retained.  Otherwise, it is considered
             to be expiring soon, and it will be replaced.
           </p>
-          <p>
+<p>
             The default cycle interval is one quarter of the difference
             between the signature end and start times.  So if neither
             <code class="option">end-time</code> or <code class="option">start-time</code>
@@ -293,10 +205,9 @@
             are due to expire in less than 7.5 days, they would be
             replaced.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The format of the input zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
@@ -305,11 +216,10 @@
             format containing updates can be signed directly.
 	    The use of this option does not make much sense for
 	    non-dynamic zones.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
 <dd>
-          <p>
+<p>
             When signing a zone with a fixed signature lifetime, all
             RRSIG records issued at the time of signing expires
             simultaneously.  If the zone is incrementally signed, i.e.
@@ -320,72 +230,55 @@
             expire time, thus spreading incremental signature
             regeneration over time.
           </p>
-          <p>
+<p>
             Signature lifetime jitter also to some extent benefits
             validators and servers by spreading out cache expiration,
             i.e. if large numbers of RRSIGs don't expire at the same time
             from all caches there will be less congestion than if all
             validators need to refetch at mostly the same time.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             When writing a signed zone to "raw" or "map" format, set the
             "source serial" value in the header to the specified serial
             number.  (This is expected to be used primarily for testing
             purposes.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the number of threads to use.  By default, one
             thread is started for each detected CPU.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
 <dd>
-          <p>
+<p>
             The SOA serial number format of the signed zone.
 	    Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
             <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
             and <span class="command"><strong>"date"</strong></span>.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
-<dd>
-                <p>Do not modify the SOA serial number.</p>
-	      </dd>
+<dd><p>Do not modify the SOA serial number.</p></dd>
 <dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
-<dd>
-                <p>Increment the SOA serial number using RFC 1982
-                      arithmetics.</p>
-	      </dd>
+<dd><p>Increment the SOA serial number using RFC 1982
+                      arithmetics.</p></dd>
 <dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
-<dd>
-                <p>Set the SOA serial number to the number of seconds
-	        since epoch.</p>
-	      </dd>
+<dd><p>Set the SOA serial number to the number of seconds
+	        since epoch.</p></dd>
 <dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
-<dd>
-                <p>Set the SOA serial number to today's date in
-                YYYYMMDDNN format.</p>
-	      </dd>
+<dd><p>Set the SOA serial number to today's date in
+                YYYYMMDDNN format.</p></dd>
 </dl></div>
-
-        </dd>
+</dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The zone origin.  If not specified, the name of the zone file
             is assumed to be the origin.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The format of the output file containing the signed zone.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
             which is the standard textual representation of the zone;
@@ -398,36 +291,33 @@
             the raw zone file: if N is 0, the raw file can be read by
             any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
             can be read by release 9.9.0 or higher; the default is 1.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use pseudo-random data when signing the zone.  This is faster,
             but less secure, than using real random data.  This option
             may be useful when signing large zones or when the entropy
             source is limited.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-P</span></dt>
 <dd>
-          <p>
+<p>
 	    Disable post sign verification tests.
           </p>
-          <p>
+<p>
 	    The post sign verification test ensures that for each algorithm
 	    in use there is at least one non revoked self signed KSK key,
 	    that all revoked KSK keys are self signed, and that all records
 	    in the zone are signed by the algorithm.
 	    This option skips these tests.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-Q</span></dt>
 <dd>
-          <p>
+<p>
 	    Remove signatures from keys that are no longer active.
           </p>
-          <p>
+<p>
             Normally, when a previously-signed zone is passed as input
             to the signer, and a DNSKEY record has been removed and
             replaced with a new one, signatures from the old key
@@ -439,23 +329,22 @@
             enables ZSK rollover using the procedure described in
             RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-R</span></dt>
 <dd>
-          <p>
+<p>
 	    Remove signatures from keys that are no longer published.
           </p>
-          <p>
+<p>
             This option is similar to <code class="option">-Q</code>, except it
             forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
             keys that are no longer published. This enables ZSK rollover
             using the procedure described in RFC 4641, section 4.2.1.2
             ("Double Signature Zone Signing Key Rollover").
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the source of randomness.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
             or equivalent device, the default source of randomness
@@ -465,65 +354,53 @@
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-S</span></dt>
 <dd>
-          <p>
+<p>
             Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
             search the key repository for keys that match the zone being
             signed, and to include them in the zone if appropriate.
           </p>
-          <p>
+<p>
             When a key is found, its timing metadata is examined to
             determine how it should be used, according to the following
             rules.  Each successive rule takes priority over the prior
             ones:
           </p>
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If no timing metadata has been set for the key, the key is
                   published in the zone and used to sign the zone.
-                </p>
-	      </dd>
+                </p></dd>
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If the key's publication date is set and is in the past, the
                   key is published in the zone.
-                </p>
-	      </dd>
+                </p></dd>
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If the key's activation date is set and in the past, the
                   key is published (regardless of publication date) and
                   used to sign the zone.
-                </p>
-	      </dd>
+                </p></dd>
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If the key's revocation date is set and in the past, and the
                   key is published, then the key is revoked, and the revoked key
                   is used to sign the zone.
-                </p>
-	      </dd>
+                </p></dd>
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If either of the key's unpublication or deletion dates are set
                   and in the past, the key is NOT published or used to sign the
                   zone, regardless of any other metadata.
-                </p>
-	      </dd>
+                </p></dd>
 </dl></div>
-        </dd>
+</dd>
 <dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a TTL to be used for new DNSKEY records imported
             into the zone from the key repository.  If not
             specified, the default is the TTL value from the zone's SOA
@@ -535,102 +412,81 @@
             them, or if any of the imported DNSKEY records had a default
             TTL value.  In the event of a a conflict between TTL values in
             imported keys, the shortest one is used.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-t</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print statistics at completion.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-u</span></dt>
-<dd>
-          <p>
+<dd><p>
             Update NSEC/NSEC3 chain when re-signing a previously signed
             zone.  With this option, a zone signed with NSEC can be
             switched to NSEC3, or a zone signed with NSEC3 can
             be switch to NSEC or to NSEC3 with different parameters.
             Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
             retain the existing chain when re-signing.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the debugging level.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-x</span></dt>
-<dd>
-          <p>
+<dd><p>
             Only sign the DNSKEY RRset with key-signing keys, and omit
             signatures from zone-signing keys.  (This is similar to the
             <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
             <span class="command"><strong>named</strong></span>.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-z</span></dt>
-<dd>
-          <p>
+<dd><p>
             Ignore KSK flag on key when determining what to sign.  This
             causes KSK-flagged keys to sign all records, not just the
             DNSKEY RRset.  (This is similar to the
             <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
             <span class="command"><strong>named</strong></span>.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Generate an NSEC3 chain with the given hex encoded salt.
 	    A dash (<em class="replaceable"><code>salt</code></em>) can
 	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
 	    When generating an NSEC3 chain, use this many iterations.  The
 	    default is 10.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-A</span></dt>
 <dd>
-          <p>
+<p>
 	    When generating an NSEC3 chain set the OPTOUT flag on all
 	    NSEC3 records and do not generate NSEC3 records for insecure
 	    delegations.
           </p>
-          <p>
+<p>
 	    Using this option twice (i.e., <code class="option">-AA</code>)
 	    turns the OPTOUT flag off for all records.  This is useful
 	    when using the <code class="option">-u</code> option to modify an NSEC3
 	    chain which previously had OPTOUT set.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">zonefile</span></dt>
-<dd>
-          <p>
+<dd><p>
             The file containing the zone to be signed.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">key</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Specify which keys should be used to sign the zone.  If
 	    no keys are specified, then the zone will be examined
 	    for DNSKEY records at the zone apex.  If these are found and
 	    there are matching private keys, in the current directory,
 	    then these will be used for signing.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>EXAMPLE</h2>
-
-    <p>
+<p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
       (Kexample.com.+003+17247).  Because the <span class="command"><strong>-S</strong></span> option
@@ -643,13 +499,13 @@
 Kexample.com.+003+17247
 db.example.com.signed
 %</pre>
-    <p>
+<p>
       In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
       the file <code class="filename">db.example.com.signed</code>.  This
       file should be referenced in a zone statement in a
       <code class="filename">named.conf</code> file.
     </p>
-    <p>
+<p>
       This example re-signs a previously signed zone with default parameters.
       The private keys are assumed to be in the current directory.
     </p>
@@ -657,18 +513,13 @@ db.example.com.signed
 % dnssec-signzone -o example.com db.example.com
 db.example.com.signed
 %</pre>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dnssec/dnssec-verify.8 b/bind/bind9/bin/dnssec/dnssec-verify.8
index 0d81dac3..3ce7c6b9 100644
--- a/bind/bind9/bin/dnssec/dnssec-verify.8
+++ b/bind/bind9/bin/dnssec/dnssec-verify.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-verify
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-15
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -113,5 +113,5 @@ RFC 4033\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/dnssec/dnssec-verify.c b/bind/bind9/bin/dnssec/dnssec-verify.c
index 4c293bf5..087cd5dc 100644
--- a/bind/bind9/bin/dnssec/dnssec-verify.c
+++ b/bind/bind9/bin/dnssec/dnssec-verify.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/dnssec/dnssec-verify.docbook b/bind/bind9/bin/dnssec/dnssec-verify.docbook
index 1694feca..c80af6d1 100644
--- a/bind/bind9/bin/dnssec/dnssec-verify.docbook
+++ b/bind/bind9/bin/dnssec/dnssec-verify.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
   <info>
     <date>2014-01-15</date>
   </info>
@@ -39,6 +39,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/dnssec/dnssec-verify.html b/bind/bind9/bin/dnssec/dnssec-verify.html
index 400eda91..9cc0c0d7 100644
--- a/bind/bind9/bin/dnssec/dnssec-verify.html
+++ b/bind/bind9/bin/dnssec/dnssec-verify.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,68 +10,39 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-verify</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-verify"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-verify</span>
-     &#8212; DNSSEC zone verification tool
-  </p>
+<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-verify</code> 
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
-       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-x</code>]
-       [<code class="option">-z</code>]
-       {zonefile}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-verify</strong></span>
+<p><span class="command"><strong>dnssec-verify</strong></span>
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
       chains are complete.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the DNS class of the zone.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -79,10 +50,9 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The format of the input zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 	    and <span class="command"><strong>"raw"</strong></span>.
@@ -91,41 +61,32 @@
             format containing updates can be verified independently.
 	    The use of this option does not make much sense for
 	    non-dynamic zones.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The zone origin.  If not specified, the name of the zone file
             is assumed to be the origin.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the debugging level.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-x</span></dt>
-<dd>
-          <p>
+<dd><p>
             Only verify that the DNSKEY RRset is signed with key-signing
             keys.  Without this flag, it is assumed that the DNSKEY RRset
             will be signed by all active keys.  When this flag is set,
             it will not be an error if the DNSKEY RRset is not signed
             by zone-signing keys.  This corresponds to the <code class="option">-x</code>
             option in <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-z</span></dt>
 <dd>
-	  <p>
+<p>
 	    Ignore the KSK flag on the keys when determining whether
             the zone if correctly signed.  Without this flag it is
 	    assumed that there will be a non-revoked, self-signed
@@ -133,7 +94,7 @@
 	    that RRsets other than DNSKEY RRset will be signed with
             a different DNSKEY without the KSK flag set.
 	  </p>
-	  <p>
+<p>
 	    With this flag set, we only require that for each algorithm,
             there will be at least one non-revoked, self-signed DNSKEY,
             regardless of the KSK flag state, and that other RRsets
@@ -142,27 +103,20 @@
             for both purposes.  This corresponds to the <code class="option">-z</code>
             option in <span class="command"><strong>dnssec-signzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">zonefile</span></dt>
-<dd>
-          <p>
+<dd><p>
             The file containing the zone to be signed.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/dnssec/dnssectool.c b/bind/bind9/bin/dnssec/dnssectool.c
index 9d2a0169..7f045e82 100644
--- a/bind/bind9/bin/dnssec/dnssectool.c
+++ b/bind/bind9/bin/dnssec/dnssectool.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -694,7 +694,7 @@ verifynsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	result = dns_rdataset_next(&rdataset);
 	if (result != ISC_R_NOMORE) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Multipe NSEC records for %s\n", namebuf);
+		fprintf(stderr, "Multiple NSEC records for %s\n", namebuf);
 		goto failure;
 
 	}
@@ -1073,7 +1073,7 @@ verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	check_result(result, "dns_nsec3_hashname()");
 
 	/*
-	 * We don't use dns_db_find() here as it works with the choosen
+	 * We don't use dns_db_find() here as it works with the chosen
 	 * nsec3 chain and we may also be called with uncommitted data
 	 * from dnssec-signzone so the secure status of the zone may not
 	 * be up to date.
@@ -1234,7 +1234,7 @@ verifynode(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 		 * If we are not at a delegation then everything should be
 		 * signed.  If we are at a delegation then only the DS set
 		 * is signed.  The NS set is not signed at a delegation but
-		 * its existance is recorded in the bit map.  Anything else
+		 * its existence is recorded in the bit map.  Anything else
 		 * other than NSEC and DS is not signed at a delegation.
 		 */
 		if (rdataset.type != dns_rdatatype_rrsig &&
@@ -1333,7 +1333,7 @@ free_element(isc_mem_t *mctx, struct nsec3_chain_fixed *e) {
 }
 
 static bool
-checknext(const struct nsec3_chain_fixed *first,
+_checknext(const struct nsec3_chain_fixed *first,
 	  const struct nsec3_chain_fixed *e)
 {
 	char buf[512];
@@ -1371,6 +1371,35 @@ checknext(const struct nsec3_chain_fixed *first,
 	return (false);
 }
 
+static inline bool
+checknext(isc_mem_t *mctx,
+	  const struct nsec3_chain_fixed *first,
+	  struct nsec3_chain_fixed *prev,
+	  const struct nsec3_chain_fixed *cur)
+{
+	bool result = _checknext(prev, cur);
+
+	if (prev != first) {
+		free_element(mctx, prev);
+	}
+
+	return (result);
+}
+
+static inline bool
+checklast(isc_mem_t *mctx,
+	  struct nsec3_chain_fixed *first,
+	  struct nsec3_chain_fixed *prev)
+{
+	bool result = _checknext(prev, first);
+	if (prev != first) {
+		free_element(mctx, prev);
+	}
+	free_element(mctx, first);
+
+	return (result);
+}
+
 #define EXPECTEDANDFOUND "Expected and found NSEC3 chains not equal\n"
 
 static isc_result_t
@@ -1415,32 +1444,27 @@ verify_nsec3_chains(isc_mem_t *mctx) {
 			fprintf(stderr, EXPECTEDANDFOUND);
 			result = ISC_R_FAILURE;
 		}
-		if (first == NULL || newchain(first, e)) {
-			if (prev != NULL) {
-				if (!checknext(prev, first))
-					result = ISC_R_FAILURE;
-				if (prev != first)
-					free_element(mctx, prev);
+
+		if (first == NULL) {
+			prev = first = e;
+		} else if (newchain(first, e)) {
+			if (!checklast(mctx, first, prev)) {
+				result = ISC_R_FAILURE;
 			}
-			if (first != NULL)
-				free_element(mctx, first);
+
 			prev = first = e;
-			continue;
+		} else {
+			if (!checknext(mctx, first, prev, e)) {
+				result = ISC_R_FAILURE;
+			}
+
+			prev = e;
 		}
-		if (!checknext(prev, e))
-			result = ISC_R_FAILURE;
-		if (prev != first)
-			free_element(mctx, prev);
-		prev = e;
 	}
 	if (prev != NULL) {
-		if (!checknext(prev, first))
+		if (!checklast(mctx, first, prev))
 			result = ISC_R_FAILURE;
-		if (prev != first)
-			free_element(mctx, prev);
 	}
-	if (first != NULL)
-		free_element(mctx, first);
 	do {
 		if (f != NULL) {
 			if (result == ISC_R_SUCCESS) {
@@ -1904,7 +1928,7 @@ isoptarg(const char *arg, char **argv, void(*usage)(void)) {
 			usage();
 		}
 		isc_commandline_argument = argv[isc_commandline_index];
-		/* skip to next arguement */
+		/* skip to next argument */
 		isc_commandline_index++;
 		return (true);
 	}
diff --git a/bind/bind9/bin/dnssec/dnssectool.h b/bind/bind9/bin/dnssec/dnssectool.h
index ab57b6dd..6cbda2ae 100644
--- a/bind/bind9/bin/dnssec/dnssectool.h
+++ b/bind/bind9/bin/dnssec/dnssectool.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/dnssec/win32/dnssectool.vcxproj.in b/bind/bind9/bin/dnssec/win32/dnssectool.vcxproj.in
index 1a222732..85e0fa15 100644
--- a/bind/bind9/bin/dnssec/win32/dnssectool.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/dnssectool.vcxproj.in
@@ -51,18 +51,21 @@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <OutDir>.\$(Configuration)\</OutDir>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -81,7 +84,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/win32/dsfromkey.vcxproj.in b/bind/bind9/bin/dnssec/win32/dsfromkey.vcxproj.in
index eb8ba447..80fd831c 100644
--- a/bind/bind9/bin/dnssec/win32/dsfromkey.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/dsfromkey.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -91,7 +94,8 @@ set PYTHONPATH=.
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/win32/importkey.vcxproj.in b/bind/bind9/bin/dnssec/win32/importkey.vcxproj.in
index beaf0d65..5f8fbe92 100644
--- a/bind/bind9/bin/dnssec/win32/importkey.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/importkey.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/win32/keyfromlabel.vcxproj.in b/bind/bind9/bin/dnssec/win32/keyfromlabel.vcxproj.in
index 45d16885..9a26eb7d 100644
--- a/bind/bind9/bin/dnssec/win32/keyfromlabel.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/keyfromlabel.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/win32/keygen.vcxproj.in b/bind/bind9/bin/dnssec/win32/keygen.vcxproj.in
index c1347e29..e748e290 100644
--- a/bind/bind9/bin/dnssec/win32/keygen.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/keygen.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/win32/revoke.vcxproj.in b/bind/bind9/bin/dnssec/win32/revoke.vcxproj.in
index a649a958..350f234c 100644
--- a/bind/bind9/bin/dnssec/win32/revoke.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/revoke.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/win32/settime.vcxproj.in b/bind/bind9/bin/dnssec/win32/settime.vcxproj.in
index 19253dc0..c5231302 100644
--- a/bind/bind9/bin/dnssec/win32/settime.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/settime.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/win32/signzone.vcxproj.in b/bind/bind9/bin/dnssec/win32/signzone.vcxproj.in
index 2a57e16d..a3d8251e 100644
--- a/bind/bind9/bin/dnssec/win32/signzone.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/signzone.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/dnssec/win32/verify.vcxproj.in b/bind/bind9/bin/dnssec/win32/verify.vcxproj.in
index 8cc36ae9..bed629c0 100644
--- a/bind/bind9/bin/dnssec/win32/verify.vcxproj.in
+++ b/bind/bind9/bin/dnssec/win32/verify.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>dnssec-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/named/Makefile.in b/bind/bind9/bin/named/Makefile.in
index e7a61c90..3798a4f6 100644
--- a/bind/bind9/bin/named/Makefile.in
+++ b/bind/bind9/bin/named/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/bind9.xsl b/bind/bind9/bin/named/bind9.xsl
index 975536ca..9a1c6ff9 100644
--- a/bind/bind9/bin/named/bind9.xsl
+++ b/bind/bind9/bin/named/bind9.xsl
@@ -4,7 +4,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/bind9.xsl.h b/bind/bind9/bin/named/bind9.xsl.h
index a1738cd2..9ce8cd7b 100644
--- a/bind/bind9/bin/named/bind9.xsl.h
+++ b/bind/bind9/bin/named/bind9.xsl.h
@@ -9,7 +9,7 @@ static char xslmsg[] =
 	" -\n"
 	" - This Source Code Form is subject to the terms of the Mozilla Public\n"
 	" - License, v. 2.0. If a copy of the MPL was not distributed with this\n"
-	" - file, You can obtain one at http://mozilla.org/MPL/2.0/.\n"
+	" - file, you can obtain one at https://mozilla.org/MPL/2.0/.\n"
 	" -\n"
 	" - See the COPYRIGHT file distributed with this work for additional\n"
 	" - information regarding copyright ownership.\n"
diff --git a/bind/bind9/bin/named/builtin.c b/bind/bind9/bin/named/builtin.c
index d6562ee5..25a4df1e 100644
--- a/bind/bind9/bin/named/builtin.c
+++ b/bind/bind9/bin/named/builtin.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/client.c b/bind/bind9/bin/named/client.c
index f8431bc3..15fcfcd3 100644
--- a/bind/bind9/bin/named/client.c
+++ b/bind/bind9/bin/named/client.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -241,7 +241,23 @@ struct ns_clientmgr {
 #define NS_CLIENT_DROPPORT 1
 #endif
 
+#ifdef NS_CLIENT_NCRSTDATOMIC
+_Atomic(unsigned int) ns_client_requests;
+#else
 unsigned int ns_client_requests;
+#endif
+
+#ifdef NS_CLIENT_NEED_NCR_INC
+ISC_NO_SANITIZE_THREAD void
+ns_client_ncr_inc(void) {
+	ns_client_requests++;
+}
+
+ISC_NO_SANITIZE_THREAD unsigned int
+ns_client_ncr_load(void) {
+	return (ns_client_requests);
+}
+#endif
 
 static void client_read(ns_client_t *client);
 static void client_accept(ns_client_t *client);
@@ -685,7 +701,7 @@ exit_check(ns_client_t *client) {
 		 * the "freed" state, it will be removed from the inactive
 		 * list shortly, and we need to keep the manager locked until
 		 * that has been done, lest the manager decide to reactivate
-		 * the dying client inbetween.
+		 * the dying client in between.
 		 */
 		client->state = NS_CLIENTSTATE_INACTIVE;
 		INSIST(client->recursionquota == NULL);
@@ -695,6 +711,19 @@ exit_check(ns_client_t *client) {
 			if (!ns_g_clienttest && manager != NULL &&
 			    !manager->exiting)
 			{
+				/*
+				 * We are placing client on manager->inactive
+				 * locklessly and it may be picked up by a
+				 * different thread leading to TSAN errors.
+				 * The LOCK/UNLOCK will cause outstanding
+				 * writes to the client structure to be
+				 * flushed.
+				 *
+				 * queue_pop() prevents TSAN errors from
+				 * changes made by ISC_QUEUE_PUSH.
+				 */
+				LOCK(&client->query.fetchlock);
+				UNLOCK(&client->query.fetchlock);
 				ISC_QUEUE_PUSH(manager->inactive, client,
 					       ilink);
 			}
@@ -754,7 +783,7 @@ exit_check(ns_client_t *client) {
 			client->keytag_len = 0;
 		}
 
-		dns_message_destroy(&client->message);
+		dns_message_detach(&client->message);
 
 		/*
 		 * Detaching the task must be done after unlinking from
@@ -846,8 +875,7 @@ client_shutdown(isc_task_t *task, isc_event_t *event) {
 		client->shutdown_arg = NULL;
 	}
 
-	if (ISC_QLINK_LINKED(client, ilink))
-		ISC_QUEUE_UNLINK(client->manager->inactive, client, ilink);
+	ISC_QUEUE_UNLINKIFLINKED(client->manager->inactive, client, ilink);
 
 	client->newstate = NS_CLIENTSTATE_FREED;
 	client->needshutdown = false;
@@ -2477,7 +2505,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 				       NS_CLIENTSTATE_READING :
 				       NS_CLIENTSTATE_READY));
 
-	ns_client_requests++;
+	ncr_inc(ns_client_requests);
 
 	if (event->ev_type == ISC_SOCKEVENT_RECVDONE) {
 		INSIST(!TCP_CLIENT(client));
@@ -2685,7 +2713,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
 			      "message parsing failed: %s",
 			      isc_result_totext(result));
-		if (result == ISC_R_NOSPACE) {
+		if (result == ISC_R_NOSPACE || result == DNS_R_BADTSIG) {
 			result = DNS_R_FORMERR;
 		}
 		ns_client_error(client, result);
@@ -3372,7 +3400,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	client->magic = 0;
 
  cleanup_message:
-	dns_message_destroy(&client->message);
+	dns_message_detach(&client->message);
 
  cleanup_timer:
 	isc_timer_detach(&client->timer);
@@ -3853,6 +3881,22 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
 	*managerp = NULL;
 }
 
+/*
+ * ISC_QUEUE_POP is deliberately not tsan safe to avoid aquiring
+ * the taillock every time ISC_QUEUE_POP is called.
+ * Isolate ISC_QUEUE_POP from tsan analysis.
+ */
+ISC_NO_SANITIZE_THREAD static ISC_NO_SANITIZE_INLINE ns_client_t *
+queue_pop(ns_clientmgr_t *manager)
+{
+	ns_client_t *client = NULL;
+
+	if (!ns_g_clienttest) {
+		ISC_QUEUE_POP(manager->inactive, ilink, client);
+	}
+	return (client);
+}
+
 static isc_result_t
 get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
 	   dns_dispatch_t *disp, bool tcp)
@@ -3872,8 +3916,9 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
 	 * if that fails, make a new one.
 	 */
 	client = NULL;
-	if (!ns_g_clienttest)
-		ISC_QUEUE_POP(manager->inactive, ilink, client);
+	if (!ns_g_clienttest) {
+		client = queue_pop(manager);
+	}
 
 	if (client != NULL)
 		MTRACE("recycle");
@@ -3941,8 +3986,9 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
 	 * if that fails, make a new one.
 	 */
 	client = NULL;
-	if (!ns_g_clienttest)
-		ISC_QUEUE_POP(manager->inactive, ilink, client);
+	if (!ns_g_clienttest) {
+		client = queue_pop(manager);
+	}
 
 	if (client != NULL)
 		MTRACE("recycle");
diff --git a/bind/bind9/bin/named/config.c b/bind/bind9/bin/named/config.c
index 53a60d7a..d24e4f8a 100644
--- a/bind/bind9/bin/named/config.c
+++ b/bind/bind9/bin/named/config.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -65,7 +65,7 @@ options {\n\
 #	deallocate-on-exit <obsolete>;\n\
 #	directory <none>\n\
 	dump-file \"named_dump.db\";\n\
-	edns-udp-size 4096;\n\
+	edns-udp-size 1232;\n\
 #	fake-iquery <obsolete>;\n"
 #ifndef WIN32
 "	files unlimited;\n"
@@ -86,7 +86,7 @@ options {\n\
 #	lock-file \"" NS_LOCALSTATEDIR "/run/named/named.lock\";\n\
 	match-mapped-addresses no;\n\
 	max-rsa-exponent-size 0; /* no limit */\n\
-	max-udp-size 4096;\n\
+	max-udp-size 1232;\n\
 	memstatistics-file \"named.memstats\";\n\
 #	multiple-cnames <obsolete>;\n\
 #	named-xfer <obsolete>;\n\
@@ -175,7 +175,7 @@ options {\n\
 #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
 "	geoip-use-ecs yes;\n"
 #endif
-"	lame-ttl 600;\n"
+"	lame-ttl 0;\n"
 #ifdef HAVE_LMDB
 "	lmdb-mapsize 32M;\n"
 #endif
@@ -185,7 +185,7 @@ options {\n\
 	max-clients-per-query 100;\n\
 	max-ncache-ttl 10800; /* 3 hours */\n\
 	max-recursion-depth 7;\n\
-	max-recursion-queries 75;\n\
+	max-recursion-queries 100;\n\
 	message-compression yes;\n\
 #	min-roots <obsolete>;\n\
 	minimal-any false;\n\
@@ -344,6 +344,10 @@ ns_checknames_get(const cfg_obj_t **maps, const char *which,
 	const cfg_obj_t *value;
 	int i;
 
+	REQUIRE(maps != NULL);
+	REQUIRE(which != NULL);
+	REQUIRE(obj != NULL && *obj == NULL);
+
 	for (i = 0;; i++) {
 		if (maps[i] == NULL)
 			return (ISC_R_NOTFOUND);
diff --git a/bind/bind9/bin/named/control.c b/bind/bind9/bin/named/control.c
index df23c265..23620b4d 100644
--- a/bind/bind9/bin/named/control.c
+++ b/bind/bind9/bin/named/control.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/controlconf.c b/bind/bind9/bin/named/controlconf.c
index d955c2f9..9fdf49bb 100644
--- a/bind/bind9/bin/named/controlconf.c
+++ b/bind/bind9/bin/named/controlconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -21,6 +21,7 @@
 #include <isc/event.h>
 #include <isc/file.h>
 #include <isc/mem.h>
+#include <isc/mutex.h>
 #include <isc/net.h>
 #include <isc/netaddr.h>
 #include <isc/random.h>
@@ -75,8 +76,8 @@ struct controlkey {
 struct controlconnection {
 	isc_socket_t *			sock;
 	isccc_ccmsg_t			ccmsg;
-	bool			ccmsg_valid;
-	bool			sending;
+	bool				ccmsg_valid;
+	bool				sending;
 	isc_timer_t *			timer;
 	isc_buffer_t *			buffer;
 	controllistener_t *		listener;
@@ -91,22 +92,23 @@ struct controllistener {
 	isc_sockaddr_t			address;
 	isc_socket_t *			sock;
 	dns_acl_t *			acl;
-	bool			listening;
-	bool			exiting;
+	bool				listening;
+	bool				exiting;
 	controlkeylist_t		keys;
 	controlconnectionlist_t		connections;
 	isc_sockettype_t		type;
 	uint32_t			perm;
 	uint32_t			owner;
 	uint32_t			group;
-	bool			readonly;
+	bool				readonly;
 	ISC_LINK(controllistener_t)	link;
 };
 
 struct ns_controls {
 	ns_server_t			*server;
 	controllistenerlist_t 		listeners;
-	bool			shuttingdown;
+	bool				shuttingdown;
+	isc_mutex_t			symtab_lock;
 	isccc_symtab_t			*symtab;
 };
 
@@ -434,8 +436,10 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Duplicate suppression (required for UDP).
 	 */
+	LOCK(&listener->controls->symtab_lock);
 	isccc_cc_cleansymtab(listener->controls->symtab, now);
 	result = isccc_cc_checkdup(listener->controls->symtab, request, now);
+	UNLOCK(&listener->controls->symtab_lock);
 	if (result != ISC_R_SUCCESS) {
 		if (result == ISC_R_EXISTS)
 			result = ISCCC_R_DUPLICATE;
@@ -1503,14 +1507,28 @@ ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp) {
 	isc_result_t result;
 	ns_controls_t *controls = isc_mem_get(mctx, sizeof(*controls));
 
-	if (controls == NULL)
+	if (controls == NULL) {
 		return (ISC_R_NOMEMORY);
-	controls->server = server;
+	}
+
+	*controls = (ns_controls_t){
+		.server = server,
+	};
+
 	ISC_LIST_INIT(controls->listeners);
-	controls->shuttingdown = false;
-	controls->symtab = NULL;
+
+	result = isc_mutex_init(&controls->symtab_lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(server->mctx, controls, sizeof(*controls));
+		return (result);
+	}
+
+	LOCK(&controls->symtab_lock);
 	result = isccc_cc_createsymtab(&controls->symtab);
+	UNLOCK(&controls->symtab_lock);
+
 	if (result != ISC_R_SUCCESS) {
+		isc_mutex_destroy(&controls->symtab_lock);
 		isc_mem_put(server->mctx, controls, sizeof(*controls));
 		return (result);
 	}
@@ -1524,7 +1542,10 @@ ns_controls_destroy(ns_controls_t **ctrlsp) {
 
 	REQUIRE(ISC_LIST_EMPTY(controls->listeners));
 
+	LOCK(&controls->symtab_lock);
 	isccc_symtab_destroy(&controls->symtab);
+	UNLOCK(&controls->symtab_lock);
+	isc_mutex_destroy(&controls->symtab_lock);
 	isc_mem_put(controls->server->mctx, controls, sizeof(*controls));
 	*ctrlsp = NULL;
 }
diff --git a/bind/bind9/bin/named/convertxsl.pl b/bind/bind9/bin/named/convertxsl.pl
index 8f78be32..092bc013 100755
--- a/bind/bind9/bin/named/convertxsl.pl
+++ b/bind/bind9/bin/named/convertxsl.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/fuzz.c b/bind/bind9/bin/named/fuzz.c
index 4450df2a..0d6165f4 100644
--- a/bind/bind9/bin/named/fuzz.c
+++ b/bind/bind9/bin/named/fuzz.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/geoip.c b/bind/bind9/bin/named/geoip.c
index 0b11f6b8..02db0de8 100644
--- a/bind/bind9/bin/named/geoip.c
+++ b/bind/bind9/bin/named/geoip.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/dlz/dlz_dlopen_driver.h b/bind/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
index 14a637bc..8dcc4b41 100644
--- a/bind/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
+++ b/bind/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/builtin.h b/bind/bind9/bin/named/include/named/builtin.h
index 97ffdee1..240132fb 100644
--- a/bind/bind9/bin/named/include/named/builtin.h
+++ b/bind/bind9/bin/named/include/named/builtin.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: builtin.h,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NAMED_BUILTIN_H
 #define NAMED_BUILTIN_H 1
 
diff --git a/bind/bind9/bin/named/include/named/client.h b/bind/bind9/bin/named/include/named/client.h
index 01b6141c..78c1a43a 100644
--- a/bind/bind9/bin/named/include/named/client.h
+++ b/bind/bind9/bin/named/include/named/client.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -59,9 +59,10 @@
 
 #include <isc/buffer.h>
 #include <isc/magic.h>
-#include <isc/stdtime.h>
-#include <isc/quota.h>
+#include <isc/platform.h>
 #include <isc/queue.h>
+#include <isc/quota.h>
+#include <isc/stdtime.h>
 
 #include <dns/db.h>
 #include <dns/fixedname.h>
@@ -119,10 +120,10 @@ struct ns_client {
 	isc_socket_t *		tcpsocket;
 	unsigned char *		tcpbuf;
 	dns_tcpmsg_t		tcpmsg;
-	bool		tcpmsg_valid;
+	bool			tcpmsg_valid;
 	isc_timer_t *		timer;
 	isc_timer_t *		delaytimer;
-	bool 		timerset;
+	bool 			timerset;
 	dns_message_t *		message;
 	isc_socketevent_t *	sendevent;
 	isc_socketevent_t *	recvevent;
@@ -130,7 +131,7 @@ struct ns_client {
 	dns_rdataset_t *	opt;
 	uint16_t		udpsize;
 	uint16_t		extflags;
-	int16_t		ednsversion;	/* -1 noedns */
+	int16_t			ednsversion;	/* -1 noedns */
 	void			(*next)(ns_client_t *);
 	void			(*shutdown)(void *arg, isc_result_t result);
 	void 			*shutdown_arg;
@@ -146,7 +147,7 @@ struct ns_client {
 	ns_interface_t		*interface;
 
 	isc_sockaddr_t		peeraddr;
-	bool		peeraddr_valid;
+	bool			peeraddr_valid;
 	isc_netaddr_t		destaddr;
 	isc_sockaddr_t		destsockaddr;
 
@@ -213,9 +214,28 @@ typedef ISC_LIST(ns_client_t) client_list_t;
  */
 #define NS_FAILCACHE_CD		0x01
 
-
-
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#if defined(__cplusplus)
+#include <isc/stdatomic.h>
+#else
+#include <stdatomic.h>
+#endif
+#define ncr_inc(x) atomic_fetch_add(&(x), (1))
+#define ncr_load(x) atomic_load(&(x))
+#define NS_CLIENT_NCRSTDATOMIC 1
+extern _Atomic(unsigned int) ns_client_requests;
+#elif defined(ISC_PLATFORM_HAVEXADD)
+#define ncr_inc(x) isc_atomic_xadd((int *)&(x), 1);
+#define ncr_load(x) isc_atomic_xadd((int *)&(x), 0);
 extern unsigned int ns_client_requests;
+#else
+void ns_client_ncr_inc(void);
+unsigned int ns_client_ncr_load(void);
+#define NS_CLIENT_NEED_NCR_INC
+#define ncr_inc(x) ns_client_ncr_inc()
+#define ncr_load(x) ns_client_ncr_load()
+extern unsigned int ns_client_requests;
+#endif
 
 /***
  *** Functions
diff --git a/bind/bind9/bin/named/include/named/config.h b/bind/bind9/bin/named/include/named/config.h
index 965c2b09..656336b3 100644
--- a/bind/bind9/bin/named/include/named/config.h
+++ b/bind/bind9/bin/named/include/named/config.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/control.h b/bind/bind9/bin/named/include/named/control.h
index 8705fdd6..56bad8d8 100644
--- a/bind/bind9/bin/named/include/named/control.h
+++ b/bind/bind9/bin/named/include/named/control.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: control.h,v 1.38 2012/01/31 23:47:31 tbox Exp $ */
-
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
 
diff --git a/bind/bind9/bin/named/include/named/fuzz.h b/bind/bind9/bin/named/include/named/fuzz.h
index 6e5eac58..c05f112d 100644
--- a/bind/bind9/bin/named/include/named/fuzz.h
+++ b/bind/bind9/bin/named/include/named/fuzz.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/geoip.h b/bind/bind9/bin/named/include/named/geoip.h
index 38014ffc..c293f1a4 100644
--- a/bind/bind9/bin/named/include/named/geoip.h
+++ b/bind/bind9/bin/named/include/named/geoip.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/globals.h b/bind/bind9/bin/named/include/named/globals.h
index 7d24c39f..0d96a799 100644
--- a/bind/bind9/bin/named/include/named/globals.h
+++ b/bind/bind9/bin/named/include/named/globals.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/interfacemgr.h b/bind/bind9/bin/named/include/named/interfacemgr.h
index 6e10f210..21706939 100644
--- a/bind/bind9/bin/named/include/named/interfacemgr.h
+++ b/bind/bind9/bin/named/include/named/interfacemgr.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/listenlist.h b/bind/bind9/bin/named/include/named/listenlist.h
index d44594c5..04525c02 100644
--- a/bind/bind9/bin/named/include/named/listenlist.h
+++ b/bind/bind9/bin/named/include/named/listenlist.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: listenlist.h,v 1.15 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NAMED_LISTENLIST_H
 #define NAMED_LISTENLIST_H 1
 
diff --git a/bind/bind9/bin/named/include/named/log.h b/bind/bind9/bin/named/include/named/log.h
index 56bfcd46..76e3a51b 100644
--- a/bind/bind9/bin/named/include/named/log.h
+++ b/bind/bind9/bin/named/include/named/log.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: log.h,v 1.27 2009/01/07 23:47:46 tbox Exp $ */
-
 #ifndef NAMED_LOG_H
 #define NAMED_LOG_H 1
 
diff --git a/bind/bind9/bin/named/include/named/logconf.h b/bind/bind9/bin/named/include/named/logconf.h
index 90dc9c4d..8438b675 100644
--- a/bind/bind9/bin/named/include/named/logconf.h
+++ b/bind/bind9/bin/named/include/named/logconf.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/lwaddr.h b/bind/bind9/bin/named/include/named/lwaddr.h
index a48d7568..3e5eed27 100644
--- a/bind/bind9/bin/named/include/named/lwaddr.h
+++ b/bind/bind9/bin/named/include/named/lwaddr.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwaddr.h,v 1.8 2007/06/19 23:46:59 tbox Exp $ */
-
 /*! \file */
 
 #include <lwres/lwres.h>
diff --git a/bind/bind9/bin/named/include/named/lwdclient.h b/bind/bind9/bin/named/include/named/lwdclient.h
index 65e630d0..389abc78 100644
--- a/bind/bind9/bin/named/include/named/lwdclient.h
+++ b/bind/bind9/bin/named/include/named/lwdclient.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwdclient.h,v 1.20 2009/01/17 23:47:42 tbox Exp $ */
-
 #ifndef NAMED_LWDCLIENT_H
 #define NAMED_LWDCLIENT_H 1
 
diff --git a/bind/bind9/bin/named/include/named/lwresd.h b/bind/bind9/bin/named/include/named/lwresd.h
index 90e51136..fff9f114 100644
--- a/bind/bind9/bin/named/include/named/lwresd.h
+++ b/bind/bind9/bin/named/include/named/lwresd.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwresd.h,v 1.19 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
 
diff --git a/bind/bind9/bin/named/include/named/lwsearch.h b/bind/bind9/bin/named/include/named/lwsearch.h
index cf3bc6aa..a256f33c 100644
--- a/bind/bind9/bin/named/include/named/lwsearch.h
+++ b/bind/bind9/bin/named/include/named/lwsearch.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwsearch.h,v 1.9 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NAMED_LWSEARCH_H
 #define NAMED_LWSEARCH_H 1
 
diff --git a/bind/bind9/bin/named/include/named/main.h b/bind/bind9/bin/named/include/named/main.h
index 2860bc2e..5e5738f8 100644
--- a/bind/bind9/bin/named/include/named/main.h
+++ b/bind/bind9/bin/named/include/named/main.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/notify.h b/bind/bind9/bin/named/include/named/notify.h
index 293a6a8b..52895e5f 100644
--- a/bind/bind9/bin/named/include/named/notify.h
+++ b/bind/bind9/bin/named/include/named/notify.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: notify.h,v 1.16 2009/01/17 23:47:42 tbox Exp $ */
-
 #ifndef NAMED_NOTIFY_H
 #define NAMED_NOTIFY_H 1
 
diff --git a/bind/bind9/bin/named/include/named/ns_smf_globals.h b/bind/bind9/bin/named/include/named/ns_smf_globals.h
index 9fc49e65..d2b695ca 100644
--- a/bind/bind9/bin/named/include/named/ns_smf_globals.h
+++ b/bind/bind9/bin/named/include/named/ns_smf_globals.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: ns_smf_globals.h,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NS_SMF_GLOBALS_H
 #define NS_SMF_GLOBALS_H 1
 
diff --git a/bind/bind9/bin/named/include/named/query.h b/bind/bind9/bin/named/include/named/query.h
index 9661f56b..ef1b172e 100644
--- a/bind/bind9/bin/named/include/named/query.h
+++ b/bind/bind9/bin/named/include/named/query.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/seccomp.h b/bind/bind9/bin/named/include/named/seccomp.h
index 4e2c2d9c..970ce28f 100644
--- a/bind/bind9/bin/named/include/named/seccomp.h
+++ b/bind/bind9/bin/named/include/named/seccomp.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/server.h b/bind/bind9/bin/named/include/named/server.h
index 3f96b7b7..4fd0194a 100644
--- a/bind/bind9/bin/named/include/named/server.h
+++ b/bind/bind9/bin/named/include/named/server.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -34,6 +34,7 @@
 #define NS_EVENT_RELOAD		(NS_EVENTCLASS + 0)
 #define NS_EVENT_CLIENTCONTROL	(NS_EVENTCLASS + 1)
 #define NS_EVENT_DELZONE	(NS_EVENTCLASS + 2)
+#define NS_EVENT_TATSEND	(NS_EVENTCLASS + 3)
 
 /*%
  * Name server state.  Better here than in lots of separate global variables.
diff --git a/bind/bind9/bin/named/include/named/sortlist.h b/bind/bind9/bin/named/include/named/sortlist.h
index 15bf2a61..0c4e17d7 100644
--- a/bind/bind9/bin/named/include/named/sortlist.h
+++ b/bind/bind9/bin/named/include/named/sortlist.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: sortlist.h,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
 
diff --git a/bind/bind9/bin/named/include/named/statschannel.h b/bind/bind9/bin/named/include/named/statschannel.h
index 95f71b31..c107c292 100644
--- a/bind/bind9/bin/named/include/named/statschannel.h
+++ b/bind/bind9/bin/named/include/named/statschannel.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: statschannel.h,v 1.3 2008/04/03 05:55:51 marka Exp $ */
-
 #ifndef NAMED_STATSCHANNEL_H
 #define NAMED_STATSCHANNEL_H 1
 
diff --git a/bind/bind9/bin/named/include/named/tkeyconf.h b/bind/bind9/bin/named/include/named/tkeyconf.h
index 5370913f..7c2d8a86 100644
--- a/bind/bind9/bin/named/include/named/tkeyconf.h
+++ b/bind/bind9/bin/named/include/named/tkeyconf.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: tkeyconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
 
diff --git a/bind/bind9/bin/named/include/named/tsigconf.h b/bind/bind9/bin/named/include/named/tsigconf.h
index 0bdd02b9..87ddc5e1 100644
--- a/bind/bind9/bin/named/include/named/tsigconf.h
+++ b/bind/bind9/bin/named/include/named/tsigconf.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: tsigconf.h,v 1.18 2009/06/11 23:47:55 tbox Exp $ */
-
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
 
diff --git a/bind/bind9/bin/named/include/named/types.h b/bind/bind9/bin/named/include/named/types.h
index 7999d107..8a045e0e 100644
--- a/bind/bind9/bin/named/include/named/types.h
+++ b/bind/bind9/bin/named/include/named/types.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/include/named/update.h b/bind/bind9/bin/named/include/named/update.h
index 3ee6623a..484ad95b 100644
--- a/bind/bind9/bin/named/include/named/update.h
+++ b/bind/bind9/bin/named/include/named/update.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: update.h,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NAMED_UPDATE_H
 #define NAMED_UPDATE_H 1
 
diff --git a/bind/bind9/bin/named/include/named/xfrout.h b/bind/bind9/bin/named/include/named/xfrout.h
index 41c7f27b..a0fc8867 100644
--- a/bind/bind9/bin/named/include/named/xfrout.h
+++ b/bind/bind9/bin/named/include/named/xfrout.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: xfrout.h,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
-
 #ifndef NAMED_XFROUT_H
 #define NAMED_XFROUT_H 1
 
diff --git a/bind/bind9/bin/named/include/named/zoneconf.h b/bind/bind9/bin/named/include/named/zoneconf.h
index 5e016f7b..a5d367b9 100644
--- a/bind/bind9/bin/named/include/named/zoneconf.h
+++ b/bind/bind9/bin/named/include/named/zoneconf.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: zoneconf.h,v 1.30 2011/08/30 23:46:51 tbox Exp $ */
-
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
 
diff --git a/bind/bind9/bin/named/interfacemgr.c b/bind/bind9/bin/named/interfacemgr.c
index 9dea7c11..93aac314 100644
--- a/bind/bind9/bin/named/interfacemgr.c
+++ b/bind/bind9/bin/named/interfacemgr.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/listenlist.c b/bind/bind9/bin/named/listenlist.c
index 234ea75d..289e2d58 100644
--- a/bind/bind9/bin/named/listenlist.c
+++ b/bind/bind9/bin/named/listenlist.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: listenlist.c,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/log.c b/bind/bind9/bin/named/log.c
index 3aa25e9a..acfa766a 100644
--- a/bind/bind9/bin/named/log.c
+++ b/bind/bind9/bin/named/log.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/logconf.c b/bind/bind9/bin/named/logconf.c
index 5b3a14b0..c51e4cab 100644
--- a/bind/bind9/bin/named/logconf.c
+++ b/bind/bind9/bin/named/logconf.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: logconf.c,v 1.45 2011/03/05 23:52:29 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/lwaddr.c b/bind/bind9/bin/named/lwaddr.c
index 9a58ee4b..50c43af0 100644
--- a/bind/bind9/bin/named/lwaddr.c
+++ b/bind/bind9/bin/named/lwaddr.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwaddr.c,v 1.10 2008/01/11 23:46:56 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/lwdclient.c b/bind/bind9/bin/named/lwdclient.c
index d34f831c..13b81487 100644
--- a/bind/bind9/bin/named/lwdclient.c
+++ b/bind/bind9/bin/named/lwdclient.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwdclient.c,v 1.22 2007/06/18 23:47:18 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/lwderror.c b/bind/bind9/bin/named/lwderror.c
index 32ed2d81..e219450e 100644
--- a/bind/bind9/bin/named/lwderror.c
+++ b/bind/bind9/bin/named/lwderror.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwderror.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/lwdgabn.c b/bind/bind9/bin/named/lwdgabn.c
index 01faa260..a999740b 100644
--- a/bind/bind9/bin/named/lwdgabn.c
+++ b/bind/bind9/bin/named/lwdgabn.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwdgabn.c,v 1.24 2009/09/02 23:48:01 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/lwdgnba.c b/bind/bind9/bin/named/lwdgnba.c
index 9e600f50..e8272894 100644
--- a/bind/bind9/bin/named/lwdgnba.c
+++ b/bind/bind9/bin/named/lwdgnba.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwdgnba.c,v 1.22 2008/01/14 23:46:56 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/lwdgrbn.c b/bind/bind9/bin/named/lwdgrbn.c
index 407267d0..2295558f 100644
--- a/bind/bind9/bin/named/lwdgrbn.c
+++ b/bind/bind9/bin/named/lwdgrbn.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwdgrbn.c,v 1.22 2009/09/02 23:48:01 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/lwdnoop.c b/bind/bind9/bin/named/lwdnoop.c
index 75769c99..7d4de0d9 100644
--- a/bind/bind9/bin/named/lwdnoop.c
+++ b/bind/bind9/bin/named/lwdnoop.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwdnoop.c,v 1.13 2008/01/22 23:28:04 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/lwresd.8 b/bind/bind9/bin/named/lwresd.8
index fedaca2c..f86353bf 100644
--- a/bind/bind9/bin/named/lwresd.8
+++ b/bind/bind9/bin/named/lwresd.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007-2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwresd
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2009-01-20
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -246,5 +246,5 @@ The default process\-id file\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007-2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/named/lwresd.c b/bind/bind9/bin/named/lwresd.c
index cdc09638..f2e480ed 100644
--- a/bind/bind9/bin/named/lwresd.c
+++ b/bind/bind9/bin/named/lwresd.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,8 +13,8 @@
  * \brief
  * Main program for the Lightweight Resolver Daemon.
  *
- * To paraphrase the old saying about X11, "It's not a lightweight deamon
- * for resolvers, it's a deamon for lightweight resolvers".
+ * To paraphrase the old saying about X11, "It's not a lightweight daemon
+ * for resolvers, it's a daemon for lightweight resolvers".
  */
 
 #include <config.h>
@@ -880,9 +880,13 @@ ns_lwresd_shutdown(void) {
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS);
 
+	LOCK(&listeners_lock);
 	while (!ISC_LIST_EMPTY(listeners)) {
 		listener = ISC_LIST_HEAD(listeners);
 		ISC_LIST_UNLINK(listeners, listener, link);
+		UNLOCK(&listeners_lock);
 		ns_lwreslistener_detach(&listener);
+		LOCK(&listeners_lock);
 	}
+	UNLOCK(&listeners_lock);
 }
diff --git a/bind/bind9/bin/named/lwresd.docbook b/bind/bind9/bin/named/lwresd.docbook
index 6d5f5cf6..803bda04 100644
--- a/bind/bind9/bin/named/lwresd.docbook
+++ b/bind/bind9/bin/named/lwresd.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.lwresd">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.lwresd">
   <info>
     <date>2009-01-20</date>
   </info>
@@ -46,6 +46,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/named/lwresd.html b/bind/bind9/bin/named/lwresd.html
index 6c14e43f..c961f17d 100644
--- a/bind/bind9/bin/named/lwresd.html
+++ b/bind/bind9/bin/named/lwresd.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007-2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,63 +10,28 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwresd</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.lwresd"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">lwresd</span>
-     &#8212; lightweight resolver daemon
-  </p>
+<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">lwresd</code> 
-       [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
-       [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
-       [<code class="option">-f</code>]
-       [<code class="option">-g</code>]
-       [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-s</code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
-       [<code class="option">-v</code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">lwresd</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><span class="command"><strong>lwresd</strong></span>
+<p><span class="command"><strong>lwresd</strong></span>
       is the daemon providing name lookup
       services to clients that use the BIND 9 lightweight resolver
       library.  It is essentially a stripped-down, caching-only name
       server that answers queries using the BIND 9 lightweight
       resolver protocol rather than the DNS protocol.
     </p>
-
-    <p><span class="command"><strong>lwresd</strong></span>
+<p><span class="command"><strong>lwresd</strong></span>
       listens for resolver queries on a
       UDP port on the IPv4 loopback interface, 127.0.0.1.  This
       means that <span class="command"><strong>lwresd</strong></span> can only be used by
@@ -74,14 +39,14 @@
       number 921 is used for lightweight resolver requests and
       responses.
     </p>
-    <p>
+<p>
       Incoming lightweight resolver requests are decoded by the
       server which then resolves them using the DNS protocol.  When
       the DNS lookup completes, <span class="command"><strong>lwresd</strong></span> encodes
       the answers in the lightweight resolver format and returns
       them to the client that made the request.
     </p>
-    <p>
+<p>
       If <code class="filename">/etc/resolv.conf</code> contains any
       <code class="option">nameserver</code> entries, <span class="command"><strong>lwresd</strong></span>
       sends recursive DNS queries to those servers.  This is similar
@@ -91,80 +56,60 @@
       queries autonomously starting at the root name servers, using
       a built-in list of root server hints.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-4</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use IPv4 only even if the host machine is capable of IPv6.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use IPv6 only even if the host machine is capable of IPv4.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>config-file</code></em> as the
             configuration file instead of the default,
             <code class="filename">/etc/lwresd.conf</code>.
 	    
 	    <code class="option">-c</code> can not be used with <code class="option">-C</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>config-file</code></em> as the
             configuration file instead of the default,
             <code class="filename">/etc/resolv.conf</code>.
 	    <code class="option">-C</code> can not be used with <code class="option">-c</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
             Debugging traces from <span class="command"><strong>lwresd</strong></span> become
             		more verbose as the debug level increases.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-f</span></dt>
-<dd>
-          <p>
+<dd><p>
             Run the server in the foreground (i.e. do not daemonize).
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-g</span></dt>
-<dd>
-          <p>
+<dd><p>
             Run the server in the foreground and force all logging
             to <code class="filename">stderr</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>pid-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>pid-file</code></em> as the
             PID file instead of the default,
             <code class="filename">/var/run/lwresd/lwresd.pid</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Turn on memory usage debugging flags.  Possible flags are
             <em class="replaceable"><code>usage</code></em>,
             <em class="replaceable"><code>trace</code></em>,
@@ -173,61 +118,54 @@
             <em class="replaceable"><code>mctx</code></em>.
             These correspond to the ISC_MEM_DEBUGXXXX flags described in
             <code class="filename">&lt;isc/mem.h&gt;</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Create <em class="replaceable"><code>#cpus</code></em> worker threads
             to take advantage of multiple CPUs.  If not specified,
             <span class="command"><strong>lwresd</strong></span> will try to determine the
             number of CPUs present and create one thread per CPU.
             If it is unable to determine the number of CPUs, a
             single worker thread will be created.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Listen for lightweight resolver queries on port
             <em class="replaceable"><code>port</code></em>.  If
             		not specified, the default is port 921.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Send DNS lookups to port <em class="replaceable"><code>port</code></em>.  If not
             specified, the default is port 53.  This provides a
             way of testing the lightweight resolver daemon with a
             name server that listens for queries on a non-standard
             port number.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd>
-          <p>
+<p>
             Write memory usage statistics to <code class="filename">stdout</code>
             on exit.
           </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               This option is mainly of interest to BIND 9 developers
               and may be removed or changed in a future release.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd>
-          <p>Chroot
+<p>Chroot
 	    to <em class="replaceable"><code>directory</code></em> after
             processing the command line arguments, but before
             reading the configuration file.
           </p>
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
+<p>
               This option should be used in conjunction with the
               <code class="option">-u</code> option, as chrooting a process
               running as root doesn't enhance security on most
@@ -235,61 +173,39 @@
               defined allows a process with root privileges to
               escape a chroot jail.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-          <p>Setuid
+<dd><p>Setuid
 	    to <em class="replaceable"><code>user</code></em> after completing
             privileged operations, such as creating sockets that
             listen on privileged ports.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Report the version number and exit.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>FILES</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             The default configuration file.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             The default process-id file.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">resolver</span>(5)
-      </span>.
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/named/lwsearch.c b/bind/bind9/bin/named/lwsearch.c
index cd068bdb..f56dc7be 100644
--- a/bind/bind9/bin/named/lwsearch.c
+++ b/bind/bind9/bin/named/lwsearch.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwsearch.c,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/main.c b/bind/bind9/bin/named/main.c
index c9fc3cc3..d9127cdb 100644
--- a/bind/bind9/bin/named/main.c
+++ b/bind/bind9/bin/named/main.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/named.8 b/bind/bind9/bin/named/named.8
index 8e0e6855..a9ef4c4b 100644
--- a/bind/bind9/bin/named/named.8
+++ b/bind/bind9/bin/named/named.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-02-19
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -375,5 +375,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2003-2009, 2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2003-2009, 2011, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/named/named.conf.5 b/bind/bind9/bin/named/named.conf.5
index 9b90eb24..d7c8f8d0 100644
--- a/bind/bind9/bin/named/named.conf.5
+++ b/bind/bind9/bin/named/named.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,13 +9,13 @@
 '\" t
 .\"     Title: named.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-07-22
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\"      Date: 2020-03-12
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2019\-07\-22" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2020\-03\-12" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -167,7 +167,7 @@ lwres {
 .if n \{\
 .RE
 .\}
-.SH "MANAGED-KEYS"
+.SH "MANAGED\-KEYS"
 .sp
 .if n \{\
 .RS 4
@@ -517,7 +517,7 @@ server \fInetprefix\fR {
 .if n \{\
 .RE
 .\}
-.SH "STATISTICS-CHANNELS"
+.SH "STATISTICS\-CHANNELS"
 .sp
 .if n \{\
 .RS 4
@@ -533,7 +533,7 @@ statistics\-channels {
 .if n \{\
 .RE
 .\}
-.SH "TRUSTED-KEYS"
+.SH "TRUSTED\-KEYS"
 .sp
 .if n \{\
 .RS 4
@@ -1022,5 +1022,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/named/named.conf.docbook b/bind/bind9/bin/named/named.conf.docbook
index 8703fbd2..6565fcef 100644
--- a/bind/bind9/bin/named/named.conf.docbook
+++ b/bind/bind9/bin/named/named.conf.docbook
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -11,9 +11,9 @@
 
 <!-- Generated by doc/misc/docbook-options.pl -->
 
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
   <info>
-    <date>2019-07-22</date>
+    <date>2020-03-12</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -50,6 +50,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/named/named.conf.html b/bind/bind9/bin/named/named.conf.html
index 9663b254..3486f843 100644
--- a/bind/bind9/bin/named/named.conf.html
+++ b/bind/bind9/bin/named/named.conf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,65 +10,46 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named.conf"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <code class="filename">named.conf</code>
-     &#8212; configuration file for <span class="command"><strong>named</strong></span>
-  </p>
+<p><code class="filename">named.conf</code> &#8212; configuration file for <span class="command"><strong>named</strong></span></p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named.conf</code> 
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><code class="filename">named.conf</code> is the configuration file
+<p><code class="filename">named.conf</code> is the configuration file
       for
       <span class="command"><strong>named</strong></span>.  Statements are enclosed
       in braces and terminated with a semi-colon.  Clauses in
       the statements are also semi-colon terminated.  The usual
       comment styles are supported:
     </p>
-    <p>
+<p>
       C style: /* */
     </p>
-    <p>
+<p>
       C++ style: // to end of line
     </p>
-    <p>
+<p>
       Unix style: # to end of line
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ACL</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>CONTROLS</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
 	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow<br>
@@ -81,43 +62,35 @@ controls {<br>
 	    <em class="replaceable"><code>boolean</code></em> ];<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>DLZ</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 dlz <em class="replaceable"><code>string</code></em> {<br>
 	database <em class="replaceable"><code>string</code></em>;<br>
 	search <em class="replaceable"><code>boolean</code></em>;<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>DYNDB</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
     <em class="replaceable"><code>unspecified-text</code></em> };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.12"></a><h2>KEY</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 key <em class="replaceable"><code>string</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
 	secret <em class="replaceable"><code>string</code></em>;<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.13"></a><h2>LOGGING</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 logging {<br>
 	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
@@ -134,12 +107,10 @@ logging {<br>
 	};<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.14"></a><h2>LWRES</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 lwres {<br>
 	listen-on [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
 	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
@@ -150,32 +121,26 @@ lwres {<br>
 	view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ];<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.16"></a><h2>MASTERS</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
     <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
     port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
     <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.17"></a><h2>OPTIONS</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 options {<br>
 	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -451,12 +416,10 @@ options {<br>
 	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.18"></a><h2>SERVER</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 server <em class="replaceable"><code>netprefix</code></em> {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
 	edns <em class="replaceable"><code>boolean</code></em>;<br>
@@ -488,12 +451,10 @@ server <em class="replaceable"><code>netprefix</code></em> {<br>
 	transfers <em class="replaceable"><code>integer</code></em>;<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 statistics-channels {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
 	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
@@ -501,21 +462,17 @@ statistics-channels {<br>
 	    } ];<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.20"></a><h2>TRUSTED-KEYS</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.21"></a><h2>VIEW</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -866,12 +823,10 @@ view <em class="replaceable"><code>string</code></em> [ <em class="replaceable">
 	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.22"></a><h2>ZONE</h2>
-
-    <div class="literallayout"><p><br>
+<div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -965,36 +920,21 @@ zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable">
 	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.23"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/named.conf</code>
+<p><code class="filename">/etc/named.conf</code>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.24"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">ddns-confgen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named-checkconf</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">rndc</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">rndc-confgen</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/named/named.docbook b/bind/bind9/bin/named/named.docbook
index 66236199..8e2fef3b 100644
--- a/bind/bind9/bin/named/named.docbook
+++ b/bind/bind9/bin/named/named.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named">
   <info>
     <date>2014-02-19</date>
   </info>
@@ -50,6 +50,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/named/named.html b/bind/bind9/bin/named/named.html
index 89722e48..fa632b5b 100644
--- a/bind/bind9/bin/named/named.html
+++ b/bind/bind9/bin/named/named.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003-2009, 2011, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,97 +10,50 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named</span>
-     &#8212; Internet domain name server
-  </p>
+<p><span class="application">named</span> &#8212; Internet domain name server</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named</code> 
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>string</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>]
-       [<code class="option">-f</code>]
-       [<code class="option">-g</code>]
-       [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>]
-       [<code class="option">-M <em class="replaceable"><code>option</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-s</code>]
-       [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>]
-       [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">named</code>  [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-D <em class="replaceable"><code>string</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>] [<code class="option">-M <em class="replaceable"><code>option</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named</strong></span>
+<p><span class="command"><strong>named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
       information on the DNS, see RFCs 1033, 1034, and 1035.
     </p>
-    <p>
+<p>
       When invoked without arguments, <span class="command"><strong>named</strong></span>
       will
       read the default configuration file
       <code class="filename">/etc/named.conf</code>, read any initial
       data, and listen for queries.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-4</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use IPv4 only even if the host machine is capable of IPv6.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use IPv6 only even if the host machine is capable of IPv4.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>config-file</code></em> as the
             configuration file instead of the default,
             <code class="filename">/etc/named.conf</code>.  To
@@ -110,33 +63,28 @@
             <code class="option">directory</code> option in the configuration
             file, <em class="replaceable"><code>config-file</code></em> should be
             an absolute pathname.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
             Debugging traces from <span class="command"><strong>named</strong></span> become
             more verbose as the debug level increases.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>string</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a string that is used to identify a instance of
             <span class="command"><strong>named</strong></span> in a process listing.  The contents
             of <em class="replaceable"><code>string</code></em> are
             not examined.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
 <dd>
-          <p>
+<p>
             When applicable, specifies the hardware to use for
             cryptographic operations, such as a secure key store used
             for signing.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -144,40 +92,31 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-f</span></dt>
-<dd>
-          <p>
+<dd><p>
             Run the server in the foreground (i.e. do not daemonize).
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-g</span></dt>
-<dd>
-          <p>
+<dd><p>
             Run the server in the foreground and force all logging
             to <code class="filename">stderr</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>logfile</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Log to the file <code class="option">logfile</code> by default
             instead of the system log.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-M <em class="replaceable"><code>option</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the default memory context options.  Currently
             the only supported option is
             <em class="replaceable"><code>external</code></em>,
             which causes the internal memory manager to be bypassed
             in favor of system-provided memory allocation functions.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Turn on memory usage debugging flags.  Possible flags are
             <em class="replaceable"><code>usage</code></em>,
             <em class="replaceable"><code>trace</code></em>,
@@ -186,51 +125,46 @@
             <em class="replaceable"><code>mctx</code></em>.
             These correspond to the ISC_MEM_DEBUGXXXX flags described in
             <code class="filename">&lt;isc/mem.h&gt;</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Create <em class="replaceable"><code>#cpus</code></em> worker threads
             to take advantage of multiple CPUs.  If not specified,
             <span class="command"><strong>named</strong></span> will try to determine the
             number of CPUs present and create one thread per CPU.
             If it is unable to determine the number of CPUs, a
             single worker thread will be created.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
             specified, the default is port 53.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd>
-          <p>
+<p>
             Write memory usage statistics to <code class="filename">stdout</code> on exit.
           </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               This option is mainly of interest to BIND 9 developers
               and may be removed or changed in a future release.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Allow <span class="command"><strong>named</strong></span> to use up to
             <em class="replaceable"><code>#max-socks</code></em> sockets.
             The default value is 4096 on systems built with default
             configuration options, and 21000 on systems built with
             "configure --with-tuning=large".
           </p>
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
+<p>
               This option should be unnecessary for the vast majority
               of users.
               The use of this option could even be harmful because the
@@ -245,18 +179,18 @@
               <span class="command"><strong>named</strong></span> reserves some file descriptors
               for its internal use.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd>
-          <p>Chroot
+<p>Chroot
             to <em class="replaceable"><code>directory</code></em> after
             processing the command line arguments, but before
             reading the configuration file.
           </p>
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
+<p>
               This option should be used in conjunction with the
               <code class="option">-u</code> option, as chrooting a process
               running as root doesn't enhance security on most
@@ -264,11 +198,10 @@
               defined allows a process with root privileges to
               escape a chroot jail.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>#listeners</code></em>
             worker threads to listen for incoming UDP packets on each
             address.  If not specified, <span class="command"><strong>named</strong></span> will
@@ -281,18 +214,17 @@
             be increased as high as that value, but no higher.
             On Windows, the number of UDP listeners is hardwired to 1
             and this option has no effect.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
 <dd>
-          <p>Setuid
+<p>Setuid
             to <em class="replaceable"><code>user</code></em> after completing
             privileged operations, such as creating sockets that
             listen on privileged ports.
           </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               On Linux, <span class="command"><strong>named</strong></span> uses the kernel's
                         capability mechanism to drop all root privileges
               except the ability to <code class="function">bind(2)</code> to
@@ -305,23 +237,18 @@
               later, since previous kernels did not allow privileges
               to be retained after <code class="function">setuid(2)</code>.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Report the version number and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-          <p>
+<dd><p>
             Report the version number and build options, and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-X <em class="replaceable"><code>lock-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Acquire a lock on the specified file at runtime; this
             helps to prevent duplicate <span class="command"><strong>named</strong></span> instances
             from running simultaneously.
@@ -329,68 +256,54 @@
             option in <code class="filename">named.conf</code>.
             If set to <code class="literal">none</code>, the lock file check
             is disabled.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Load data from <em class="replaceable"><code>cache-file</code></em> into the
             cache of the default view.
           </p>
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
+<p>
               This option must not be used.  It is only of interest
               to BIND 9 developers and may be removed or changed in a
               future release.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SIGNALS</h2>
-
-    <p>
+<p>
       In routine operation, signals should not be used to control
       the nameserver; <span class="command"><strong>rndc</strong></span> should be used
       instead.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">SIGHUP</span></dt>
-<dd>
-          <p>
+<dd><p>
             Force a reload of the server.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">SIGINT, SIGTERM</span></dt>
-<dd>
-          <p>
+<dd><p>
             Shut down the server.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-    <p>
+<p>
       The result of sending any other signals to the server is undefined.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>CONFIGURATION</h2>
-
-    <p>
+<p>
       The <span class="command"><strong>named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
       in the
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-
-    <p>
+<p>
       <span class="command"><strong>named</strong></span> inherits the <code class="function">umask</code>
       (file creation mode mask) from the parent process. If files
       created by <span class="command"><strong>named</strong></span>, such as journal files,
@@ -398,59 +311,32 @@
       should be set explicitly in the script used to start the
       <span class="command"><strong>named</strong></span> process.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>FILES</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             The default configuration file.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             The default process-id file.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-
-    <p><em class="citetitle">RFC 1033</em>,
+<p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkconf</span>
-        (8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkzone</span>
-        (8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc</span>
-        (8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">lwresd</span>
-        (8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named.conf</span>
-        (5)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/named/notify.c b/bind/bind9/bin/named/notify.c
index 0ad5abc7..de4ca092 100644
--- a/bind/bind9/bin/named/notify.c
+++ b/bind/bind9/bin/named/notify.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: notify.c,v 1.37 2007/06/19 23:46:59 tbox Exp $ */
-
 #include <config.h>
 
 #include <isc/log.h>
diff --git a/bind/bind9/bin/named/query.c b/bind/bind9/bin/named/query.c
index c9e5469b..f1098056 100644
--- a/bind/bind9/bin/named/query.c
+++ b/bind/bind9/bin/named/query.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -18,6 +18,7 @@
 
 #include <isc/hex.h>
 #include <isc/mem.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/rwlock.h>
 #include <isc/serial.h>
@@ -61,6 +62,29 @@
 #include <named/sortlist.h>
 #include <named/xfrout.h>
 
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#if defined(__cplusplus)
+#include <isc/stdatomic.h>
+#else
+#include <stdatomic.h>
+#endif
+#define last_load(x) atomic_load((x))
+#define	last_cmpxchg(x, e, r) atomic_compare_exchange_strong((x), (e), r)
+#elif defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+#define last_load(x) (isc_stdtime_t)isc_atomic_xadd((int32_t*)(x), 0)
+#define last_cmpxchg(x, e, r) isc_atomic_cmpxchg((int32_t*)x, (*(int32_t*)(e)), (int32_t)(r))
+#else
+#define last_load(x) (*(x))
+ISC_NO_SANITIZE_THREAD static ISC_NO_SANITIZE_INLINE bool
+last_cmpxchg(isc_stdtime_t *x, isc_stdtime_t *e, isc_stdtime_t r) {
+	if (*x == *e) {
+		*x = r;
+		return (true);
+	}
+	return (false);
+}
+#endif
+
 #if 0
 /*
  * It has been recommended that DNS64 be changed to return excluded
@@ -4253,6 +4277,33 @@ query_prefetch(ns_client_t *client, dns_name_t *qname,
 	dns_rdataset_clearprefetch(rdataset);
 }
 
+
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+static void
+log_quota(ns_client_t *client, _Atomic(isc_stdtime_t) *last, isc_stdtime_t now,
+	  const char *fmt, const char *tail)
+#else
+static void
+log_quota(ns_client_t *client, isc_stdtime_t *last, isc_stdtime_t now,
+	  const char *fmt, const char *tail)
+#endif
+{
+	isc_stdtime_t old = last_load(last);
+	if (now > old || (old + 1) > now) {
+		if (last_cmpxchg(last, &old, now)) {
+			LOCK(&ns_g_server->recursionquota.lock);
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING, fmt,
+					      ns_g_server->recursionquota.used,
+					      ns_g_server->recursionquota.soft,
+					      ns_g_server->recursionquota.max,
+					      tail);
+			UNLOCK(&ns_g_server->recursionquota.lock);
+		}
+	}
+}
+
 static isc_result_t
 query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 	      dns_name_t *qdomain, dns_rdataset_t *nameservers,
@@ -4285,39 +4336,29 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 		}
 
 		if  (result == ISC_R_SOFTQUOTA) {
+#ifdef ISC_PLATFORM_HAVESTDATOMIC
+			static _Atomic(isc_stdtime_t) last = 0;
+#else
 			static isc_stdtime_t last = 0;
+#endif
 			isc_stdtime_t now;
 			isc_stdtime_get(&now);
-			if (now != last) {
-				last = now;
-				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_WARNING,
-					      "recursive-clients soft limit "
-					      "exceeded (%d/%d/%d), "
-					      "aborting oldest query",
-					      client->recursionquota->used,
-					      client->recursionquota->soft,
-					      client->recursionquota->max);
-			}
+			log_quota(client, &last, now,
+				  "recursive-clients soft limit exceeded "
+				  "(%d/%d/%d) %s", "aborting oldest query");
 			ns_client_killoldestquery(client);
 			result = ISC_R_SUCCESS;
 		} else if (result == ISC_R_QUOTA) {
+#ifdef ISC_PLATFORM_HAVESTDATOMIC
+			static _Atomic(isc_stdtime_t) last = 0;
+#else
 			static isc_stdtime_t last = 0;
+#endif
 			isc_stdtime_t now;
 			isc_stdtime_get(&now);
-			if (now != last) {
-				last = now;
-				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_WARNING,
-					      "no more recursive clients "
-					      "(%d/%d/%d): %s",
-					      ns_g_server->recursionquota.used,
-					      ns_g_server->recursionquota.soft,
-					      ns_g_server->recursionquota.max,
-					      isc_result_totext(result));
-			}
+			log_quota(client, &last, now,
+				  "no more recursive clients (%d/%d/%d): %s",
+				  isc_result_totext(result));
 			ns_client_killoldestquery(client);
 		}
 		if (result == ISC_R_SUCCESS && !client->mortal &&
@@ -4745,7 +4786,7 @@ rpz_get_p_name(ns_client_t *client, dns_name_t *p_name,
 		 */
 		if (labels-first < 2) {
 			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix,
-				     rpz_type, " concatentate()", result);
+				     rpz_type, " concatenate()", result);
 			return (ISC_R_FAILURE);
 		}
 		/*
@@ -4753,7 +4794,7 @@ rpz_get_p_name(ns_client_t *client, dns_name_t *p_name,
 		 */
 		if (first == 0) {
 			rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix,
-				     rpz_type, " concatentate()", result);
+				     rpz_type, " concatenate()", result);
 		}
 		++first;
 	}
@@ -5637,7 +5678,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
 		 * 2nd zone matters until after recursing to get the A RRs and
 		 * testing them in the first zone.
 		 * Do not bother saving the work from this attempt,
-		 * because recusion is so slow.
+		 * because recursion is so slow.
 		 */
 		if (qresult_type == RPZ_QRESULT_TYPE_RECURSE)
 			goto cleanup;
@@ -5667,7 +5708,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
 			goto cleanup;
 		/*
 		 * We are finished checking the IP addresses for the qname.
-		 * Start with IPv4 if we will check NS IP addesses.
+		 * Start with IPv4 if we will check NS IP addresses.
 		 */
 		st->state |= DNS_RPZ_DONE_QNAME_IP;
 		st->state &= ~DNS_RPZ_DONE_IPv4;
@@ -6836,7 +6877,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		snprintf(qbuf, sizeof(qbuf), "<unset>");
 
 	snprintf(mbuf, sizeof(mbuf) - 1,
-		 "client attr:0x%x, query attr:0x%X, restarts:%d, "
+		 "client attr:0x%x, query attr:0x%X, restarts:%u, "
 		 "origqname:%s, timer:%d, authdb:%d, referral:%d",
 		 client->attributes,
 		 client->query.attributes,
@@ -7569,7 +7610,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				goto cleanup;
 			case DNS_RPZ_POLICY_CNAME:
 				/*
-				 * Add overridding CNAME from a named.conf
+				 * Add overriding CNAME from a named.conf
 				 * response-policy statement
 				 */
 				result = rpz_add_cname(client, rpz_st,
@@ -8610,13 +8651,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		/*
-		 * Switch to the new qname and restart.
+		 * If the original query was not for a CNAME or ANY then
+		 * follow the CNAME.
 		 */
-		ns_client_qnamereplace(client, fname);
-		fname = NULL;
-		want_restart = true;
-		if (!WANTRECURSION(client))
-			options |= DNS_GETDB_NOLOG;
+		if (qtype != dns_rdatatype_cname &&
+		    qtype != dns_rdatatype_any)
+		{
+			/*
+			 * Switch to the new qname and restart.
+			 */
+			ns_client_qnamereplace(client, fname);
+			fname = NULL;
+			want_restart = true;
+			if (!WANTRECURSION(client))
+				options |= DNS_GETDB_NOLOG;
+		}
 		goto addauth;
 	default:
 		/*
@@ -9139,10 +9188,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		if (noqname != NULL)
 			query_addnoqnameproof(client, noqname);
 		/*
-		 * We shouldn't ever fail to add 'rdataset'
-		 * because it's already in the answer.
+		 * 'rdataset' will only be non-NULL here if the ANSWER section
+		 * of the message to be sent to the client already contains an
+		 * RRset with the same owner name and the same type as
+		 * 'rdataset'.  This should never happen, with one exception:
+		 * when chasing DNAME records, one of the DNAME records placed
+		 * in the ANSWER section may turn out to be the final answer to
+		 * the client's query, but we have no way of knowing that until
+		 * now.  In such a case, 'rdataset' will be freed later, so we
+		 * do not need to free it here.
 		 */
-		INSIST(rdataset == NULL);
+		INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
 	}
 
  addauth:
@@ -9596,6 +9652,12 @@ ns_query_start(ns_client_t *client) {
 	{
 		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
 					     NS_QUERYATTR_NOADDITIONAL);
+	} else if (qtype == dns_rdatatype_ns) {
+		/*
+		 * Always turn on additional records for NS queries.
+		 */
+		client->query.attributes &= ~(NS_QUERYATTR_NOAUTHORITY |
+					      NS_QUERYATTR_NOADDITIONAL);
 	}
 
 	/*
diff --git a/bind/bind9/bin/named/server.c b/bind/bind9/bin/named/server.c
index 43003304..9826588e 100644
--- a/bind/bind9/bin/named/server.c
+++ b/bind/bind9/bin/named/server.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -78,6 +78,7 @@
 #include <dns/lib.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
+#include <dns/nsec3.h>
 #include <dns/nta.h>
 #include <dns/order.h>
 #include <dns/peer.h>
@@ -3748,7 +3749,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	 * When the view's configuration changes, the cached data may become
 	 * invalid because it reflects our old view of the world.  We check
 	 * some of the configuration parameters that could invalidate the cache
-	 * or otherwise make it unsharable, but there are other configuration
+	 * or otherwise make it unshareable, but there are other configuration
 	 * options that should be checked.  For example, if a view uses a
 	 * forwarder, changes in the forwarder configuration may invalidate
 	 * the cache.  At the moment, it's the administrator's responsibility to
@@ -3986,8 +3987,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	result = ns_config_get(maps, "lame-ttl", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	lame_ttl = cfg_obj_asuint32(obj);
-	if (lame_ttl > 1800)
-		lame_ttl = 1800;
+	if (lame_ttl > 0) {
+		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
+			    "disabling lame cache despite lame-ttl > 0 as it "
+			    "may cause performance issues");
+		lame_ttl = 0;
+	}
 	dns_resolver_setlamettl(view->resolver, lame_ttl);
 
 	/*
@@ -6094,11 +6099,14 @@ heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
 }
 
 typedef struct {
-       isc_mem_t       *mctx;
-       isc_task_t      *task;
-       dns_rdataset_t  rdataset;
-       dns_rdataset_t  sigrdataset;
-       dns_fetch_t     *fetch;
+	isc_mem_t *mctx;
+	isc_task_t *task;
+	dns_fetch_t *fetch;
+	dns_view_t *view;
+	dns_fixedname_t tatname;
+	dns_fixedname_t keyname;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t sigrdataset;
 } ns_tat_t;
 
 static int
@@ -6118,10 +6126,11 @@ tat_done(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent;
 	ns_tat_t *tat;
 
-	UNUSED(task);
 	INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE);
 	INSIST(event->ev_arg != NULL);
 
+	UNUSED(task);
+
 	tat = event->ev_arg;
 	devent = (dns_fetchevent_t *) event;
 
@@ -6136,6 +6145,7 @@ tat_done(isc_task_t *task, isc_event_t *event) {
 		dns_rdataset_disassociate(&tat->rdataset);
 	if (dns_rdataset_isassociated(&tat->sigrdataset))
 		dns_rdataset_disassociate(&tat->sigrdataset);
+	dns_view_detach(&tat->view);
 	isc_task_detach(&tat->task);
 	isc_mem_putanddetach(&tat->mctx, tat, sizeof(*tat));
 }
@@ -6148,7 +6158,7 @@ struct dotat_arg {
 /*%
  * Prepare the QNAME for the TAT query to be sent by processing the trust
  * anchors present at 'keynode' of 'keytable'.  Store the result in 'dst' and
- * the domain name which 'keynode' is associated with in 'origin'.
+ * the domain name which 'keynode' is associated with in 'keyname'.
  *
  * A maximum of 12 key IDs can be reported in a single TAT query due to the
  * 63-octet length limit for any single label in a domain name.  If there are
@@ -6156,7 +6166,7 @@ struct dotat_arg {
  * reported in the TAT query.
  */
 static isc_result_t
-get_tat_qname(dns_name_t *dst, dns_name_t **origin, dns_keytable_t *keytable,
+get_tat_qname(dns_name_t *dst, dns_name_t **keyname, dns_keytable_t *keytable,
 	      dns_keynode_t *keynode)
 {
 	dns_keynode_t *firstnode = keynode;
@@ -6167,12 +6177,12 @@ get_tat_qname(dns_name_t *dst, dns_name_t **origin, dns_keytable_t *keytable,
 	char label[64];
 	int m;
 
-	REQUIRE(origin != NULL && *origin == NULL);
+	REQUIRE(keyname != NULL && *keyname == NULL);
 
 	do {
 		dst_key_t *key = dns_keynode_key(keynode);
 		if (key != NULL) {
-			*origin = dst_key_name(key);
+			*keyname = dst_key_name(key);
 			if (n < (sizeof(ids)/sizeof(ids[0]))) {
 				ids[n] = dst_key_id(key);
 				n++;
@@ -6212,52 +6222,35 @@ get_tat_qname(dns_name_t *dst, dns_name_t **origin, dns_keytable_t *keytable,
 		isc_textregion_consume(&r, m);
 	}
 
-	return (dns_name_fromstring2(dst, label, *origin, 0, NULL));
+	return (dns_name_fromstring2(dst, label, *keyname, 0, NULL));
 }
 
 static void
-dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
-	struct dotat_arg *dotat_arg = arg;
+tat_send(isc_task_t *task, isc_event_t *event) {
+	ns_tat_t *tat;
 	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t fixed, fdomain;
-	dns_name_t *tatname, *domain;
+	dns_fixedname_t fdomain;
+	dns_name_t *domain;
 	dns_rdataset_t nameservers;
-	dns_name_t *origin = NULL;
 	isc_result_t result;
-	dns_view_t *view;
-	isc_task_t *task;
-	ns_tat_t *tat;
+	dns_name_t *keyname;
+	dns_name_t *tatname;
 
-	REQUIRE(keytable != NULL);
-	REQUIRE(keynode != NULL);
-	REQUIRE(dotat_arg != NULL);
+	INSIST(event != NULL && event->ev_type == NS_EVENT_TATSEND);
+	INSIST(event->ev_arg != NULL);
 
-	view = dotat_arg->view;
-	task = dotat_arg->task;
+	UNUSED(task);
 
-	tatname = dns_fixedname_initname(&fixed);
-	result = get_tat_qname(tatname, &origin, keytable, keynode);
-	if (result != ISC_R_SUCCESS) {
-		return;
-	}
+	tat = event->ev_arg;
+
+	tatname = dns_fixedname_name(&tat->tatname);
+	keyname = dns_fixedname_name(&tat->keyname);
 
 	dns_name_format(tatname, namebuf, sizeof(namebuf));
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 		      ISC_LOG_INFO,
-		     "%s: sending trust-anchor-telemetry query '%s/NULL'",
-		     view->name, namebuf);
-
-	tat = isc_mem_get(dotat_arg->view->mctx, sizeof(*tat));
-	if (tat == NULL)
-		return;
-
-	tat->mctx = NULL;
-	tat->task = NULL;
-	tat->fetch = NULL;
-	dns_rdataset_init(&tat->rdataset);
-	dns_rdataset_init(&tat->sigrdataset);
-	isc_mem_attach(dotat_arg->view->mctx, &tat->mctx);
-	isc_task_attach(task, &tat->task);
+		      "%s: sending trust-anchor-telemetry query '%s/NULL'",
+		      tat->view->name, namebuf);
 
 	/*
 	 * TAT queries should be sent to the authoritative servers for a given
@@ -6276,20 +6269,20 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
 	 * order to eventually find the destination host to send the TAT query
 	 * to.
 	 *
-	 * 'origin' holds the domain name at 'keynode', i.e. the domain name
+	 * 'keyname' holds the domain name at 'keynode', i.e. the domain name
 	 * for which the trust anchors to be reported by this TAT query are
 	 * defined.
 	 *
 	 * After the dns_view_findzonecut() call, 'domain' will hold the
-	 * deepest zone cut we can find for 'origin' while 'nameservers' will
+	 * deepest zone cut we can find for 'keyname' while 'nameservers' will
 	 * hold the NS RRset at that zone cut.
 	 */
 	domain = dns_fixedname_initname(&fdomain);
 	dns_rdataset_init(&nameservers);
-	result = dns_view_findzonecut(view, origin, domain, 0, 0, true,
+	result = dns_view_findzonecut(tat->view, keyname, domain, 0, 0, true,
 				      &nameservers, NULL);
 	if (result == ISC_R_SUCCESS) {
-		result = dns_resolver_createfetch(view->resolver, tatname,
+		result = dns_resolver_createfetch(tat->view->resolver, tatname,
 						  dns_rdatatype_null, domain,
 						  &nameservers, NULL, 0,
 						  tat->task, tat_done, tat,
@@ -6314,9 +6307,66 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
 	}
 
 	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&tat->view);
 		isc_task_detach(&tat->task);
 		isc_mem_putanddetach(&tat->mctx, tat, sizeof(*tat));
 	}
+	isc_event_free(&event);
+}
+
+static void
+dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
+	struct dotat_arg *dotat_arg = arg;
+	dns_name_t *keyname = NULL;
+	isc_result_t result;
+	dns_view_t *view;
+	isc_task_t *task;
+	ns_tat_t *tat;
+	isc_event_t *event;
+
+	REQUIRE(keytable != NULL);
+	REQUIRE(keynode != NULL);
+	REQUIRE(dotat_arg != NULL);
+
+	view = dotat_arg->view;
+	task = dotat_arg->task;
+
+	tat = isc_mem_get(dotat_arg->view->mctx, sizeof(*tat));
+
+	tat->fetch = NULL;
+	tat->mctx = NULL;
+	tat->task = NULL;
+	tat->view = NULL;
+	dns_rdataset_init(&tat->rdataset);
+	dns_rdataset_init(&tat->sigrdataset);
+	result = get_tat_qname(dns_fixedname_initname(&tat->tatname), &keyname,
+			       keytable, keynode);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(dotat_arg->view->mctx, tat, sizeof(*tat));
+		return;
+	}
+	dns_name_copy(keyname, dns_fixedname_initname(&tat->keyname), NULL);
+	isc_mem_attach(dotat_arg->view->mctx, &tat->mctx);
+	isc_task_attach(task, &tat->task);
+	dns_view_attach(view, &tat->view);
+
+	/*
+	 * We don't want to be holding the keytable lock when calling
+	 * dns_view_findzonecut() as it creates a lock order loop so
+	 * call dns_view_findzonecut() in a event handler.
+	 *
+	 * zone->lock (dns_zone_setviewcommit) while holding view->lock
+	 * (dns_view_setviewcommit)
+	 *
+	 * keytable->lock (dns_keytable_find) while holding zone->lock
+	 * (zone_asyncload)
+	 *
+	 * view->lock (dns_view_findzonecut) while holding keytable->lock
+	 * (dns_keytable_forall)
+	 */
+	event = isc_event_allocate(tat->mctx, keytable, NS_EVENT_TATSEND,
+				   tat_send, tat, sizeof(isc_event_t));
+	isc_task_send(task, &event);
 }
 
 static void
@@ -6354,7 +6404,7 @@ tat_timer_tick(isc_task_t *task, isc_event_t *event) {
 static void
 pps_timer_tick(isc_task_t *task, isc_event_t *event) {
 	static unsigned int oldrequests = 0;
-	unsigned int requests = ns_client_requests;
+	unsigned int requests = ncr_load(ns_client_requests);
 
 	UNUSED(task);
 	isc_event_free(&event);
@@ -6541,7 +6591,7 @@ static isc_result_t
 generate_session_key(const char *filename, const char *keynamestr,
 		     dns_name_t *keyname, const char *algstr,
 		     dns_name_t *algname, unsigned int algtype,
-		     uint16_t bits, isc_mem_t *mctx,
+		     uint16_t bits, isc_mem_t *mctx, bool first_time,
 		     dns_tsigkey_t **tsigkeyp)
 {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -6584,7 +6634,7 @@ generate_session_key(const char *filename, const char *keynamestr,
 					&tsigkey));
 
 	/* Dump the key to the key file. */
-	fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, true);
+	fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, first_time);
 	if (fp == NULL) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -6630,7 +6680,7 @@ generate_session_key(const char *filename, const char *keynamestr,
 
 static isc_result_t
 configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
-		      isc_mem_t *mctx)
+		      isc_mem_t *mctx, bool first_time)
 {
 	const char *keyfile, *keynamestr, *algstr;
 	unsigned int algtype;
@@ -6724,7 +6774,7 @@ configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
 
 		CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
 					   algname, algtype, bits, mctx,
-					   &server->sessionkey));
+					   first_time, &server->sessionkey));
 	}
 
 	return (result);
@@ -6789,6 +6839,8 @@ count_newzones(dns_view_t *view, ns_cfgctx_t *nzcfg, int *num_zonesp) {
 
 	REQUIRE(num_zonesp != NULL);
 
+	LOCK(&view->new_zone_lock);
+
 	CHECK(migrate_nzf(view));
 
 	isc_log_write(ns_g_lctx,
@@ -6811,6 +6863,8 @@ count_newzones(dns_view_t *view, ns_cfgctx_t *nzcfg, int *num_zonesp) {
 	if (result != ISC_R_SUCCESS)
 		*num_zonesp = 0;
 
+	UNLOCK(&view->new_zone_lock);
+
 	return (ISC_R_SUCCESS);
 }
 
@@ -7038,6 +7092,7 @@ data_to_cfg(dns_view_t *view, MDB_val *key, MDB_val *data,
 	const char *zone_config;
 	size_t zone_config_len;
 	cfg_obj_t *zoneconf = NULL;
+	char bufname[DNS_NAME_FORMATSIZE];
 
 	REQUIRE(view != NULL);
 	REQUIRE(key != NULL);
@@ -7062,20 +7117,20 @@ data_to_cfg(dns_view_t *view, MDB_val *key, MDB_val *data,
 	INSIST(zone_config != NULL && zone_config_len > 0);
 
 	/* zone zonename { config; }; */
-	result = isc_buffer_reserve(text, 5 + zone_name_len + 1 +
+	result = isc_buffer_reserve(text, 6 + zone_name_len + 2 +
 				    zone_config_len + 2);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
 	}
 
-	CHECK(putstr(text, "zone "));
+	CHECK(putstr(text, "zone \""));
 	CHECK(putmem(text, (const void *) zone_name, zone_name_len));
-	CHECK(putstr(text, " "));
+	CHECK(putstr(text, "\" "));
 	CHECK(putmem(text, (const void *) zone_config, zone_config_len));
 	CHECK(putstr(text, ";\n"));
 
 	cfg_parser_reset(ns_g_addparser);
-	result = cfg_parse_buffer3(ns_g_addparser, *text, zone_name, 0,
+	result = cfg_parse_buffer3(ns_g_addparser, *text, bufname, 0,
 				   &cfg_type_addzoneconf, &zoneconf);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
@@ -7115,6 +7170,8 @@ typedef isc_result_t (*newzone_cfg_cb_t)(const cfg_obj_t *zconfig,
  * Immediately interrupt processing if an error is encountered while
  * transforming NZD data into a zone configuration object or if "callback"
  * returns an error.
+ *
+ * Caller must hold 'view->new_zone_lock'.
  */
 static isc_result_t
 for_all_newzone_cfgs(newzone_cfg_cb_t callback, cfg_obj_t *config,
@@ -7227,8 +7284,11 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		return (ISC_R_SUCCESS);
 	}
 
+	LOCK(&view->new_zone_lock);
+
 	result = nzd_open(view, MDB_RDONLY, &txn, &dbi);
 	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&view->new_zone_lock);
 		return (ISC_R_SUCCESS);
 	}
 
@@ -7255,6 +7315,9 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	}
 
 	(void) nzd_close(&txn, false);
+
+	UNLOCK(&view->new_zone_lock);
+
 	return (result);
 }
 
@@ -7276,6 +7339,8 @@ get_newzone_config(dns_view_t *view, const char *zonename,
 
 	INSIST(zoneconfig != NULL && *zoneconfig == NULL);
 
+	LOCK(&view->new_zone_lock);
+
 	CHECK(nzd_open(view, MDB_RDONLY, &txn, &dbi));
 
 	isc_log_write(ns_g_lctx,
@@ -7309,6 +7374,8 @@ get_newzone_config(dns_view_t *view, const char *zonename,
  cleanup:
 	(void) nzd_close(&txn, false);
 
+	UNLOCK(&view->new_zone_lock);
+
 	if (zoneconf != NULL) {
 		cfg_obj_destroy(ns_g_addparser, &zoneconf);
 	}
@@ -7566,7 +7633,14 @@ load_configuration(const char *filename, ns_server_t *server,
 
 		result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
 					&cfg_type_bindkeys, &bindkeys);
-		CHECK(result);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "unable to parse '%s' error '%s'; using "
+				      "built-in keys instead",
+				      server->bindkeysfile,
+				      isc_result_totext(result));
+		}
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
@@ -7846,7 +7920,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	}
 
 	/*
-	 * Determing the default DSCP code point.
+	 * Determining the default DSCP code point.
 	 */
 	CHECKM(ns_config_getdscp(config, &ns_g_dscp), "dscp");
 
@@ -8028,7 +8102,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * turns out that a session key is really needed but doesn't exist,
 	 * we'll treat it as a fatal error then.
 	 */
-	(void)configure_session_key(maps, server, ns_g_mctx);
+	(void)configure_session_key(maps, server, ns_g_mctx, first_time);
 
 	views = NULL;
 	(void)cfg_map_get(config, "view", &views);
@@ -8701,8 +8775,8 @@ static isc_result_t
 view_loaded(void *arg) {
 	isc_result_t result;
 	ns_zoneload_t *zl = (ns_zoneload_t *) arg;
-	ns_server_t *server = zl->server;
-	bool reconfig = zl->reconfig;
+	ns_server_t *server;
+	bool reconfig;
 	unsigned int refs;
 
 
@@ -8718,6 +8792,9 @@ view_loaded(void *arg) {
 	if (refs != 0)
 		return (ISC_R_SUCCESS);
 
+	server = zl->server;
+	reconfig = zl->reconfig;
+
 	isc_refcount_destroy(&zl->refs);
 	isc_mem_put(server->mctx, zl, sizeof (*zl));
 
@@ -9275,7 +9352,7 @@ ns_server_destroy(ns_server_t **serverp) {
 
 static void
 fatal(ns_server_t *server, const char *msg, isc_result_t result) {
-	if (server != NULL) {
+	if (server != NULL && server->task != NULL) {
 		/*
 		 * Prevent races between the OpenSSL on_exit registered
 		 * function and any other OpenSSL calls from other tasks
@@ -10904,9 +10981,11 @@ ns_server_status(ns_server_t *server, isc_buffer_t **text) {
 		     server->log_queries ? "ON" : "OFF");
 	CHECK(putstr(text, line));
 
+	LOCK(&server->recursionquota.lock);
 	snprintf(line, sizeof(line), "recursive clients: %d/%d/%d\n",
 		     server->recursionquota.used, server->recursionquota.soft,
 		     server->recursionquota.max);
+	UNLOCK(&server->recursionquota.lock);
 	CHECK(putstr(text, line));
 
 	snprintf(line, sizeof(line), "tcp clients: %d/%d\n",
@@ -11637,8 +11716,6 @@ nzd_save(MDB_txn **txnp, MDB_dbi dbi, dns_zone_t *zone,
 
 	nzd_setkey(&key, dns_zone_getorigin(zone), namebuf, sizeof(namebuf));
 
-	LOCK(&view->new_zone_lock);
-
 	if (zconfig == NULL) {
 		/* We're deleting the zone from the database */
 		status = mdb_del(*txnp, dbi, &key, NULL);
@@ -11738,8 +11815,6 @@ nzd_save(MDB_txn **txnp, MDB_dbi dbi, dns_zone_t *zone,
 	}
 	*txnp = NULL;
 
-	UNLOCK(&view->new_zone_lock);
-
 	if (text != NULL) {
 		isc_buffer_free(&text);
 	}
@@ -11747,6 +11822,11 @@ nzd_save(MDB_txn **txnp, MDB_dbi dbi, dns_zone_t *zone,
 	return (result);
 }
 
+/*
+ * Check whether the new zone database for 'view' can be opened for writing.
+ *
+ * Caller must hold 'view->new_zone_lock'.
+ */
 static isc_result_t
 nzd_writable(dns_view_t *view) {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -11778,6 +11858,11 @@ nzd_writable(dns_view_t *view) {
 	return (result);
 }
 
+/*
+ * Open the new zone database for 'view' and start a transaction for it.
+ *
+ * Caller must hold 'view->new_zone_lock'.
+ */
 static isc_result_t
 nzd_open(dns_view_t *view, unsigned int flags, MDB_txn **txnp, MDB_dbi *dbi) {
 	int status;
@@ -11908,6 +11993,13 @@ nzd_env_reopen(dns_view_t *view) {
 	return (result);
 }
 
+/*
+ * If 'commit' is true, commit the new zone database transaction pointed to by
+ * 'txnp'; otherwise, abort that transaction.
+ *
+ * Caller must hold 'view->new_zone_lock' for the view that the transaction
+ * pointed to by 'txnp' was started for.
+ */
 static isc_result_t
 nzd_close(MDB_txn **txnp, bool commit) {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -11930,6 +12022,12 @@ nzd_close(MDB_txn **txnp, bool commit) {
 	return (result);
 }
 
+/*
+ * Count the zones configured in the new zone database for 'view' and store the
+ * result in 'countp'.
+ *
+ * Caller must hold 'view->new_zone_lock'.
+ */
 static isc_result_t
 nzd_count(dns_view_t *view, int *countp) {
 	isc_result_t result;
@@ -11963,6 +12061,10 @@ nzd_count(dns_view_t *view, int *countp) {
 	return (result);
 }
 
+/*
+ * Migrate zone configuration from an NZF file to an NZD database.
+ * Caller must hold view->new_zone_lock.
+ */
 static isc_result_t
 migrate_nzf(dns_view_t *view) {
 	isc_result_t result;
@@ -12324,6 +12426,7 @@ do_addzone(ns_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 	MDB_dbi dbi;
 
 	UNUSED(zoneconf);
+	LOCK(&view->new_zone_lock);
 #endif /* HAVE_LMDB */
 
 	/* Zone shouldn't already exist */
@@ -12464,6 +12567,7 @@ do_addzone(ns_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 #else /* HAVE_LMDB */
 	if (txn != NULL)
 		(void) nzd_close(&txn, false);
+	UNLOCK(&view->new_zone_lock);
 #endif /* HAVE_LMDB */
 
 	if (zone != NULL)
@@ -12487,6 +12591,7 @@ do_modzone(ns_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 #else /* HAVE_LMDB */
 	MDB_txn *txn = NULL;
 	MDB_dbi dbi;
+	LOCK(&view->new_zone_lock);
 #endif /* HAVE_LMDB */
 
 	/* Zone must already exist */
@@ -12666,6 +12771,7 @@ do_modzone(ns_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
 #else /* HAVE_LMDB */
 	if (txn != NULL)
 		(void) nzd_close(&txn, false);
+	UNLOCK(&view->new_zone_lock);
 #endif /* HAVE_LMDB */
 
 	if (zone != NULL)
@@ -12815,6 +12921,7 @@ rmzone(isc_task_t *task, isc_event_t *event) {
 	if (added && cfg != NULL) {
 #ifdef HAVE_LMDB
 		/* Make sure we can open the NZD database */
+		LOCK(&view->new_zone_lock);
 		result = nzd_open(view, 0, &txn, &dbi);
 		if (result != ISC_R_SUCCESS) {
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
@@ -12833,6 +12940,11 @@ rmzone(isc_task_t *task, isc_event_t *event) {
 				      "delete zone configuration: %s",
 				      isc_result_totext(result));
 		}
+
+		if (txn != NULL) {
+			(void)nzd_close(&txn, false);
+		}
+		UNLOCK(&view->new_zone_lock);
 #else
 		result = delete_zoneconf(view, cfg->add_parser,
 					 cfg->nzf_config,
@@ -12925,10 +13037,6 @@ rmzone(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
-#ifdef HAVE_LMDB
-	if (txn != NULL)
-		(void) nzd_close(&txn, false);
-#endif
 	if (raw != NULL)
 		dns_zone_detach(&raw);
 	dns_zone_detach(&zone);
@@ -13366,7 +13474,8 @@ ns_server_signing(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
 			if (n != 3U)
 				return (ISC_R_BADNUMBER);
 
-			if (hash > 0xffU || flags > 0xffU)
+			if (hash > 0xffU || flags > 0xffU ||
+			    iter > dns_nsec3_maxiterations())
 				return (ISC_R_RANGE);
 
 			ptr = next_token(lex, text);
diff --git a/bind/bind9/bin/named/sortlist.c b/bind/bind9/bin/named/sortlist.c
index 20a131ca..b36b0a0b 100644
--- a/bind/bind9/bin/named/sortlist.c
+++ b/bind/bind9/bin/named/sortlist.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: sortlist.c,v 1.17 2007/09/14 01:46:05 marka Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/bin/named/statschannel.c b/bind/bind9/bin/named/statschannel.c
index 6292bcb8..12ab0484 100644
--- a/bind/bind9/bin/named/statschannel.c
+++ b/bind/bind9/bin/named/statschannel.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -608,7 +608,7 @@ init_desc(void) {
 		dnstapstats_index[i++] = dns_dnstapcounter_ ## counterid; \
 	} while (0)
 	i = 0;
-	SET_DNSTAPSTATDESC(success, "dnstap messges written", "DNSTAPsuccess");
+	SET_DNSTAPSTATDESC(success, "dnstap messages written", "DNSTAPsuccess");
 	SET_DNSTAPSTATDESC(drop, "dnstap messages dropped", "DNSTAPdropped");
 	INSIST(i == dns_dnstapcounter_max);
 
diff --git a/bind/bind9/bin/named/tkeyconf.c b/bind/bind9/bin/named/tkeyconf.c
index 6cbf132a..a65a94a4 100644
--- a/bind/bind9/bin/named/tkeyconf.c
+++ b/bind/bind9/bin/named/tkeyconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/tsigconf.c b/bind/bind9/bin/named/tsigconf.c
index 3426f928..7d732a52 100644
--- a/bind/bind9/bin/named/tsigconf.c
+++ b/bind/bind9/bin/named/tsigconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/unix/Makefile.in b/bind/bind9/bin/named/unix/Makefile.in
index 30075e61..025af9c5 100644
--- a/bind/bind9/bin/named/unix/Makefile.in
+++ b/bind/bind9/bin/named/unix/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/unix/dlz_dlopen_driver.c b/bind/bind9/bin/named/unix/dlz_dlopen_driver.c
index b8bb27dd..398df916 100644
--- a/bind/bind9/bin/named/unix/dlz_dlopen_driver.c
+++ b/bind/bind9/bin/named/unix/dlz_dlopen_driver.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/unix/include/named/os.h b/bind/bind9/bin/named/unix/include/named/os.h
index 5415b83b..87498b8d 100644
--- a/bind/bind9/bin/named/unix/include/named/os.h
+++ b/bind/bind9/bin/named/unix/include/named/os.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -73,7 +73,7 @@ ns_os_tzset(void);
 void
 ns_os_started(void);
 
-char *
+const char *
 ns_os_uname(void);
 
 #endif /* NS_OS_H */
diff --git a/bind/bind9/bin/named/unix/os.c b/bind/bind9/bin/named/unix/os.c
index 809cede3..42c6276b 100644
--- a/bind/bind9/bin/named/unix/os.c
+++ b/bind/bind9/bin/named/unix/os.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -42,6 +42,7 @@
 #include <isc/result.h>
 #include <isc/strerror.h>
 #include <isc/string.h>
+#include <isc/util.h>
 
 #include <named/globals.h>
 #include <named/main.h>
@@ -786,6 +787,7 @@ mkdirpath(char *filename, void (*report)(const char *, ...)) {
 	return (-1);
 }
 
+#ifndef HAVE_LINUXTHREADS
 static void
 setperms(uid_t uid, gid_t gid) {
 #if defined(HAVE_SETEGID) || defined(HAVE_SETRESGID)
@@ -829,6 +831,7 @@ setperms(uid_t uid, gid_t gid) {
 	}
 #endif
 }
+#endif /* !HAVE_LINUXTHREADS */
 
 FILE *
 ns_os_openfile(const char *filename, mode_t mode, bool switch_user) {
@@ -853,17 +856,20 @@ ns_os_openfile(const char *filename, mode_t mode, bool switch_user) {
 	free(f);
 
 	if (switch_user && runas_pw != NULL) {
-#ifndef HAVE_LINUXTHREADS
+		uid_t olduid = getuid();
 		gid_t oldgid = getgid();
-#endif
+#ifdef HAVE_LINUXTHREADS
+		REQUIRE(olduid == runas_pw->pw_uid);
+		REQUIRE(oldgid == runas_pw->pw_gid);
+#else
 		/* Set UID/GID to the one we'll be running with eventually */
 		setperms(runas_pw->pw_uid, runas_pw->pw_gid);
-
+#endif
 		fd = safe_open(filename, mode, false);
 
 #ifndef HAVE_LINUXTHREADS
 		/* Restore UID/GID to root */
-		setperms(0, oldgid);
+		setperms(olduid, oldgid);
 #endif /* HAVE_LINUXTHREADS */
 
 		if (fd == -1) {
@@ -1083,8 +1089,12 @@ ns_os_tzset(void) {
 #endif
 }
 
-static char unamebuf[BUFSIZ];
-static char *unamep = NULL;
+#ifdef HAVE_UNAME
+static char unamebuf[sizeof(struct utsname)];
+#else
+static const char unamebuf[] = { "unknown architecture" };
+#endif
+static const char *unamep = NULL;
 
 static void
 getuname(void) {
@@ -1097,18 +1107,16 @@ getuname(void) {
 		return;
 	}
 
-	snprintf(unamebuf, sizeof(unamebuf),
-		 "%s %s %s %s",
-		 uts.sysname, uts.machine, uts.release, uts.version);
-#else
-	snprintf(unamebuf, sizeof(unamebuf), "unknown architecture");
-#endif
+	snprintf(unamebuf, sizeof(unamebuf), "%s %s %s %s", uts.sysname,
+		 uts.machine, uts.release, uts.version);
+#endif /* ifdef HAVE_UNAME */
 	unamep = unamebuf;
 }
 
-char *
+const char *
 ns_os_uname(void) {
-	if (unamep == NULL)
+	if (unamep == NULL) {
 		getuname();
+	}
 	return (unamep);
 }
diff --git a/bind/bind9/bin/named/update.c b/bind/bind9/bin/named/update.c
index 4ed0b6b8..6ad7d27d 100644
--- a/bind/bind9/bin/named/update.c
+++ b/bind/bind9/bin/named/update.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1940,7 +1940,7 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_difftuple_t *tuple;
 	bool nseconly = false, nsec3 = false;
 	isc_result_t result;
-	unsigned int iterations = 0, max;
+	unsigned int iterations = 0;
 	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
 
 	/* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
@@ -1994,11 +1994,9 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 
 	/* Verify NSEC3 params */
 	CHECK(get_iterations(db, ver, privatetype, &iterations));
-	CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
-	if (max != 0 && iterations > max) {
+	if (iterations > dns_nsec3_maxiterations()) {
 		update_log(client, zone, ISC_LOG_ERROR,
-			   "too many NSEC3 iterations (%u) for "
-			   "weakest DNSKEY (%u)", iterations, max);
+			   "too many NSEC3 iterations (%u)", iterations);
 		result = DNS_R_REFUSED;
 		goto failure;
 	}
@@ -2113,7 +2111,7 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		next = ISC_LIST_NEXT(tuple, link);
 		if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
 			/*
-			 * If we havn't had any adds then the tuple->ttl must
+			 * If we haven't had any adds then the tuple->ttl must
 			 * be the original ttl and should be used for any
 			 * future changes.
 			 */
@@ -2140,7 +2138,7 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
 	     tuple != NULL; tuple = next) {
 		/*
-		 * If we havn't had any adds then the tuple->ttl must be the
+		 * If we haven't had any adds then the tuple->ttl must be the
 		 * original ttl and should be used for any future changes.
 		 */
 		if (!ttl_good) {
@@ -2152,7 +2150,7 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 
 			/*
 			 * Look for any deletes which match this ADD ignoring
-			 * flags.  We don't need to explictly remove them as
+			 * flags.  We don't need to explicitly remove them as
 			 * they will be removed a side effect of processing
 			 * the add.
 			 */
@@ -2208,7 +2206,7 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 
 			/*
 			 * Remove any existing CREATE request to add an
-			 * otherwise indentical chain with a reversed
+			 * otherwise identical chain with a reversed
 			 * OPTOUT state.
 			 */
 			buf[2] ^= DNS_NSEC3FLAG_OPTOUT;
@@ -2529,7 +2527,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_zone_getssutable(zone, &ssutable);
 
 	/*
-	 * Update message processing can leak record existance information
+	 * Update message processing can leak record existence information
 	 * so check that we are allowed to query this zone.  Additionally
 	 * if we would refuse all updates for this zone we bail out here.
 	 */
@@ -3440,7 +3438,7 @@ forward_done(isc_task_t *task, isc_event_t *event) {
 	INSIST(client->nupdates > 0);
 	client->nupdates--;
 	ns_client_sendraw(client, uev->answer);
-	dns_message_destroy(&uev->answer);
+	dns_message_detach(&uev->answer);
 	isc_event_free(&event);
 	ns_client_detach(&client);
 }
diff --git a/bind/bind9/bin/named/win32/dlz_dlopen_driver.c b/bind/bind9/bin/named/win32/dlz_dlopen_driver.c
index bb0eeddc..7ba1f0c2 100644
--- a/bind/bind9/bin/named/win32/dlz_dlopen_driver.c
+++ b/bind/bind9/bin/named/win32/dlz_dlopen_driver.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/win32/include/named/ntservice.h b/bind/bind9/bin/named/win32/include/named/ntservice.h
index 38732fb2..77f4ba55 100644
--- a/bind/bind9/bin/named/win32/include/named/ntservice.h
+++ b/bind/bind9/bin/named/win32/include/named/ntservice.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/win32/include/named/os.h b/bind/bind9/bin/named/win32/include/named/os.h
index cac89a48..e65a321f 100644
--- a/bind/bind9/bin/named/win32/include/named/os.h
+++ b/bind/bind9/bin/named/win32/include/named/os.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -70,7 +70,7 @@ ns_os_tzset(void);
 void
 ns_os_started(void);
 
-char *
+const char *
 ns_os_uname(void);
 
 #endif /* NS_OS_H */
diff --git a/bind/bind9/bin/named/win32/named.vcxproj.in b/bind/bind9/bin/named/win32/named.vcxproj.in
index eb44bf35..0487405e 100644
--- a/bind/bind9/bin/named/win32/named.vcxproj.in
+++ b/bind/bind9/bin/named/win32/named.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@BUILDER="Visual Studio";_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/named/win32/ntservice.c b/bind/bind9/bin/named/win32/ntservice.c
index fe4ab5c4..77cafe39 100644
--- a/bind/bind9/bin/named/win32/ntservice.c
+++ b/bind/bind9/bin/named/win32/ntservice.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/named/win32/os.c b/bind/bind9/bin/named/win32/os.c
index 34be311b..300e115f 100644
--- a/bind/bind9/bin/named/win32/os.c
+++ b/bind/bind9/bin/named/win32/os.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -392,7 +392,7 @@ ns_os_started(void) {
 }
 
 static char unamebuf[BUFSIZ];
-static char *unamep = NULL;
+static const char *unamep = NULL;
 
 static void
 getuname(void) {
@@ -461,9 +461,10 @@ getuname(void) {
  * GetVersionEx() returns 6.2 (aka Windows 8.1) since it was obsoleted
  * so we had to switch to the recommended way to get the Windows version.
  */
-char *
+const char *
 ns_os_uname(void) {
-	if (unamep == NULL)
+	if (unamep == NULL) {
 		getuname();
+	}
 	return (unamep);
 }
diff --git a/bind/bind9/bin/named/xfrout.c b/bind/bind9/bin/named/xfrout.c
index ce659f5b..7149825a 100644
--- a/bind/bind9/bin/named/xfrout.c
+++ b/bind/bind9/bin/named/xfrout.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -961,26 +961,8 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 
 	current_serial = dns_soa_getserial(&current_soa_tuple->rdata);
 	if (reqtype == dns_rdatatype_ixfr) {
-		/*
-		 * Outgoing IXFR may have been disabled for this peer
-		 * or globally.
-		 */
-		if ((client->attributes & NS_CLIENTATTR_TCP) != 0) {
-			bool provide_ixfr;
-
-			provide_ixfr = client->view->provideixfr;
-			if (peer != NULL) {
-				(void) dns_peer_getprovideixfr(peer,
-							       &provide_ixfr);
-			}
-			if (provide_ixfr == false) {
-				goto axfr_fallback;
-			}
-		}
-
-		if (! have_soa) {
-			FAILC(DNS_R_FORMERR,
-			      "IXFR request missing SOA");
+		if (!have_soa) {
+			FAILC(DNS_R_FORMERR, "IXFR request missing SOA");
 		}
 
 		begin_serial = dns_soa_getserial(&soa_rdata);
@@ -1003,6 +985,29 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 			is_poll = true;
 			goto have_stream;
 		}
+
+		/*
+		 * Outgoing IXFR may have been disabled for this peer
+		 * or globally.
+		 */
+		if ((client->attributes & NS_CLIENTATTR_TCP) != 0) {
+			bool provide_ixfr;
+
+			provide_ixfr = client->view->provideixfr;
+			if (peer != NULL) {
+				(void)dns_peer_getprovideixfr(peer,
+							      &provide_ixfr);
+			}
+			if (!provide_ixfr) {
+				xfrout_log1(client, question_name,
+					    question_class, ISC_LOG_DEBUG(4),
+					    "IXFR delta response disabled due "
+					    "to 'provide-ixfr no;' being set");
+				mnemonic = "AXFR-style IXFR";
+				goto axfr_fallback;
+			}
+		}
+
 		journalfile = is_dlz ? NULL : dns_zone_getjournal(zone);
 		if (journalfile != NULL) {
 			result = ixfr_rrstream_create(mctx,
@@ -1575,7 +1580,7 @@ sendstream(xfrout_ctx_t *xfr) {
 	}
 
 	if (tcpmsg != NULL)
-		dns_message_destroy(&tcpmsg);
+		dns_message_detach(&tcpmsg);
 
 	if (cleanup_cctx)
 		dns_compress_invalidate(&cctx);
diff --git a/bind/bind9/bin/named/zoneconf.c b/bind/bind9/bin/named/zoneconf.c
index 6a28cf83..fa6dbf96 100644
--- a/bind/bind9/bin/named/zoneconf.c
+++ b/bind/bind9/bin/named/zoneconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 
 		str = cfg_obj_asstring(matchtype);
 		CHECK(dns_ssu_mtypefromstring(str, &mtype));
-		if (mtype == dns_ssumatchtype_subdomain) {
+		if (mtype == dns_ssumatchtype_subdomain &&
+		    strcasecmp(str, "zonesub") == 0) {
 			usezone = true;
 		}
 
@@ -1250,6 +1251,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		INSIST(result == ISC_R_SUCCESS);
 		dns_zone_setrequestixfr(zone, cfg_obj_asboolean(obj));
 
+		obj = NULL;
 		checknames(ztype, maps, &obj);
 		INSIST(obj != NULL);
 		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
@@ -1442,7 +1444,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			} else if (strcasecmp(arg, "maintain") == 0) {
 				allow = maint = true;
 			} else if (strcasecmp(arg, "off") == 0) {
-				;
+				/* Default */
 			} else {
 				INSIST(0);
 				ISC_UNREACHABLE();
@@ -1591,7 +1593,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 				dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN,
 						   true);
 			} else if (strcasecmp(arg, "maintain") == 0) {
-				;
+				/* Default */
 			} else {
 				INSIST(0);
 				ISC_UNREACHABLE();
diff --git a/bind/bind9/bin/nsupdate/Makefile.in b/bind/bind9/bin/nsupdate/Makefile.in
index 5332516f..ef9af0ce 100644
--- a/bind/bind9/bin/nsupdate/Makefile.in
+++ b/bind/bind9/bin/nsupdate/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/nsupdate/nsupdate.1 b/bind/bind9/bin/nsupdate/nsupdate.1
index d842fb98..522ebbfe 100644
--- a/bind/bind9/bin/nsupdate/nsupdate.1
+++ b/bind/bind9/bin/nsupdate/nsupdate.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: nsupdate
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-04-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -287,7 +287,8 @@ will clear the default ttl\&.
 \fBkey\fR [hmac:] {keyname} {secret}
 .RS 4
 Specifies that all updates are to be TSIG\-signed using the
-\fIkeyname\fR\fIsecret\fR
+\fIkeyname\fR
+\fIsecret\fR
 pair\&. If
 \fIhmac\fR
 is specified, then it sets the signing algorithm in use; the default is
@@ -520,5 +521,5 @@ The TSIG key is redundantly stored in two separate files\&. This is a consequenc
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/nsupdate/nsupdate.c b/bind/bind9/bin/nsupdate/nsupdate.c
index de60313f..faf32635 100644
--- a/bind/bind9/bin/nsupdate/nsupdate.c
+++ b/bind/bind9/bin/nsupdate/nsupdate.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -59,6 +59,7 @@
 #include <dns/masterdump.h>
 #include <dns/message.h>
 #include <dns/name.h>
+#include <dns/nsec3.h>
 #include <dns/rcode.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
@@ -94,9 +95,14 @@
 #endif
 #elif defined(HAVE_EDITLINE_READLINE_H)
 #include <editline/readline.h>
-#else
-#include <readline/readline.h>
+#else /* if defined(HAVE_EDIT_READLINE_READLINE_H) */
+/* Prevent deprecated functions being declared. */
+#define _FUNCTION_DEF 1
+/* Ensure rl_message() gets prototype. */
+#define USE_VARARGS   1
+#define PREFER_STDARG 1
 #include <readline/history.h>
+#include <readline/readline.h>
 #endif
 #endif
 
@@ -192,6 +198,7 @@ static unsigned int udp_timeout = 3;
 static unsigned int udp_retries = 3;
 static dns_rdataclass_t defaultclass = dns_rdataclass_in;
 static dns_rdataclass_t zoneclass = dns_rdataclass_none;
+static isc_mutex_t answer_lock;
 static dns_message_t *answer = NULL;
 static uint32_t default_ttl = 0;
 static bool default_ttl_set = false;
@@ -801,7 +808,7 @@ doshutdown(void) {
 	}
 
 	if (updatemsg != NULL)
-		dns_message_destroy(&updatemsg);
+		dns_message_detach(&updatemsg);
 
 	if (is_dst_up) {
 		ddebug("Destroy DST lib");
@@ -830,6 +837,10 @@ doshutdown(void) {
 
 static void
 maybeshutdown(void) {
+	/* when called from getinput, doshutdown might be already finished */
+	if (requestmgr == NULL)
+		return;
+
 	ddebug("Shutting down request manager");
 	dns_requestmgr_shutdown(requestmgr);
 
@@ -1038,15 +1049,19 @@ setup_system(void) {
 				       dispatchv4, dispatchv6, &requestmgr);
 	check_result(result, "dns_requestmgr_create");
 
-	if (keystr != NULL)
+	if (keystr != NULL) {
 		setup_keystr();
-	else if (local_only) {
+	} else if (local_only) {
 		result = read_sessionkey(gmctx, glctx);
 		if (result != ISC_R_SUCCESS)
 			fatal("can't read key from %s: %s\n",
 			      keyfile, isc_result_totext(result));
-	} else if (keyfile != NULL)
+	} else if (keyfile != NULL) {
 		setup_keyfile(gmctx, glctx);
+	}
+
+	result = isc_mutex_init(&answer_lock);
+	check_result(result, "isc_mutex_init");
 }
 
 static int
@@ -1979,6 +1994,19 @@ update_addordelete(char *cmdline, bool isdelete) {
 		}
 	}
 
+	if (!isdelete && rdata->type == dns_rdatatype_nsec3param) {
+		dns_rdata_nsec3param_t nsec3param;
+
+		result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		if (nsec3param.iterations > dns_nsec3_maxiterations()) {
+			fprintf(stderr,
+				"NSEC3PARAM has excessive iterations (> %u)\n",
+				dns_nsec3_maxiterations());
+			goto failure;
+		}
+	}
+
  doneparsing:
 
 	result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
@@ -2177,8 +2205,11 @@ do_next_command(char *cmdline) {
 		return (STATUS_MORE);
 	}
 	if (strcasecmp(word, "answer") == 0) {
-		if (answer != NULL)
+		LOCK(&answer_lock);
+		if (answer != NULL) {
 			show_message(stdout, answer, "Answer:");
+		}
+		UNLOCK(&answer_lock);
 		return (STATUS_MORE);
 	}
 	if (strcasecmp(word, "key") == 0) {
@@ -2378,6 +2409,7 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
+	LOCK(&answer_lock);
 	result = dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &answer);
 	check_result(result, "dns_message_create");
 	result = dns_request_getresponse(request, answer,
@@ -2409,6 +2441,10 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 		check_result(result, "dns_request_getresponse");
 	}
 
+	if (answer->opcode != dns_opcode_update) {
+		fatal("invalid OPCODE in response to UPDATE request");
+	}
+
 	if (answer->rcode != dns_rcode_noerror) {
 		seenerror = true;
 		if (!debugging) {
@@ -2426,8 +2462,10 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 				(int)isc_buffer_usedlength(&b), buf);
 		}
 	}
-	if (debugging)
+	if (debugging) {
 		show_message(stderr, answer, "\nReply from update query:");
+	}
+	UNLOCK(&answer_lock);
 
  done:
 	dns_request_destroy(&request);
@@ -2536,7 +2574,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 
 	if (shuttingdown) {
 		dns_request_destroy(&request);
-		dns_message_destroy(&soaquery);
+		dns_message_detach(&soaquery);
 		isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
 		isc_event_free(&event);
 		maybeshutdown();
@@ -2567,7 +2605,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	result = dns_request_getresponse(request, rcvmsg,
 					 DNS_MESSAGEPARSE_PRESERVEORDER);
 	if (result == DNS_R_TSIGERRORSET && servers != NULL) {
-		dns_message_destroy(&rcvmsg);
+		dns_message_detach(&rcvmsg);
 		ddebug("Destroying request [%p]", request);
 		dns_request_destroy(&request);
 		reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
@@ -2599,6 +2637,10 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	if (debugging)
 		show_message(stderr, rcvmsg, "Reply from SOA query:");
 
+	if (rcvmsg->opcode != dns_opcode_query) {
+		fatal("invalid OPCODE in response to SOA query");
+	}
+
 	if (rcvmsg->rcode != dns_rcode_noerror &&
 	    rcvmsg->rcode != dns_rcode_nxdomain)
 		fatal("response to SOA query was unsuccessful");
@@ -2608,9 +2650,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		dns_name_format(userzone, namebuf, sizeof(namebuf));
 		error("specified zone '%s' does not exist (NXDOMAIN)",
 		      namebuf);
-		dns_message_destroy(&rcvmsg);
+		dns_message_detach(&rcvmsg);
 		dns_request_destroy(&request);
-		dns_message_destroy(&soaquery);
+		dns_message_detach(&soaquery);
 		ddebug("Out of recvsoa");
 		done_update();
 		seenerror = true;
@@ -2727,9 +2769,11 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 #ifdef GSSAPI
 	if (usegsstsig) {
 		dns_name_init(&tmpzonename, NULL);
-		dns_name_dup(zname, gmctx, &tmpzonename);
+		result = dns_name_dup(zname, gmctx, &tmpzonename);
+		check_result(result, "dns_name_dup");
 		dns_name_init(&restart_master, NULL);
-		dns_name_dup(&master, gmctx, &restart_master);
+		result = dns_name_dup(&master, gmctx, &restart_master);
+		check_result(result, "dns_name_dup");
 		start_gssrequest(&master);
 	} else {
 		send_update(zname, &master_servers[master_inuse]);
@@ -2740,11 +2784,11 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	setzoneclass(dns_rdataclass_none);
 #endif
 
-	dns_message_destroy(&soaquery);
+	dns_message_detach(&soaquery);
 	dns_request_destroy(&request);
 
  out:
-	dns_message_destroy(&rcvmsg);
+	dns_message_detach(&rcvmsg);
 	ddebug("Out of recvsoa");
 	return;
 
@@ -2953,7 +2997,7 @@ start_gssrequest(dns_name_t *master) {
 
 failure:
 	if (rmsg != NULL)
-		dns_message_destroy(&rmsg);
+		dns_message_detach(&rmsg);
 	if (err_message != NULL)
 		isc_mem_free(gmctx, err_message);
 	failed_gssrequest();
@@ -2969,6 +3013,8 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
 	isc_sockaddr_t *srcaddr;
 
 	debug("send_gssrequest");
+	REQUIRE(destaddr != NULL);
+
 	reqinfo = isc_mem_get(gmctx, sizeof(nsu_gssinfo_t));
 	if (reqinfo == NULL)
 		fatal("out of memory");
@@ -3025,7 +3071,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 
 	if (shuttingdown) {
 		dns_request_destroy(&request);
-		dns_message_destroy(&tsigquery);
+		dns_message_detach(&tsigquery);
 		isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
 		isc_event_free(&event);
 		maybeshutdown();
@@ -3036,7 +3082,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 		ddebug("Destroying request [%p]", request);
 		dns_request_destroy(&request);
 		if (!next_master("recvgss", addr, eresult)) {
-			dns_message_destroy(&tsigquery);
+			dns_message_detach(&tsigquery);
 			failed_gssrequest();
 		} else {
 			dns_message_renderreset(tsigquery);
@@ -3065,6 +3111,10 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 		show_message(stderr, rcvmsg,
 			     "recvmsg reply from GSS-TSIG query");
 
+	if (rcvmsg->opcode != dns_opcode_query) {
+		fatal("invalid OPCODE in response to GSS-TSIG query");
+	}
+
 	if (rcvmsg->rcode == dns_rcode_formerr && !tried_other_gsstsig) {
 		ddebug("recvgss trying %s GSS-TSIG",
 		       use_win2k_gsstsig ? "Standard" : "Win2k");
@@ -3095,7 +3145,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 	switch (result) {
 
 	case DNS_R_CONTINUE:
-		dns_message_destroy(&rcvmsg);
+		dns_message_detach(&rcvmsg);
 		dns_request_destroy(&request);
 		send_gssrequest(kserver, tsigquery, &request, context);
 		ddebug("Out of recvgss");
@@ -3143,9 +3193,9 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 
  done:
 	dns_request_destroy(&request);
-	dns_message_destroy(&tsigquery);
+	dns_message_detach(&tsigquery);
 
-	dns_message_destroy(&rcvmsg);
+	dns_message_detach(&rcvmsg);
 	ddebug("Out of recvgss");
 }
 #endif
@@ -3162,8 +3212,11 @@ start_update(void) {
 
 	ddebug("start_update()");
 
-	if (answer != NULL)
-		dns_message_destroy(&answer);
+	LOCK(&answer_lock);
+	if (answer != NULL) {
+		dns_message_detach(&answer);
+	}
+	UNLOCK(&answer_lock);
 
 	/*
 	 * If we have both the zone and the servers we have enough information
@@ -3206,7 +3259,7 @@ start_update(void) {
 			dns_message_puttempname(soaquery, &name);
 			dns_rdataset_disassociate(rdataset);
 			dns_message_puttemprdataset(soaquery, &rdataset);
-			dns_message_destroy(&soaquery);
+			dns_message_detach(&soaquery);
 			done_update();
 			return;
 		}
@@ -3241,8 +3294,11 @@ static void
 cleanup(void) {
 	ddebug("cleanup()");
 
-	if (answer != NULL)
-		dns_message_destroy(&answer);
+	LOCK(&answer_lock);
+	if (answer != NULL) {
+		dns_message_detach(&answer);
+	}
+	UNLOCK(&answer_lock);
 
 #ifdef GSSAPI
 	if (tsigkey != NULL) {
@@ -3253,20 +3309,6 @@ cleanup(void) {
 		ddebug("Detaching GSS-TSIG keyring");
 		dns_tsigkeyring_detach(&gssring);
 	}
-	if (kserver != NULL) {
-		isc_mem_put(gmctx, kserver, sizeof(isc_sockaddr_t));
-		kserver = NULL;
-	}
-	if (realm != NULL) {
-		isc_mem_free(gmctx, realm);
-		realm = NULL;
-	}
-	if (dns_name_dynamic(&tmpzonename)) {
-		dns_name_free(&tmpzonename, gmctx);
-	}
-	if (dns_name_dynamic(&restart_master)) {
-		dns_name_free(&restart_master, gmctx);
-	}
 #endif
 
 	if (sig0key != NULL)
@@ -3290,6 +3332,26 @@ cleanup(void) {
 	ddebug("Destroying name state");
 	dns_name_destroy();
 
+#ifdef GSSAPI
+	/*
+	 * Cleanup GSSAPI resources after taskmgr has been destroyed.
+	 */
+	if (kserver != NULL) {
+		isc_mem_put(gmctx, kserver, sizeof(isc_sockaddr_t));
+		kserver = NULL;
+	}
+	if (realm != NULL) {
+		isc_mem_free(gmctx, realm);
+		realm = NULL;
+	}
+	if (dns_name_dynamic(&tmpzonename)) {
+		dns_name_free(&tmpzonename, gmctx);
+	}
+	if (dns_name_dynamic(&restart_master)) {
+		dns_name_free(&restart_master, gmctx);
+	}
+#endif
+
 	ddebug("Removing log context");
 	isc_log_destroy(&glctx);
 
@@ -3297,6 +3359,8 @@ cleanup(void) {
 	if (memdebugging)
 		isc_mem_stats(gmctx, stderr);
 	isc_mem_destroy(&gmctx);
+
+	isc_mutex_destroy(&answer_lock);
 }
 
 static void
diff --git a/bind/bind9/bin/nsupdate/nsupdate.docbook b/bind/bind9/bin/nsupdate/nsupdate.docbook
index a77f3e66..d3e7d619 100644
--- a/bind/bind9/bin/nsupdate/nsupdate.docbook
+++ b/bind/bind9/bin/nsupdate/nsupdate.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsupdate">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsupdate">
   <info>
     <date>2014-04-18</date>
   </info>
@@ -51,6 +51,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/nsupdate/nsupdate.html b/bind/bind9/bin/nsupdate/nsupdate.html
index fdeb9255..26c7c0d7 100644
--- a/bind/bind9/bin/nsupdate/nsupdate.html
+++ b/bind/bind9/bin/nsupdate/nsupdate.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2012, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,55 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.nsupdate"></a><div class="titlepage"></div>
-  
-  
-
-  
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">nsupdate</span>
-     &#8212; Dynamic DNS update utility
-  </p>
+<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">nsupdate</code> 
-       [<code class="option">-d</code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-i</code>]
-       [<code class="option">-L <em class="replaceable"><code>level</code></em></code>]
-       [
-	[<code class="option">-g</code>]
-	 |  [<code class="option">-o</code>]
-	 |  [<code class="option">-l</code>]
-	 |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>]
-	 |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]
-      ]
-       [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-T</code>]
-       [<code class="option">-P</code>]
-       [<code class="option">-V</code>]
-       [filename]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [<code class="option">-i</code>] [<code class="option">-L <em class="replaceable"><code>level</code></em></code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [filename]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>nsupdate</strong></span>
+<p><span class="command"><strong>nsupdate</strong></span>
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
       This allows resource records to be added or removed from a zone
@@ -67,27 +33,27 @@
       one
       resource record.
     </p>
-    <p>
+<p>
       Zones that are under dynamic control via
       <span class="command"><strong>nsupdate</strong></span>
       or a DHCP server should not be edited by hand.
       Manual edits could
       conflict with dynamic updates and cause data to be lost.
     </p>
-    <p>
+<p>
       The resource records that are dynamically added or removed with
       <span class="command"><strong>nsupdate</strong></span>
       have to be in the same zone.
       Requests are sent to the zone's master server.
       This is identified by the MNAME field of the zone's SOA record.
     </p>
-    <p>
+<p>
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
       in RFC 2845 or the SIG(0) record described in RFC 2535 and
       RFC 2931 or GSS-TSIG as described in RFC 3645.
     </p>
-    <p>
+<p>
       TSIG relies on
       a shared secret that should only be known to
       <span class="command"><strong>nsupdate</strong></span> and the name server.
@@ -102,47 +68,37 @@
       uses the <code class="option">-y</code> or <code class="option">-k</code> options
       to provide the TSIG shared secret.  These options are mutually exclusive.
     </p>
-    <p>
+<p>
       SIG(0) uses public key cryptography.
       To use a SIG(0) key, the public key must be stored in a KEY
       record in a zone served by the name server.
     </p>
-    <p>
+<p>
       GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
       is switched on with the <code class="option">-g</code> flag.  A
       non-standards-compliant variant of GSS-TSIG used by Windows
       2000 can be switched on with the <code class="option">-o</code> flag.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-d</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Debug mode. This provides tracing information about the
 	    update requests that are made and the replies received
 	    from the name server.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Extra debug mode.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Force interactive mode, even when standard input is not a terminal.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The file containing the TSIG authentication key.
 	    Keyfiles may be in two formats: a single file containing
 	    a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span>
@@ -154,11 +110,9 @@
 	    The <code class="option">-k</code> may also be used to specify a SIG(0) key used
 	    to authenticate Dynamic DNS update requests.  In this case, the key
 	    specified is not an HMAC-MD5 key.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-l</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Local-host only mode. This sets the server address to
 	    localhost (disabling the <span class="command"><strong>server</strong></span> so that the server
 	    address cannot be overridden).  Connections to the local server will
@@ -167,40 +121,30 @@
 	    local master zone has set <span class="command"><strong>update-policy</strong></span> to
 	    <span class="command"><strong>local</strong></span>.  The location of this key file can be
 	    overridden with the <code class="option">-k</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the logging debug level.  If zero, logging is disabled.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the port to use for connections to a name server. The
 	    default is 53.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-P</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the list of private BIND-specific resource record
 	    types whose format is understood
 	    by <span class="command"><strong>nsupdate</strong></span>. See also
 	    the <code class="option">-T</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The number of UDP retries. The default is 3. If zero, only
 	    one update request will be made.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
-	<p>
+<dd><p>
 	  Where to obtain randomness. If the operating system
 	  does not provide a <code class="filename">/dev/random</code> or
 	  equivalent device, the default source of randomness is keyboard
@@ -209,60 +153,51 @@
 	  instead of the default.  The special value
 	  <code class="filename">keyboard</code> indicates that keyboard input
 	  should be used.  This option may be specified multiple times.
-	</p>
-	</dd>
+	</p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The maximum time an update request can take before it is
 	    aborted. The default is 300 seconds. Zero can be used to
 	    disable the timeout.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-T</span></dt>
 <dd>
-	  <p>
+<p>
 	    Print the list of IANA standard resource record types
 	    whose format is understood by <span class="command"><strong>nsupdate</strong></span>.
 	    <span class="command"><strong>nsupdate</strong></span> will exit after the lists are
 	    printed. The <code class="option">-T</code> option can be combined
 	    with the <code class="option">-P</code> option.
 	  </p>
-	  <p>
+<p>
 	    Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
 	    decimal value of the type with no leading zeros.  The rdata,
 	    if present, will be parsed using the UNKNOWN rdata format,
 	    (&lt;backslash&gt; &lt;hash&gt; &lt;space&gt; &lt;length&gt;
 	    &lt;space&gt; &lt;hexstring&gt;).
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The UDP retry interval. The default is 3 seconds. If zero,
 	    the interval will be computed from the timeout interval and
 	    number of UDP retries.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use TCP even for small update requests.
 	    By default, <span class="command"><strong>nsupdate</strong></span>
 	    uses UDP to send update requests to the name server unless they are too
 	    large to fit in a UDP request in which case TCP will be used.
 	    TCP may be preferable when a batch of update requests is made.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the version number and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Literal TSIG authentication key.
 	    <em class="parameter"><code>keyname</code></em> is the name of the key, and
 	    <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
@@ -274,23 +209,19 @@
 	    is not specified, the default is <code class="literal">hmac-md5</code>
 	    or if MD5 was disabled <code class="literal">hmac-sha256</code>.
 	  </p>
-	  <p>
+<p>
 	    NOTE: Use of the <code class="option">-y</code> option is discouraged because the
 	    shared secret is supplied as a command line argument in clear text.
 	    This may be visible in the output from
-	    <span class="citerefentry">
-	      <span class="refentrytitle">ps</span>(1)
-	    </span>
+	    <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
 	    or in a history file maintained by the user's shell.
 	  </p>
-	</dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>INPUT FORMAT</h2>
-
-    <p><span class="command"><strong>nsupdate</strong></span>
+<p><span class="command"><strong>nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
       or standard input.
@@ -304,7 +235,7 @@
       Updates will be rejected if the tests for the prerequisite conditions
       fail.
     </p>
-    <p>
+<p>
       Every update request consists of zero or more prerequisites
       and zero or more updates.
       This allows a suitably authenticated update request to proceed if some
@@ -314,7 +245,7 @@
       accumulated commands to be sent as one Dynamic DNS update request to the
       name server.
     </p>
-    <p>
+<p>
       The command formats and their meaning are as follows:
       </p>
 <div class="variablelist"><dl class="variablelist">
@@ -323,8 +254,7 @@
 	       {servername}
 	       [port]
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sends all dynamic update requests to the name server
 	      <em class="parameter"><code>servername</code></em>.
 	      When no server statement is provided,
@@ -340,15 +270,13 @@
 	      If no port number is specified, the default DNS port number of
 	      53 is
 	      used.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>local</strong></span>
 	       {address}
 	       [port]
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sends all dynamic update requests using the local
 	      <em class="parameter"><code>address</code></em>.
 
@@ -360,14 +288,12 @@
 	      can additionally be used to make requests come from a specific
 	      port.
 	      If no port number is specified, the system will assign one.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>zone</strong></span>
 	       {zonename}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specifies that all updates are to be made to the zone
 	      <em class="parameter"><code>zonename</code></em>.
 	      If no
@@ -376,38 +302,32 @@
 	      <span class="command"><strong>nsupdate</strong></span>
 	      will attempt determine the correct zone to update based on the
 	      rest of the input.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>class</strong></span>
 	       {classname}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specify the default class.
 	      If no <em class="parameter"><code>class</code></em> is specified, the
 	      default class is
 	      <em class="parameter"><code>IN</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>ttl</strong></span>
 	       {seconds}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specify the default time to live for records to be added.
 	      The value <em class="parameter"><code>none</code></em> will clear the default
 	      ttl.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>key</strong></span>
 	       [hmac:] {keyname}
 	       {secret}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specifies that all updates are to be TSIG-signed using the
 	      <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
 	      If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
@@ -416,80 +336,66 @@
 	      <code class="literal">hmac-sha256</code>.  The <span class="command"><strong>key</strong></span>
 	      command overrides any key specified on the command line via
 	      <code class="option">-y</code> or <code class="option">-k</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	    <span class="command"><strong>gsstsig</strong></span>
 	  </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Use GSS-TSIG to sign the updated.  This is equivalent to
 	      specifying <code class="option">-g</code> on the command line.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	    <span class="command"><strong>oldgsstsig</strong></span>
 	  </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
 	      This is equivalent to specifying <code class="option">-o</code> on the
 	      command line.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	    <span class="command"><strong>realm</strong></span>
 	     {[<span class="optional">realm_name</span>]}
 	  </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
 	      than the default realm in <code class="filename">krb5.conf</code>.  If no
 	      realm is specified the saved realm is cleared.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	    <span class="command"><strong>check-names</strong></span>
 	     {[<span class="optional">yes_or_no</span>]}
 	  </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Turn on or off check-names processing on records to
 	      be added.  Check-names has no effect on prerequisites
 	      or records to be deleted.  By default check-names
 	      processing is on.  If check-names processing fails
 	      the record will not be added to the UPDATE message.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] nxdomain</strong></span>
 	       {domain-name}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Requires that no resource record of any type exists with name
 	      <em class="parameter"><code>domain-name</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] yxdomain</strong></span>
 	       {domain-name}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Requires that
 	      <em class="parameter"><code>domain-name</code></em>
 	      exists (has as at least one resource record, of any type).
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] nxrrset</strong></span>
 	       {domain-name}
 	       [class]
 	       {type}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Requires that no resource record exists of the specified
 	      <em class="parameter"><code>type</code></em>,
 	      <em class="parameter"><code>class</code></em>
@@ -498,16 +404,14 @@
 	      If
 	      <em class="parameter"><code>class</code></em>
 	      is omitted, IN (internet) is assumed.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
 	       {domain-name}
 	       [class]
 	       {type}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      This requires that a resource record of the specified
 	      <em class="parameter"><code>type</code></em>,
 	      <em class="parameter"><code>class</code></em>
@@ -517,8 +421,7 @@
 	      If
 	      <em class="parameter"><code>class</code></em>
 	      is omitted, IN (internet) is assumed.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
 	       {domain-name}
@@ -526,8 +429,7 @@
 	       {type}
 	       {data...}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      The
 	      <em class="parameter"><code>data</code></em>
 	      from each set of prerequisites of this form
@@ -548,8 +450,7 @@
 	      are written in the standard text representation of the resource
 	      record's
 	      RDATA.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
 	       {domain-name}
@@ -557,8 +458,7 @@
 	       [class]
 	       [type [data...]]
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Deletes any resource records named
 	      <em class="parameter"><code>domain-name</code></em>.
 	      If
@@ -571,8 +471,7 @@
 	      is not supplied.  The
 	      <em class="parameter"><code>ttl</code></em>
 	      is ignored, and is only allowed for compatibility.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">update</span>] add</strong></span>
 	       {domain-name}
@@ -581,80 +480,62 @@
 	       {type}
 	       {data...}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Adds a new resource record with the specified
 	      <em class="parameter"><code>ttl</code></em>,
 	      <em class="parameter"><code>class</code></em>
 	      and
 	      <em class="parameter"><code>data</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>show</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Displays the current message, containing all of the
 	      prerequisites and
 	      updates specified since the last send.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>send</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sends the current message.  This is equivalent to entering a
 	      blank line.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>answer</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Displays the answer.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>debug</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Turn on debugging.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>version</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print version number.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>help</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print a list of commands.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
     </p>
-
-    <p>
+<p>
       Lines beginning with a semicolon are comments and are ignored.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>EXAMPLES</h2>
-
-    <p>
+<p>
       The examples below show how
       <span class="command"><strong>nsupdate</strong></span>
       could be used to insert and delete resource records from the
@@ -675,7 +556,7 @@
 </pre>
 <p>
     </p>
-    <p>
+<p>
       Any A records for
       <span class="type">oldhost.example.com</span>
       are deleted.
@@ -692,7 +573,7 @@
 </pre>
 <p>
     </p>
-    <p>
+<p>
       The prerequisite condition gets the name server to check that there
       are no resource records of any type for
       <span class="type">nickname.example.com</span>.
@@ -705,50 +586,33 @@
       (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
       RRSIG, DNSKEY and NSEC records.)
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>FILES</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    used to identify default name server
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    sets the default TSIG key for use in local-only mode
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    base-64 encoding of HMAC-MD5 key created by
-	    <span class="citerefentry">
-	      <span class="refentrytitle">dnssec-keygen</span>(8)
-	    </span>.
-	  </p>
-	</dd>
+	    <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+	  </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    base-64 encoding of HMAC-MD5 key created by
-	    <span class="citerefentry">
-	      <span class="refentrytitle">dnssec-keygen</span>(8)
-	    </span>.
-	  </p>
-	</dd>
+	    <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.12"></a><h2>SEE ALSO</h2>
-
-    <p>
+<p>
       <em class="citetitle">RFC 2136</em>,
       <em class="citetitle">RFC 3007</em>,
       <em class="citetitle">RFC 2104</em>,
@@ -756,28 +620,19 @@
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 2535</em>,
       <em class="citetitle">RFC 2931</em>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">ddns-confgen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.13"></a><h2>BUGS</h2>
-
-    <p>
+<p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
       for its cryptographic operations, and may change in future
       releases.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/nsupdate/win32/nsupdate.vcxproj.in b/bind/bind9/bin/nsupdate/win32/nsupdate.vcxproj.in
index 9bac652b..2da37477 100644
--- a/bind/bind9/bin/nsupdate/win32/nsupdate.vcxproj.in
+++ b/bind/bind9/bin/nsupdate/win32/nsupdate.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/pkcs11/Makefile.in b/bind/bind9/bin/pkcs11/Makefile.in
index ae906162..df8de24b 100644
--- a/bind/bind9/bin/pkcs11/Makefile.in
+++ b/bind/bind9/bin/pkcs11/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.2 2009/10/05 12:07:08 fdupont Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/bin/pkcs11/pkcs11-destroy.8 b/bind/bind9/bin/pkcs11/pkcs11-destroy.8
index 8c0775fc..b35cc160 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-destroy.8
+++ b/bind/bind9/bin/pkcs11/pkcs11-destroy.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: pkcs11-destroy
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-15
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -93,5 +93,5 @@ Specify how long to pause before carrying out key destruction\&. The default is
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/pkcs11/pkcs11-destroy.docbook b/bind/bind9/bin/pkcs11/pkcs11-destroy.docbook
index 3858f765..d88e7666 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-destroy.docbook
+++ b/bind/bind9/bin/pkcs11/pkcs11-destroy.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-destroy">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-destroy">
   <info>
     <date>2014-01-15</date>
   </info>
@@ -39,6 +39,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/pkcs11/pkcs11-destroy.html b/bind/bind9/bin/pkcs11/pkcs11-destroy.html
index 5190a855..f543edd2 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-destroy.html
+++ b/bind/bind9/bin/pkcs11/pkcs11-destroy.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,119 +10,73 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>pkcs11-destroy</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.pkcs11-destroy"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">pkcs11-destroy</span>
-     &#8212; destroy PKCS#11 objects
-  </p>
+<p><span class="application">pkcs11-destroy</span> &#8212; destroy PKCS#11 objects</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">pkcs11-destroy</code> 
-       [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
-       {
-         -i <em class="replaceable"><code>ID</code></em> 
-         |   -l <em class="replaceable"><code>label</code></em> 
-      }
-       [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
-       [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em>  |   -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>pkcs11-destroy</strong></span> destroys keys stored in a
       PKCS#11 device, identified by their <code class="option">ID</code> or
       <code class="option">label</code>.
     </p>
-    <p>
+<p>
       Matching keys are displayed before being destroyed.  By default,
       there is a five second delay to allow the user to interrupt the
       process before the destruction takes place.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PKCS#11 provider module.  This must be the full
             path to a shared library object implementing the PKCS#11 API
             for the device.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Open the session with the given PKCS#11 slot.  The default is
             slot 0.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Destroy keys with the given object ID.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Destroy keys with the given label.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PIN for the device.  If no PIN is provided on the
             command line, <span class="command"><strong>pkcs11-destroy</strong></span> will prompt for it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-w <em class="replaceable"><code>seconds</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify how long to pause before carrying out key destruction.
             The default is five seconds.  If set to <code class="literal">0</code>,
             destruction will be immediate.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-list</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-tokens</span>(8)
-      </span>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/pkcs11/pkcs11-keygen.8 b/bind/bind9/bin/pkcs11/pkcs11-keygen.8
index c606a5d4..2e3e2a6f 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-keygen.8
+++ b/bind/bind9/bin/pkcs11/pkcs11-keygen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: pkcs11-keygen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-15
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -116,5 +116,5 @@ Open the session with the given PKCS#11 slot\&. The default is slot 0\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/pkcs11/pkcs11-keygen.docbook b/bind/bind9/bin/pkcs11/pkcs11-keygen.docbook
index d1bbf3a7..1844491e 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-keygen.docbook
+++ b/bind/bind9/bin/pkcs11/pkcs11-keygen.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
   <info>
     <date>2014-01-15</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/pkcs11/pkcs11-keygen.html b/bind/bind9/bin/pkcs11/pkcs11-keygen.html
index 9375efbe..672ab63e 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-keygen.html
+++ b/bind/bind9/bin/pkcs11/pkcs11-keygen.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,157 +10,98 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>pkcs11-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">pkcs11-keygen</span>
-     &#8212; generate keys on a PKCS#11 device
-  </p>
+<p><span class="application">pkcs11-keygen</span> &#8212; generate keys on a PKCS#11 device</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">pkcs11-keygen</code> 
-       {-a <em class="replaceable"><code>algorithm</code></em>}
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-e</code>]
-       [<code class="option">-i <em class="replaceable"><code>id</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
-       [<code class="option">-P</code>]
-       [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-S</code>]
-       [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
-       {label}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-e</code>] [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-q</code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] {label}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
       a new key pair with the given <code class="option">label</code> (which must be
       unique) and with <code class="option">keysize</code> bits of prime.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the key algorithm class: Supported classes are RSA,
             DSA, DH, ECC and ECX. In addition to these strings, the
             <code class="option">algorithm</code> can be specified as a DNSSEC
             signing algorithm that will be used with this key; for
             example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
             to ECC, and ED25519 to ECX.  The default class is "RSA".
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Create the key pair with <code class="option">keysize</code> bits of
             prime. For ECC keys, the only valid values are 256 and 384,
             and the default is 256. For ECX kyes, the only valid values
             are 256 and 456, and the default is 256.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-e</span></dt>
-<dd>
-          <p>
+<dd><p>
             For RSA keys only, use a large exponent.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Create key objects with id. The id is either
             an unsigned short 2 byte or an unsigned long 4 byte number.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PKCS#11 provider module.  This must be the full
             path to a shared library object implementing the PKCS#11 API
             for the device.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-P</span></dt>
-<dd>
-          <p>
+<dd><p>
             Set the new private key to be non-sensitive and extractable.
             The allows the private key data to be read from the PKCS#11
             device.  The default is for private keys to be sensitive and
             non-extractable.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PIN for the device.  If no PIN is provided on
             the command line, <span class="command"><strong>pkcs11-keygen</strong></span> will
             prompt for it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-          <p>
+<dd><p>
             Quiet mode: suppress unnecessary output.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-S</span></dt>
-<dd>
-          <p>
+<dd><p>
             For Diffie-Hellman (DH) keys only, use a special prime of
             768, 1024 or 1536 bit size and base (aka generator) 2.
 	    If not specified, bit size will default to 1024.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Open the session with the given PKCS#11 slot.  The default is
             slot 0.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-destroy</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-list</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-tokens</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-keyfromlabel</span>(8)
-      </span>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keyfromlabel</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/pkcs11/pkcs11-list.8 b/bind/bind9/bin/pkcs11/pkcs11-list.8
index 9d9a58e2..c923c15f 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-list.8
+++ b/bind/bind9/bin/pkcs11/pkcs11-list.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: pkcs11-list
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2009-10-05
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -94,5 +94,5 @@ will prompt for it\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/pkcs11/pkcs11-list.c b/bind/bind9/bin/pkcs11/pkcs11-list.c
index 89125211..96f12e0a 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-list.c
+++ b/bind/bind9/bin/pkcs11/pkcs11-list.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/pkcs11/pkcs11-list.docbook b/bind/bind9/bin/pkcs11/pkcs11-list.docbook
index 85dc531b..acd1ea20 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-list.docbook
+++ b/bind/bind9/bin/pkcs11/pkcs11-list.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-list">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-list">
   <info>
     <date>2009-10-05</date>
   </info>
@@ -39,6 +39,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/pkcs11/pkcs11-list.html b/bind/bind9/bin/pkcs11/pkcs11-list.html
index c16a1273..3e1bde24 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-list.html
+++ b/bind/bind9/bin/pkcs11/pkcs11-list.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,42 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>pkcs11-list</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.pkcs11-list"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">pkcs11-list</span>
-     &#8212; list PKCS#11 objects
-  </p>
+<p><span class="application">pkcs11-list</span> &#8212; list PKCS#11 objects</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">pkcs11-list</code> 
-       [<code class="option">-P</code>]
-       [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
-       [-i <em class="replaceable"><code>ID</code></em>]
-       [-l <em class="replaceable"><code>label</code></em>]
-       [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">pkcs11-list</code>  [<code class="option">-P</code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] [-i <em class="replaceable"><code>ID</code></em>] [-l <em class="replaceable"><code>label</code></em>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>pkcs11-list</strong></span>
       lists the PKCS#11 objects with <code class="option">ID</code> or
       <code class="option">label</code> or by default all objects.
@@ -54,71 +33,48 @@
       attribute is also displayed, as either <code class="literal">true</code>,
       <code class="literal">false</code>, or <code class="literal">never</code>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P</span></dt>
-<dd>
-          <p>
+<dd><p>
             List only the public objects. (Note that on some PKCS#11
             devices, all objects are private.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PKCS#11 provider module.  This must be the full
             path to a shared library object implementing the PKCS#11 API
             for the device.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Open the session with the given PKCS#11 slot.  The default is
             slot 0.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             List only key objects with the given object ID.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             List only key objects with the given label.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PIN for the device.  If no PIN is provided on the
             command line, <span class="command"><strong>pkcs11-list</strong></span> will prompt for it.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-destroy</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-tokens</span>(8)
-      </span>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/pkcs11/pkcs11-tokens.8 b/bind/bind9/bin/pkcs11/pkcs11-tokens.8
index b8e92aaf..8c6cf4f1 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-tokens.8
+++ b/bind/bind9/bin/pkcs11/pkcs11-tokens.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: pkcs11-tokens
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-15
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -65,5 +65,5 @@ Make the PKCS#11 libisc initialization verbose\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/pkcs11/pkcs11-tokens.c b/bind/bind9/bin/pkcs11/pkcs11-tokens.c
index 564710ac..7a405e1b 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-tokens.c
+++ b/bind/bind9/bin/pkcs11/pkcs11-tokens.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/pkcs11/pkcs11-tokens.docbook b/bind/bind9/bin/pkcs11/pkcs11-tokens.docbook
index 890506e5..be2cb486 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-tokens.docbook
+++ b/bind/bind9/bin/pkcs11/pkcs11-tokens.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-tokens">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-tokens">
   <info>
     <date>2014-01-15</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/pkcs11/pkcs11-tokens.html b/bind/bind9/bin/pkcs11/pkcs11-tokens.html
index e7979f66..6da3f39f 100644
--- a/bind/bind9/bin/pkcs11/pkcs11-tokens.html
+++ b/bind/bind9/bin/pkcs11/pkcs11-tokens.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,80 +10,48 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>pkcs11-tokens</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.pkcs11-tokens"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">pkcs11-tokens</span>
-     &#8212; list PKCS#11 available tokens
-  </p>
+<p><span class="application">pkcs11-tokens</span> &#8212; list PKCS#11 available tokens</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">pkcs11-tokens</code> 
-       [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
-       [<code class="option">-v</code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-v</code>]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>pkcs11-tokens</strong></span>
       lists the PKCS#11 available tokens with defaults from the slot/token
       scan performed at application initialization.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PKCS#11 provider module.  This must be the full
             path to a shared library object implementing the PKCS#11 API
             for the device.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Make the PKCS#11 libisc initialization verbose.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-destroy</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-list</span>(8)
-      </span>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/pkcs11/win32/pk11destroy.vcxproj.in b/bind/bind9/bin/pkcs11/win32/pk11destroy.vcxproj.in
index b8009780..54208f2e 100644
--- a/bind/bind9/bin/pkcs11/win32/pk11destroy.vcxproj.in
+++ b/bind/bind9/bin/pkcs11/win32/pk11destroy.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>pkcs11-destroy</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>pkcs11-destroy</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/pkcs11/win32/pk11keygen.vcxproj.in b/bind/bind9/bin/pkcs11/win32/pk11keygen.vcxproj.in
index 767dae55..915c6784 100644
--- a/bind/bind9/bin/pkcs11/win32/pk11keygen.vcxproj.in
+++ b/bind/bind9/bin/pkcs11/win32/pk11keygen.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>pkcs11-keygen</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>pkcs11-keygen</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/pkcs11/win32/pk11list.vcxproj.in b/bind/bind9/bin/pkcs11/win32/pk11list.vcxproj.in
index 10d05eaf..40e4f893 100644
--- a/bind/bind9/bin/pkcs11/win32/pk11list.vcxproj.in
+++ b/bind/bind9/bin/pkcs11/win32/pk11list.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>pkcs11-list</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>pkcs11-list</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/pkcs11/win32/pk11tokens.vcxproj.in b/bind/bind9/bin/pkcs11/win32/pk11tokens.vcxproj.in
index a5ee0228..463bbd36 100644
--- a/bind/bind9/bin/pkcs11/win32/pk11tokens.vcxproj.in
+++ b/bind/bind9/bin/pkcs11/win32/pk11tokens.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>pkcs11-tokens</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>pkcs11-tokens</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/python/Makefile.in b/bind/bind9/bin/python/Makefile.in
index aa678d47..25dc8383 100644
--- a/bind/bind9/bin/python/Makefile.in
+++ b/bind/bind9/bin/python/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/dnssec-checkds.8 b/bind/bind9/bin/python/dnssec-checkds.8
index 58013260..91bbdf77 100644
--- a/bind/bind9/bin/python/dnssec-checkds.8
+++ b/bind/bind9/bin/python/dnssec-checkds.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2012-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2012-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-checkds
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2013-01-01
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -83,5 +83,5 @@ binary\&. Used for testing\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2012-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/python/dnssec-checkds.docbook b/bind/bind9/bin/python/dnssec-checkds.docbook
index a9959fea..22c40f83 100644
--- a/bind/bind9/bin/python/dnssec-checkds.docbook
+++ b/bind/bind9/bin/python/dnssec-checkds.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-checkds">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-checkds">
   <info>
     <date>2013-01-01</date>
   </info>
@@ -41,6 +41,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/python/dnssec-checkds.html b/bind/bind9/bin/python/dnssec-checkds.html
index 84fa3cfc..690af4f6 100644
--- a/bind/bind9/bin/python/dnssec-checkds.html
+++ b/bind/bind9/bin/python/dnssec-checkds.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2012-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,106 +10,59 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-checkds</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-checkds"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-checkds</span>
-     &#8212; DNSSEC delegation consistency checking tool
-  </p>
+<p><span class="application">dnssec-checkds</span> &#8212; DNSSEC delegation consistency checking tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-checkds</code> 
-       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
-       {zone}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
-       {zone}
-   </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-checkds</code>  [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-checkds</strong></span>
+<p><span class="command"><strong>dnssec-checkds</strong></span>
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
       zone.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             If a <code class="option">file</code> is specified, then the zone is
             read from that file to find the DNSKEY records.  If not,
             then the DNSKEY records for the zone are looked up in the DNS.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Check for a DLV record in the specified lookaside domain,
             instead of checking for a DS record in the zone's parent.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a path to a <span class="command"><strong>dig</strong></span> binary.  Used
             for testing.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a path to a <span class="command"><strong>dnssec-dsfromkey</strong></span> binary.
             Used for testing.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dnssec-dsfromkey</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/python/dnssec-checkds.py.in b/bind/bind9/bin/python/dnssec-checkds.py.in
index ed5ac374..2817b795 100644
--- a/bind/bind9/bin/python/dnssec-checkds.py.in
+++ b/bind/bind9/bin/python/dnssec-checkds.py.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/dnssec-coverage.8 b/bind/bind9/bin/python/dnssec-coverage.8
index 295a1e5e..90f8a771 100644
--- a/bind/bind9/bin/python/dnssec-coverage.8
+++ b/bind/bind9/bin/python/dnssec-coverage.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-coverage
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-11
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -152,5 +152,5 @@ binary\&. Used for testing\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/python/dnssec-coverage.docbook b/bind/bind9/bin/python/dnssec-coverage.docbook
index cbbf773f..cb3f9a5a 100644
--- a/bind/bind9/bin/python/dnssec-coverage.docbook
+++ b/bind/bind9/bin/python/dnssec-coverage.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-coverage">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-coverage">
   <info>
     <date>2014-01-11</date>
   </info>
@@ -39,6 +39,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/python/dnssec-coverage.html b/bind/bind9/bin/python/dnssec-coverage.html
index 83b881a2..b16fb1d8 100644
--- a/bind/bind9/bin/python/dnssec-coverage.html
+++ b/bind/bind9/bin/python/dnssec-coverage.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,51 +10,26 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-coverage</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-coverage"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-coverage</span>
-     &#8212; checks future DNSKEY coverage for a zone
-  </p>
+<p><span class="application">dnssec-coverage</span> &#8212; checks future DNSKEY coverage for a zone</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-coverage</code> 
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
-       [<code class="option">-k</code>]
-       [<code class="option">-z</code>]
-       [zone...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone...]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-coverage</strong></span>
+<p><span class="command"><strong>dnssec-coverage</strong></span>
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
       coverage.
     </p>
-    <p>
+<p>
       If <code class="option">zone</code> is specified, then keys found in
       the key repository matching that zone are scanned, and an ordered
       list is generated of the events scheduled for that key (i.e.,
@@ -67,54 +42,47 @@
       key is rolled, and cached data signed by the prior key has not had
       time to expire from resolver caches.
     </p>
-    <p>
+<p>
       If <code class="option">zone</code> is not specified, then all keys in the
       key repository will be scanned, and all zones for which there are
       keys will be analyzed.  (Note: This method of reporting is only
       accurate if all the zones that have keys in a given repository
       share the same TTL parameters.)
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the directory in which keys can be found.  Defaults to the
             current working directory.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             If a <code class="option">file</code> is specified, then the zone is
             read from that file; the largest TTL and the DNSKEY TTL are
             determined directly from the zone data, and the
             <code class="option">-m</code> and <code class="option">-d</code> options do
             not need to be specified on the command line.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
 <dd>
-          <p>
+<p>
             The length of time to check for DNSSEC coverage.  Key events
             scheduled further into the future than <code class="option">duration</code>
             will be ignored, and assumed to be correct.
           </p>
-          <p>
+<p>
             The value of <code class="option">duration</code> can be set in seconds,
             or in larger units of time by adding a suffix: 'mi' for minutes,
             'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
             'y' for years.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the value to be used as the maximum TTL for the zone or
             zones being analyzed when determining whether there is a
             possibility of validation failure.  When a zone-signing key is
@@ -123,26 +91,26 @@
             before that key can be purged from the DNSKEY RRset.  If that
             condition does not apply, a warning will be generated.
           </p>
-          <p>
+<p>
             The length of the TTL can be set in seconds, or in larger units
             of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
-          <p>
+<p>
             This option is not necessary if the <code class="option">-f</code> has
             been used to specify a zone file.  If <code class="option">-f</code> has
             been specified, this option may still be used; it will override
             the value found in the file.
           </p>
-          <p>
+<p>
             If this option is not used and the maximum TTL cannot be retrieved
             from a zone file, a warning is generated and a default value of
             1 week is used.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the value to be used as the DNSKEY TTL for the zone or
             zones being analyzed when determining whether there is a
             possibility of validation failure.  When a key is rolled (that
@@ -151,12 +119,12 @@
             the new key is activated and begins generating signatures.  If
             that condition does not apply, a warning will be generated.
           </p>
-          <p>
+<p>
             The length of the TTL can be set in seconds, or in larger units
             of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
-          <p>
+<p>
             This option is not necessary if <code class="option">-f</code> has
             been used to specify a zone file from which the TTL
             of the DNSKEY RRset can be read, or if a default key TTL was
@@ -165,15 +133,15 @@
             this option may still be used; it will override the values
             found in the zone file or the key file.
           </p>
-          <p>
+<p>
             If this option is not used and the key TTL cannot be retrieved
             from the zone file or the key file, then a warning is generated
             and a default value of 1 day is used.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the value to be used as the resign interval for the zone
             or zones being analyzed when determining whether there is a
             possibility of validation failure.  This value defaults to
@@ -183,54 +151,37 @@
             <code class="filename">named.conf</code>, then it should also be
             changed here.
           </p>
-          <p>
+<p>
             The length of the interval can be set in seconds, or in larger
             units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-k</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Only check KSK coverage; ignore ZSK events. Cannot be
             used with <code class="option">-z</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-z</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Only check ZSK coverage; ignore KSK events. Cannot be
             used with <code class="option">-k</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
             Used for testing.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-checkds</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-dsfromkey</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/python/dnssec-coverage.py.in b/bind/bind9/bin/python/dnssec-coverage.py.in
index 8518dc3b..248679d9 100644
--- a/bind/bind9/bin/python/dnssec-coverage.py.in
+++ b/bind/bind9/bin/python/dnssec-coverage.py.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/dnssec-keymgr.8 b/bind/bind9/bin/python/dnssec-keymgr.8
index 6441e725..ecf4f034 100644
--- a/bind/bind9/bin/python/dnssec-keymgr.8
+++ b/bind/bind9/bin/python/dnssec-keymgr.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2016-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2016-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-keymgr
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2016-06-03
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -303,5 +303,5 @@ Allow configuration of standby keys and use of the REVOKE bit, for keys that use
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2016-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2016-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/python/dnssec-keymgr.docbook b/bind/bind9/bin/python/dnssec-keymgr.docbook
index 38b94881..67cf22f4 100644
--- a/bind/bind9/bin/python/dnssec-keymgr.docbook
+++ b/bind/bind9/bin/python/dnssec-keymgr.docbook
@@ -3,13 +3,13 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keymgr">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keymgr">
   <info>
     <date>2016-06-03</date>
   </info>
@@ -36,6 +36,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/python/dnssec-keymgr.html b/bind/bind9/bin/python/dnssec-keymgr.html
index 7bf7d5e1..d20bff6d 100644
--- a/bind/bind9/bin/python/dnssec-keymgr.html
+++ b/bind/bind9/bin/python/dnssec-keymgr.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2016-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2016-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,53 +10,28 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keymgr</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnssec-keymgr"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-keymgr</span>
-     &#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy
-  </p>
+<p><span class="application">dnssec-keymgr</span> &#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-keymgr</code> 
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
-       [<code class="option">-f</code>]
-       [<code class="option">-k</code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-z</code>]
-       [<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>path</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
-       [zone...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnssec-keymgr</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-c <em class="replaceable"><code>file</code></em></code>] [<code class="option">-f</code>] [<code class="option">-k</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-z</code>] [<code class="option">-g <em class="replaceable"><code>path</code></em></code>] [<code class="option">-r <em class="replaceable"><code>path</code></em></code>] [<code class="option">-s <em class="replaceable"><code>path</code></em></code>] [zone...]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-    <p>
+<p>
       <span class="command"><strong>dnssec-keymgr</strong></span> is a high level Python wrapper
       to facilitate the key rollover process for zones handled by
       BIND. It uses the BIND commands for manipulating DNSSEC key
       metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
       <span class="command"><strong>dnssec-settime</strong></span>.
     </p>
-    <p>
+<p>
       DNSSEC policy can be read from a configuration file (default
       <code class="filename">/etc/dnssec-policy.conf</code>), from which the
       key parameters, publication and rollover schedule, and desired
@@ -65,14 +40,14 @@
       per-zone basis, or to set a "<code class="literal">default</code>" policy
       used for all zones.
     </p>
-    <p>
+<p>
       When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
       keys for one or more zones, comparing their timing metadata against
       the policies for those zones.  If key settings do not conform to the
       DNSSEC policy (for example, because the policy has been changed),
       they are automatically corrected.
     </p>
-    <p>
+<p>
       A zone policy can specify a duration for which we want to
       ensure the key correctness (<code class="option">coverage</code>).  It can
       also specify a rollover period (<code class="option">roll-period</code>).
@@ -80,47 +55,43 @@
       coverage period ends, then a successor key will automatically be
       created and added to the end of the key series.
     </p>
-    <p>
+<p>
       If zones are specified on the command line,
       <span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
       If a specified zone does not already have keys in place, then
       keys will be generated for it according to policy.
     </p>
-    <p>
+<p>
       If zones are <span class="emphasis"><em>not</em></span> specified on the command
       line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
       key directory (either the current working directory or the directory
       set by the <code class="option">-K</code> option), and check the keys for
       all the zones represented in the directory.
     </p>
-    <p>
+<p>
       Key times that are in the past will not be updated unless
       the <code class="option">-f</code> is used (see below).  Key inactivation
       and deletion times that are less than five minutes in the future
       will be delayed by five minutes.
     </p>
-    <p>
+<p>
       It is expected that this tool will be run automatically and
       unattended (for example, by <span class="command"><strong>cron</strong></span>).
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    If <code class="option">-c</code> is specified, then the DNSSEC
 	    policy is read from <code class="option">file</code>.  (If not
 	    specified, then the policy is read from
 	    <code class="filename">/etc/dnssec-policy.conf</code>; if that file
 	    doesn't exist, a built-in global default policy is used.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-f</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Force: allow updating of key events even if they are
 	    already in the past. This is not recommended for use with
 	    zones in which keys have already been published. However,
@@ -129,86 +100,65 @@
 	    keys have not been published in a zone as yet, then this
 	    option can be used to clean them up and turn them into a
 	    proper series of keys with appropriate rollover intervals.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
 	    Used for testing.
 	    See also the <code class="option">-s</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
 	    and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the directory in which keys can be found.  Defaults to the
 	    current working directory.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Only apply policies to KSK keys.
 	    See also the <code class="option">-z</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
 	    and <span class="command"><strong>dnssec-settime</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies a path to a file containing random data.
 	    This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
 	    using its <code class="option">-r</code> option.
 
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
 	    Used for testing.
 	    See also the <code class="option">-g</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-z</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Only apply policies to ZSK keys.
 	    See also the <code class="option">-k</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>POLICY CONFIGURATION</h2>
-    <p>
+<p>
       The <code class="filename">dnssec-policy.conf</code> file can specify three kinds
       of policies:
     </p>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
 	  <span class="emphasis"><em>Policy classes</em></span>
 	  (<code class="option">policy <em class="replaceable"><code>name</code></em> { ... };</code>)
 	  can be inherited by zone policies or other policy classes; these
@@ -217,20 +167,16 @@
 	  1024-bit key sizes, but a class <strong class="userinput"><code>extra</code></strong> might
 	  specify 2048 bits instead; <strong class="userinput"><code>extra</code></strong> would be
 	  used for zones that had unusually high security needs.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
+	</p></li>
+<li class="listitem"><p>
 	  <span class="emphasis"><em>Algorithm policies:</em></span>
 	  (<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
 	  override default per-algorithm settings.  For example, by default,
 	  RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
 	  can be modified using <span class="command"><strong>algorithm-policy</strong></span>, and the
 	  new key sizes would then be used for any key of type RSASHA256.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
+	</p></li>
+<li class="listitem"><p>
 	  <span class="emphasis"><em>Zone policies:</em></span>
 	  (<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
 	  set policy for a single zone by name. A zone policy can inherit
@@ -238,25 +184,21 @@
 	  Zone names beginning with digits (i.e., 0-9) must be quoted.
 	  If a zone does not have its own policy then the
 	  "<code class="literal">default</code>" policy applies.
-	</p>
-      </li>
+	</p></li>
 </ul></div>
-    <p>
+<p>
       Options that can be specified in policies:
     </p>
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>algorithm</strong></span>
 	  <em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The key algorithm. If no policy is defined, the default is
 	    RSASHA256.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>coverage</strong></span>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The length of time to ensure that keys will be correct; no action
 	    will be taken to create new keys to be activated after this time.
 	    This can be represented as a number of seconds, or as a duration
@@ -264,119 +206,89 @@
 	    A default value for this option can be set in algorithm policies
 	    as well as in policy classes or zone policies.
 	    If no policy is configured, the default is six months.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>directory</strong></span>
 	  <em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the directory in which keys should be stored.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the number of bits to use in creating keys.
 	    The keytype is either "zsk" or "ksk".
 	    A default value for this option can be set in algorithm policies
 	    as well as in policy classes or zone policies. If no policy is
 	    configured, the default is 1024 bits for DSA keys and 2048 for
 	    RSA.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>keyttl</strong></span>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The key TTL. If no policy is defined, the default is one hour.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    How long after inactivation a key should be deleted from the zone.
 	    Note: If <code class="option">roll-period</code> is not set, this value is
 	    ignored. The keytype is either "zsk" or "ksk".
 	    A default duration for this option can be set in algorithm
 	    policies as well as in policy classes or zone policies. The default
 	    is one month.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    How long before activation a key should be published.  Note: If
 	    <code class="option">roll-period</code> is not set, this value is ignored.
 	    The keytype is either "zsk" or "ksk".
 	    A default duration for this option can be set in algorithm policies
 	    as well as in policy classes or zone policies.  The default is
 	    one month.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    How frequently keys should be rolled over.
 	    The keytype is either "zsk" or "ksk".
 	    A default duration for this option can be set in algorithm policies
 	    as well as in policy classes or zone policies.  If no policy is
 	    configured, the default is one year for ZSKs. KSKs do not
 	    roll over by default.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Not yet implemented.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>REMAINING WORK</h2>
-  <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-      <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
 	Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
 	and <code class="option">-D sync</code> options to
 	<span class="command"><strong>dnssec-keygen</strong></span> and
 	<span class="command"><strong>dnssec-settime</strong></span>.  Check the parent zone
 	(as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
 	safe for the key to roll.
-      </p>
-    </li>
-<li class="listitem">
-      <p>
+      </p></li>
+<li class="listitem"><p>
 	Allow configuration of standby keys and use of the REVOKE bit,
 	for keys that use RFC 5011 semantics.
-      </p>
-    </li>
+      </p></li>
 </ul></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-    <p>
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-coverage</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-settime</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-checkds</span>(8)
-      </span>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-coverage</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/python/dnssec-keymgr.py.in b/bind/bind9/bin/python/dnssec-keymgr.py.in
index c8453a78..657e7a65 100644
--- a/bind/bind9/bin/python/dnssec-keymgr.py.in
+++ b/bind/bind9/bin/python/dnssec-keymgr.py.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/Makefile.in b/bind/bind9/bin/python/isc/Makefile.in
index ec17b6bd..53a836b7 100644
--- a/bind/bind9/bin/python/isc/Makefile.in
+++ b/bind/bind9/bin/python/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/__init__.py.in b/bind/bind9/bin/python/isc/__init__.py.in
index 916333c3..3edd59fd 100644
--- a/bind/bind9/bin/python/isc/__init__.py.in
+++ b/bind/bind9/bin/python/isc/__init__.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/checkds.py.in b/bind/bind9/bin/python/isc/checkds.py.in
index 9d6429c0..01a59d5a 100644
--- a/bind/bind9/bin/python/isc/checkds.py.in
+++ b/bind/bind9/bin/python/isc/checkds.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/coverage.py.in b/bind/bind9/bin/python/isc/coverage.py.in
index fe591431..46574180 100644
--- a/bind/bind9/bin/python/isc/coverage.py.in
+++ b/bind/bind9/bin/python/isc/coverage.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/dnskey.py.in b/bind/bind9/bin/python/isc/dnskey.py.in
index 8d7e8dbd..6f877edb 100644
--- a/bind/bind9/bin/python/isc/dnskey.py.in
+++ b/bind/bind9/bin/python/isc/dnskey.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/eventlist.py.in b/bind/bind9/bin/python/isc/eventlist.py.in
index f11bba3a..6fa8295e 100644
--- a/bind/bind9/bin/python/isc/eventlist.py.in
+++ b/bind/bind9/bin/python/isc/eventlist.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -45,7 +45,7 @@ class eventlist:
                                             key=lambda event: event.when)
 
     # scan events per zone, algorithm, and key type, in order of
-    # occurrance, noting inconsistent states when found
+    # occurrence, noting inconsistent states when found
     def coverage(self, zone, keytype, until, output = None):
         def noop(*args, **kwargs): pass
         if not output:
diff --git a/bind/bind9/bin/python/isc/keydict.py.in b/bind/bind9/bin/python/isc/keydict.py.in
index e4dcb08f..a1b669c1 100644
--- a/bind/bind9/bin/python/isc/keydict.py.in
+++ b/bind/bind9/bin/python/isc/keydict.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/keyevent.py.in b/bind/bind9/bin/python/isc/keyevent.py.in
index cfc935a6..7f9a2827 100644
--- a/bind/bind9/bin/python/isc/keyevent.py.in
+++ b/bind/bind9/bin/python/isc/keyevent.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/keymgr.py.in b/bind/bind9/bin/python/isc/keymgr.py.in
index c193daa4..18857966 100644
--- a/bind/bind9/bin/python/isc/keymgr.py.in
+++ b/bind/bind9/bin/python/isc/keymgr.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/keyseries.py.in b/bind/bind9/bin/python/isc/keyseries.py.in
index 2f4906f8..689d35bc 100644
--- a/bind/bind9/bin/python/isc/keyseries.py.in
+++ b/bind/bind9/bin/python/isc/keyseries.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/keyzone.py.in b/bind/bind9/bin/python/isc/keyzone.py.in
index bc8c51d7..0c0d714c 100644
--- a/bind/bind9/bin/python/isc/keyzone.py.in
+++ b/bind/bind9/bin/python/isc/keyzone.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/policy.py.in b/bind/bind9/bin/python/isc/policy.py.in
index f7829fa3..021c6583 100644
--- a/bind/bind9/bin/python/isc/policy.py.in
+++ b/bind/bind9/bin/python/isc/policy.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/rndc.py.in b/bind/bind9/bin/python/isc/rndc.py.in
index e1a3e777..58ff267f 100644
--- a/bind/bind9/bin/python/isc/rndc.py.in
+++ b/bind/bind9/bin/python/isc/rndc.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/tests/Makefile.in b/bind/bind9/bin/python/isc/tests/Makefile.in
index 60b9bd77..329ffdaf 100644
--- a/bind/bind9/bin/python/isc/tests/Makefile.in
+++ b/bind/bind9/bin/python/isc/tests/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/tests/dnskey_test.py.in b/bind/bind9/bin/python/isc/tests/dnskey_test.py.in
index 91d52452..3401c0d9 100644
--- a/bind/bind9/bin/python/isc/tests/dnskey_test.py.in
+++ b/bind/bind9/bin/python/isc/tests/dnskey_test.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/tests/policy_test.py.in b/bind/bind9/bin/python/isc/tests/policy_test.py.in
index b09c62f8..0444da18 100644
--- a/bind/bind9/bin/python/isc/tests/policy_test.py.in
+++ b/bind/bind9/bin/python/isc/tests/policy_test.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/tests/test-policies/01-keysize.pol b/bind/bind9/bin/python/isc/tests/test-policies/01-keysize.pol
index 8b62c5fd..0b716eb9 100644
--- a/bind/bind9/bin/python/isc/tests/test-policies/01-keysize.pol
+++ b/bind/bind9/bin/python/isc/tests/test-policies/01-keysize.pol
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/tests/test-policies/02-prepublish.pol b/bind/bind9/bin/python/isc/tests/test-policies/02-prepublish.pol
index bd353866..9d9ee575 100644
--- a/bind/bind9/bin/python/isc/tests/test-policies/02-prepublish.pol
+++ b/bind/bind9/bin/python/isc/tests/test-policies/02-prepublish.pol
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/tests/test-policies/03-postpublish.pol b/bind/bind9/bin/python/isc/tests/test-policies/03-postpublish.pol
index 4d4a8efa..aadccacf 100644
--- a/bind/bind9/bin/python/isc/tests/test-policies/03-postpublish.pol
+++ b/bind/bind9/bin/python/isc/tests/test-policies/03-postpublish.pol
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/tests/test-policies/04-combined-pre-post.pol b/bind/bind9/bin/python/isc/tests/test-policies/04-combined-pre-post.pol
index d612d816..1a8aba8e 100644
--- a/bind/bind9/bin/python/isc/tests/test-policies/04-combined-pre-post.pol
+++ b/bind/bind9/bin/python/isc/tests/test-policies/04-combined-pre-post.pol
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/tests/test-policies/05-numeric-zone.pol b/bind/bind9/bin/python/isc/tests/test-policies/05-numeric-zone.pol
index 1db8c08a..40fe459b 100644
--- a/bind/bind9/bin/python/isc/tests/test-policies/05-numeric-zone.pol
+++ b/bind/bind9/bin/python/isc/tests/test-policies/05-numeric-zone.pol
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/isc/utils.py.in b/bind/bind9/bin/python/isc/utils.py.in
index 02418719..18dfbc47 100644
--- a/bind/bind9/bin/python/isc/utils.py.in
+++ b/bind/bind9/bin/python/isc/utils.py.in
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/python/setup.py b/bind/bind9/bin/python/setup.py
index c50f6d1a..ba71971e 100644
--- a/bind/bind9/bin/python/setup.py
+++ b/bind/bind9/bin/python/setup.py
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/rndc/Makefile.in b/bind/bind9/bin/rndc/Makefile.in
index 1e63b553..3a7d6da4 100644
--- a/bind/bind9/bin/rndc/Makefile.in
+++ b/bind/bind9/bin/rndc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/rndc/include/rndc/os.h b/bind/bind9/bin/rndc/include/rndc/os.h
index 6346b2b4..a65f3836 100644
--- a/bind/bind9/bin/rndc/include/rndc/os.h
+++ b/bind/bind9/bin/rndc/include/rndc/os.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/rndc/rndc.8 b/bind/bind9/bin/rndc/rndc.8
index b9d28174..de58c29f 100644
--- a/bind/bind9/bin/rndc/rndc.8
+++ b/bind/bind9/bin/rndc/rndc.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: rndc
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2014-08-15
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -371,7 +371,8 @@ All of these options can be shortened, i\&.e\&., to
 Enable or disable query logging\&. (For backward compatibility, this command can also be used without an argument to toggle query logging on and off\&.)
 .sp
 Query logging can also be enabled by explicitly directing the
-\fBqueries\fR\fBcategory\fR
+\fBqueries\fR
+\fBcategory\fR
 to a
 \fBchannel\fR
 in the
@@ -625,5 +626,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/rndc/rndc.c b/bind/bind9/bin/rndc/rndc.c
index 9eb0ce0c..93fa2d5b 100644
--- a/bind/bind9/bin/rndc/rndc.c
+++ b/bind/bind9/bin/rndc/rndc.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -214,6 +214,8 @@ get_addresses(const char *host, in_port_t port) {
 	isc_result_t result;
 	int found = 0, count;
 
+	REQUIRE(host != NULL);
+
 	if (*host == '/') {
 		result = isc_sockaddr_frompath(&serveraddrs[nserveraddrs],
 					       host);
@@ -944,8 +946,9 @@ main(int argc, char **argv) {
 	if (strcmp(command, "restart") == 0)
 		fatal("'%s' is not implemented", command);
 
-	if (nserveraddrs == 0)
+	if (nserveraddrs == 0 && servername != NULL) {
 		get_addresses(servername, (in_port_t) remoteport);
+	}
 
 	DO("post event", isc_app_onrun(rndc_mctx, task, rndc_start, NULL));
 
diff --git a/bind/bind9/bin/rndc/rndc.conf b/bind/bind9/bin/rndc/rndc.conf
index 68003315..96d435c9 100644
--- a/bind/bind9/bin/rndc/rndc.conf
+++ b/bind/bind9/bin/rndc/rndc.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/rndc/rndc.conf.5 b/bind/bind9/bin/rndc/rndc.conf.5
index c60473e8..a99b41e4 100644
--- a/bind/bind9/bin/rndc/rndc.conf.5
+++ b/bind/bind9/bin/rndc/rndc.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: rndc.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2013-03-14
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -230,5 +230,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/rndc/rndc.conf.docbook b/bind/bind9/bin/rndc/rndc.conf.docbook
index 91ec9ba7..2c1d5042 100644
--- a/bind/bind9/bin/rndc/rndc.conf.docbook
+++ b/bind/bind9/bin/rndc/rndc.conf.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc.conf">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc.conf">
   <info>
     <date>2013-03-14</date>
   </info>
@@ -44,6 +44,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/rndc/rndc.conf.html b/bind/bind9/bin/rndc/rndc.conf.html
index 7dee2d68..e75072ac 100644
--- a/bind/bind9/bin/rndc/rndc.conf.html
+++ b/bind/bind9/bin/rndc/rndc.conf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,36 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.rndc.conf"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <code class="filename">rndc.conf</code>
-     &#8212; rndc configuration file
-  </p>
+<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">rndc.conf</code> 
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><code class="filename">rndc.conf</code> is the configuration file
+<p><code class="filename">rndc.conf</code> is the configuration file
       for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
       <code class="filename">named.conf</code>.  Statements are enclosed
@@ -47,21 +32,21 @@
       the statements are also semi-colon terminated.  The usual
       comment styles are supported:
     </p>
-    <p>
+<p>
       C style: /* */
     </p>
-    <p>
+<p>
       C++ style: // to end of line
     </p>
-    <p>
+<p>
       Unix style: # to end of line
     </p>
-    <p><code class="filename">rndc.conf</code> is much simpler than
+<p><code class="filename">rndc.conf</code> is much simpler than
       <code class="filename">named.conf</code>.  The file uses three
       statements: an options statement, a server statement
       and a key statement.
     </p>
-    <p>
+<p>
       The <code class="option">options</code> statement contains five clauses.
       The <code class="option">default-server</code> clause is followed by the
       name or address of a name server.  This host will be used when
@@ -84,7 +69,7 @@
       can be used to set the IPv4 and IPv6 source addresses
       respectively.
     </p>
-    <p>
+<p>
       After the <code class="option">server</code> keyword, the server
       statement includes a string which is the hostname or address
       for a name server.  The statement has three possible clauses:
@@ -98,7 +83,7 @@
       of supplied then these will be used to specify the IPv4 and IPv6
       source addresses respectively.
     </p>
-    <p>
+<p>
       The <code class="option">key</code> statement begins with an identifying
       string, the name of the key.  The statement has two clauses.
       <code class="option">algorithm</code> identifies the authentication algorithm
@@ -109,7 +94,7 @@
       the base-64 encoding of the algorithm's authentication key.  The
       base-64 string is enclosed in double quotes.
     </p>
-    <p>
+<p>
       There are two common ways to generate the base-64 string for the
       secret.  The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
       can
@@ -122,13 +107,10 @@
       ship with BIND 9 but is available on many systems.  See the
       EXAMPLE section for sample command lines for each.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>EXAMPLE</h2>
-
-
-    <pre class="programlisting">
+<pre class="programlisting">
       options {
         default-server  localhost;
         default-key     samplekey;
@@ -136,14 +118,14 @@
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
       server localhost {
         key             samplekey;
       };
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
       server testserver {
         key		testkey;
         addresses	{ localhost port 5353; };
@@ -151,7 +133,7 @@
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
       key samplekey {
         algorithm       hmac-sha256;
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
@@ -159,7 +141,7 @@
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
       key testkey {
         algorithm	hmac-sha256;
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
@@ -167,8 +149,7 @@
     </pre>
 <p>
     </p>
-
-    <p>
+<p>
       In the above example, <span class="command"><strong>rndc</strong></span> will by
       default use
       the server at localhost (127.0.0.1) and the key called samplekey.
@@ -178,16 +159,16 @@
       uses the HMAC-SHA256 algorithm and its secret clause contains the
       base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
     </p>
-    <p>
+<p>
       If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
       connect to server on localhost port 5353 using the key testkey.
     </p>
-    <p>
+<p>
       To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
     </p>
-    <p><strong class="userinput"><code>rndc-confgen</code></strong>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
-    <p>
+<p>
       A complete <code class="filename">rndc.conf</code> file, including
       the
       randomly generated key, will be written to the standard
@@ -195,40 +176,29 @@
       <code class="option">controls</code> statements for
       <code class="filename">named.conf</code> are also printed.
     </p>
-    <p>
+<p>
       To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
     </p>
-    <p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
+<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>NAME SERVER CONFIGURATION</h2>
-
-    <p>
+<p>
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the <code class="filename">rndc.conf</code>
       file, using the controls statement in <code class="filename">named.conf</code>.
       See the sections on the <code class="option">controls</code> statement in the
       BIND 9 Administrator Reference Manual for details.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">rndc</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc-confgen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">mmencode</span>(1)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/rndc/rndc.docbook b/bind/bind9/bin/rndc/rndc.docbook
index e14a17ea..c700139f 100644
--- a/bind/bind9/bin/rndc/rndc.docbook
+++ b/bind/bind9/bin/rndc/rndc.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
   <info>
     <date>2014-08-15</date>
   </info>
@@ -45,6 +45,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/rndc/rndc.html b/bind/bind9/bin/rndc/rndc.html
index f42fb2cd..a7382a2d 100644
--- a/bind/bind9/bin/rndc/rndc.html
+++ b/bind/bind9/bin/rndc/rndc.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,46 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.rndc"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">rndc</span>
-     &#8212; name server control utility
-  </p>
+<p><span class="application">rndc</span> &#8212; name server control utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">rndc</code> 
-       [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>server</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-r</code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>]
-       {command}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>rndc</strong></span>
+<p><span class="command"><strong>rndc</strong></span>
       controls the operation of a name
       server.  It supersedes the <span class="command"><strong>ndc</strong></span> utility
       that was provided in old BIND releases.  If
@@ -58,7 +33,7 @@
       supported commands and the available options and their
       arguments.
     </p>
-    <p><span class="command"><strong>rndc</strong></span>
+<p><span class="command"><strong>rndc</strong></span>
       communicates with the name server over a TCP connection, sending
       commands authenticated with digital signatures.  In the current
       versions of
@@ -72,38 +47,30 @@
       over the channel must be signed by a key_id known to the
       server.
     </p>
-    <p><span class="command"><strong>rndc</strong></span>
+<p><span class="command"><strong>rndc</strong></span>
       reads a configuration file to
       determine how to contact the name server and decide what
       algorithm and key it should use.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use <em class="replaceable"><code>source-address</code></em>
 	    as the source address for the connection to the server.
 	    Multiple instances are permitted to allow setting of both
 	    the IPv4 and IPv6 source addresses.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use <em class="replaceable"><code>config-file</code></em>
 	    as the configuration file instead of the default,
 	    <code class="filename">/etc/rndc.conf</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use <em class="replaceable"><code>key-file</code></em>
 	    as the key file instead of the default,
 	    <code class="filename">/etc/rndc.key</code>.  The key in
@@ -111,52 +78,40 @@
 	    authenticate
 	    commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
 	    does not exist.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
-<dd>
-	  <p><em class="replaceable"><code>server</code></em> is
+<dd><p><em class="replaceable"><code>server</code></em> is
 	    the name or address of the server which matches a
 	    server statement in the configuration file for
 	    <span class="command"><strong>rndc</strong></span>.  If no server is supplied on the
 	    command line, the host named by the default-server clause
 	    in the options statement of the <span class="command"><strong>rndc</strong></span>
 	    configuration file will be used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Send commands to TCP port
 	    <em class="replaceable"><code>port</code></em>
 	    instead
 	    of BIND 9's default control channel port, 953.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Quiet mode: Message text returned by the server
 	    will not be printed except when there is an error.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Instructs <span class="command"><strong>rndc</strong></span> to print the result code
 	    returned by <span class="command"><strong>named</strong></span> after executing the
 	    requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Enable verbose logging.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use the key <em class="replaceable"><code>key_id</code></em>
 	    from the configuration file.
 	    <em class="replaceable"><code>key_id</code></em>
@@ -172,26 +127,22 @@
 	    which are used to send authenticated control commands
 	    to name servers.  It should therefore not have general read
 	    or write access.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>COMMANDS</h2>
-
-    <p>
+<p>
       A list of commands supported by <span class="command"><strong>rndc</strong></span> can
       be seen by running <span class="command"><strong>rndc</strong></span> without arguments.
     </p>
-    <p>
+<p>
       Currently supported commands are:
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Add a zone while the server is running.  This
 	    command requires the
 	    <span class="command"><strong>allow-new-zones</strong></span> option to be set
@@ -201,7 +152,7 @@
 	    configuration text that would ordinarily be
 	    placed in <code class="filename">named.conf</code>.
 	  </p>
-	  <p>
+<p>
 	    The configuration is saved in a file called
 	    <code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
 	    where <em class="replaceable"><code>name</code></em> is the
@@ -214,28 +165,28 @@
 	    configuration, so that zones that were added
 	    can persist after a restart.
 	  </p>
-	  <p>
+<p>
 	    This sample <span class="command"><strong>addzone</strong></span> command
 	    would add the zone <code class="literal">example.com</code>
 	    to the default view:
 	  </p>
-	  <p>
+<p>
 <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
 	  </p>
-	  <p>
+<p>
 	    (Note the brackets and semi-colon around the zone
 	    configuration text.)
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc delzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Delete a zone while the server is running.
 	  </p>
-	  <p>
+<p>
 	    If the <code class="option">-clean</code> argument is specified,
 	    the zone's master file (and journal file, if any)
 	    will be deleted along with the zone.  Without the
@@ -245,7 +196,7 @@
 	    be cleaned up will be reported in the output
 	    of the <span class="command"><strong>rndc delzone</strong></span> command.)
 	  </p>
-	  <p>
+<p>
 	    If the zone was originally added via
 	    <span class="command"><strong>rndc addzone</strong></span>, then it will be
 	    removed permanently. However, if it was originally
@@ -255,13 +206,12 @@
 	    come back. To remove it permanently, it must also be
 	    removed from <code class="filename">named.conf</code>
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>dnstap ( -reopen | -roll [<span class="optional"><em class="replaceable"><code>number</code></em></span>] )</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Close and re-open DNSTAP output files.
 	    <span class="command"><strong>rndc dnstap -reopen</strong></span> allows the output
 	    file to be renamed externally, so
@@ -272,43 +222,34 @@
 	    previous most recent output file is moved to ".1", and so on.
 	    If <em class="replaceable"><code>number</code></em> is specified, then the
 	    number of backup log files is limited to that number.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Dump the server's caches (default) and/or zones to
 	    the dump file for the specified views.  If no view
             is specified, all views are dumped.
 	    (See the <span class="command"><strong>dump-file</strong></span> option in
 	    the BIND 9 Administrator Reference Manual.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Flushes the server's cache.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Flushes the given name from the view's DNS cache
 	    and, if applicable, from the view's nameserver address
 	    database, bad server cache and SERVFAIL cache.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Flushes the given name, and all of its subdomains,
 	    from the view's DNS cache, address database,
 	    bad server cache, and SERVFAIL cache.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Suspend updates to a dynamic zone.  If no zone is
 	    specified, then all zones are suspended.  This allows
 	    manual edits to be made to a zone normally updated by
@@ -317,13 +258,13 @@
 	    All dynamic update attempts will be refused while
 	    the zone is frozen.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc thaw</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Stop the server immediately.  Recent changes
 	    made through dynamic update or IXFR are not saved to
 	    the master files, but will be rolled forward from the
@@ -332,13 +273,13 @@
 	    This allows an external process to determine when <span class="command"><strong>named</strong></span>
 	    had completed halting.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc stop</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Fetch all DNSSEC keys for the given zone
 	    from the key directory.  If they are within
 	    their publication period, merge them into the
@@ -347,7 +288,7 @@
 	    immediately re-signed by the new keys, but is
 	    allowed to incrementally re-sign over time.
 	  </p>
-	  <p>
+<p>
 	    This command requires that the
 	    <span class="command"><strong>auto-dnssec</strong></span> zone option
 	    be set to <code class="literal">maintain</code>,
@@ -356,10 +297,9 @@
 	    (See "Dynamic Update Policies" in the Administrator
 	    Reference Manual for more details.)
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    When run with the "status" keyword, print the current
 	    status of the managed-keys database for the specified
 	    view, or for all views if none is specified.  When run
@@ -369,11 +309,10 @@
 	    immediate dump of the managed-keys database to disk (in
 	    the file <code class="filename">managed-keys.bind</code> or
 	    (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Modify the configuration of a zone while the server
 	    is running.  This command requires the
 	    <span class="command"><strong>allow-new-zones</strong></span> option to be
@@ -384,7 +323,7 @@
 	    configuration text that would ordinarily be
 	    placed in <code class="filename">named.conf</code>.
 	  </p>
-	  <p>
+<p>
 	    If the zone was originally added via
 	    <span class="command"><strong>rndc addzone</strong></span>, the configuration
 	    changes will be recorded permanently and will still be
@@ -397,32 +336,30 @@
 	    permanent, it must also be modified in
 	    <code class="filename">named.conf</code>
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Resend NOTIFY messages for the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sets the server's debugging level to 0.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc trace</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>nta
 	    [<span class="optional">( -class <em class="replaceable"><code>class</code></em> | -dump | -force | -remove | -lifetime <em class="replaceable"><code>duration</code></em>)</span>]
 	<em class="replaceable"><code>domain</code></em>
 	[<span class="optional"><em class="replaceable"><code>view</code></em></span>]
 	</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sets a DNSSEC negative trust anchor (NTA)
 	    for <code class="option">domain</code>, with a lifetime of
 	    <code class="option">duration</code>.  The default lifetime is
@@ -430,7 +367,7 @@
 	    <code class="option">nta-lifetime</code> option, and defaults to
 	    one hour.  The lifetime cannot exceed one week.
 	  </p>
-	  <p>
+<p>
 	    A negative trust anchor selectively disables
 	    DNSSEC validation for zones that are known to be
 	    failing because of misconfiguration rather than
@@ -441,7 +378,7 @@
 	    insecure rather than bogus.  This continues until the
 	    NTA's lifetime is elapsed.
 	  </p>
-	  <p>
+<p>
 	    NTAs persist across restarts of the <span class="command"><strong>named</strong></span> server.
 	    The NTAs for a view are saved in a file called
 	    <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
@@ -451,11 +388,11 @@
 	    cryptographic hash generated from the name
 	    of the view.
 	  </p>
-	  <p>
+<p>
 	    An existing NTA can be removed by using the
 	    <code class="option">-remove</code> option.
 	  </p>
-	  <p>
+<p>
 	    An NTA's lifetime can be specified with the
 	    <code class="option">-lifetime</code> option.  TTL-style
 	    suffixes can be used to specify the lifetime in
@@ -464,13 +401,13 @@
 	    new value.  Setting <code class="option">lifetime</code> to zero
 	    is equivalent to <code class="option">-remove</code>.
 	  </p>
-	  <p>
+<p>
 	    If the <code class="option">-dump</code> is used, any other arguments
 	    are ignored, and a list of existing NTAs is printed
 	    (note that this may include NTAs that are expired but
 	    have not yet been cleaned up).
 	  </p>
-	  <p>
+<p>
 	    Normally, <span class="command"><strong>named</strong></span> will periodically
 	    test to see whether data below an NTA can now be
 	    validated (see the <code class="option">nta-recheck</code> option
@@ -482,25 +419,25 @@
 	    lifetime, regardless of whether data could be
 	    validated if the NTA were not present.
 	  </p>
-	  <p>
+<p>
 	    The view class can be specified with <code class="option">-class</code>.
 	    The default is class <strong class="userinput"><code>IN</code></strong>, which is
 	    the only class for which DNSSEC is currently supported.
 	  </p>
-	  <p>
+<p>
 	    All of these options can be shortened, i.e., to
 	    <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
 	    <code class="option">-f</code>, and <code class="option">-c</code>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional"> on | off </span>] </span></dt>
 <dd>
-	  <p>
+<p>
 	    Enable or disable query logging.  (For backward
 	    compatibility, this command can also be used without
 	    an argument to toggle query logging on and off.)
 	  </p>
-	  <p>
+<p>
 	    Query logging can also be enabled
 	    by explicitly directing the <span class="command"><strong>queries</strong></span>
 	    <span class="command"><strong>category</strong></span> to a
@@ -511,10 +448,9 @@
 	    <span class="command"><strong>options</strong></span> section of
 	    <code class="filename">named.conf</code>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Reload the configuration file and load new zones,
 	    but do not reload existing zone files even if they
 	    have changed.
@@ -522,43 +458,34 @@
 	    is a large number of zones because it avoids the need
 	    to examine the
 	    modification times of the zones files.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Dump the list of queries <span class="command"><strong>named</strong></span> is currently
 	    recursing on, and the list of domains to which iterative
 	    queries are currently being sent.  (The second list includes
 	    the number of fetches currently active for the given domain,
 	    and how many have been passed or dropped because of the
 	    <code class="option">fetches-per-zone</code> option.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Schedule zone maintenance for the given zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Reload configuration file and zones.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Reload the given zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Retransfer the given slave zone from the master server.
 	  </p>
-	  <p>
+<p>
 	    If the zone is configured to use
 	    <span class="command"><strong>inline-signing</strong></span>, the signed
 	    version of the zone is discarded; after the
@@ -566,24 +493,22 @@
 	    signed version will be regenerated with all new
 	    signatures.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	     Scan the list of available network interfaces
 	     for changes, without performing a full
 	     <span class="command"><strong>reconfig</strong></span> or waiting for the
 	     <span class="command"><strong>interface-interval</strong></span> timer.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Dump the server's security roots and negative trust anchors
 	    for the specified views.  If no view is specified, all views
 	    are dumped.
 	  </p>
-	  <p>
+<p>
 	    If the first argument is "-", then the output is
 	    returned via the <span class="command"><strong>rndc</strong></span> response channel
 	    and printed to the standard output.
@@ -592,22 +517,22 @@
 	    overridden via the <code class="option">secroots-file</code> option in
 	    <code class="filename">named.conf</code>.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc managed-keys</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Print the configuration of a running zone.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc zonestatus</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Fetch all DNSSEC keys for the given zone
 	    from the key directory (see the
 	    <span class="command"><strong>key-directory</strong></span> option in
@@ -617,7 +542,7 @@
 	    is changed, then the zone is automatically
 	    re-signed with the new key set.
 	  </p>
-	  <p>
+<p>
 	    This command requires that the
 	    <span class="command"><strong>auto-dnssec</strong></span> zone option be set
 	    to <code class="literal">allow</code> or
@@ -627,13 +552,13 @@
 	    (See "Dynamic Update Policies" in the Administrator
 	    Reference Manual for more details.)
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc loadkeys</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    List, edit, or remove the DNSSEC signing state records
 	    for the specified zone.  The status of ongoing DNSSEC
 	    operations (such as signing or generating
@@ -646,7 +571,7 @@
 	    or have finished signing the zone, and which NSEC3
 	    chains are being created or removed.
 	  </p>
-	  <p>
+<p>
 	    <span class="command"><strong>rndc signing -clear</strong></span> can remove
 	    a single key (specified in the same format that
 	    <span class="command"><strong>rndc signing -list</strong></span> uses to
@@ -655,7 +580,7 @@
 	    that a key has not yet finished signing the zone
 	    will be retained.
 	  </p>
-	  <p>
+<p>
 	    <span class="command"><strong>rndc signing -nsec3param</strong></span> sets
 	    the NSEC3 parameters for a zone.  This is the
 	    only supported mechanism for using NSEC3 with
@@ -664,7 +589,7 @@
 	    an NSEC3PARAM resource record: hash algorithm,
 	    flags, iterations, and salt, in that order.
 	  </p>
-	  <p>
+<p>
 	    Currently, the only defined value for hash algorithm
 	    is <code class="literal">1</code>, representing SHA-1.
 	    The <code class="option">flags</code> may be set to
@@ -679,7 +604,7 @@
 	    which causes <span class="command"><strong>named</strong></span> to generate a
 	    random 64-bit salt.
 	  </p>
-	  <p>
+<p>
 	    So, for example, to create an NSEC3 chain using
 	    the SHA-1 hash algorithm, no opt-out flag,
 	    10 iterations, and a salt value of "FFFF", use:
@@ -688,40 +613,36 @@
 	    salt, use:
 	    <span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
 	  </p>
-	  <p>
+<p>
 	    <span class="command"><strong>rndc signing -nsec3param none</strong></span>
 	    removes an existing NSEC3 chain and replaces it
 	    with NSEC.
 	  </p>
-	  <p>
+<p>
 	    <span class="command"><strong>rndc signing -serial value</strong></span> sets
 	    the serial number of the zone to value.  If the value
 	    would cause the serial number to go backwards it will
 	    be rejected.  The primary use is to set the serial on
 	    inline signed zones.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Write server statistics to the statistics file.
 	    (See the <span class="command"><strong>statistics-file</strong></span> option in
 	    the BIND 9 Administrator Reference Manual.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Display status of the server.
 	    Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone
 	    and the default <span class="command"><strong>./IN</strong></span>
 	    hint zone if there is not an
 	    explicit root zone configured.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Stop the server, making sure any recent changes
 	    made through dynamic update or IXFR are first saved to
 	    the master files of the updated zones.
@@ -729,20 +650,18 @@
 	    This allows an external process to determine when <span class="command"><strong>named</strong></span>
 	    had completed stopping.
 	  </p>
-	  <p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
-	</dd>
+<p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sync changes in the journal file for a dynamic zone
 	    to the master file.  If the "-clean" option is
 	    specified, the journal file is also removed.  If
 	    no zone is specified, then all zones are synced.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Enable updates to a frozen dynamic zone.  If no
 	    zone is specified, then all frozen zones are
 	    enabled.  This causes the server to reload the zone
@@ -756,55 +675,47 @@
 	    zone has changed, any existing journal file will be
 	    removed.
 	  </p>
-	  <p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
-	</dd>
+<p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Increment the servers debugging level by one.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sets the server's debugging level to an explicit
 	    value.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc notrace</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Delete a given TKEY-negotiated key from the server.
 	    (This does not apply to statically configured TSIG
 	    keys.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    List the names of all TSIG keys currently configured
 	    for use by <span class="command"><strong>named</strong></span> in each view.  The
 	    list includes both statically configured keys and dynamic
 	    TKEY-negotiated keys.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>validation ( on | off | status ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Enable, disable, or check the current status of
 	    DNSSEC validation.
 	    Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
 	    set to <strong class="userinput"><code>yes</code></strong> or
 	    <strong class="userinput"><code>auto</code></strong> to be effective.
 	    It defaults to enabled.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Displays the current status of the given zone,
 	    including the master file name and any include
 	    files from which it was loaded, when it was most
@@ -815,46 +726,31 @@
 	    management or inline signing, and the scheduled
 	    refresh or expiry times for the zone.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc showzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>LIMITATIONS</h2>
-
-    <p>
+<p>
       There is currently no way to provide the shared secret for a
       <code class="option">key_id</code> without using the configuration file.
     </p>
-    <p>
+<p>
       Several error messages could be clearer.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">rndc.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">rndc-confgen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">ndc</span>(8)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/rndc/util.c b/bind/bind9/bin/rndc/util.c
index 0066e7cb..5ab2109f 100644
--- a/bind/bind9/bin/rndc/util.c
+++ b/bind/bind9/bin/rndc/util.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/rndc/util.h b/bind/bind9/bin/rndc/util.h
index fa4a62b0..41107291 100644
--- a/bind/bind9/bin/rndc/util.h
+++ b/bind/bind9/bin/rndc/util.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/rndc/win32/rndc.vcxproj.in b/bind/bind9/bin/rndc/win32/rndc.vcxproj.in
index f47d7844..243f3591 100644
--- a/bind/bind9/bin/rndc/win32/rndc.vcxproj.in
+++ b/bind/bind9/bin/rndc/win32/rndc.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/rndc/win32/rndcutil.vcxproj.in b/bind/bind9/bin/rndc/win32/rndcutil.vcxproj.in
index f6afdf73..3467bfbb 100644
--- a/bind/bind9/bin/rndc/win32/rndcutil.vcxproj.in
+++ b/bind/bind9/bin/rndc/win32/rndcutil.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>util</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>.\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>util</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -74,7 +77,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/Makefile.in b/bind/bind9/bin/tests/Makefile.in
index f34069ad..69cb6a11 100644
--- a/bind/bind9/bin/tests/Makefile.in
+++ b/bind/bind9/bin/tests/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/bigtest/README b/bind/bind9/bin/tests/bigtest/README
index 0daea5c9..2d90f94d 100644
--- a/bind/bind9/bin/tests/bigtest/README
+++ b/bind/bind9/bin/tests/bigtest/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 	bash buildzones.sh < zones	# creates setup, run, servers/* master/*
 					# named.conf
diff --git a/bind/bind9/bin/tests/bigtest/buildzones.sh b/bind/bind9/bin/tests/bigtest/buildzones.sh
index f8d531a7..cc0e99dc 100644
--- a/bind/bind9/bin/tests/bigtest/buildzones.sh
+++ b/bind/bind9/bin/tests/bigtest/buildzones.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/bigtest/tests.sh b/bind/bind9/bin/tests/bigtest/tests.sh
index 7b3bd8f0..2b6b3b8e 100644
--- a/bind/bind9/bin/tests/bigtest/tests.sh
+++ b/bind/bind9/bin/tests/bigtest/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/cfg_test.c b/bind/bind9/bin/tests/cfg_test.c
index 4d63c3b4..b13a7720 100644
--- a/bind/bind9/bin/tests/cfg_test.c
+++ b/bind/bind9/bin/tests/cfg_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/fromhex.pl b/bind/bind9/bin/tests/fromhex.pl
index ab8a74c1..d12789e9 100644
--- a/bind/bind9/bin/tests/fromhex.pl
+++ b/bind/bind9/bin/tests/fromhex.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/headerdep_test.sh.in b/bind/bind9/bin/tests/headerdep_test.sh.in
index 3a94d472..e54b157c 100644
--- a/bind/bind9/bin/tests/headerdep_test.sh.in
+++ b/bind/bind9/bin/tests/headerdep_test.sh.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/makejournal.c b/bind/bind9/bin/tests/makejournal.c
index 61a41b0e..68b5e5a0 100644
--- a/bind/bind9/bin/tests/makejournal.c
+++ b/bind/bind9/bin/tests/makejournal.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/named.conf b/bind/bind9/bin/tests/named.conf
index 5673e982..1cbc9ee0 100644
--- a/bind/bind9/bin/tests/named.conf
+++ b/bind/bind9/bin/tests/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/Makefile.in b/bind/bind9/bin/tests/optional/Makefile.in
index 97d10242..dc72486a 100644
--- a/bind/bind9/bin/tests/optional/Makefile.in
+++ b/bind/bind9/bin/tests/optional/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/adb_test.c b/bind/bind9/bin/tests/optional/adb_test.c
index 9cd96a4a..017f8f4a 100644
--- a/bind/bind9/bin/tests/optional/adb_test.c
+++ b/bind/bind9/bin/tests/optional/adb_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -364,7 +364,7 @@ main(int argc, char **argv) {
 	lookup("moghedien.flame.org.");		/* should fetch */
 	lookup("mailrelay.flame.org.");		/* should fetch */
 	lookup("ipv4v6.flame.org.");		/* should fetch */
-	lookup("nonexistant.flame.org.");	/* should fail to be found */
+	lookup("nonexistent.flame.org.");	/* should fail to be found */
 	lookup("foobar.badns.flame.org.");	/* should fail utterly (NS) */
 	lookup("i.root-servers.net.");		/* Should be in hints */
 	lookup("www.firstcard.com.");
@@ -386,7 +386,7 @@ main(int argc, char **argv) {
 	lookup("moghedien.flame.org.");		/* should fetch */
 	lookup("mailrelay.flame.org.");		/* should fetch */
 	lookup("ipv4v6.flame.org.");		/* should fetch */
-	lookup("nonexistant.flame.org.");	/* should fail to be found */
+	lookup("nonexistent.flame.org.");	/* should fail to be found */
 	lookup("foobar.badns.flame.org.");	/* should fail utterly (NS) */
 	lookup("i.root-servers.net.");		/* Should be in hints */
 	CUNLOCK();
diff --git a/bind/bind9/bin/tests/optional/backtrace_test.c b/bind/bind9/bin/tests/optional/backtrace_test.c
index cd89a68b..d31c0347 100644
--- a/bind/bind9/bin/tests/optional/backtrace_test.c
+++ b/bind/bind9/bin/tests/optional/backtrace_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/byaddr_test.c b/bind/bind9/bin/tests/optional/byaddr_test.c
index b1c1a7f7..36073e2d 100644
--- a/bind/bind9/bin/tests/optional/byaddr_test.c
+++ b/bind/bind9/bin/tests/optional/byaddr_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/byname_test.c b/bind/bind9/bin/tests/optional/byname_test.c
index 4b255baa..c010b544 100644
--- a/bind/bind9/bin/tests/optional/byname_test.c
+++ b/bind/bind9/bin/tests/optional/byname_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -318,6 +318,7 @@ main(int argc, char *argv[]) {
 		isc_sockaddr_fromin(&sa, &ina, 53);
 		ISC_LIST_APPEND(sal, &sa, link);
 
+		REQUIRE(DNS_VIEW_VALID(view));
 		RUNTIME_CHECK(dns_fwdtable_add(view->fwdtable, dns_rootname,
 					       &sal, dns_fwdpolicy_only)
 			      == ISC_R_SUCCESS);
diff --git a/bind/bind9/bin/tests/optional/db_test.c b/bind/bind9/bin/tests/optional/db_test.c
index c69af660..ae3c2cee 100644
--- a/bind/bind9/bin/tests/optional/db_test.c
+++ b/bind/bind9/bin/tests/optional/db_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/dst_test.c b/bind/bind9/bin/tests/optional/dst_test.c
index 405a292a..5efdd0aa 100644
--- a/bind/bind9/bin/tests/optional/dst_test.c
+++ b/bind/bind9/bin/tests/optional/dst_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/entropy2_test.c b/bind/bind9/bin/tests/optional/entropy2_test.c
index b7b2b708..37077975 100644
--- a/bind/bind9/bin/tests/optional/entropy2_test.c
+++ b/bind/bind9/bin/tests/optional/entropy2_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/entropy_test.c b/bind/bind9/bin/tests/optional/entropy_test.c
index 67ec640a..555cee3f 100644
--- a/bind/bind9/bin/tests/optional/entropy_test.c
+++ b/bind/bind9/bin/tests/optional/entropy_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/fsaccess_test.c b/bind/bind9/bin/tests/optional/fsaccess_test.c
index f2e4c24f..fecf91c6 100644
--- a/bind/bind9/bin/tests/optional/fsaccess_test.c
+++ b/bind/bind9/bin/tests/optional/fsaccess_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/gsstest.c b/bind/bind9/bin/tests/optional/gsstest.c
index 90059d2a..901c2bbb 100644
--- a/bind/bind9/bin/tests/optional/gsstest.c
+++ b/bind/bind9/bin/tests/optional/gsstest.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -157,11 +157,11 @@ recvresponse(isc_task_t *task, isc_event_t *event) {
 	CHECK("dns_request_getresponse", result2);
 
 	if (response != NULL)
-		dns_message_destroy(&response);
+		dns_message_detach(&response);
 
  end:
 	if (query != NULL)
-		dns_message_destroy(&query);
+		dns_message_detach(&query);
 
 	if (reqev->request != NULL)
 		dns_request_destroy(&reqev->request);
@@ -248,7 +248,7 @@ sendquery(isc_task_t *task, isc_event_t *event)
 	if (qrdataset != NULL)
 		dns_message_puttemprdataset(message, &qrdataset);
 	if (message != NULL)
-		dns_message_destroy(&message);
+		dns_message_detach(&message);
 }
 
 static void
@@ -314,11 +314,11 @@ initctx2(isc_task_t *task, isc_event_t *event) {
 		tsigkey = NULL;
 	}
 
-	dns_message_destroy(&response);
+	dns_message_detach(&response);
 
  end:
 	if (query != NULL)
-		dns_message_destroy(&query);
+		dns_message_detach(&query);
 
 	if (reqev->request != NULL)
 		dns_request_destroy(&reqev->request);
diff --git a/bind/bind9/bin/tests/optional/gxba_test.c b/bind/bind9/bin/tests/optional/gxba_test.c
index 61c6a344..9c1da0ea 100644
--- a/bind/bind9/bin/tests/optional/gxba_test.c
+++ b/bind/bind9/bin/tests/optional/gxba_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/gxbn_test.c b/bind/bind9/bin/tests/optional/gxbn_test.c
index 68f42045..be959635 100644
--- a/bind/bind9/bin/tests/optional/gxbn_test.c
+++ b/bind/bind9/bin/tests/optional/gxbn_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/hash_test.c b/bind/bind9/bin/tests/optional/hash_test.c
index bf2891ad..edb6be4b 100644
--- a/bind/bind9/bin/tests/optional/hash_test.c
+++ b/bind/bind9/bin/tests/optional/hash_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/inter_test.c b/bind/bind9/bin/tests/optional/inter_test.c
index 42a4ec5b..dea7bbdd 100644
--- a/bind/bind9/bin/tests/optional/inter_test.c
+++ b/bind/bind9/bin/tests/optional/inter_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/keyboard_test.c b/bind/bind9/bin/tests/optional/keyboard_test.c
index 085b314e..c61e7665 100644
--- a/bind/bind9/bin/tests/optional/keyboard_test.c
+++ b/bind/bind9/bin/tests/optional/keyboard_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/lex_test.c b/bind/bind9/bin/tests/optional/lex_test.c
index 46312426..95adada2 100644
--- a/bind/bind9/bin/tests/optional/lex_test.c
+++ b/bind/bind9/bin/tests/optional/lex_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/lfsr_test.c b/bind/bind9/bin/tests/optional/lfsr_test.c
index 28303e0c..61c0649d 100644
--- a/bind/bind9/bin/tests/optional/lfsr_test.c
+++ b/bind/bind9/bin/tests/optional/lfsr_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -31,7 +31,7 @@ main(int argc, char **argv) {
 	UNUSED(argv);
 
 	/*
-	 * Verify that returned values are reproducable.
+	 * Verify that returned values are reproducible.
 	 */
 	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
 	for (i = 0; i < 32; i++) {
diff --git a/bind/bind9/bin/tests/optional/log_test.c b/bind/bind9/bin/tests/optional/log_test.c
index 11207537..9d51a575 100644
--- a/bind/bind9/bin/tests/optional/log_test.c
+++ b/bind/bind9/bin/tests/optional/log_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/lwres_test.c b/bind/bind9/bin/tests/optional/lwres_test.c
index 44e1cb04..cf4a671a 100644
--- a/bind/bind9/bin/tests/optional/lwres_test.c
+++ b/bind/bind9/bin/tests/optional/lwres_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/lwresconf_test.c b/bind/bind9/bin/tests/optional/lwresconf_test.c
index a72b08ae..2a8143df 100644
--- a/bind/bind9/bin/tests/optional/lwresconf_test.c
+++ b/bind/bind9/bin/tests/optional/lwresconf_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/master_test.c b/bind/bind9/bin/tests/optional/master_test.c
index 9c1a059d..9562f14d 100644
--- a/bind/bind9/bin/tests/optional/master_test.c
+++ b/bind/bind9/bin/tests/optional/master_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/mempool_test.c b/bind/bind9/bin/tests/optional/mempool_test.c
index 6a878f44..9286793f 100644
--- a/bind/bind9/bin/tests/optional/mempool_test.c
+++ b/bind/bind9/bin/tests/optional/mempool_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/name_test.c b/bind/bind9/bin/tests/optional/name_test.c
index 4ab0dfc8..dcf62b0a 100644
--- a/bind/bind9/bin/tests/optional/name_test.c
+++ b/bind/bind9/bin/tests/optional/name_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/nsecify.c b/bind/bind9/bin/tests/optional/nsecify.c
index 446f60fe..edde95f8 100644
--- a/bind/bind9/bin/tests/optional/nsecify.c
+++ b/bind/bind9/bin/tests/optional/nsecify.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/ratelimiter_test.c b/bind/bind9/bin/tests/optional/ratelimiter_test.c
index 02eadace..9759a0a0 100644
--- a/bind/bind9/bin/tests/optional/ratelimiter_test.c
+++ b/bind/bind9/bin/tests/optional/ratelimiter_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/rbt_test.c b/bind/bind9/bin/tests/optional/rbt_test.c
index 0d41dc2f..821b251b 100644
--- a/bind/bind9/bin/tests/optional/rbt_test.c
+++ b/bind/bind9/bin/tests/optional/rbt_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -226,7 +226,7 @@ iterate(dns_rbt_t *rbt, bool forward) {
 
 			} else {
 				if (result != ISC_R_NOMORE)
-				       printf("UNEXEPCTED ITERATION ERROR: %s",
+				       printf("UNEXPECTED ITERATION ERROR: %s",
 					      dns_result_totext(result));
 				break;
 			}
diff --git a/bind/bind9/bin/tests/optional/rbt_test.txt b/bind/bind9/bin/tests/optional/rbt_test.txt
index 4821c34c..e915992e 100644
--- a/bind/bind9/bin/tests/optional/rbt_test.txt
+++ b/bind/bind9/bin/tests/optional/rbt_test.txt
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/rwlock_test.c b/bind/bind9/bin/tests/optional/rwlock_test.c
index a540e3cd..6911d21e 100644
--- a/bind/bind9/bin/tests/optional/rwlock_test.c
+++ b/bind/bind9/bin/tests/optional/rwlock_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/serial_test.c b/bind/bind9/bin/tests/optional/serial_test.c
index 3ecb147c..b314a07c 100644
--- a/bind/bind9/bin/tests/optional/serial_test.c
+++ b/bind/bind9/bin/tests/optional/serial_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/shutdown_test.c b/bind/bind9/bin/tests/optional/shutdown_test.c
index 1eeaf07e..55e10477 100644
--- a/bind/bind9/bin/tests/optional/shutdown_test.c
+++ b/bind/bind9/bin/tests/optional/shutdown_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/sig0_test.c b/bind/bind9/bin/tests/optional/sig0_test.c
index dcf64ba3..a74bea1b 100644
--- a/bind/bind9/bin/tests/optional/sig0_test.c
+++ b/bind/bind9/bin/tests/optional/sig0_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -71,10 +71,8 @@ static const dns_master_style_t *style = &dns_master_style_debug;
 
 static void
 senddone(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-
-	REQUIRE(sevent != NULL);
-	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(event != NULL);
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 	REQUIRE(task == task1);
 
 	printf("senddone\n");
@@ -84,15 +82,17 @@ senddone(isc_task_t *task, isc_event_t *event) {
 
 static void
 recvdone(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_socketevent_t *sevent;
 	isc_buffer_t source;
 	isc_result_t result;
 	dns_message_t *response;
 
-	REQUIRE(sevent != NULL);
-	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_RECVDONE);
+	REQUIRE(event != NULL);
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
 	REQUIRE(task == task1);
 
+	sevent = (isc_socketevent_t *)event;
+
 	printf("recvdone\n");
 	if (sevent->result != ISC_R_SUCCESS) {
 		printf("failed\n");
@@ -114,7 +114,7 @@ recvdone(isc_task_t *task, isc_event_t *event) {
 	printf("%.*s\n", (int)isc_buffer_usedlength(&outbuf),
 	       (char *)isc_buffer_base(&outbuf));
 
-	dns_message_destroy(&response);
+	dns_message_detach(&response);
 	isc_event_free(&event);
 
 	isc_app_shutdown();
@@ -190,7 +190,7 @@ buildquery(void) {
 	inr.length = sizeof(rdata);
 	result = isc_socket_recv(s, &inr, 1, task1, recvdone, NULL);
 	CHECK("isc_socket_recv", result);
-	dns_message_destroy(&query);
+	dns_message_detach(&query);
 }
 
 int
diff --git a/bind/bind9/bin/tests/optional/sock_test.c b/bind/bind9/bin/tests/optional/sock_test.c
index f13a3ffe..bdb5f389 100644
--- a/bind/bind9/bin/tests/optional/sock_test.c
+++ b/bind/bind9/bin/tests/optional/sock_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -118,7 +118,9 @@ my_recv(isc_task_t *task, isc_event_t *event) {
 		       (int)dev->n, (char *)region.base);
 	}
 
-	isc_socket_recv(sock, &dev->region, 1, task, my_recv, event->ev_arg);
+	RUNTIME_CHECK(isc_socket_recv(sock, &dev->region, 1, task,
+				      my_recv, event->ev_arg)
+		      == ISC_R_SUCCESS);
 
 	isc_event_free(&event);
 }
@@ -146,7 +148,9 @@ my_http_get(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
-	isc_socket_recv(sock, &dev->region, 1, task, my_recv, event->ev_arg);
+	RUNTIME_CHECK(isc_socket_recv(sock, &dev->region, 1, task,
+				      my_recv, event->ev_arg)
+		      == ISC_R_SUCCESS);
 
 	isc_event_free(&event);
 }
@@ -223,8 +227,9 @@ my_listen(isc_task_t *task, isc_event_t *event) {
 		newtask = NULL;
 		RUNTIME_CHECK(isc_task_create(manager, 0, &newtask)
 			      == ISC_R_SUCCESS);
-		isc_socket_recv(dev->newsocket, &region, 1,
-				newtask, my_recv, event->ev_arg);
+		RUNTIME_CHECK(isc_socket_recv(dev->newsocket, &region, 1,
+					      newtask, my_recv, event->ev_arg)
+			      == ISC_R_SUCCESS);
 		isc_task_detach(&newtask);
 	} else {
 		printf("detaching from socket %p\n", event->ev_sender);
diff --git a/bind/bind9/bin/tests/optional/sym_test.c b/bind/bind9/bin/tests/optional/sym_test.c
index 4eeac182..acc6be8e 100644
--- a/bind/bind9/bin/tests/optional/sym_test.c
+++ b/bind/bind9/bin/tests/optional/sym_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/task_test.c b/bind/bind9/bin/tests/optional/task_test.c
index 10880103..bb86ee13 100644
--- a/bind/bind9/bin/tests/optional/task_test.c
+++ b/bind/bind9/bin/tests/optional/task_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/timer_test.c b/bind/bind9/bin/tests/optional/timer_test.c
index 53d3b35c..35a59098 100644
--- a/bind/bind9/bin/tests/optional/timer_test.c
+++ b/bind/bind9/bin/tests/optional/timer_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/optional/zone_test.c b/bind/bind9/bin/tests/optional/zone_test.c
index 5e94aaf6..04f8c2b1 100644
--- a/bind/bind9/bin/tests/optional/zone_test.c
+++ b/bind/bind9/bin/tests/optional/zone_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -202,7 +202,7 @@ query(void) {
 		ERRCONT(result, "dns_name_fromtext");
 
 		result = dns_db_find(db, dns_fixedname_name(&name),
-				     NULL /*vesion*/,
+				     NULL /*version*/,
 				     dns_rdatatype_a,
 				     0 /*options*/,
 				     0 /*time*/,
diff --git a/bind/bind9/bin/tests/pkcs11/Makefile.in b/bind/bind9/bin/tests/pkcs11/Makefile.in
index 73e05967..cfb407c9 100644
--- a/bind/bind9/bin/tests/pkcs11/Makefile.in
+++ b/bind/bind9/bin/tests/pkcs11/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/Makefile.in b/bind/bind9/bin/tests/pkcs11/benchmarks/Makefile.in
index 15f54600..20cd4a1c 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/Makefile.in
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/create.c b/bind/bind9/bin/tests/pkcs11/benchmarks/create.c
index 44c531e7..91920706 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/create.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/create.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -160,7 +160,7 @@ main(int argc, char *argv[]) {
 
 	pk11_result_register();
 
-	/* Allocate hanles */
+	/* Allocate handles */
 	hKey = (CK_SESSION_HANDLE *)
 		malloc(count * sizeof(CK_SESSION_HANDLE));
 	if (hKey == NULL) {
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/find.c b/bind/bind9/bin/tests/pkcs11/benchmarks/find.c
index da582521..0572a4d5 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/find.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/find.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/genrsa.c b/bind/bind9/bin/tests/pkcs11/benchmarks/genrsa.c
index 8b06152f..0c15bfdf 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/genrsa.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/genrsa.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -178,7 +178,7 @@ main(int argc, char *argv[]) {
 
 	pk11_result_register();
 
-	/* Allocate hanles */
+	/* Allocate handles */
 	pubKey = (CK_SESSION_HANDLE *)
 		malloc(count * sizeof(CK_SESSION_HANDLE));
 	if (pubKey == NULL) {
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/login.c b/bind/bind9/bin/tests/pkcs11/benchmarks/login.c
index 178c2348..db7f6433 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/login.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/login.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/privrsa.c b/bind/bind9/bin/tests/pkcs11/benchmarks/privrsa.c
index 02c5d619..f38e09da 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/privrsa.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/privrsa.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -265,7 +265,7 @@ main(int argc, char *argv[]) {
 
 	pk11_result_register();
 
-	/* Allocate hanles */
+	/* Allocate handles */
 	hKey = (CK_SESSION_HANDLE *)
 		malloc(count * sizeof(CK_SESSION_HANDLE));
 	if (hKey == NULL) {
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/pubrsa.c b/bind/bind9/bin/tests/pkcs11/benchmarks/pubrsa.c
index d9f3e375..7744707c 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/pubrsa.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/pubrsa.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -186,7 +186,7 @@ main(int argc, char *argv[]) {
 
 	pk11_result_register();
 
-	/* Allocate hanles */
+	/* Allocate handles */
 	hKey = (CK_SESSION_HANDLE *)
 		malloc(count * sizeof(CK_SESSION_HANDLE));
 	if (hKey == NULL) {
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/random.c b/bind/bind9/bin/tests/pkcs11/benchmarks/random.c
index c2b5cd5d..8d9e001f 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/random.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/random.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/session.c b/bind/bind9/bin/tests/pkcs11/benchmarks/session.c
index 5cdc11a0..0a3e16b4 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/session.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/session.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/sha1.c b/bind/bind9/bin/tests/pkcs11/benchmarks/sha1.c
index 01115d55..8eab0036 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/sha1.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/sha1.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/sign.c b/bind/bind9/bin/tests/pkcs11/benchmarks/sign.c
index 6e2c746f..b3ae2b67 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/sign.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/sign.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/benchmarks/verify.c b/bind/bind9/bin/tests/pkcs11/benchmarks/verify.c
index 9b1e350d..cc69112d 100644
--- a/bind/bind9/bin/tests/pkcs11/benchmarks/verify.c
+++ b/bind/bind9/bin/tests/pkcs11/benchmarks/verify.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/pkcs11-hmacmd5.c b/bind/bind9/bin/tests/pkcs11/pkcs11-hmacmd5.c
index ba4adb1b..cbb8b4b3 100644
--- a/bind/bind9/bin/tests/pkcs11/pkcs11-hmacmd5.c
+++ b/bind/bind9/bin/tests/pkcs11/pkcs11-hmacmd5.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/pkcs11/pkcs11-md5sum.c b/bind/bind9/bin/tests/pkcs11/pkcs11-md5sum.c
index 56f3a61b..95545313 100644
--- a/bind/bind9/bin/tests/pkcs11/pkcs11-md5sum.c
+++ b/bind/bind9/bin/tests/pkcs11/pkcs11-md5sum.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/prepare-softhsm2.sh b/bind/bind9/bin/tests/prepare-softhsm2.sh
index 24c7f17c..f5122472 100755
--- a/bind/bind9/bin/tests/prepare-softhsm2.sh
+++ b/bind/bind9/bin/tests/prepare-softhsm2.sh
@@ -5,6 +5,6 @@ if [ -n "${SOFTHSM2_CONF}" ] && command -v softhsm2-util >/dev/null; then
     echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}"
     echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}"
     echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}"
-    softhsm2-util --init-token --free --pin 0000 --so-pin 0000 --label "softhsm2";
+    softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
 fi
 exit 0
diff --git a/bind/bind9/bin/tests/startperf/clean.sh b/bind/bind9/bin/tests/startperf/clean.sh
index 4049ba3a..be41ffc7 100644
--- a/bind/bind9/bin/tests/startperf/clean.sh
+++ b/bind/bind9/bin/tests/startperf/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/startperf/makenames.pl b/bind/bind9/bin/tests/startperf/makenames.pl
index a2bb2cfb..47f9b998 100644
--- a/bind/bind9/bin/tests/startperf/makenames.pl
+++ b/bind/bind9/bin/tests/startperf/makenames.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/startperf/mkzonefile.pl b/bind/bind9/bin/tests/startperf/mkzonefile.pl
index f050535b..ba4d220f 100644
--- a/bind/bind9/bin/tests/startperf/mkzonefile.pl
+++ b/bind/bind9/bin/tests/startperf/mkzonefile.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/startperf/setup.sh b/bind/bind9/bin/tests/startperf/setup.sh
index e7846656..ff93d794 100644
--- a/bind/bind9/bin/tests/startperf/setup.sh
+++ b/bind/bind9/bin/tests/startperf/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/startperf/smallzone.db b/bind/bind9/bin/tests/startperf/smallzone.db
index 20a3b9d4..57cbc247 100644
--- a/bind/bind9/bin/tests/startperf/smallzone.db
+++ b/bind/bind9/bin/tests/startperf/smallzone.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/Makefile.in b/bind/bind9/bin/tests/system/Makefile.in
index 06153eb8..8584c64e 100644
--- a/bind/bind9/bin/tests/system/Makefile.in
+++ b/bind/bind9/bin/tests/system/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/README b/bind/bind9/bin/tests/system/README
index 6c23e5a2..a446561c 100644
--- a/bind/bind9/bin/tests/system/README
+++ b/bind/bind9/bin/tests/system/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Introduction
 ===
diff --git a/bind/bind9/bin/tests/system/acl/clean.sh b/bind/bind9/bin/tests/system/acl/clean.sh
index 75acebac..51e1b873 100644
--- a/bind/bind9/bin/tests/system/acl/clean.sh
+++ b/bind/bind9/bin/tests/system/acl/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns2/named1.conf.in b/bind/bind9/bin/tests/system/acl/ns2/named1.conf.in
index 0ea65027..9999ada5 100644
--- a/bind/bind9/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns2/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns2/named2.conf.in b/bind/bind9/bin/tests/system/acl/ns2/named2.conf.in
index b8778805..f8ec34ec 100644
--- a/bind/bind9/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns2/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns2/named3.conf.in b/bind/bind9/bin/tests/system/acl/ns2/named3.conf.in
index 0a950622..2acb8138 100644
--- a/bind/bind9/bin/tests/system/acl/ns2/named3.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns2/named3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns2/named4.conf.in b/bind/bind9/bin/tests/system/acl/ns2/named4.conf.in
index 7cdcb6e3..bca3ee11 100644
--- a/bind/bind9/bin/tests/system/acl/ns2/named4.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns2/named4.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns2/named5.conf.in b/bind/bind9/bin/tests/system/acl/ns2/named5.conf.in
index 4b4e0502..9ef8171f 100644
--- a/bind/bind9/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns2/named5.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns2/named6.conf.in b/bind/bind9/bin/tests/system/acl/ns2/named6.conf.in
index 805942db..3cb051bb 100644
--- a/bind/bind9/bin/tests/system/acl/ns2/named6.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns2/named6.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns2/named7.conf.in b/bind/bind9/bin/tests/system/acl/ns2/named7.conf.in
index 5dde6580..2ec25231 100644
--- a/bind/bind9/bin/tests/system/acl/ns2/named7.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns2/named7.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns3/example.db b/bind/bind9/bin/tests/system/acl/ns3/example.db
index ae1ceabe..fae62c61 100644
--- a/bind/bind9/bin/tests/system/acl/ns3/example.db
+++ b/bind/bind9/bin/tests/system/acl/ns3/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns3/named.conf.in b/bind/bind9/bin/tests/system/acl/ns3/named.conf.in
index 760c2bc8..b6c91890 100644
--- a/bind/bind9/bin/tests/system/acl/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns4/example.db b/bind/bind9/bin/tests/system/acl/ns4/example.db
index f5e178d5..8c76e6bc 100644
--- a/bind/bind9/bin/tests/system/acl/ns4/example.db
+++ b/bind/bind9/bin/tests/system/acl/ns4/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns4/existing.db b/bind/bind9/bin/tests/system/acl/ns4/existing.db
index f5e178d5..8c76e6bc 100644
--- a/bind/bind9/bin/tests/system/acl/ns4/existing.db
+++ b/bind/bind9/bin/tests/system/acl/ns4/existing.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/ns4/named.conf.in b/bind/bind9/bin/tests/system/acl/ns4/named.conf.in
index 17cef4a7..0906c86c 100644
--- a/bind/bind9/bin/tests/system/acl/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/acl/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/setup.sh b/bind/bind9/bin/tests/system/acl/setup.sh
index ad952264..9cb2fc7b 100644
--- a/bind/bind9/bin/tests/system/acl/setup.sh
+++ b/bind/bind9/bin/tests/system/acl/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/acl/tests.sh b/bind/bind9/bin/tests/system/acl/tests.sh
index 09f31f2b..2ee34a09 100644
--- a/bind/bind9/bin/tests/system/acl/tests.sh
+++ b/bind/bind9/bin/tests/system/acl/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/clean.sh b/bind/bind9/bin/tests/system/additional/clean.sh
index 03e55cd3..da99f427 100644
--- a/bind/bind9/bin/tests/system/additional/clean.sh
+++ b/bind/bind9/bin/tests/system/additional/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/mx.db b/bind/bind9/bin/tests/system/additional/ns1/mx.db
index 32a2b87b..1ec374b6 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/mx.db
+++ b/bind/bind9/bin/tests/system/additional/ns1/mx.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/named1.conf.in b/bind/bind9/bin/tests/system/additional/ns1/named1.conf.in
index ad007970..6f1bef14 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/named1.conf.in
+++ b/bind/bind9/bin/tests/system/additional/ns1/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/named2.conf.in b/bind/bind9/bin/tests/system/additional/ns1/named2.conf.in
index 30a19b13..927fa349 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/named2.conf.in
+++ b/bind/bind9/bin/tests/system/additional/ns1/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/named3.conf.in b/bind/bind9/bin/tests/system/additional/ns1/named3.conf.in
index fe442b1d..5538b048 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/named3.conf.in
+++ b/bind/bind9/bin/tests/system/additional/ns1/named3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/named4.conf.in b/bind/bind9/bin/tests/system/additional/ns1/named4.conf.in
index 22156698..0d6cd40b 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/named4.conf.in
+++ b/bind/bind9/bin/tests/system/additional/ns1/named4.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/naptr.db b/bind/bind9/bin/tests/system/additional/ns1/naptr.db
index d604a3ac..8d08cb4d 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/naptr.db
+++ b/bind/bind9/bin/tests/system/additional/ns1/naptr.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/naptr2.db b/bind/bind9/bin/tests/system/additional/ns1/naptr2.db
index 090e9b62..bcd425e4 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/naptr2.db
+++ b/bind/bind9/bin/tests/system/additional/ns1/naptr2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/nid.db b/bind/bind9/bin/tests/system/additional/ns1/nid.db
index 70e4dc83..c78dc569 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/nid.db
+++ b/bind/bind9/bin/tests/system/additional/ns1/nid.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/root.db b/bind/bind9/bin/tests/system/additional/ns1/root.db
index 7db363b2..f0899231 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/root.db
+++ b/bind/bind9/bin/tests/system/additional/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/rt.db b/bind/bind9/bin/tests/system/additional/ns1/rt.db
index 57ee400e..e9b95f2a 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/rt.db
+++ b/bind/bind9/bin/tests/system/additional/ns1/rt.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/rt2.db b/bind/bind9/bin/tests/system/additional/ns1/rt2.db
index 73cb9f30..5ce31800 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/rt2.db
+++ b/bind/bind9/bin/tests/system/additional/ns1/rt2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns1/srv.db b/bind/bind9/bin/tests/system/additional/ns1/srv.db
index bc8d5819..3104cb50 100644
--- a/bind/bind9/bin/tests/system/additional/ns1/srv.db
+++ b/bind/bind9/bin/tests/system/additional/ns1/srv.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns3/named.conf.in b/bind/bind9/bin/tests/system/additional/ns3/named.conf.in
index f01bd47b..531c0abd 100644
--- a/bind/bind9/bin/tests/system/additional/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/additional/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/ns3/root.hint b/bind/bind9/bin/tests/system/additional/ns3/root.hint
index c1784c7e..c808d202 100644
--- a/bind/bind9/bin/tests/system/additional/ns3/root.hint
+++ b/bind/bind9/bin/tests/system/additional/ns3/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/setup.sh b/bind/bind9/bin/tests/system/additional/setup.sh
index 9157bca2..701c1f77 100644
--- a/bind/bind9/bin/tests/system/additional/setup.sh
+++ b/bind/bind9/bin/tests/system/additional/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/additional/tests.sh b/bind/bind9/bin/tests/system/additional/tests.sh
index dc537ccf..6400723a 100644
--- a/bind/bind9/bin/tests/system/additional/tests.sh
+++ b/bind/bind9/bin/tests/system/additional/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -24,7 +24,7 @@ dotests() {
     ret=0
     $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -32,7 +32,7 @@ dotests() {
     ret=0
     $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -40,7 +40,7 @@ dotests() {
     ret=0
     $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -48,7 +48,7 @@ dotests() {
     ret=0
     $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -78,7 +78,7 @@ dotests() {
       ;;
     esac
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -94,7 +94,7 @@ dotests() {
       grep -w "L32" dig.out.$n > /dev/null && ret=1
     fi
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -112,7 +112,7 @@ dotests() {
       grep -w "L32" dig.out.$n > /dev/null && ret=1
     fi
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -120,7 +120,7 @@ dotests() {
     ret=0
     $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -128,7 +128,7 @@ dotests() {
     ret=0
     $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -136,7 +136,7 @@ dotests() {
     ret=0
     $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -144,7 +144,7 @@ dotests() {
     ret=0
     $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -174,7 +174,7 @@ dotests() {
       ;;
     esac
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -190,7 +190,7 @@ dotests() {
       grep -w "L32" dig.out.$n > /dev/null && ret=1
     fi
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -208,7 +208,7 @@ dotests() {
       grep -w "L32" dig.out.$n > /dev/null && ret=1
     fi
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -218,7 +218,7 @@ dotests() {
     # Always expect glue for root priming queries, regardless $minimal
     grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 
     n=`expr $n + 1`
@@ -227,7 +227,7 @@ dotests() {
     $DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
     case $minimal in
     yes)
-      grep 'ADDITIONAL: 1' dig.out.$n > /dev/null || ret=1
+      grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
       ;;
     no)
       grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
@@ -240,7 +240,7 @@ dotests() {
       ;;
     esac
     if [ $ret -eq 1 ] ; then
-            echo_i " failed"; status=1
+            echo_i "failed"; status=`expr status + 1`
     fi
 }
 
@@ -263,7 +263,7 @@ ret=0
 $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
 grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
-    echo_i " failed"; status=1
+    echo_i "failed"; status=`expr status + 1`
 fi
 
 echo_i "reconfiguring server: minimal-any yes"
@@ -277,7 +277,7 @@ ret=0
 $DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
 grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
-    echo_i " failed"; status=1
+    echo_i "failed"; status=`expr status + 1`
 fi
 n=`expr $n + 1`
 
@@ -286,7 +286,7 @@ ret=0
 $DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
 grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
-    echo_i " failed"; status=1
+    echo_i "failed"; status=`expr status + 1`
 fi
 
 n=`expr $n + 1`
@@ -295,7 +295,7 @@ ret=0
 $DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
 grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
-    echo_i " failed"; status=1
+    echo_i "failed"; status=`expr status + 1`
 fi
 
 echo_i "testing with 'minimal-responses no-auth;'"
@@ -319,7 +319,7 @@ grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1
 grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
 grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
-    echo_i " failed"; status=1
+    echo_i "failed"; status=`expr status + 1`
 fi
 
 n=`expr $n + 1`
@@ -330,7 +330,7 @@ grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig
 grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
 grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
-    echo_i " failed"; status=1
+    echo_i "failed"; status=`expr status + 1`
 fi
 
 echo_i "reconfiguring server: minimal-responses no"
@@ -345,7 +345,7 @@ $DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1
 grep "AUTHORITY: 0" dig.out.$n  > /dev/null || ret=1
 grep "NS[ 	]*ns" dig.out.$n  > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
-    echo_i " failed"; status=1
+    echo_i "failed"; status=`expr status + 1`
 fi
 
 n=`expr $n + 1`
@@ -355,7 +355,7 @@ $DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1
 grep "AUTHORITY: 0" dig.out.$n  > /dev/null || ret=1
 grep "NS[ 	]*ns" dig.out.$n  > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
-    echo_i " failed"; status=1
+    echo_i "failed"; status=`expr status + 1`
 fi
 
 echo_i "exit status: $status"
diff --git a/bind/bind9/bin/tests/system/addzone/clean.sh b/bind/bind9/bin/tests/system/addzone/clean.sh
index 30889d22..0a14abbe 100644
--- a/bind/bind9/bin/tests/system/addzone/clean.sh
+++ b/bind/bind9/bin/tests/system/addzone/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns1/inlineslave.db b/bind/bind9/bin/tests/system/addzone/ns1/inlineslave.db
index 625349ec..fe4658e0 100644
--- a/bind/bind9/bin/tests/system/addzone/ns1/inlineslave.db
+++ b/bind/bind9/bin/tests/system/addzone/ns1/inlineslave.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns1/named.conf.in b/bind/bind9/bin/tests/system/addzone/ns1/named.conf.in
index dddddfc7..c10cd57b 100644
--- a/bind/bind9/bin/tests/system/addzone/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/addzone/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns2/added.db b/bind/bind9/bin/tests/system/addzone/ns2/added.db
index 9b54d192..82f34308 100644
--- a/bind/bind9/bin/tests/system/addzone/ns2/added.db
+++ b/bind/bind9/bin/tests/system/addzone/ns2/added.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns2/hints.db b/bind/bind9/bin/tests/system/addzone/ns2/hints.db
index 418ea963..9883426b 100644
--- a/bind/bind9/bin/tests/system/addzone/ns2/hints.db
+++ b/bind/bind9/bin/tests/system/addzone/ns2/hints.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns2/inline.db b/bind/bind9/bin/tests/system/addzone/ns2/inline.db
index a45d30e0..4e90eb9a 100644
--- a/bind/bind9/bin/tests/system/addzone/ns2/inline.db
+++ b/bind/bind9/bin/tests/system/addzone/ns2/inline.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns2/named1.conf.in b/bind/bind9/bin/tests/system/addzone/ns2/named1.conf.in
index 47a3cc99..6c08335c 100644
--- a/bind/bind9/bin/tests/system/addzone/ns2/named1.conf.in
+++ b/bind/bind9/bin/tests/system/addzone/ns2/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns2/named2.conf.in b/bind/bind9/bin/tests/system/addzone/ns2/named2.conf.in
index c063d425..84a3452d 100644
--- a/bind/bind9/bin/tests/system/addzone/ns2/named2.conf.in
+++ b/bind/bind9/bin/tests/system/addzone/ns2/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns2/normal.db b/bind/bind9/bin/tests/system/addzone/ns2/normal.db
index 50450928..86916b82 100644
--- a/bind/bind9/bin/tests/system/addzone/ns2/normal.db
+++ b/bind/bind9/bin/tests/system/addzone/ns2/normal.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns2/previous.db b/bind/bind9/bin/tests/system/addzone/ns2/previous.db
index 7fe55176..9df6af5d 100644
--- a/bind/bind9/bin/tests/system/addzone/ns2/previous.db
+++ b/bind/bind9/bin/tests/system/addzone/ns2/previous.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns2/redirect.db b/bind/bind9/bin/tests/system/addzone/ns2/redirect.db
index 7b40db9c..0edd91cf 100644
--- a/bind/bind9/bin/tests/system/addzone/ns2/redirect.db
+++ b/bind/bind9/bin/tests/system/addzone/ns2/redirect.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns3/e.db b/bind/bind9/bin/tests/system/addzone/ns3/e.db
index d5f7ff9c..56587f11 100644
--- a/bind/bind9/bin/tests/system/addzone/ns3/e.db
+++ b/bind/bind9/bin/tests/system/addzone/ns3/e.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns3/named1.conf.in b/bind/bind9/bin/tests/system/addzone/ns3/named1.conf.in
index 11be2f27..2666e301 100644
--- a/bind/bind9/bin/tests/system/addzone/ns3/named1.conf.in
+++ b/bind/bind9/bin/tests/system/addzone/ns3/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/ns3/named2.conf.in b/bind/bind9/bin/tests/system/addzone/ns3/named2.conf.in
index 5aa682fb..4cbe3269 100644
--- a/bind/bind9/bin/tests/system/addzone/ns3/named2.conf.in
+++ b/bind/bind9/bin/tests/system/addzone/ns3/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/setup.sh b/bind/bind9/bin/tests/system/addzone/setup.sh
index 9e294c03..fca6da84 100644
--- a/bind/bind9/bin/tests/system/addzone/setup.sh
+++ b/bind/bind9/bin/tests/system/addzone/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/addzone/tests.sh b/bind/bind9/bin/tests/system/addzone/tests.sh
index 1592dd01..bdc29ba3 100755
--- a/bind/bind9/bin/tests/system/addzone/tests.sh
+++ b/bind/bind9/bin/tests/system/addzone/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -527,10 +527,33 @@ echo_i "check that named restarts with multiple added zones ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type master; file "e.db"; };' > /dev/null 2>&1 || ret=1
 $RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type master; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type master; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type master; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type master; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type master; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type master; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
 $PERL $SYSTEMTESTTOP/stop.pl addzone ns3
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} addzone ns3 || ret=1
 $DIG $DIGOPTS @10.53.0.3 version.bind txt ch > dig.out.test$n || ret=1
 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  "test4.baz" > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  "test5.baz" > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  'test/.baz' > dig.out.3.test$n || ret=1
+grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  'test\\.baz' > dig.out.4.test$n || ret=1
+grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  'test\032.baz' > dig.out.5.test$n || ret=1
+grep "status: NOERROR" dig.out.5.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.5.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  'test\010.baz' > dig.out.6.test$n || ret=1
+grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
diff --git a/bind/bind9/bin/tests/system/allow-query/clean.sh b/bind/bind9/bin/tests/system/allow-query/clean.sh
index 1d02bf59..fec81967 100644
--- a/bind/bind9/bin/tests/system/allow-query/clean.sh
+++ b/bind/bind9/bin/tests/system/allow-query/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns1/named.conf.in b/bind/bind9/bin/tests/system/allow-query/ns1/named.conf.in
index 607925b2..8ed4202a 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns1/root.db b/bind/bind9/bin/tests/system/allow-query/ns1/root.db
index 00402716..671e713b 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns1/root.db
+++ b/bind/bind9/bin/tests/system/allow-query/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/generic.db b/bind/bind9/bin/tests/system/allow-query/ns2/generic.db
index dc51ce24..1cf6ab3f 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/generic.db
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/generic.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named01.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named01.conf.in
index 5c736ea8..dc1b39e1 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named01.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named01.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named02.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named02.conf.in
index ec65cb26..0ba01a3c 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named02.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named02.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named03.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named03.conf.in
index 1e3a3fd7..8f3f43dd 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named03.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named03.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named04.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named04.conf.in
index 565b6667..3204b4e8 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named04.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named04.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named05.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named05.conf.in
index f340ecb7..c344c1aa 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named05.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named05.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named06.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named06.conf.in
index 0860addd..046403df 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named06.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named06.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named07.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named07.conf.in
index 760888e3..a2c5e4e1 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named07.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named07.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named08.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named08.conf.in
index 2cf07def..f5ef7cce 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named08.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named08.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named09.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named09.conf.in
index bb5542ee..91822aac 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named09.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named09.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named10.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named10.conf.in
index 1569913b..a579f32b 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named11.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named11.conf.in
index 18ac91c6..166afa19 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named12.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named12.conf.in
index b8248444..25271a5d 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named21.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named21.conf.in
index 88b43721..bd519855 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named21.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named21.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named22.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named22.conf.in
index b4612835..86aa23b4 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named22.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named22.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named23.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named23.conf.in
index b24dac05..d7ccdf69 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named23.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named23.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named24.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named24.conf.in
index 67dfbfb1..168d3b39 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named24.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named24.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named25.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named25.conf.in
index 50ec84a2..aaabad40 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named25.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named25.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named26.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named26.conf.in
index a04f633f..212cb18c 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named26.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named26.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named27.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named27.conf.in
index 0916cada..12ef3e17 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named27.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named27.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named28.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named28.conf.in
index 9dae4c95..89109935 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named28.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named28.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named29.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named29.conf.in
index 04955161..e3756290 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named29.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named29.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named30.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named30.conf.in
index aeb1540e..c7c82546 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named31.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named31.conf.in
index d4b74328..567bbccf 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named32.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named32.conf.in
index c0259387..b75161fa 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named33.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named33.conf.in
index f69bf759..1eeff1da 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named33.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named33.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named34.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named34.conf.in
index 694864d6..3e0bb673 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named34.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named34.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named40.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named40.conf.in
index d83b376c..9e178183 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named53.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named53.conf.in
index d08a22cf..bd54c76b 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named53.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named53.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named54.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named54.conf.in
index 921f3c93..11b4e485 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named54.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named54.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named55.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named55.conf.in
index 8652ffb6..e9ecc1fc 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named55.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named55.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named56.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named56.conf.in
index 37d014d2..8ccd7e43 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named56.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named56.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns2/named57.conf.in b/bind/bind9/bin/tests/system/allow-query/ns2/named57.conf.in
index 06147274..088e5b97 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns2/named57.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns2/named57.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/ns3/named.conf.in b/bind/bind9/bin/tests/system/allow-query/ns3/named.conf.in
index 6eace597..cc768751 100644
--- a/bind/bind9/bin/tests/system/allow-query/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/allow-query/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/setup.sh b/bind/bind9/bin/tests/system/allow-query/setup.sh
index 10b3c934..2c3b2d52 100644
--- a/bind/bind9/bin/tests/system/allow-query/setup.sh
+++ b/bind/bind9/bin/tests/system/allow-query/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/allow-query/tests.sh b/bind/bind9/bin/tests/system/allow-query/tests.sh
index fb6059d5..791a1a48 100644
--- a/bind/bind9/bin/tests/system/allow-query/tests.sh
+++ b/bind/bind9/bin/tests/system/allow-query/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ans.pl b/bind/bind9/bin/tests/system/ans.pl
index d7f9f63c..8f48f50c 100644
--- a/bind/bind9/bin/tests/system/ans.pl
+++ b/bind/bind9/bin/tests/system/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -62,6 +62,11 @@
 #  Note that this data will still be sent with any request for
 #  pattern, only this data will be signed. Currently, this is only
 #  done for TCP.
+#
+# /pattern bad-id <key> <key_data>/
+# /pattern bad-id/
+#
+# will add 50 to the message id of the response.
 
 
 use IO::File;
@@ -361,7 +366,7 @@ sub handleTCP {
 	my $r;
 	foreach $r (@rules) {
 		my $pattern = $r->{pattern};
-		my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
+		my($dbtype, $key_name, $key_data, $extra) = split(/ /,$pattern);
 		print "[handleTCP] $dbtype, $key_name, $key_data \n";
 		if ("$qname $qtype" =~ /$dbtype/) {
 			$count_these++;
@@ -369,6 +374,11 @@ sub handleTCP {
 			foreach $a (@{$r->{answer}}) {
 				$packet->push("answer", $a);
 			}
+			if(defined($key_name) && $key_name eq "bad-id") {
+				$packet->header->id(($id+50)%0xffff);
+				$key_name = $key_data;
+				$key_data = $extra;
+			}
 			if (defined($key_name) && defined($key_data)) {
 				my $tsig;
 				# sign the packet
diff --git a/bind/bind9/bin/tests/system/auth/clean.sh b/bind/bind9/bin/tests/system/auth/clean.sh
new file mode 100644
index 00000000..adb9b67e
--- /dev/null
+++ b/bind/bind9/bin/tests/system/auth/clean.sh
@@ -0,0 +1,16 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f dig.out.test*
+rm -f ns2/example.com.bk
+rm -f ns2/example.net.bk
+rm -f ns*/managed-keys.bind* ns*/*mkeys*
diff --git a/bind/bind9/bin/tests/system/auth/ns1/chaos.db b/bind/bind9/bin/tests/system/auth/ns1/chaos.db
new file mode 100644
index 00000000..175b84b1
--- /dev/null
+++ b/bind/bind9/bin/tests/system/auth/ns1/chaos.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			CH SOA  ns root (
+				2018010100 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	ch-addr.example. 1001
+test 			A	ch-addr.example. 1002
+			A	ch-addr.example. 1003
diff --git a/bind/bind9/bin/tests/system/auth/ns1/example.com.db b/bind/bind9/bin/tests/system/auth/ns1/example.com.db
new file mode 100644
index 00000000..542b0d5b
--- /dev/null
+++ b/bind/bind9/bin/tests/system/auth/ns1/example.com.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300        ; 5 minutes
+@                       IN SOA  ns root (
+				2018010100 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS      ns
+ns                      A       10.53.0.1
+www			CNAME	server.example.net.
+inzone			CNAME	a.example.com.
+a			A	10.53.0.1
+dname			DNAME	@
diff --git a/bind/bind9/bin/tests/system/auth/ns1/example.net.db b/bind/bind9/bin/tests/system/auth/ns1/example.net.db
new file mode 100644
index 00000000..13d51527
--- /dev/null
+++ b/bind/bind9/bin/tests/system/auth/ns1/example.net.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300        ; 5 minutes
+@                       IN SOA  ns root (
+				2018010100 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS      ns
+ns                      A       10.53.0.1
+server			A	10.53.0.100
diff --git a/bind/bind9/bin/tests/system/auth/ns1/named.conf.in b/bind/bind9/bin/tests/system/auth/ns1/named.conf.in
new file mode 100644
index 00000000..c004d8a0
--- /dev/null
+++ b/bind/bind9/bin/tests/system/auth/ns1/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+view main in {
+	zone example.net {
+		type master;
+		file "example.net.db";
+	};
+
+	zone example.com {
+		type master;
+		file "example.com.db";
+	};
+};
+
+view alt chaos {
+	zone example.chaos chaos {
+		type master;
+		file "chaos.db";
+	};
+};
diff --git a/bind/bind9/bin/tests/system/auth/ns2/named.conf.in b/bind/bind9/bin/tests/system/auth/ns2/named.conf.in
new file mode 100644
index 00000000..c99fb88d
--- /dev/null
+++ b/bind/bind9/bin/tests/system/auth/ns2/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+};
+
+zone example.net {
+	type slave;
+	masters { 10.53.0.1; };
+	file "example.net.bk";
+};
+
+zone example.com {
+	type slave;
+	masters { 10.53.0.1; };
+	file "example.com.bk";
+};
diff --git a/bind/bind9/bin/tests/system/auth/setup.sh b/bind/bind9/bin/tests/system/auth/setup.sh
new file mode 100644
index 00000000..5c160b92
--- /dev/null
+++ b/bind/bind9/bin/tests/system/auth/setup.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bind/bind9/bin/tests/system/auth/tests.sh b/bind/bind9/bin/tests/system/auth/tests.sh
new file mode 100644
index 00000000..cc7e1153
--- /dev/null
+++ b/bind/bind9/bin/tests/system/auth/tests.sh
@@ -0,0 +1,189 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+DIGOPTS="+tcp -p ${PORT}"
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "wait for zones to finish transferring to ns2 ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+  ret=0
+  for zone in example.com example.net
+  do
+    $DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1
+    grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+  done
+  [ $ret -eq 0 ] && break
+  sleep 1
+done
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+#
+#  Cross zone CNAME behaviour is changed in version 9.12.1 BIND.
+#  The CNAME is not followed in subsequent versions unless it is a
+#  recursive query and recursion is allowed (rd=1/ra=1).
+#
+n=`expr $n + 1`
+echo_i "check that cross-zone CNAME records return target data (rd=0/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that cross-zone CNAME records return target data (rd=1/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that cross-zone CNAME records return target data (rd=0/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+#
+# In-zone CNAME records should always be followed regardless of RD and RA.
+#
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records return target data (rd=1/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
+grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that CHAOS addresses are compared correctly ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n
+lines=`wc -l < dig.out.test$n`
+[ ${lines:-0} -eq 2 ] || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/autosign/clean.sh b/bind/bind9/bin/tests/system/autosign/clean.sh
index 371040f5..9cc119f3 100644
--- a/bind/bind9/bin/tests/system/autosign/clean.sh
+++ b/bind/bind9/bin/tests/system/autosign/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -41,6 +41,7 @@ rm -f ns3/inaczsk2.example.db
 rm -f ns3/inaczsk3.example.db
 rm -f ns3/jitter.nsec3.example.db
 rm -f ns3/kg.out ns3/s.out ns3/st.out
+rm -f ns3/named.ns3.prev
 rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
 rm -f ns3/nsec.example.db
 rm -f ns3/nsec3-to-nsec.example.db
@@ -60,9 +61,9 @@ rm -f ns3/secure-to-insecure2.example.db
 rm -f ns3/secure.example.db
 rm -f ns3/secure.nsec3.example.db
 rm -f ns3/secure.optout.example.db
+rm -f ns3/settime.out.*
 rm -f ns3/sync.example.db
 rm -f ns3/ttl*.db
-rm -f ns3/settime.out.*
 rm -f nsupdate.out
 rm -f settime.out.*
 rm -f signing.out.*
diff --git a/bind/bind9/bin/tests/system/autosign/ns1/keygen.sh b/bind/bind9/bin/tests/system/autosign/ns1/keygen.sh
index ae98c42b..86ce9ad2 100644
--- a/bind/bind9/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bind/bind9/bin/tests/system/autosign/ns1/keygen.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns1/named.conf.in b/bind/bind9/bin/tests/system/autosign/ns1/named.conf.in
index 8c2e86c0..5ee812b2 100644
--- a/bind/bind9/bin/tests/system/autosign/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/autosign/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns1/root.db.in b/bind/bind9/bin/tests/system/autosign/ns1/root.db.in
index 4ed99909..4ea43d0a 100644
--- a/bind/bind9/bin/tests/system/autosign/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/bar.db.in b/bind/bind9/bin/tests/system/autosign/ns2/bar.db.in
index a78c518b..170590d3 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/bar.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns2/bar.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/child.nsec3.example.db b/bind/bind9/bin/tests/system/autosign/ns2/child.nsec3.example.db
index 8c7db653..d25b57f0 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/child.nsec3.example.db
+++ b/bind/bind9/bin/tests/system/autosign/ns2/child.nsec3.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/child.optout.example.db b/bind/bind9/bin/tests/system/autosign/ns2/child.optout.example.db
index 8c7db653..d25b57f0 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/child.optout.example.db
+++ b/bind/bind9/bin/tests/system/autosign/ns2/child.optout.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/dst.example.db.in b/bind/bind9/bin/tests/system/autosign/ns2/dst.example.db.in
index 769d2b5f..a1e3f1df 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/dst.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns2/dst.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/example.db.in b/bind/bind9/bin/tests/system/autosign/ns2/example.db.in
index d5198630..a504d98d 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/insecure.secure.example.db b/bind/bind9/bin/tests/system/autosign/ns2/insecure.secure.example.db
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/insecure.secure.example.db
+++ b/bind/bind9/bin/tests/system/autosign/ns2/insecure.secure.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/keygen.sh b/bind/bind9/bin/tests/system/autosign/ns2/keygen.sh
index ce97775e..94b819f5 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bind/bind9/bin/tests/system/autosign/ns2/keygen.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/named.conf.in b/bind/bind9/bin/tests/system/autosign/ns2/named.conf.in
index 9f0c617f..d1778793 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/autosign/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns2/private.secure.example.db.in b/bind/bind9/bin/tests/system/autosign/ns2/private.secure.example.db.in
index 37a77b72..b0a75e1b 100644
--- a/bind/bind9/bin/tests/system/autosign/ns2/private.secure.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns2/private.secure.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/autonsec3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/autonsec3.example.db.in
index 0b160d79..313bdf0f 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/autonsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/autonsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/delay.example.db b/bind/bind9/bin/tests/system/autosign/ns3/delay.example.db
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/delay.example.db
+++ b/bind/bind9/bin/tests/system/autosign/ns3/delay.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/delzsk.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/delzsk.example.db.in
index 241de318..f735cabd 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/delzsk.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/delzsk.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
index def9dd7d..c7735212 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/inacksk2.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/inacksk2.example.db.in
index 90dcba9d..2b977edd 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/inacksk2.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/inacksk2.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/inacksk3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/inacksk3.example.db.in
index 90dcba9d..2b977edd 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/inacksk3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/inacksk3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/inaczsk.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/inaczsk.example.db.in
index 90dcba9d..2b977edd 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/inaczsk.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/inaczsk.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/inaczsk2.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
index 90dcba9d..2b977edd 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/inaczsk3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/inaczsk3.example.db.in
index 90dcba9d..2b977edd 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/inaczsk3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/inaczsk3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/insecure.example.db b/bind/bind9/bin/tests/system/autosign/ns3/insecure.example.db
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/insecure.example.db
+++ b/bind/bind9/bin/tests/system/autosign/ns3/insecure.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
index aa08c776..34e62b27 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/keygen.sh b/bind/bind9/bin/tests/system/autosign/ns3/keygen.sh
index 43e88a8b..2ec3f39e 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bind/bind9/bin/tests/system/autosign/ns3/keygen.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/named.conf.in b/bind/bind9/bin/tests/system/autosign/ns3/named.conf.in
index b664152b..13144f6d 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/nozsk.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/nozsk.example.db.in
index 90dcba9d..2b977edd 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/nozsk.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/nozsk.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/nsec.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/nsec.example.db.in
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/nsec.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/nsec.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/nsec3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/nsec3.example.db.in
index 0b160d79..313bdf0f 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/oldsigs.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/oldsigs.example.db.in
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/oldsigs.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/oldsigs.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/optout.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/optout.example.db.in
index 5d5416db..1b219170 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/optout.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/optout.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/optout.optout.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/optout.optout.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/optout.optout.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/optout.optout.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/rsasha256.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/rsasha256.example.db.in
index 862dadba..dd92655d 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/rsasha256.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/rsasha256.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/rsasha512.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/rsasha512.example.db.in
index 862dadba..dd92655d 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/rsasha512.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/rsasha512.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/secure.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/secure.example.db.in
index a3abaefa..b1a0ae2c 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/secure.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/secure.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/secure.optout.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/secure.optout.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/secure.optout.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/secure.optout.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/sync.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/sync.example.db.in
index c3dbada7..d2cd9ac9 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/sync.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/sync.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/ttl1.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/ttl1.example.db.in
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/ttl1.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/ttl1.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/ttl2.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/ttl2.example.db.in
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/ttl2.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/ttl2.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/ttl3.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/ttl3.example.db.in
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/ttl3.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/ttl3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns3/ttl4.example.db.in b/bind/bind9/bin/tests/system/autosign/ns3/ttl4.example.db.in
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/autosign/ns3/ttl4.example.db.in
+++ b/bind/bind9/bin/tests/system/autosign/ns3/ttl4.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns4/named.conf.in b/bind/bind9/bin/tests/system/autosign/ns4/named.conf.in
index dc1803f7..01d455ea 100644
--- a/bind/bind9/bin/tests/system/autosign/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/autosign/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/ns5/named.conf.in b/bind/bind9/bin/tests/system/autosign/ns5/named.conf.in
index bc33b23d..88c2b75f 100644
--- a/bind/bind9/bin/tests/system/autosign/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/autosign/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/prereq.sh b/bind/bind9/bin/tests/system/autosign/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/autosign/prereq.sh
+++ b/bind/bind9/bin/tests/system/autosign/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/setup.sh b/bind/bind9/bin/tests/system/autosign/setup.sh
index ef898ccc..21f481ed 100644
--- a/bind/bind9/bin/tests/system/autosign/setup.sh
+++ b/bind/bind9/bin/tests/system/autosign/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/autosign/tests.sh b/bind/bind9/bin/tests/system/autosign/tests.sh
index de0cc49b..f42fd3f6 100755
--- a/bind/bind9/bin/tests/system/autosign/tests.sh
+++ b/bind/bind9/bin/tests/system/autosign/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -90,16 +90,16 @@ checkjitter () {
 	_expiretimes=`freq "$_file" | awk '{print $1}'`
 
 	_count=0
-	# Check if we have at least 5 days
+	# Check if we have at least 4 days
 	# This number has been tuned for `sig-validity-interval 10 2`, as
-	# 1. 1. signature expiration dates should be spread out across at most 8 (10-2) days
+	# 1 signature expiration dates should be spread out across at most 8 (10-2) days
 	# 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days
-	# 3. we substract one more day to allow test pass on day boundaries, etc. leaving us with 5 (6-1) days
+	# 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2)
 	for _num in $_expiretimes
 	do
 		_count=$((_count+1))
 	done
-	if [ "$_count" -lt 5 ]; then
+	if [ "$_count" -lt 4 ]; then
 		echo_i "error: not enough categories"
 		return 1
 	fi
@@ -206,8 +206,8 @@ nextpartreset ns3/named.run
 # Check that DNSKEY is initially signed with a KSK and not a ZSK.
 #
 echo_i "check that zone with active and inactive KSK and active ZSK is properly"
-echo_i "  resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
-echo_i "  is initially signed with a KSK and not a ZSK. ($n)"
+echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
+echo_ic "is initially signed with a KSK and not a ZSK. ($n)"
 ret=0
 
 $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
@@ -243,8 +243,8 @@ status=`expr $status + $ret`
 # Check that zone is initially signed with a ZSK and not a KSK.
 #
 echo_i "check that zone with active and inactive ZSK and active KSK is properly"
-echo_i "  resigned after the active ZSK is deleted - stage 1: Verify that zone"
-echo_i "  is initially signed with a ZSK and not a KSK. ($n)"
+echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone"
+echo_ic "is initially signed with a ZSK and not a KSK. ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
 kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
@@ -496,10 +496,13 @@ status=`expr $status + $ret`
 echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
-sleep 2
 # this command should result in an empty file:
-$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
-grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
+no_nsec3param() (
+ $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || return 1
+ grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && return 1
+ return 0
+)
+retry_quiet 10 no_nsec3param || ret=1
 $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
@@ -1249,17 +1252,21 @@ $SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
 echo_i "waiting for changes to take effect"
 sleep 3
-wait_for_notifies "delay.example" "ns3" || ret=1
-$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
-# DNSKEY expected:
-awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
-# RRSIG expected:
-awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
-$DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
-# A expected:
-awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
-# RRSIG expected:
-awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
+wait_for_log "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run
+check_is_signed() {
+  $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1
+  # DNSKEY expected:
+  awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1
+  # RRSIG expected:
+  awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1
+  $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || return 1
+  # A expected:
+  awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1
+  # RRSIG expected:
+  awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1
+  return 0
+}
+retry_quiet 5 check_is_signed || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -1461,8 +1468,8 @@ status=`expr $status + $ret`
 # Check that DNSKEY is now signed with the ZSK.
 #
 echo_i "check that zone with active and inactive KSK and active ZSK is properly"
-echo_i "  resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
-echo_i "  is now signed with the ZSK. ($n)"
+echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
+echo_ic "is now signed with the ZSK. ($n)"
 ret=0
 
 $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
@@ -1490,8 +1497,8 @@ status=`expr $status + $ret`
 # Check that zone is now signed with the KSK.
 #
 echo_i "check that zone with active and inactive ZSK and active KSK is properly"
-echo_i "  resigned after the active ZSK is deleted - stage 2: Verify that zone"
-echo_i "  is now signed with the KSK. ($n)"
+echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone"
+echo_ic "is now signed with the KSK. ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
 kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
diff --git a/bind/bind9/bin/tests/system/builtin/clean.sh b/bind/bind9/bin/tests/system/builtin/clean.sh
index 93a11156..92f549fd 100644
--- a/bind/bind9/bin/tests/system/builtin/clean.sh
+++ b/bind/bind9/bin/tests/system/builtin/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/builtin/ns1/named.conf.in b/bind/bind9/bin/tests/system/builtin/ns1/named.conf.in
index d181a36c..6b200974 100644
--- a/bind/bind9/bin/tests/system/builtin/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/builtin/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/builtin/ns2/named.conf.in b/bind/bind9/bin/tests/system/builtin/ns2/named.conf.in
index e875a923..fb96a00b 100644
--- a/bind/bind9/bin/tests/system/builtin/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/builtin/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/builtin/ns3/named.conf.in b/bind/bind9/bin/tests/system/builtin/ns3/named.conf.in
index 4bce9f7a..78807587 100644
--- a/bind/bind9/bin/tests/system/builtin/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/builtin/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/builtin/setup.sh b/bind/bind9/bin/tests/system/builtin/setup.sh
index def2a615..4c12eaf5 100644
--- a/bind/bind9/bin/tests/system/builtin/setup.sh
+++ b/bind/bind9/bin/tests/system/builtin/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/builtin/tests.sh b/bind/bind9/bin/tests/system/builtin/tests.sh
index 391c239b..41ba5a2e 100644
--- a/bind/bind9/bin/tests/system/builtin/tests.sh
+++ b/bind/bind9/bin/tests/system/builtin/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cacheclean/clean.sh b/bind/bind9/bin/tests/system/cacheclean/clean.sh
index fd15c5ab..c4141570 100644
--- a/bind/bind9/bin/tests/system/cacheclean/clean.sh
+++ b/bind/bind9/bin/tests/system/cacheclean/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cacheclean/ns1/example.db b/bind/bind9/bin/tests/system/cacheclean/ns1/example.db
index 0231fbcd..d5814ce6 100644
--- a/bind/bind9/bin/tests/system/cacheclean/ns1/example.db
+++ b/bind/bind9/bin/tests/system/cacheclean/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cacheclean/ns1/expire-test.db b/bind/bind9/bin/tests/system/cacheclean/ns1/expire-test.db
index 32d70818..f3fb872e 100644
--- a/bind/bind9/bin/tests/system/cacheclean/ns1/expire-test.db
+++ b/bind/bind9/bin/tests/system/cacheclean/ns1/expire-test.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cacheclean/ns1/flushtest.db b/bind/bind9/bin/tests/system/cacheclean/ns1/flushtest.db
index 72a1096f..27634b19 100644
--- a/bind/bind9/bin/tests/system/cacheclean/ns1/flushtest.db
+++ b/bind/bind9/bin/tests/system/cacheclean/ns1/flushtest.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cacheclean/ns1/named.conf.in b/bind/bind9/bin/tests/system/cacheclean/ns1/named.conf.in
index 2f448f75..52530ec2 100644
--- a/bind/bind9/bin/tests/system/cacheclean/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/cacheclean/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cacheclean/ns2/named.conf.in b/bind/bind9/bin/tests/system/cacheclean/ns2/named.conf.in
index c3c42609..97d8413f 100644
--- a/bind/bind9/bin/tests/system/cacheclean/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/cacheclean/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cacheclean/setup.sh b/bind/bind9/bin/tests/system/cacheclean/setup.sh
index f3826d86..c3b29e62 100644
--- a/bind/bind9/bin/tests/system/cacheclean/setup.sh
+++ b/bind/bind9/bin/tests/system/cacheclean/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cacheclean/tests.sh b/bind/bind9/bin/tests/system/cacheclean/tests.sh
index d35e9b71..d0d0d60f 100755
--- a/bind/bind9/bin/tests/system/cacheclean/tests.sh
+++ b/bind/bind9/bin/tests/system/cacheclean/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/case/clean.sh b/bind/bind9/bin/tests/system/case/clean.sh
index 646f3f6c..e11b5259 100644
--- a/bind/bind9/bin/tests/system/case/clean.sh
+++ b/bind/bind9/bin/tests/system/case/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/case/ns1/dynamic.db.in b/bind/bind9/bin/tests/system/case/ns1/dynamic.db.in
index ee1c464e..00fa963e 100644
--- a/bind/bind9/bin/tests/system/case/ns1/dynamic.db.in
+++ b/bind/bind9/bin/tests/system/case/ns1/dynamic.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/case/ns1/example.db b/bind/bind9/bin/tests/system/case/ns1/example.db
index 8aba2936..57177674 100644
--- a/bind/bind9/bin/tests/system/case/ns1/example.db
+++ b/bind/bind9/bin/tests/system/case/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/case/ns1/named.conf.in b/bind/bind9/bin/tests/system/case/ns1/named.conf.in
index e1e31608..5d92862f 100644
--- a/bind/bind9/bin/tests/system/case/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/case/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/case/ns2/named.conf.in b/bind/bind9/bin/tests/system/case/ns2/named.conf.in
index 17202374..f7ff9a42 100644
--- a/bind/bind9/bin/tests/system/case/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/case/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/case/setup.sh b/bind/bind9/bin/tests/system/case/setup.sh
index bc5d9de9..c2f130c8 100644
--- a/bind/bind9/bin/tests/system/case/setup.sh
+++ b/bind/bind9/bin/tests/system/case/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/case/tests.sh b/bind/bind9/bin/tests/system/case/tests.sh
index 1f5634da..f2875e5a 100644
--- a/bind/bind9/bin/tests/system/case/tests.sh
+++ b/bind/bind9/bin/tests/system/case/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -14,6 +14,12 @@ SYSTEMTESTTOP=..
 
 DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
 
+wait_for_serial() (
+    $DIG $DIGOPTS "@$1" "$2" SOA > "$4"
+    serial=$(awk '$4 == "SOA" { print $7 }' "$4")
+    [ "$3" -eq "${serial:--1}" ]
+)
+
 status=0
 n=0
 
@@ -91,14 +97,16 @@ digcomp dig.ns1.test$n postupdate.good || ret=1
 test $ret -eq 0 || echo_i "failed"
 status=`expr $status + $ret`
 
-for i in 1 2 3 4 5 6 7 8 9
-do
-	$DIG $DIGOPTS soa dynamic @10.53.0.2 | grep 2000042408 > /dev/null && break
-	sleep 1
-done
+n=`expr $n + 1`
+ret=0
+echo_i "wait for zone to transfer ($n)"
+retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042408 dig.ns2.test$n || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "check SOA owner case is transfered to slave ($n)"
+echo_i "check SOA owner case is transferred to slave ($n)"
 ret=0
 $DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n
 digcomp dig.ns2.test$n postupdate.good || ret=1
@@ -121,14 +129,16 @@ digcomp dig.ns1.test$n postns1.good || ret=1
 test $ret -eq 0 || echo_i "failed"
 status=`expr $status + $ret`
 
-for i in 1 2 3 4 5 6 7 8 9
-do
-	$DIG $DIGOPTS soa dynamic @10.53.0.2 | grep 2000042409 > /dev/null && break
-	sleep 1
-done
+n=`expr $n + 1`
+ret=0
+echo_i "wait for zone to transfer ($n)"
+retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042409 dig.ns2.test$n || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "check A owner case is transfered to slave ($n)"
+echo_i "check A owner case is transferred to slave ($n)"
 ret=0
 $DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n
 digcomp dig.ns2.test$n postns1.good || ret=1
diff --git a/bind/bind9/bin/tests/system/catz/clean.sh b/bind/bind9/bin/tests/system/catz/clean.sh
index c16b4734..3a78760f 100644
--- a/bind/bind9/bin/tests/system/catz/clean.sh
+++ b/bind/bind9/bin/tests/system/catz/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/catz/ns1/catalog.example.db.in b/bind/bind9/bin/tests/system/catz/ns1/catalog.example.db.in
index dc18bf5b..cdadc769 100644
--- a/bind/bind9/bin/tests/system/catz/ns1/catalog.example.db.in
+++ b/bind/bind9/bin/tests/system/catz/ns1/catalog.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/catz/ns1/named.conf.in b/bind/bind9/bin/tests/system/catz/ns1/named.conf.in
index 74b7d371..6856ec70 100644
--- a/bind/bind9/bin/tests/system/catz/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/catz/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/catz/ns2/named.conf.in b/bind/bind9/bin/tests/system/catz/ns2/named.conf.in
index ee83efbe..dd3a9dc8 100644
--- a/bind/bind9/bin/tests/system/catz/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/catz/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/catz/ns3/dom5.example.db b/bind/bind9/bin/tests/system/catz/ns3/dom5.example.db
index f61860dd..d8aa1c47 100644
--- a/bind/bind9/bin/tests/system/catz/ns3/dom5.example.db
+++ b/bind/bind9/bin/tests/system/catz/ns3/dom5.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/catz/ns3/dom6.example.db b/bind/bind9/bin/tests/system/catz/ns3/dom6.example.db
index f61860dd..d8aa1c47 100644
--- a/bind/bind9/bin/tests/system/catz/ns3/dom6.example.db
+++ b/bind/bind9/bin/tests/system/catz/ns3/dom6.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/catz/ns3/named.conf.in b/bind/bind9/bin/tests/system/catz/ns3/named.conf.in
index d5ee7c87..c5b7a2bd 100644
--- a/bind/bind9/bin/tests/system/catz/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/catz/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/catz/setup.sh b/bind/bind9/bin/tests/system/catz/setup.sh
index e06f3a02..ff3be002 100644
--- a/bind/bind9/bin/tests/system/catz/setup.sh
+++ b/bind/bind9/bin/tests/system/catz/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/catz/tests.sh b/bind/bind9/bin/tests/system/catz/tests.sh
index fa189cb4..a628ba65 100644
--- a/bind/bind9/bin/tests/system/catz/tests.sh
+++ b/bind/bind9/bin/tests/system/catz/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -376,7 +376,7 @@ ret=0
 $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
     server 10.53.0.1 ${PORT}
     update add masters.catalog1.example. 3600 IN A 10.53.0.3
-    update add masters.catalog1.example. 3600 IN AAAA  fd92:7065:b8e:ffff::3
+    update add masters.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3
     update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example.
     send
 END
@@ -756,96 +756,127 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 ##########################################################################
-echo_i "Testing very long domain in catalog"
-n=`expr $n + 1`
-echo_i "checking that this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. is not served by master ($n)"
-ret=0
-wait_for_no_soa @10.53.0.1 this.is.aery.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. dig.out.test$n || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "Adding a domain this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. to master via RNDC ($n)"
-ret=0
-echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db
-echo "@ IN NS invalid." >> ns1/dom10.example.db
-rndccmd 10.53.0.1 addzone this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. '{type master; file "dom10.example.db";};' || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "checking that this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. is now served by master ($n)"
-ret=0
-wait_for_soa @10.53.0.1 this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. dig.out.test$n || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-nextpart ns2/named.run >/dev/null
-
-n=`expr $n + 1`
-echo_i "Adding domain this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. to catalog1 zone ($n)"
-ret=0
-$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
-    server 10.53.0.1 ${PORT}
-    update add 825f48b1ce1b4cf5a041d20255a0c8e98d114858.zones.catalog1.example 3600 IN PTR this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example.
-    send
+echo_i "Testing catalog entries that can't be represented as filenames"
+# note: we need 4 backslashes in the shell to get 2 backslashes in DNS
+# presentation format, which is 1 backslash on the wire.
+for special in \
+       this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \
+       this.zone/domain.has.a.slash.dom10.example \
+       this.zone\\\\domain.has.backslash.dom10.example \
+       this.zone:domain.has.a.colon.dom.10.example
+do
+    # hashes below are generated by:
+    # python ${TOP}/contrib/scripts/catzhash.py "${special}"
+
+    case "$special" in
+    this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example)
+        hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858
+        db=__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db
+        ;;
+    this.zone/domain.has.a.slash.dom10.example)
+        hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa
+        db=__catz__46ba3e1b28d5955e5313d5fee61bedc78c71d08035aa7ea2f7bf0b8228ab3acc.db
+        ;;
+    this.zone\\\\domain.has.backslash.dom10.example)
+        hash=91e27e02153d38cf656a9b376d7747fbcd19f985
+        db=__catz__b667f7ff802c0895e0506699951cff9a1cab68c5ef8546aa0d07425f244ed870.db
+        ;;
+    this.zone:domain.has.a.colon.dom.10.example)
+        hash=8b7238bf4c34045834c573ba4116557ebb24d33c
+        db=__catz__5c721f7872913a4e7fa8ad42589cce5dd6e551a4c9e6ab3f86e77c0bbc7c2ca6.db
+        ;;
+    esac
+
+    n=`expr $n + 1`
+    echo_i "checking that ${special}. is not served by master ($n)"
+    ret=0
+    wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "Adding a domain ${special}. to master via RNDC ($n)"
+    ret=0
+    echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db
+    echo "@ IN NS invalid." >> ns1/dom10.example.db
+    rndccmd 10.53.0.1 addzone '"'"${special}"'"' '{type master; file "dom10.example.db";};' || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "checking that ${special}. is now served by master ($n)"
+    ret=0
+    wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    nextpart ns2/named.run >/dev/null
+
+    n=`expr $n + 1`
+    echo_i "Adding domain ${special}. to catalog1 zone ($n)"
+    ret=0
+    $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+      server 10.53.0.1 ${PORT}
+      update add ${hash}.zones.catalog1.example 3600 IN PTR ${special}.
+      send
 END
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "waiting for slave to sync up ($n)"
-ret=0
-wait_for_message ns2/named.run  "catz: adding zone 'this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run  "transfer of 'this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "checking that this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. is served by slave ($n)"
-ret=0
-wait_for_soa @10.53.0.2 this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. dig.out.test$n || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "checking that zone-directory is populated with a hashed filename ($n)"
-ret=0
-wait_for_zonefile "ns2/zonedir/__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db" || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "removing domain this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example.  from catalog1 zone ($n)"
-ret=0
-$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
-   server 10.53.0.1 ${PORT}
-   update delete 825f48b1ce1b4cf5a041d20255a0c8e98d114858.zones.catalog1.example
-   send
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "waiting for slave to sync up ($n)"
+    ret=0
+    wait_for_message ns2/named.run  "catz: adding zone '$special' from catalog 'catalog1.example'" &&
+    wait_for_message ns2/named.run  "transfer of '$special/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "checking that ${special}. is served by slave ($n)"
+    ret=0
+    wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "checking that zone-directory is populated with a hashed filename ($n)"
+    ret=0
+    wait_for_zonefile "ns2/zonedir/$db" || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "removing domain ${special}. from catalog1 zone ($n)"
+    ret=0
+    $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+      server 10.53.0.1 ${PORT}
+      update delete ${hash}.zones.catalog1.example
+      send
 END
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "waiting for slave to sync up ($n)"
-ret=0
-wait_for_message ns2/named.run  "zone_shutdown: zone this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example/IN: shutting down" || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "checking that this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. is not served by slave ($n)"
-ret=0
-wait_for_no_soa @10.53.0.2 this.is.aery.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example. dig.out.test$n || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "checking that zone-directory is emptied ($n)"
-ret=0
-wait_for_no_zonefile "ns2/zonedir/__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db" || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "waiting for slave to sync up ($n)"
+    ret=0
+    wait_for_message ns2/named.run  "zone_shutdown: zone ${special}/IN: shutting down" || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "checking that ${special}. is not served by slave ($n)"
+    ret=0
+    wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+
+    n=`expr $n + 1`
+    echo_i "checking that zone-directory is emptied ($n)"
+    ret=0
+    wait_for_no_zonefile "ns2/zonedir/$db" || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+done
 
 ##########################################################################
 echo_i "Testing adding a domain and a subdomain of it"
@@ -950,9 +981,6 @@ ret=0
 wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
-
-
-
 n=`expr $n + 1`
 echo_i "removing domain dom11.example. from catalog1 zone ($n)"
 ret=0
@@ -1010,7 +1038,6 @@ wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. dig.out.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-
 ##########################################################################
 echo_i "Testing adding a catalog zone at runtime with rndc reconfig"
 n=`expr $n + 1`
diff --git a/bind/bind9/bin/tests/system/chain/README b/bind/bind9/bin/tests/system/chain/README
index f51c123b..26e2d37e 100644
--- a/bind/bind9/bin/tests/system/chain/README
+++ b/bind/bind9/bin/tests/system/chain/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 ns1 is the root server.
 
diff --git a/bind/bind9/bin/tests/system/chain/ans3/ans.pl b/bind/bind9/bin/tests/system/chain/ans3/ans.pl
index cdbfc84c..31d22d80 100644
--- a/bind/bind9/bin/tests/system/chain/ans3/ans.pl
+++ b/bind/bind9/bin/tests/system/chain/ans3/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -80,6 +80,34 @@ sub reply_handler {
 	$rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
 	push @ans, $rr;
 	$rcode = "NOERROR";
+    # The following three code branches referring to the "example.dname"
+    # zone are necessary for the resolver variant of the CVE-2021-25215
+    # regression test to work.  A named instance cannot be used for
+    # serving the DNAME records below as a version of BIND vulnerable to
+    # CVE-2021-25215 would crash while answering the queries asked by
+    # the tested resolver.
+    } elsif ($qname eq "ns3.example.dname") {
+	if ($qtype eq "A") {
+		my $rr = new Net::DNS::RR("$qname $ttl $qclass A 10.53.0.3");
+		push @ans, $rr;
+	}
+	if ($qtype eq "AAAA") {
+		my $rr = new Net::DNS::RR("example.dname. $ttl $qclass SOA . . 0 0 0 0 $ttl");
+		push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "self.example.self.example.dname") {
+	my $rr = new Net::DNS::RR("self.example.dname. $ttl $qclass DNAME dname.");
+	push @ans, $rr;
+	$rr = new Net::DNS::RR("$qname $ttl $qclass CNAME self.example.dname.");
+	push @ans, $rr;
+	$rcode = "NOERROR";
+    } elsif ($qname eq "self.example.dname") {
+	if ($qtype eq "DNAME") {
+		my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME dname.");
+		push @ans, $rr;
+	}
+	$rcode = "NOERROR";
     } else {
 	$rcode = "REFUSED";
     }
diff --git a/bind/bind9/bin/tests/system/chain/ans4/README.anspy b/bind/bind9/bin/tests/system/chain/ans4/README.anspy
index a419c61a..6ca2b689 100644
--- a/bind/bind9/bin/tests/system/chain/ans4/README.anspy
+++ b/bind/bind9/bin/tests/system/chain/ans4/README.anspy
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 REQUIREMENTS
 ans.py requires at least dnspython 1.12.0.
diff --git a/bind/bind9/bin/tests/system/chain/ans4/ans.py b/bind/bind9/bin/tests/system/chain/ans4/ans.py
index 2dd7def0..45d65041 100755
--- a/bind/bind9/bin/tests/system/chain/ans4/ans.py
+++ b/bind/bind9/bin/tests/system/chain/ans4/ans.py
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -56,7 +56,7 @@ from dns.name import *
 #
 # examples: for the answer set "cname, cname, cname", an rr set
 # '1, s1, 2, s2, 3, s3, 4, s4' indicates that all four RRs should
-# be included in the answer, with siagntures, in the origninal
+# be included in the answer, with siagntures, in the original
 # order, while 4, s4, 3, s3, 2, s2, 1, s1' indicates the order
 # should be reversed, 's3, s3, s3, s3' indicates that the third
 # RRSIG should be repeated four times and everything else should
diff --git a/bind/bind9/bin/tests/system/chain/clean.sh b/bind/bind9/bin/tests/system/chain/clean.sh
index 265123f0..6ff529ae 100755
--- a/bind/bind9/bin/tests/system/chain/clean.sh
+++ b/bind/bind9/bin/tests/system/chain/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns1/named.conf.in b/bind/bind9/bin/tests/system/chain/ns1/named.conf.in
index 5815c3c7..873e76ad 100644
--- a/bind/bind9/bin/tests/system/chain/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/chain/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns1/root.db b/bind/bind9/bin/tests/system/chain/ns1/root.db
index bc70f8c2..80c85294 100644
--- a/bind/bind9/bin/tests/system/chain/ns1/root.db
+++ b/bind/bind9/bin/tests/system/chain/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -24,6 +24,10 @@ ns2.example.		A	10.53.0.2
 example.broken.		NS	ns3.example.broken.
 ns3.example.broken.	A	10.53.0.3
 
+; for the resolver variant of the CVE-2021-25215 regression test
+example.dname.		NS	ns3.example.dname.
+ns3.example.dname.	A	10.53.0.3
+
 domain0.nil.		NS	ns2.domain0.nil
 domain1.nil.		NS	ns2.domain0.nil
 domain2.nil.		NS	ns2.domain0.nil
diff --git a/bind/bind9/bin/tests/system/chain/ns2/example.db b/bind/bind9/bin/tests/system/chain/ns2/example.db
index 5f29f861..fb28f7e7 100644
--- a/bind/bind9/bin/tests/system/chain/ns2/example.db
+++ b/bind/bind9/bin/tests/system/chain/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns2/generic.db b/bind/bind9/bin/tests/system/chain/ns2/generic.db
index 8b9d2207..bb3aa641 100644
--- a/bind/bind9/bin/tests/system/chain/ns2/generic.db
+++ b/bind/bind9/bin/tests/system/chain/ns2/generic.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -16,3 +16,5 @@ ns2	86400	AAAA    fd92:7065:b8e:ffff::2
 @       86400	AAAA 	1:2:3::4
 *       86400	A 	1.2.3.4
 *       86400	AAAA 	1:2:3::4
+; CVE-2021-25215 regression test data
+self	86400	DNAME	nil.
diff --git a/bind/bind9/bin/tests/system/chain/ns2/named.conf.in b/bind/bind9/bin/tests/system/chain/ns2/named.conf.in
index 519bfb34..00a249cd 100644
--- a/bind/bind9/bin/tests/system/chain/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/chain/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns2/sign.sh b/bind/bind9/bin/tests/system/chain/ns2/sign.sh
index 11b87ad4..057ec386 100644
--- a/bind/bind9/bin/tests/system/chain/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/chain/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns2/sub.db b/bind/bind9/bin/tests/system/chain/ns2/sub.db
index 5e65fdf5..8c0c7c96 100644
--- a/bind/bind9/bin/tests/system/chain/ns2/sub.db
+++ b/bind/bind9/bin/tests/system/chain/ns2/sub.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns5/named.conf.in b/bind/bind9/bin/tests/system/chain/ns5/named.conf.in
index d6813b6f..4b57eb91 100644
--- a/bind/bind9/bin/tests/system/chain/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/chain/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns5/sub.db b/bind/bind9/bin/tests/system/chain/ns5/sub.db
index 9ddb4313..d1d3ac94 100644
--- a/bind/bind9/bin/tests/system/chain/ns5/sub.db
+++ b/bind/bind9/bin/tests/system/chain/ns5/sub.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns7/named.conf.in b/bind/bind9/bin/tests/system/chain/ns7/named.conf.in
index c314922a..48a8aacb 100644
--- a/bind/bind9/bin/tests/system/chain/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/chain/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/ns7/root.hint b/bind/bind9/bin/tests/system/chain/ns7/root.hint
index ab755ba2..61f222f7 100644
--- a/bind/bind9/bin/tests/system/chain/ns7/root.hint
+++ b/bind/bind9/bin/tests/system/chain/ns7/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/prereq.sh b/bind/bind9/bin/tests/system/chain/prereq.sh
index f3f1939b..23bedcd6 100644
--- a/bind/bind9/bin/tests/system/chain/prereq.sh
+++ b/bind/bind9/bin/tests/system/chain/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/setup.sh b/bind/bind9/bin/tests/system/chain/setup.sh
index 0b648c0c..f95d7211 100644
--- a/bind/bind9/bin/tests/system/chain/setup.sh
+++ b/bind/bind9/bin/tests/system/chain/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/chain/tests.sh b/bind/bind9/bin/tests/system/chain/tests.sh
index bfa81d82..4aee59f8 100644
--- a/bind/bind9/bin/tests/system/chain/tests.sh
+++ b/bind/bind9/bin/tests/system/chain/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -153,21 +153,21 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking CNAME to signed external delgation is handled ($n)"
+echo_i "checking CNAME to signed external delegation is handled ($n)"
 ret=0
 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
 $DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n
 grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i " failed"; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking CNAME to signed internal delgation is handled ($n)"
+echo_i "checking CNAME to signed internal delegation is handled ($n)"
 ret=0
 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
 $DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n
 grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i " failed"; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
@@ -292,5 +292,23 @@ grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+# Regression test for CVE-2021-25215 (authoritative server).
+n=`expr $n + 1`
+echo_i "checking DNAME resolution via itself (authoritative) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Regression test for CVE-2021-25215 (recursive resolver).
+n=`expr $n + 1`
+echo_i "checking DNAME resolution via itself (recursive) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/checkconf/altdb.conf b/bind/bind9/bin/tests/system/checkconf/altdb.conf
index 0ee9680d..2f0cbcb6 100644
--- a/bind/bind9/bin/tests/system/checkconf/altdb.conf
+++ b/bind/bind9/bin/tests/system/checkconf/altdb.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/altdlz.conf b/bind/bind9/bin/tests/system/checkconf/altdlz.conf
index 86331971..c092e5b0 100644
--- a/bind/bind9/bin/tests/system/checkconf/altdlz.conf
+++ b/bind/bind9/bin/tests/system/checkconf/altdlz.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-also-notify.conf b/bind/bind9/bin/tests/system/checkconf/bad-also-notify.conf
index bf27dab0..5108a225 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-also-notify.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-also-notify.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-catz-zone.conf b/bind/bind9/bin/tests/system/checkconf/bad-catz-zone.conf
index 429a2145..eb016fd8 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-catz-zone.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-catz-zone.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-dnssec.conf b/bind/bind9/bin/tests/system/checkconf/bad-dnssec.conf
index 9db164ed..dd61a159 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-dnssec.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-dnssec.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-hint.conf b/bind/bind9/bin/tests/system/checkconf/bad-hint.conf
index a99ddba4..d9a0b7a6 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-hint.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-hint.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-in-view-dup.conf b/bind/bind9/bin/tests/system/checkconf/bad-in-view-dup.conf
index dfde1240..aa4c4125 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-in-view-dup.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-in-view-dup.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-inline-slave.conf b/bind/bind9/bin/tests/system/checkconf/bad-inline-slave.conf
index ff283b62..c99c1e98 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-inline-slave.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-inline-slave.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf b/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
index 29bf2555..0e860055 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix2.conf b/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
index f1236eba..1ad13b84 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-keep-response-order.conf b/bind/bind9/bin/tests/system/checkconf/bad-keep-response-order.conf
index c2c8929c..c2acd247 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-keep-response-order.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-keep-response-order.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-lifetime.conf b/bind/bind9/bin/tests/system/checkconf/bad-lifetime.conf
index b5926f0e..d6b6b6bd 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-lifetime.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-lifetime.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf b/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
index 17d2ac59..f257f001 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf b/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
index 99540cae..cbd9cbbb 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf b/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
index e5e50f7f..2dae298f 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf b/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
index 252ab366..d4afe22f 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-many.conf b/bind/bind9/bin/tests/system/checkconf/bad-many.conf
index 27f7e9bd..e41b94ce 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-many.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-many.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-master-request-ixfr.conf b/bind/bind9/bin/tests/system/checkconf/bad-master-request-ixfr.conf
index 2d3913f7..6d59c84c 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-master-request-ixfr.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-master-request-ixfr.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-maxttlmap.conf b/bind/bind9/bin/tests/system/checkconf/bad-maxttlmap.conf
index f404b3e8..a426f80d 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-maxttlmap.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-maxttlmap.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-noddns.conf b/bind/bind9/bin/tests/system/checkconf/bad-noddns.conf
index d4e93dcb..93994b76 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-noddns.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-noddns.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-options-also-notify.conf b/bind/bind9/bin/tests/system/checkconf/bad-options-also-notify.conf
index d5a28c0e..004a3cb4 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-options-also-notify.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-options-also-notify.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-acl.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-acl.conf
index b344a0ff..f3180809 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-acl.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-acl.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
index 6a60a8bf..630e533e 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
index bea96395..5fe2fb60 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
index b94d8db7..31cf01c7 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
index 4378e718..a7ecd917 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
index ed05f576..b7b425a2 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
index 893640ee..b677e423 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
index 8e2f4079..af8c62a5 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
index 585e90e2..2f3acf8c 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
index 21f528cd..b53ab7d6 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
index 784f529b..75cfc7c0 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-slip.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-slip.conf
index c6162952..3b460b64 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-slip.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-slip.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-window.conf b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-window.conf
index 5a0bcdb4..51888bde 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-window.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rate-limit-window.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-rpz-zone.conf b/bind/bind9/bin/tests/system/checkconf/bad-rpz-zone.conf
index 120c8e4f..e3c43679 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-rpz-zone.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-rpz-zone.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-sharedwritable1.conf b/bind/bind9/bin/tests/system/checkconf/bad-sharedwritable1.conf
index 38d244a6..856ecd8f 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-sharedwritable1.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-sharedwritable1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-sharedwritable2.conf b/bind/bind9/bin/tests/system/checkconf/bad-sharedwritable2.conf
index 31c77c41..63a66ba1 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-sharedwritable2.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-sharedwritable2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-sharedzone1.conf b/bind/bind9/bin/tests/system/checkconf/bad-sharedzone1.conf
index 3782991f..86790652 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-sharedzone1.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-sharedzone1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-sharedzone2.conf b/bind/bind9/bin/tests/system/checkconf/bad-sharedzone2.conf
index 91b0472d..36c09665 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-sharedzone2.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-sharedzone2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-sharedzone3.conf b/bind/bind9/bin/tests/system/checkconf/bad-sharedzone3.conf
index e174ab11..578f7da3 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-sharedzone3.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-sharedzone3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-stub-masters-dialup.conf b/bind/bind9/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
index 3b193234..7a51f838 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-tsig.conf b/bind/bind9/bin/tests/system/checkconf/bad-tsig.conf
index 21be03e9..338dddbc 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-tsig.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-tsig.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy1.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy1.conf
index 13e21db6..e7abf6ff 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy1.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy10.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy10.conf
index 8c9a4ade..2dd47983 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy10.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy10.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy11.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy11.conf
index 6f81c310..8f8e825e 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy11.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy11.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy12.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy12.conf
index c636f1bf..08a623eb 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy12.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy12.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy13.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy13.conf
index 4fb16f20..170c1f16 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy13.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy13.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy14.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy14.conf
index 1498180d..9fce4565 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy14.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy14.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy15.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy15.conf
index 7591b0b3..6afbee70 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy15.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy15.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy2.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy2.conf
index 987e0967..2553c169 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy2.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy3.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy3.conf
index ff0811f9..e2b93507 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy3.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy4.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy4.conf
index 396f69b8..be790e3c 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy4.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy4.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy5.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy5.conf
index 718dad53..0a00ac9e 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy5.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy5.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy6.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy6.conf
index 992e384a..7c1996a7 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy6.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy6.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy7.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy7.conf
index 3bd2185a..23d84a3b 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy7.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy7.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy8.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy8.conf
index c88b0e25..d85859c7 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy8.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy8.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-update-policy9.conf b/bind/bind9/bin/tests/system/checkconf/bad-update-policy9.conf
index 382f899f..88001c30 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-update-policy9.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-update-policy9.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-view-also-notify.conf b/bind/bind9/bin/tests/system/checkconf/bad-view-also-notify.conf
index 418fa47a..7c64d10c 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-view-also-notify.conf
+++ b/bind/bind9/bin/tests/system/checkconf/bad-view-also-notify.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-dlv-ksk-key.conf b/bind/bind9/bin/tests/system/checkconf/check-dlv-ksk-key.conf
index 2322e7dd..3160c099 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-dlv-ksk-key.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-dlv-ksk-key.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-dup-records-fail.conf b/bind/bind9/bin/tests/system/checkconf/check-dup-records-fail.conf
index 684e8c6e..94649c8b 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-dup-records-fail.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-dup-records-fail.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-dup-records.db b/bind/bind9/bin/tests/system/checkconf/check-dup-records.db
index 3d148e5d..fbb71455 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-dup-records.db
+++ b/bind/bind9/bin/tests/system/checkconf/check-dup-records.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-missing-zone.conf b/bind/bind9/bin/tests/system/checkconf/check-missing-zone.conf
new file mode 100644
index 00000000..c9e5aea2
--- /dev/null
+++ b/bind/bind9/bin/tests/system/checkconf/check-missing-zone.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view missing {
+	zone missing.example {
+		type master;
+		file "missing.example.db";
+	};
+};
+
+view good {
+	zone shared.example {
+		type master;
+		file "shared.example.db";
+	};
+};
diff --git a/bind/bind9/bin/tests/system/checkconf/check-mx-cname-fail.conf b/bind/bind9/bin/tests/system/checkconf/check-mx-cname-fail.conf
index 71292c88..517b4f92 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-mx-cname-fail.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-mx-cname-fail.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-mx-cname.db b/bind/bind9/bin/tests/system/checkconf/check-mx-cname.db
index 321c38e1..f2fe3072 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-mx-cname.db
+++ b/bind/bind9/bin/tests/system/checkconf/check-mx-cname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-mx-fail.conf b/bind/bind9/bin/tests/system/checkconf/check-mx-fail.conf
index 2eb8ad67..e0a517ce 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-mx-fail.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-mx-fail.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-mx.db b/bind/bind9/bin/tests/system/checkconf/check-mx.db
index 28331b4a..dafae25b 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-mx.db
+++ b/bind/bind9/bin/tests/system/checkconf/check-mx.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-names-fail.conf b/bind/bind9/bin/tests/system/checkconf/check-names-fail.conf
index 9c0ac26e..1dab0b21 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-names-fail.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-names-fail.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-names.db b/bind/bind9/bin/tests/system/checkconf/check-names.db
index 7763647f..a0cbed01 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-names.db
+++ b/bind/bind9/bin/tests/system/checkconf/check-names.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bind/bind9/bin/tests/system/checkconf/check-root-ksk-2010.conf
index 025564cc..3f3eced1 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-root-ksk-2010.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-root-ksk-2010.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bind/bind9/bin/tests/system/checkconf/check-root-ksk-2017.conf
index ebefd9c9..6fb0e4da 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-root-ksk-2017.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-root-ksk-2017.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-root-ksk-both.conf b/bind/bind9/bin/tests/system/checkconf/check-root-ksk-both.conf
index aebf7f5b..5346215d 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-root-ksk-both.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-root-ksk-both.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-srv-cname-fail.conf b/bind/bind9/bin/tests/system/checkconf/check-srv-cname-fail.conf
index e8463072..2209ed64 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-srv-cname-fail.conf
+++ b/bind/bind9/bin/tests/system/checkconf/check-srv-cname-fail.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/check-srv-cname.db b/bind/bind9/bin/tests/system/checkconf/check-srv-cname.db
index 8bc71bdb..144807af 100644
--- a/bind/bind9/bin/tests/system/checkconf/check-srv-cname.db
+++ b/bind/bind9/bin/tests/system/checkconf/check-srv-cname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/clean.sh b/bind/bind9/bin/tests/system/checkconf/clean.sh
index ed02f98f..ae289fc7 100644
--- a/bind/bind9/bin/tests/system/checkconf/clean.sh
+++ b/bind/bind9/bin/tests/system/checkconf/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/dlz-bad.conf b/bind/bind9/bin/tests/system/checkconf/dlz-bad.conf
index 2ba89b19..f1341777 100644
--- a/bind/bind9/bin/tests/system/checkconf/dlz-bad.conf
+++ b/bind/bind9/bin/tests/system/checkconf/dlz-bad.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/dnssec.1 b/bind/bind9/bin/tests/system/checkconf/dnssec.1
index 176711fc..6601bba9 100644
--- a/bind/bind9/bin/tests/system/checkconf/dnssec.1
+++ b/bind/bind9/bin/tests/system/checkconf/dnssec.1
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/dnssec.2 b/bind/bind9/bin/tests/system/checkconf/dnssec.2
index 64db848a..d8b5e9b1 100644
--- a/bind/bind9/bin/tests/system/checkconf/dnssec.2
+++ b/bind/bind9/bin/tests/system/checkconf/dnssec.2
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/dnssec.3 b/bind/bind9/bin/tests/system/checkconf/dnssec.3
index fbb5882d..593f3776 100644
--- a/bind/bind9/bin/tests/system/checkconf/dnssec.3
+++ b/bind/bind9/bin/tests/system/checkconf/dnssec.3
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-acl.conf b/bind/bind9/bin/tests/system/checkconf/good-acl.conf
index 53218991..da44490b 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-acl.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-acl.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-class.conf b/bind/bind9/bin/tests/system/checkconf/good-class.conf
index 1839fe23..c31994e4 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-class.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-class.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf b/bind/bind9/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf
index fd242bce..4eab17f9 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-dlv-dlv.example.com.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-dup-managed-key.conf b/bind/bind9/bin/tests/system/checkconf/good-dup-managed-key.conf
index 38533fc8..57904cc7 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-dup-managed-key.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-dup-managed-key.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-dup-trusted-key.conf b/bind/bind9/bin/tests/system/checkconf/good-dup-trusted-key.conf
index fc344ba4..197611a2 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-dup-trusted-key.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-dup-trusted-key.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf b/bind/bind9/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf
index a01fbc49..b64b78d9 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf b/bind/bind9/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf
index 797395f8..23f7bfbc 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-nested.conf b/bind/bind9/bin/tests/system/checkconf/good-nested.conf
index 4523b401..7adfb001 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-nested.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-nested.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-options-also-notify.conf b/bind/bind9/bin/tests/system/checkconf/good-options-also-notify.conf
index fcb01638..146496ad 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-options-also-notify.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-options-also-notify.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-response-dot.conf b/bind/bind9/bin/tests/system/checkconf/good-response-dot.conf
index 68e511f9..68737b97 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-response-dot.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-response-dot.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy1.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy1.conf
index 8d345186..4994d7e8 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy1.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy10.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy10.conf
index 60bea6b5..bb4f27d7 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy10.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy10.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy11.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy11.conf
index ba6f396f..64ae8f78 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy11.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy11.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy12.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy12.conf
index 09bd926a..43ed97ef 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy12.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy12.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy2.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy2.conf
index 5b453e73..f5a90f39 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy2.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy3.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy3.conf
index 3f4cef24..bf1df2a9 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy3.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy4.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy4.conf
index a3ef5343..15160424 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy4.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy4.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy5.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy5.conf
index 1f70f0c2..ab58e9e1 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy5.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy5.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy6.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy6.conf
index ac43c48d..61e8643c 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy6.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy6.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy7.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy7.conf
index 96431a3e..10aa0262 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy7.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy7.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy8.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy8.conf
index cd33559d..dae086f9 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy8.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy8.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-update-policy9.conf b/bind/bind9/bin/tests/system/checkconf/good-update-policy9.conf
index dcb5b461..747cd8ea 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-update-policy9.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-update-policy9.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good-view-also-notify.conf b/bind/bind9/bin/tests/system/checkconf/good-view-also-notify.conf
index b8a46e98..2824a969 100644
--- a/bind/bind9/bin/tests/system/checkconf/good-view-also-notify.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good-view-also-notify.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/good.conf b/bind/bind9/bin/tests/system/checkconf/good.conf
index 9ab35b38..2282f877 100644
--- a/bind/bind9/bin/tests/system/checkconf/good.conf
+++ b/bind/bind9/bin/tests/system/checkconf/good.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -104,6 +104,12 @@ view "second" {
 		};
 		zone-statistics no;
 	};
+	zone "example3" {
+		type static-stub;
+		server-addresses {
+			1.2.3.4;
+		};
+	};
 	zone "clone" {
 		in-view "first";
 	};
diff --git a/bind/bind9/bin/tests/system/checkconf/hint-nofile.conf b/bind/bind9/bin/tests/system/checkconf/hint-nofile.conf
index f0ef89fb..c8de3894 100644
--- a/bind/bind9/bin/tests/system/checkconf/hint-nofile.conf
+++ b/bind/bind9/bin/tests/system/checkconf/hint-nofile.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/in-view-good.conf b/bind/bind9/bin/tests/system/checkconf/in-view-good.conf
index 3161c381..3f8954fb 100644
--- a/bind/bind9/bin/tests/system/checkconf/in-view-good.conf
+++ b/bind/bind9/bin/tests/system/checkconf/in-view-good.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/inline-bad.conf b/bind/bind9/bin/tests/system/checkconf/inline-bad.conf
index 011bea91..22ee54ff 100644
--- a/bind/bind9/bin/tests/system/checkconf/inline-bad.conf
+++ b/bind/bind9/bin/tests/system/checkconf/inline-bad.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/inline-good.conf b/bind/bind9/bin/tests/system/checkconf/inline-good.conf
index 8e3115b1..d42b7a85 100644
--- a/bind/bind9/bin/tests/system/checkconf/inline-good.conf
+++ b/bind/bind9/bin/tests/system/checkconf/inline-good.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/inline-no.conf b/bind/bind9/bin/tests/system/checkconf/inline-no.conf
index c441fa9c..bde20568 100644
--- a/bind/bind9/bin/tests/system/checkconf/inline-no.conf
+++ b/bind/bind9/bin/tests/system/checkconf/inline-no.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/max-cache-size-good.conf b/bind/bind9/bin/tests/system/checkconf/max-cache-size-good.conf
index ff9dc8fc..dd7490d7 100644
--- a/bind/bind9/bin/tests/system/checkconf/max-cache-size-good.conf
+++ b/bind/bind9/bin/tests/system/checkconf/max-cache-size-good.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/max-ttl.conf b/bind/bind9/bin/tests/system/checkconf/max-ttl.conf
index 074bc2cb..4b4830d9 100644
--- a/bind/bind9/bin/tests/system/checkconf/max-ttl.conf
+++ b/bind/bind9/bin/tests/system/checkconf/max-ttl.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/maxttl-bad.conf b/bind/bind9/bin/tests/system/checkconf/maxttl-bad.conf
index ac4ca654..46855daf 100644
--- a/bind/bind9/bin/tests/system/checkconf/maxttl-bad.conf
+++ b/bind/bind9/bin/tests/system/checkconf/maxttl-bad.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/maxttl-bad.db b/bind/bind9/bin/tests/system/checkconf/maxttl-bad.db
index 9c8aa7e1..6e2987e2 100644
--- a/bind/bind9/bin/tests/system/checkconf/maxttl-bad.db
+++ b/bind/bind9/bin/tests/system/checkconf/maxttl-bad.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/maxttl.db b/bind/bind9/bin/tests/system/checkconf/maxttl.db
index 21536b48..385c4442 100644
--- a/bind/bind9/bin/tests/system/checkconf/maxttl.db
+++ b/bind/bind9/bin/tests/system/checkconf/maxttl.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/notify.conf b/bind/bind9/bin/tests/system/checkconf/notify.conf
index 60c4f15d..dafe7a85 100644
--- a/bind/bind9/bin/tests/system/checkconf/notify.conf
+++ b/bind/bind9/bin/tests/system/checkconf/notify.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/portrange-good.conf b/bind/bind9/bin/tests/system/checkconf/portrange-good.conf
index e02097f1..c3e079aa 100644
--- a/bind/bind9/bin/tests/system/checkconf/portrange-good.conf
+++ b/bind/bind9/bin/tests/system/checkconf/portrange-good.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/range.conf b/bind/bind9/bin/tests/system/checkconf/range.conf
index a7f94d9f..7e36b691 100644
--- a/bind/bind9/bin/tests/system/checkconf/range.conf
+++ b/bind/bind9/bin/tests/system/checkconf/range.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/shared.example.db b/bind/bind9/bin/tests/system/checkconf/shared.example.db
index 7b40db9c..0edd91cf 100644
--- a/bind/bind9/bin/tests/system/checkconf/shared.example.db
+++ b/bind/bind9/bin/tests/system/checkconf/shared.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/tests.sh b/bind/bind9/bin/tests/system/checkconf/tests.sh
index 3c683257..b6b04141 100644
--- a/bind/bind9/bin/tests/system/checkconf/tests.sh
+++ b/bind/bind9/bin/tests/system/checkconf/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -356,6 +356,13 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
+echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
+ret=0
+$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
 echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
 ret=0
 $CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
@@ -380,6 +387,15 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
+echo_i "check that invalid address/prefix length generates a warning ($n)"
+ret=0
+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
+[ "$LINES" -eq 8 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
 echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
 ret=0
 $CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
diff --git a/bind/bind9/bin/tests/system/checkconf/view-class-any1.conf b/bind/bind9/bin/tests/system/checkconf/view-class-any1.conf
index 9832ce02..3713b769 100644
--- a/bind/bind9/bin/tests/system/checkconf/view-class-any1.conf
+++ b/bind/bind9/bin/tests/system/checkconf/view-class-any1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/view-class-any2.conf b/bind/bind9/bin/tests/system/checkconf/view-class-any2.conf
index 03f08030..3ba443eb 100644
--- a/bind/bind9/bin/tests/system/checkconf/view-class-any2.conf
+++ b/bind/bind9/bin/tests/system/checkconf/view-class-any2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/view-class-in1.conf b/bind/bind9/bin/tests/system/checkconf/view-class-in1.conf
index 794f9e00..1d2ec698 100644
--- a/bind/bind9/bin/tests/system/checkconf/view-class-in1.conf
+++ b/bind/bind9/bin/tests/system/checkconf/view-class-in1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/view-class-in2.conf b/bind/bind9/bin/tests/system/checkconf/view-class-in2.conf
index c519b1a6..e30dd629 100644
--- a/bind/bind9/bin/tests/system/checkconf/view-class-in2.conf
+++ b/bind/bind9/bin/tests/system/checkconf/view-class-in2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bind/bind9/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
index 2c768c7e..bc731408 100644
--- a/bind/bind9/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
+++ b/bind/bind9/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
@@ -3,12 +3,20 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-acl myacl {
-	127.1/8; /* No-zero bits */
+zone example {
+	type master;
+	file "example.db";
+	auto-dnssec maintain;
+	allow-update {
+		192.0.2.64/24;
+		192.0.2.128/24;
+		198.51.100.255/24;
+		203.0.113.2/24;
+	};
 };
diff --git a/bind/bind9/bin/tests/system/checkconf/warn-dlv-auto.conf b/bind/bind9/bin/tests/system/checkconf/warn-dlv-auto.conf
index 3ba73420..0454cf6c 100644
--- a/bind/bind9/bin/tests/system/checkconf/warn-dlv-auto.conf
+++ b/bind/bind9/bin/tests/system/checkconf/warn-dlv-auto.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf b/bind/bind9/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
index 49b11bc5..4bc07fd8 100644
--- a/bind/bind9/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
+++ b/bind/bind9/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/warn-duplicate-key.conf b/bind/bind9/bin/tests/system/checkconf/warn-duplicate-key.conf
index 92d5231c..a973991a 100644
--- a/bind/bind9/bin/tests/system/checkconf/warn-duplicate-key.conf
+++ b/bind/bind9/bin/tests/system/checkconf/warn-duplicate-key.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/warn-duplicate-root-key.conf b/bind/bind9/bin/tests/system/checkconf/warn-duplicate-root-key.conf
index 1e72ad4a..72dfadda 100644
--- a/bind/bind9/bin/tests/system/checkconf/warn-duplicate-root-key.conf
+++ b/bind/bind9/bin/tests/system/checkconf/warn-duplicate-root-key.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/warn-keydir.conf b/bind/bind9/bin/tests/system/checkconf/warn-keydir.conf
index 502a4f3d..5b857509 100644
--- a/bind/bind9/bin/tests/system/checkconf/warn-keydir.conf
+++ b/bind/bind9/bin/tests/system/checkconf/warn-keydir.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkconf/warn-validation-auto-key.conf b/bind/bind9/bin/tests/system/checkconf/warn-validation-auto-key.conf
index 31a6e822..ba11af81 100644
--- a/bind/bind9/bin/tests/system/checkconf/warn-validation-auto-key.conf
+++ b/bind/bind9/bin/tests/system/checkconf/warn-validation-auto-key.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkds/clean.sh b/bind/bind9/bin/tests/system/checkds/clean.sh
index 436f66d3..c6693ce6 100644
--- a/bind/bind9/bin/tests/system/checkds/clean.sh
+++ b/bind/bind9/bin/tests/system/checkds/clean.sh
@@ -4,12 +4,10 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id$
-
 rm -f checkds.*
 rm -f ns*/named.lock
diff --git a/bind/bind9/bin/tests/system/checkds/dig.pl b/bind/bind9/bin/tests/system/checkds/dig.pl
index 51e5713e..237d6061 100644
--- a/bind/bind9/bin/tests/system/checkds/dig.pl
+++ b/bind/bind9/bin/tests/system/checkds/dig.pl
@@ -4,13 +4,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id$
-
 my $arg;
 my $ext;
 my $file;
diff --git a/bind/bind9/bin/tests/system/checkds/dig.sh b/bind/bind9/bin/tests/system/checkds/dig.sh
index b7472ea6..8c094708 100755
--- a/bind/bind9/bin/tests/system/checkds/dig.sh
+++ b/bind/bind9/bin/tests/system/checkds/dig.sh
@@ -4,14 +4,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id$
-
-
 while [ "$#" != 0 ]; do
     case $1 in
     +*) shift ;;
diff --git a/bind/bind9/bin/tests/system/checkds/tests.sh b/bind/bind9/bin/tests/system/checkds/tests.sh
index 141d83bf..5ee445ae 100644
--- a/bind/bind9/bin/tests/system/checkds/tests.sh
+++ b/bind/bind9/bin/tests/system/checkds/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/clean.sh b/bind/bind9/bin/tests/system/checknames/clean.sh
index 83073f9e..108406bc 100644
--- a/bind/bind9/bin/tests/system/checknames/clean.sh
+++ b/bind/bind9/bin/tests/system/checknames/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns1/fail.example.db.in b/bind/bind9/bin/tests/system/checknames/ns1/fail.example.db.in
index a9844712..64df5276 100644
--- a/bind/bind9/bin/tests/system/checknames/ns1/fail.example.db.in
+++ b/bind/bind9/bin/tests/system/checknames/ns1/fail.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns1/fail.update.db.in b/bind/bind9/bin/tests/system/checknames/ns1/fail.update.db.in
index 218f6bc3..5e21d176 100644
--- a/bind/bind9/bin/tests/system/checknames/ns1/fail.update.db.in
+++ b/bind/bind9/bin/tests/system/checknames/ns1/fail.update.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns1/ignore.example.db.in b/bind/bind9/bin/tests/system/checknames/ns1/ignore.example.db.in
index 050041e2..2140d9ae 100644
--- a/bind/bind9/bin/tests/system/checknames/ns1/ignore.example.db.in
+++ b/bind/bind9/bin/tests/system/checknames/ns1/ignore.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns1/ignore.update.db.in b/bind/bind9/bin/tests/system/checknames/ns1/ignore.update.db.in
index f7864ab3..a7a85ee2 100644
--- a/bind/bind9/bin/tests/system/checknames/ns1/ignore.update.db.in
+++ b/bind/bind9/bin/tests/system/checknames/ns1/ignore.update.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns1/named.conf.in b/bind/bind9/bin/tests/system/checknames/ns1/named.conf.in
index 99b8004e..17bb8e52 100644
--- a/bind/bind9/bin/tests/system/checknames/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/checknames/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns1/root.db b/bind/bind9/bin/tests/system/checknames/ns1/root.db
index 1a0d44bd..97193aad 100644
--- a/bind/bind9/bin/tests/system/checknames/ns1/root.db
+++ b/bind/bind9/bin/tests/system/checknames/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns1/warn.example.db.in b/bind/bind9/bin/tests/system/checknames/ns1/warn.example.db.in
index bc4d1c08..6a28da1e 100644
--- a/bind/bind9/bin/tests/system/checknames/ns1/warn.example.db.in
+++ b/bind/bind9/bin/tests/system/checknames/ns1/warn.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns1/warn.update.db.in b/bind/bind9/bin/tests/system/checknames/ns1/warn.update.db.in
index 1bf280a9..fc004ead 100644
--- a/bind/bind9/bin/tests/system/checknames/ns1/warn.update.db.in
+++ b/bind/bind9/bin/tests/system/checknames/ns1/warn.update.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns2/named.conf.in b/bind/bind9/bin/tests/system/checknames/ns2/named.conf.in
index bdec53da..ddfbc57a 100644
--- a/bind/bind9/bin/tests/system/checknames/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/checknames/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns2/root.hints b/bind/bind9/bin/tests/system/checknames/ns2/root.hints
index 962d33d9..d9555329 100644
--- a/bind/bind9/bin/tests/system/checknames/ns2/root.hints
+++ b/bind/bind9/bin/tests/system/checknames/ns2/root.hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns3/named.conf.in b/bind/bind9/bin/tests/system/checknames/ns3/named.conf.in
index d4a3cd94..f7e2a257 100644
--- a/bind/bind9/bin/tests/system/checknames/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/checknames/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns3/root.hints b/bind/bind9/bin/tests/system/checknames/ns3/root.hints
index 962d33d9..d9555329 100644
--- a/bind/bind9/bin/tests/system/checknames/ns3/root.hints
+++ b/bind/bind9/bin/tests/system/checknames/ns3/root.hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns4/master-ignore.update.db.in b/bind/bind9/bin/tests/system/checknames/ns4/master-ignore.update.db.in
index f7864ab3..a7a85ee2 100644
--- a/bind/bind9/bin/tests/system/checknames/ns4/master-ignore.update.db.in
+++ b/bind/bind9/bin/tests/system/checknames/ns4/master-ignore.update.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns4/named.conf.in b/bind/bind9/bin/tests/system/checknames/ns4/named.conf.in
index 5a97d499..aea85b40 100644
--- a/bind/bind9/bin/tests/system/checknames/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/checknames/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/ns4/root.hints b/bind/bind9/bin/tests/system/checknames/ns4/root.hints
index 962d33d9..d9555329 100644
--- a/bind/bind9/bin/tests/system/checknames/ns4/root.hints
+++ b/bind/bind9/bin/tests/system/checknames/ns4/root.hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/setup.sh b/bind/bind9/bin/tests/system/checknames/setup.sh
index 117c5022..c59c0c41 100644
--- a/bind/bind9/bin/tests/system/checknames/setup.sh
+++ b/bind/bind9/bin/tests/system/checknames/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checknames/tests.sh b/bind/bind9/bin/tests/system/checknames/tests.sh
index 74f783e4..357d2545 100644
--- a/bind/bind9/bin/tests/system/checknames/tests.sh
+++ b/bind/bind9/bin/tests/system/checknames/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/clean.sh b/bind/bind9/bin/tests/system/checkzone/clean.sh
index 95d3caaa..6f602768 100644
--- a/bind/bind9/bin/tests/system/checkzone/clean.sh
+++ b/bind/bind9/bin/tests/system/checkzone/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/setup.sh b/bind/bind9/bin/tests/system/checkzone/setup.sh
index 68144318..a3ab65cf 100644
--- a/bind/bind9/bin/tests/system/checkzone/setup.sh
+++ b/bind/bind9/bin/tests/system/checkzone/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/tests.sh b/bind/bind9/bin/tests/system/checkzone/tests.sh
index 022c3111..4c931ed6 100644
--- a/bind/bind9/bin/tests/system/checkzone/tests.sh
+++ b/bind/bind9/bin/tests/system/checkzone/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-caa-rr.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-caa-rr.db
index 9d22cd33..fb7b8618 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-caa-rr.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-caa-rr.db
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-cdnskey.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-cdnskey.db
index 63ecd055..b54023e2 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-cdnskey.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-cdnskey.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-cds.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-cds.db
index 955d9a89..0cb53f4e 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-cds.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-cds.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-dhcid.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-dhcid.db
index b2652b77..c26fd3ae 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-dhcid.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-dhcid.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db
index 9635a7ab..1664dc6d 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-eid.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-eid.db
index 96383740..03aa2512 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-eid.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-eid.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-generate-tkey.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-generate-tkey.db
index f86f15c7..91421f66 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-generate-tkey.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-generate-tkey.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-nimloc.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-nimloc.db
index bdfba728..2562a589 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-nimloc.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-nimloc.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-nsap-empty.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-nsap-empty.db
index 3ed2451a..65c6a3c3 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-nsap-empty.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-nsap-empty.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db
index f8c82f5a..531295d4 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-nsec3-padded.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-nsec3-padded.db
index 77d8ead2..e1cb30a0 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-nsec3-padded.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-nsec3-padded.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db
index 3f9bbb6a..48543430 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-tkey.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-tkey.db
index 00f25db9..33cdfab9 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-tkey.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-tkey.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-tsig.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-tsig.db
index 76af2e9a..9f2ae342 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-tsig.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-tsig.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad-unspec.db b/bind/bind9/bin/tests/system/checkzone/zones/bad-unspec.db
index 2352ff95..9813164f 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad-unspec.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad-unspec.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad1.db b/bind/bind9/bin/tests/system/checkzone/zones/bad1.db
index c17ab0cd..05ab8296 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad1.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad1.db
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad2.db b/bind/bind9/bin/tests/system/checkzone/zones/bad2.db
index e6afacdd..23fbdf27 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad2.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad3.db b/bind/bind9/bin/tests/system/checkzone/zones/bad3.db
index 44e45e51..23cb01f8 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad3.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad3.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/bad4.db b/bind/bind9/bin/tests/system/checkzone/zones/bad4.db
index 4e6ec79b..faad928d 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/bad4.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/bad4.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/badttl.db b/bind/bind9/bin/tests/system/checkzone/zones/badttl.db
index 43fb41a3..fbde3b04 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/badttl.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/badttl.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/crashzone.db b/bind/bind9/bin/tests/system/checkzone/zones/crashzone.db
index c6bd4e94..2a62e2a0 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/crashzone.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/crashzone.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db b/bind/bind9/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
index d26f51b5..20ff9c8b 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good-cdnskey.db b/bind/bind9/bin/tests/system/checkzone/zones/good-cdnskey.db
index 0288bfb6..dc614e4b 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good-cdnskey.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good-cdnskey.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good-cds.db b/bind/bind9/bin/tests/system/checkzone/zones/good-cds.db
index dd89bc96..85e8ee35 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good-cds.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good-cds.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db b/bind/bind9/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
index 566ce5b3..a87d2457 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good-gc-msdcs.db b/bind/bind9/bin/tests/system/checkzone/zones/good-gc-msdcs.db
index cf9bc745..9ec9e5a7 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good-gc-msdcs.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good-gc-msdcs.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good-nsap.db b/bind/bind9/bin/tests/system/checkzone/zones/good-nsap.db
index c7bc655a..84aa53e7 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good-nsap.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good-nsap.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db b/bind/bind9/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
index 4b4d4e4c..b1ee547c 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db b/bind/bind9/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
index caa78561..554c5887 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db b/bind/bind9/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
index bdc8c6b3..04481998 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/good1.db b/bind/bind9/bin/tests/system/checkzone/zones/good1.db
index f77f3ec2..e9e8223d 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/good1.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/good1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/inherit.db b/bind/bind9/bin/tests/system/checkzone/zones/inherit.db
index 61c9d2a4..ae990282 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/inherit.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/inherit.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db b/bind/bind9/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db
index 4083210e..af921cf3 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/ns-address-below-dname.db b/bind/bind9/bin/tests/system/checkzone/zones/ns-address-below-dname.db
index 7e65e577..37ae32c7 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/ns-address-below-dname.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/ns-address-below-dname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/spf.db b/bind/bind9/bin/tests/system/checkzone/zones/spf.db
index 6c0e7e55..dfeaeb4f 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/spf.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/spf.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/test1.db b/bind/bind9/bin/tests/system/checkzone/zones/test1.db
index bb75d3ce..ec8566ed 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/test1.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/test1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/test2.db b/bind/bind9/bin/tests/system/checkzone/zones/test2.db
index cee52ca6..13e36162 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/test2.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/test2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/warn.inherit.origin.db b/bind/bind9/bin/tests/system/checkzone/zones/warn.inherit.origin.db
index 5057cd95..b5c7c055 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/warn.inherit.origin.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/warn.inherit.origin.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/checkzone/zones/warn.inherited.owner.db b/bind/bind9/bin/tests/system/checkzone/zones/warn.inherited.owner.db
index 0879149f..ed22fcf4 100644
--- a/bind/bind9/bin/tests/system/checkzone/zones/warn.inherited.owner.db
+++ b/bind/bind9/bin/tests/system/checkzone/zones/warn.inherited.owner.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cleanall.sh b/bind/bind9/bin/tests/system/cleanall.sh
index 9ac023f4..96b7011b 100644
--- a/bind/bind9/bin/tests/system/cleanall.sh
+++ b/bind/bind9/bin/tests/system/cleanall.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cleanpkcs11.sh b/bind/bind9/bin/tests/system/cleanpkcs11.sh
index b974708b..3dfb0212 100644
--- a/bind/bind9/bin/tests/system/cleanpkcs11.sh
+++ b/bind/bind9/bin/tests/system/cleanpkcs11.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/common/controls.conf b/bind/bind9/bin/tests/system/common/controls.conf
index 8cd709cb..ee662bac 100644
--- a/bind/bind9/bin/tests/system/common/controls.conf
+++ b/bind/bind9/bin/tests/system/common/controls.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/common/controls.conf.in b/bind/bind9/bin/tests/system/common/controls.conf.in
index 69581151..04dc5263 100644
--- a/bind/bind9/bin/tests/system/common/controls.conf.in
+++ b/bind/bind9/bin/tests/system/common/controls.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/common/rndc.conf b/bind/bind9/bin/tests/system/common/rndc.conf
index 8fe0bc3b..3f264ece 100644
--- a/bind/bind9/bin/tests/system/common/rndc.conf
+++ b/bind/bind9/bin/tests/system/common/rndc.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/common/rndc.key b/bind/bind9/bin/tests/system/common/rndc.key
index b9def8ec..3ef41c30 100644
--- a/bind/bind9/bin/tests/system/common/rndc.key
+++ b/bind/bind9/bin/tests/system/common/rndc.key
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/common/root.hint b/bind/bind9/bin/tests/system/common/root.hint
index 418ea963..9883426b 100644
--- a/bind/bind9/bin/tests/system/common/root.hint
+++ b/bind/bind9/bin/tests/system/common/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/conf.sh.in b/bind/bind9/bin/tests/system/conf.sh.in
index 91264580..85792a9f 100644
--- a/bind/bind9/bin/tests/system/conf.sh.in
+++ b/bind/bind9/bin/tests/system/conf.sh.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -54,6 +54,7 @@ SIGNER=$TOP/bin/dnssec/dnssec-signzone
 REVOKE=$TOP/bin/dnssec/dnssec-revoke
 SETTIME=$TOP/bin/dnssec/dnssec-settime
 DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+HOST=$TOP/bin/dig/host
 IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
 CHECKDS=$TOP/bin/python/dnssec-checkds
 COVERAGE=$TOP/bin/python/dnssec-coverage
@@ -89,6 +90,8 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update
 
 # we don't want a KRB5_CONFIG setting breaking the tests
 KRB5_CONFIG=/dev/null
+# use local keytab instead of default /etc/krb5.keytab
+KRB5_KTNAME=dns.keytab
 
 # the amount of fake "entropy" to generate with GENRANDOM in
 # system tests
@@ -110,7 +113,7 @@ SEQUENTIALDIRS="ecdsa eddsa gost lwresd @PKCS11_TEST@ tkey"
 # Note: some of the longer-running tests are scheduled first,
 # in order to get more benefit from parallelism.
 PARALLELDIRS="dnssec rpzrecurse \
-	acl additional addzone allow-query autosign \
+	acl additional addzone allow-query auth autosign \
 	builtin cacheclean case catz chain \
 	checkconf checknames checkzone \
 	@CHECKDS@ @COVERAGE@ @KEYMGR@ \
@@ -204,6 +207,8 @@ else
     COLOR_WARN=''
 fi
 
+SYSTESTDIR="`basename $PWD`"
+
 if type printf > /dev/null 2>&1
 then
 	echofail () {
@@ -224,6 +229,23 @@ then
 	echoend () {
 		printf "${COLOR_END}%s${COLOR_NONE}\n" "$*"
 	}
+	echo_i() {
+	    printf '%s\n' "$*" | while read -r __LINE ; do
+	       echoinfo "I:$SYSTESTDIR:$__LINE"
+	    done
+	}
+
+	echo_ic() {
+	    printf '%s\n' "$*" | while read -r __LINE ; do
+	       echoinfo "I:$SYSTESTDIR:  $__LINE"
+	    done
+	}
+
+	echo_d() {
+	    printf '%s\n' "$*" | while read -r __LINE ; do
+	       echoinfo "D:$SYSTESTDIR:$__LINE"
+	    done
+	}
 else
 	echofail () {
 		echo "$*"
@@ -243,36 +265,34 @@ else
 	echoend () {
 		echo "$*"
 	}
-fi
 
-SYSTESTDIR="`basename $PWD`"
+	echo_i() {
+	    echo "$@" | while read -r __LINE ; do
+	       echoinfo "I:$SYSTESTDIR:$__LINE"
+	    done
+	}
 
-echo_i() {
-    echo "$@" | while read __LINE ; do
-       echoinfo "I:$SYSTESTDIR:$__LINE"
-    done
-}
+	echo_ic() {
+	    echo "$@" | while read -r __LINE ; do
+	       echoinfo "I:$SYSTESTDIR:  $__LINE"
+	    done
+	}
 
-echo_ic() {
-    echo "$@" | while read __LINE ; do
-       echoinfo "I:$SYSTESTDIR:  $__LINE"
-    done
-}
+	echo_d() {
+	    echo "$@" | while read -r __LINE ; do
+	       echoinfo "D:$SYSTESTDIR:$__LINE"
+	    done
+	}
+fi
 
 cat_i() {
-    while read __LINE ; do
+    while read -r __LINE ; do
        echoinfo "I:$SYSTESTDIR:$__LINE"
     done
 }
 
-echo_d() {
-    echo "$@" | while read __LINE ; do
-       echoinfo "D:$SYSTESTDIR:$__LINE"
-    done
-}
-
 cat_d() {
-    while read __LINE ; do
+    while read -r __LINE ; do
        echoinfo "D:$SYSTESTDIR:$__LINE"
     done
 }
@@ -498,6 +518,22 @@ retry_quiet() {
 	_retry "$@"
 }
 
+# _repeat: keep running command up to $1 times, unless it fails
+_repeat() (
+    __retries="${1}"
+    shift
+    while :; do
+        if ! "$@"; then
+            return 1
+        fi
+        __retries=$((__retries-1))
+        if [ "${__retries}" -le 0 ]; then
+            break
+        fi
+    done
+    return 0
+)
+
 # rndc_dumpdb: call "rndc dumpdb [...]" and wait until it completes
 #
 # The first argument is the name server instance to send the command to, in the
@@ -593,6 +629,7 @@ export KEYGEN
 export KEYSETTOOL
 export KEYSIGNER
 export KRB5_CONFIG
+export KRB5_KTNAME
 export LWRESD
 export LWTEST
 export MAKEJOURNAL
diff --git a/bind/bind9/bin/tests/system/conf.sh.win32 b/bind/bind9/bin/tests/system/conf.sh.win32
index d0b02fba..dd5c7af5 100644
--- a/bind/bind9/bin/tests/system/conf.sh.win32
+++ b/bind/bind9/bin/tests/system/conf.sh.win32
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -99,6 +99,8 @@ PIPEQUERIES=$TOP/Build/$VSCONF/pipequeries@EXEEXT@
 
 # we don't want a KRB5_CONFIG setting breaking the tests
 KRB5_CONFIG=NUL
+# use local keytab instead of default /etc/krb5.keytab
+KRB5_KTNAME=dns.keytab
 
 # the amount of fake "entropy" to generate with GENRANDOM in
 # system tests
@@ -230,23 +232,35 @@ echoend () {
 SYSTESTDIR="`basename $PWD`"
 
 echo_i() {
-    echo "$@" | while read __LINE ; do
+    printf '%s\n' "$*" | while read -r __LINE ; do
        echoinfo "I:$SYSTESTDIR:$__LINE"
     done
 }
 
 echo_ic() {
-    echo "$@" | while read __LINE ; do
+    printf '%s\n' "$*" | while read -r __LINE ; do
        echoinfo "I:$SYSTESTDIR:  $__LINE"
     done
 }
 
+echo_d() {
+    echo "$@" | while read -r __LINE ; do
+       echoinfo "D:$SYSTESTDIR:$__LINE"
+    done
+}
+
 cat_i() {
-    while read __LINE ; do
+    while read -r __LINE ; do
        echoinfo "I:$SYSTESTDIR:$__LINE"
     done
 }
 
+cat_d() {
+    while read -r __LINE ; do
+       echoinfo "D:$SYSTESTDIR:$__LINE"
+    done
+}
+
 digcomp() {
     output=`$PERL $SYSTEMTESTTOP/digcomp.pl "$@"`
     result=$?
@@ -467,6 +481,22 @@ retry_quiet() {
 	_retry "$@"
 }
 
+# _repeat: keep running command up to $1 times, unless it fails
+_repeat() (
+    __retries="${1}"
+    shift
+    while :; do
+        if ! "$@"; then
+            return 1
+        fi
+        __retries=$((__retries-1))
+        if [ "${__retries}" -le 0 ]; then
+            break
+        fi
+    done
+    return 0
+)
+
 # rndc_dumpdb: call "rndc dumpdb [...]" and wait until it completes
 #
 # The first argument is the name server instance to send the command to, in the
@@ -568,6 +598,7 @@ export KEYGEN
 export KEYSETTOOL
 export KEYSIGNER
 export KRB5_CONFIG
+export KRB5_KTNAME
 export LWRESD
 export LWTEST
 export MAKEJOURNAL
diff --git a/bind/bind9/bin/tests/system/cookie/.gitignore b/bind/bind9/bin/tests/system/cookie/.gitignore
deleted file mode 100644
index eee491d3..00000000
--- a/bind/bind9/bin/tests/system/cookie/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-prereq.sh
diff --git a/bind/bind9/bin/tests/system/cookie/ans9/ans.py b/bind/bind9/bin/tests/system/cookie/ans9/ans.py
new file mode 100644
index 00000000..b454fc8c
--- /dev/null
+++ b/bind/bind9/bin/tests/system/cookie/ans9/ans.py
@@ -0,0 +1,277 @@
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns
+import dns.edns
+import dns.flags
+import dns.message
+import dns.query
+import dns.tsig
+import dns.tsigkeyring
+import dns.version
+
+from dns.edns import *
+from dns.name import *
+from dns.rcode import *
+from dns.rdataclass import *
+from dns.rdatatype import *
+from dns.tsig import *
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+# DNS 2.0 keyring specifies the algorithm
+try:
+    keyring = dns.tsigkeyring.from_text({ "foo" : {
+                                                   "hmac-sha256",
+                                                   "aaaaaaaaaaaa"
+                                                  } ,
+                                          "fake" : {
+                                                   "hmac-sha256",
+                                                   "aaaaaaaaaaaa"
+                                                  }
+                                         })
+except:
+    keyring = dns.tsigkeyring.from_text({ "foo" : "aaaaaaaaaaaa",
+                                           "fake" : "aaaaaaaaaaaa" })
+
+dopass2 = False
+
+############################################################################
+#
+# This server will serve valid and spoofed answers. A spoofed answer will
+# have the address 10.53.0.10 included.
+#
+# When receiving a query over UDP:
+#
+# A query to "nocookie"/A will result in a spoofed answer with no cookie set.
+# A query to "tcponly"/A will result in a spoofed answer with no cookie set.
+# A query to "withtsig"/A will result in two responses, the first is a spoofed
+# answer that is TSIG signed, the second is a valid answer with a cookie set.
+# A query to anything else will result in a valid answer with a cookie set.
+#
+# When receiving a query over TCP:
+#
+# A query to "nocookie"/A will result in a valid answer with no cookie set.
+# A query to anything else will result in a valid answer with a cookie set.
+#
+############################################################################
+def create_response(msg, tcp, first, ns10):
+    global dopass2
+    m = dns.message.from_wire(msg, keyring=keyring)
+    qname = m.question[0].name.to_text()
+    lqname = qname.lower()
+    labels = lqname.split('.')
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, qname))
+        print("%s %s" % (typename, qname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+    if rrtype == A:
+        # exempt potential nameserver A records.
+        if labels[0] == "ns" and ns10:
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        else:
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.9"))
+        if not tcp and labels[0] == "nocookie":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        if not tcp and labels[0] == "tcponly":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        if first and not tcp and labels[0] == "withtsig":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+            dopass2 = True
+    elif rrtype == NS:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
+    elif rrtype == SOA:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    else:
+        r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    # Add a server cookie to the response
+    if labels[0] != "nocookie":
+        for o in m.options:
+            if o.otype == 10: # Use 10 instead of COOKIE
+                 if first and labels[0] == "withtsig" and not tcp:
+                     r.use_tsig(keyring = keyring,
+                                keyname = dns.name.from_text("fake"),
+                                algorithm = HMAC_SHA256)
+                 elif labels[0] != "tcponly" or tcp:
+                     cookie = o
+                     if len(o.data) == 8:
+                         cookie.data = o.data + o.data
+                     else:
+                         cookie.data = o.data
+                     r.use_edns(options=[cookie])
+    r.flags |= dns.flags.AA
+    return r
+
+def sigterm(signum, frame):
+    print ("Shutting down now...")
+    os.remove('ans.pid')
+    running = False
+    sys.exit(0)
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4_addr1 = "10.53.0.9"
+ip4_addr2 = "10.53.0.10"
+ip6_addr1 = "fd92:7065:b8e:ffff::9"
+ip6_addr2 = "fd92:7065:b8e:ffff::10"
+
+try: port=int(os.environ['PORT'])
+except: port=5300
+
+query4_udp1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_udp1.bind((ip4_addr1, port))
+query4_tcp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+query4_tcp1.bind((ip4_addr1, port))
+query4_tcp1.listen(1)
+query4_tcp1.settimeout(1)
+
+query4_udp2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_udp2.bind((ip4_addr2, port))
+query4_tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+query4_tcp2.bind((ip4_addr2, port))
+query4_tcp2.listen(1)
+query4_tcp2.settimeout(1)
+
+havev6 = True
+query6_udp1 = None
+query6_udp2 = None
+query6_tcp1 = None
+query6_tcp2 = None
+try:
+    query6_udp1 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    query6_udp1.bind((ip6_addr1, port))
+    query6_tcp1 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+    query6_tcp1.bind((ip6_addr1, port))
+    query6_tcp1.listen(1)
+    query6_tcp1.settimeout(1)
+
+    query6_udp2 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    query6_udp2.bind((ip6_addr2, port))
+    query6_tcp2 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+    query6_tcp2.bind((ip6_addr2, port))
+    query6_tcp2.listen(1)
+    query6_tcp2.settimeout(1)
+except:
+    if query6_udp1 != None:
+        query6_udp1.close()
+    if query6_tcp1 != None:
+        query6_tcp1.close()
+    if query6_udp2 != None:
+        query6_udp2.close()
+    if query6_tcp2 != None:
+        query6_tcp2.close()
+    havev6 = False
+
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open('ans.pid', 'w')
+pid = os.getpid()
+print (pid, file=f)
+f.close()
+
+running = True
+
+print ("Using DNS version %s" % dns.version.version)
+print ("Listening on %s port %d" % (ip4_addr1, port))
+print ("Listening on %s port %d" % (ip4_addr2, port))
+if havev6:
+    print ("Listening on %s port %d" % (ip6_addr1, port))
+    print ("Listening on %s port %d" % (ip6_addr2, port))
+print ("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_udp1, query6_udp1, query4_tcp1, query6_tcp1,
+             query4_udp2, query6_udp2, query4_tcp2, query6_tcp2]
+else:
+    input = [query4_udp1, query4_tcp1, query4_udp2, query4_tcp2]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        ns10 = False
+        if s == query4_udp1 or s == query6_udp1 or \
+           s == query4_udp2 or s == query6_udp2:
+            if s == query4_udp1 or s == query6_udp1:
+                print ("UDP Query received on %s" %
+                       (ip4_addr1 if s == query4_udp1 else ip6_addr1), end=" ")
+            if s == query4_udp2 or s == query6_udp2:
+                print ("UDP Query received on %s" %
+                       (ip4_addr2 if s == query4_udp2 else ip6_addr2), end=" ")
+                ns10 = True
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            dopass2 = False
+            rsp = create_response(msg[0], False, True, ns10)
+            print(dns.rcode.to_text(rsp.rcode()))
+            s.sendto(rsp.to_wire(), msg[1])
+            if dopass2:
+                print ("Sending second UDP response without TSIG", end=" ")
+                rsp = create_response(msg[0], False, False, ns10)
+                s.sendto(rsp.to_wire(), msg[1])
+                print(dns.rcode.to_text(rsp.rcode()))
+
+        if s == query4_tcp1 or s == query6_tcp1 or \
+           s == query4_tcp2 or s == query6_tcp2:
+            try:
+                (cs, _) = s.accept()
+                if s == query4_tcp1 or s == query6_tcp1:
+                    print ("TCP Query received on %s" %
+                           (ip4_addr1 if s == query4_tcp1 else ip6_addr1), end=" ")
+                if s == query4_tcp2 or s == query6_tcp2:
+                    print ("TCP Query received on %s" %
+                           (ip4_addr2 if s == query4_tcp2 else ip6_addr2), end=" ")
+                    ns10 = True
+                # get TCP message length
+                buf = cs.recv(2)
+                length = struct.unpack('>H', buf[:2])[0]
+                # grep DNS message
+                msg = cs.recv(length)
+                rsp = create_response(msg, True, True, ns10)
+                print(dns.rcode.to_text(rsp.rcode()))
+                wire = rsp.to_wire()
+                cs.send(struct.pack('>H', len(wire)))
+                cs.send(wire)
+                cs.close()
+            except s.timeout:
+                pass
+    if not running:
+        break
diff --git a/bind/bind9/bin/tests/system/cookie/bad-cookie-badhex.conf b/bind/bind9/bin/tests/system/cookie/bad-cookie-badhex.conf
index 318425f9..5ce0d656 100644
--- a/bind/bind9/bin/tests/system/cookie/bad-cookie-badhex.conf
+++ b/bind/bind9/bin/tests/system/cookie/bad-cookie-badhex.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/bad-cookie-badsha1.conf b/bind/bind9/bin/tests/system/cookie/bad-cookie-badsha1.conf
index f22dd49e..f1c0c2a7 100644
--- a/bind/bind9/bin/tests/system/cookie/bad-cookie-badsha1.conf
+++ b/bind/bind9/bin/tests/system/cookie/bad-cookie-badsha1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/bad-cookie-badsha256.conf b/bind/bind9/bin/tests/system/cookie/bad-cookie-badsha256.conf
index 3442099a..dd949d1f 100644
--- a/bind/bind9/bin/tests/system/cookie/bad-cookie-badsha256.conf
+++ b/bind/bind9/bin/tests/system/cookie/bad-cookie-badsha256.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/bad-cookie-toolong.conf b/bind/bind9/bin/tests/system/cookie/bad-cookie-toolong.conf
index 3171b3c5..02de9ae4 100644
--- a/bind/bind9/bin/tests/system/cookie/bad-cookie-toolong.conf
+++ b/bind/bind9/bin/tests/system/cookie/bad-cookie-toolong.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/clean.sh b/bind/bind9/bin/tests/system/cookie/clean.sh
index 3b1899f4..9364329c 100644
--- a/bind/bind9/bin/tests/system/cookie/clean.sh
+++ b/bind/bind9/bin/tests/system/cookie/clean.sh
@@ -2,13 +2,14 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
 rm -f ns*/named.conf
 rm -f dig.out.*
+rm -f named.run.*
 rm -f rndc.out.*
 rm -f ns1/named_dump.db*
 rm -f ns*/named.memstats
@@ -16,3 +17,6 @@ rm -f ns*/named.run
 rm -f ns*/named.lock
 rm -f ./good-cookie-aes.conf
 rm -f ./bad-cookie-badaes.conf
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.run.prev
+rm -f ans*/ans.run ans*/ans.log ans*/query.log
diff --git a/bind/bind9/bin/tests/system/cookie/good-cookie-sha1.conf b/bind/bind9/bin/tests/system/cookie/good-cookie-sha1.conf
index 315732bf..75ded8db 100644
--- a/bind/bind9/bin/tests/system/cookie/good-cookie-sha1.conf
+++ b/bind/bind9/bin/tests/system/cookie/good-cookie-sha1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/good-cookie-sha256.conf b/bind/bind9/bin/tests/system/cookie/good-cookie-sha256.conf
index 2fe68f2e..562d105d 100644
--- a/bind/bind9/bin/tests/system/cookie/good-cookie-sha256.conf
+++ b/bind/bind9/bin/tests/system/cookie/good-cookie-sha256.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns1/example.db b/bind/bind9/bin/tests/system/cookie/ns1/example.db
index fae6856e..1801d365 100644
--- a/bind/bind9/bin/tests/system/cookie/ns1/example.db
+++ b/bind/bind9/bin/tests/system/cookie/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns1/named.conf.in b/bind/bind9/bin/tests/system/cookie/ns1/named.conf.in
index 6548f2d2..02a1a904 100644
--- a/bind/bind9/bin/tests/system/cookie/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/cookie/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -14,6 +14,15 @@ key rndc_key {
 	algorithm hmac-sha256;
 };
 
+key foo {
+	secret "aaaaaaaaaaaa";
+	algorithm hmac-sha256;
+};
+
+server 10.53.0.10 {
+	keys foo;
+};
+
 controls {
 	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
diff --git a/bind/bind9/bin/tests/system/cookie/ns1/root.hint b/bind/bind9/bin/tests/system/cookie/ns1/root.hint
index 64769b9f..8b55c604 100644
--- a/bind/bind9/bin/tests/system/cookie/ns1/root.hint
+++ b/bind/bind9/bin/tests/system/cookie/ns1/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns2/named.conf.in b/bind/bind9/bin/tests/system/cookie/ns2/named.conf.in
index 08dcf494..bb4717b7 100644
--- a/bind/bind9/bin/tests/system/cookie/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/cookie/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns2/root.db b/bind/bind9/bin/tests/system/cookie/ns2/root.db
index 96410eef..6737850c 100644
--- a/bind/bind9/bin/tests/system/cookie/ns2/root.db
+++ b/bind/bind9/bin/tests/system/cookie/ns2/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -20,3 +20,7 @@ large.xxx TXT	( large large large large large large large large
 		  large large large large large large large large
 		  large large large large large large large large
 		  large large large large large large large large )
+tld.	NS	ns.tld.
+ns.tld	A	10.53.0.9
+tsig.	NS	ns.tsig.
+ns.tsig	A	10.53.0.10
diff --git a/bind/bind9/bin/tests/system/cookie/ns3/named.conf.in b/bind/bind9/bin/tests/system/cookie/ns3/named.conf.in
index 12500f54..3377d76c 100644
--- a/bind/bind9/bin/tests/system/cookie/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/cookie/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns3/root.hint b/bind/bind9/bin/tests/system/cookie/ns3/root.hint
index 64769b9f..8b55c604 100644
--- a/bind/bind9/bin/tests/system/cookie/ns3/root.hint
+++ b/bind/bind9/bin/tests/system/cookie/ns3/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns4/named.conf.in b/bind/bind9/bin/tests/system/cookie/ns4/named.conf.in
index c993dd2d..6097a2ac 100644
--- a/bind/bind9/bin/tests/system/cookie/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/cookie/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns4/root.hint b/bind/bind9/bin/tests/system/cookie/ns4/root.hint
index 64769b9f..8b55c604 100644
--- a/bind/bind9/bin/tests/system/cookie/ns4/root.hint
+++ b/bind/bind9/bin/tests/system/cookie/ns4/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns5/named.conf.in b/bind/bind9/bin/tests/system/cookie/ns5/named.conf.in
index a46f32f9..8188cd97 100644
--- a/bind/bind9/bin/tests/system/cookie/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/cookie/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns5/root.hint b/bind/bind9/bin/tests/system/cookie/ns5/root.hint
index 64769b9f..8b55c604 100644
--- a/bind/bind9/bin/tests/system/cookie/ns5/root.hint
+++ b/bind/bind9/bin/tests/system/cookie/ns5/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns6/named.conf.in b/bind/bind9/bin/tests/system/cookie/ns6/named.conf.in
index b61d3213..f9fa2f20 100644
--- a/bind/bind9/bin/tests/system/cookie/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/cookie/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns6/root.hint b/bind/bind9/bin/tests/system/cookie/ns6/root.hint
index 64769b9f..8b55c604 100644
--- a/bind/bind9/bin/tests/system/cookie/ns6/root.hint
+++ b/bind/bind9/bin/tests/system/cookie/ns6/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns7/named.conf.in b/bind/bind9/bin/tests/system/cookie/ns7/named.conf.in
index 9c25220b..633ee18c 100644
--- a/bind/bind9/bin/tests/system/cookie/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/cookie/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns7/root.db b/bind/bind9/bin/tests/system/cookie/ns7/root.db
index 96410eef..0930dd83 100644
--- a/bind/bind9/bin/tests/system/cookie/ns7/root.db
+++ b/bind/bind9/bin/tests/system/cookie/ns7/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns8/example.db b/bind/bind9/bin/tests/system/cookie/ns8/example.db
index 0693de06..bb066f1c 100644
--- a/bind/bind9/bin/tests/system/cookie/ns8/example.db
+++ b/bind/bind9/bin/tests/system/cookie/ns8/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/ns8/named.conf.in b/bind/bind9/bin/tests/system/cookie/ns8/named.conf.in
index 36bc29d2..9f6d4da1 100644
--- a/bind/bind9/bin/tests/system/cookie/ns8/named.conf.in
+++ b/bind/bind9/bin/tests/system/cookie/ns8/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/prereq.sh b/bind/bind9/bin/tests/system/cookie/prereq.sh
new file mode 100644
index 00000000..7dce737b
--- /dev/null
+++ b/bind/bind9/bin/tests/system/cookie/prereq.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bind/bind9/bin/tests/system/cookie/setup.sh b/bind/bind9/bin/tests/system/cookie/setup.sh
index edcb7802..a948debe 100644
--- a/bind/bind9/bin/tests/system/cookie/setup.sh
+++ b/bind/bind9/bin/tests/system/cookie/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/cookie/tests.sh b/bind/bind9/bin/tests/system/cookie/tests.sh
index 8e711039..d01a8d5e 100755
--- a/bind/bind9/bin/tests/system/cookie/tests.sh
+++ b/bind/bind9/bin/tests/system/cookie/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -303,5 +303,211 @@ grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "check that test server is correctly configured ($n)"
+ret=0
+pat="; COOKIE: ................................ (good)"
+#UDP
+$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null  || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3
+grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null  || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4
+grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1
+
+#TCP
+$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5
+grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6
+grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7
+grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8
+grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.8 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that spoofed response is dropped when we have a server cookie ($n)"
+ret=0
+msg="missing expected cookie from"
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# spoofed response contains 10.53.0.10
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2
+wait_for_log 5 "$msg" ns1/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)"
+ret=0
+msg="missing expected cookie from"
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# check the disabled server response
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2
+wait_for_log 5 "$msg" ns1/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)"
+ret=0
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# spoofed response contains 10.53.0.10
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+nextpart ns1/named.run > named.run.test$n
+count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
+test $count -eq 1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if $PYTHON -c '
+import dns.version, sys;
+if dns.version.MAJOR > 1: sys.exit(0);
+if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
+sys.exit(1)'
+then
+  n=`expr $n + 1`
+  echo_i "check that TSIG test server is correctly configured ($n)"
+  ret=0
+  pat="; COOKIE: ................................ (good)"
+  key=hmac-sha256:foo:aaaaaaaaaaaa
+  #UDP
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1
+  grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2
+  grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null  || ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3
+  grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null  || ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  #TCP
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5
+  grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6
+  grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7
+  grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=`expr $n + 1`
+  echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)"
+  ret=0
+  pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
+  # prime EDNS COOKIE state
+  $DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1
+  grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+  rndc_dumpdb ns1
+  grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+  # check the disabled server response
+  nextpart ns1/named.run >/dev/null
+  $DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2
+  grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
+  nextpart ns1/named.run > named.run.test$n
+  count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
+  test $count -eq 2 || ret=1
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/coverage/clean.sh b/bind/bind9/bin/tests/system/coverage/clean.sh
index 9917e2e2..e662b8ed 100644
--- a/bind/bind9/bin/tests/system/coverage/clean.sh
+++ b/bind/bind9/bin/tests/system/coverage/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/coverage/prereq.sh b/bind/bind9/bin/tests/system/coverage/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/coverage/prereq.sh
+++ b/bind/bind9/bin/tests/system/coverage/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/coverage/setup.sh b/bind/bind9/bin/tests/system/coverage/setup.sh
index 31153a7d..eee0b138 100644
--- a/bind/bind9/bin/tests/system/coverage/setup.sh
+++ b/bind/bind9/bin/tests/system/coverage/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/coverage/tests.sh b/bind/bind9/bin/tests/system/coverage/tests.sh
index 74343585..dcb3a487 100644
--- a/bind/bind9/bin/tests/system/coverage/tests.sh
+++ b/bind/bind9/bin/tests/system/coverage/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/database/clean.sh b/bind/bind9/bin/tests/system/database/clean.sh
index 5a08ae0c..f0fd5c35 100644
--- a/bind/bind9/bin/tests/system/database/clean.sh
+++ b/bind/bind9/bin/tests/system/database/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/database/ns1/named1.conf.in b/bind/bind9/bin/tests/system/database/ns1/named1.conf.in
index 8fa82ae0..ea9aaac9 100644
--- a/bind/bind9/bin/tests/system/database/ns1/named1.conf.in
+++ b/bind/bind9/bin/tests/system/database/ns1/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/database/ns1/named2.conf.in b/bind/bind9/bin/tests/system/database/ns1/named2.conf.in
index 8238f548..2c5d70b7 100644
--- a/bind/bind9/bin/tests/system/database/ns1/named2.conf.in
+++ b/bind/bind9/bin/tests/system/database/ns1/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/database/setup.sh b/bind/bind9/bin/tests/system/database/setup.sh
index 8aa0d68b..0d276a1f 100644
--- a/bind/bind9/bin/tests/system/database/setup.sh
+++ b/bind/bind9/bin/tests/system/database/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/database/tests.sh b/bind/bind9/bin/tests/system/database/tests.sh
index 7fa9337b..c543a6a6 100644
--- a/bind/bind9/bin/tests/system/database/tests.sh
+++ b/bind/bind9/bin/tests/system/database/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/delzone/clean.sh b/bind/bind9/bin/tests/system/delzone/clean.sh
index 9a1c79fd..3e62e23d 100644
--- a/bind/bind9/bin/tests/system/delzone/clean.sh
+++ b/bind/bind9/bin/tests/system/delzone/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/delzone/ns1/inlineslave.db b/bind/bind9/bin/tests/system/delzone/ns1/inlineslave.db
index 625349ec..fe4658e0 100644
--- a/bind/bind9/bin/tests/system/delzone/ns1/inlineslave.db
+++ b/bind/bind9/bin/tests/system/delzone/ns1/inlineslave.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/delzone/ns1/named.conf b/bind/bind9/bin/tests/system/delzone/ns1/named.conf
index 8b6c4415..290d335a 100644
--- a/bind/bind9/bin/tests/system/delzone/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/delzone/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/delzone/ns2/added.db b/bind/bind9/bin/tests/system/delzone/ns2/added.db
index 9b54d192..82f34308 100644
--- a/bind/bind9/bin/tests/system/delzone/ns2/added.db
+++ b/bind/bind9/bin/tests/system/delzone/ns2/added.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/delzone/ns2/named.conf b/bind/bind9/bin/tests/system/delzone/ns2/named.conf
index 8532e500..6eacb64b 100644
--- a/bind/bind9/bin/tests/system/delzone/ns2/named.conf
+++ b/bind/bind9/bin/tests/system/delzone/ns2/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/delzone/ns2/normal.db b/bind/bind9/bin/tests/system/delzone/ns2/normal.db
index 50450928..86916b82 100644
--- a/bind/bind9/bin/tests/system/delzone/ns2/normal.db
+++ b/bind/bind9/bin/tests/system/delzone/ns2/normal.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/delzone/tests.sh b/bind/bind9/bin/tests/system/delzone/tests.sh
index dd0a2dec..6810f906 100755
--- a/bind/bind9/bin/tests/system/delzone/tests.sh
+++ b/bind/bind9/bin/tests/system/delzone/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,20 +16,20 @@ DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnss
 status=0
 n=0
 
-echo "I:checking normally loaded zone ($n)"
+echo_i "checking normally loaded zone ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 if [ -x "$PYTHON" ]; then 
-echo "I:adding and deleting 20000 new zones ($n)"
+echo_i "adding and deleting 20000 new zones ($n)"
 ret=0
     time (
-        echo "I:adding"
+        echo_i "adding"
         $PYTHON << EOF
 import sys
 sys.path.insert(0, '../../../../bin/python')
@@ -42,7 +42,7 @@ for i in range(20000):
 EOF
     )
     time (
-        echo "I:deleting"
+        echo_i "deleting"
         $PYTHON << EOF
 import sys
 sys.path.insert(0, '../../../../bin/python')
@@ -55,9 +55,9 @@ for i in range(20000):
 EOF
     )
     n=`expr $n + 1`
-    if [ $ret != 0 ]; then echo "I:failed"; fi
+    if [ $ret != 0 ]; then echo_i "failed"; fi
     status=`expr $status + $ret`
 fi
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 exit $status
diff --git a/bind/bind9/bin/tests/system/dialup/clean.sh b/bind/bind9/bin/tests/system/dialup/clean.sh
index 867d6986..0ec62d5b 100644
--- a/bind/bind9/bin/tests/system/dialup/clean.sh
+++ b/bind/bind9/bin/tests/system/dialup/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dialup/ns1/example.db b/bind/bind9/bin/tests/system/dialup/ns1/example.db
index e1f203ee..6c5c5d1c 100644
--- a/bind/bind9/bin/tests/system/dialup/ns1/example.db
+++ b/bind/bind9/bin/tests/system/dialup/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dialup/ns1/named.conf b/bind/bind9/bin/tests/system/dialup/ns1/named.conf
index d184cd82..0f06d4e8 100644
--- a/bind/bind9/bin/tests/system/dialup/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/dialup/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dialup/ns1/root.db b/bind/bind9/bin/tests/system/dialup/ns1/root.db
index 7baffd2b..0cb75755 100644
--- a/bind/bind9/bin/tests/system/dialup/ns1/root.db
+++ b/bind/bind9/bin/tests/system/dialup/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dialup/ns2/hint.db b/bind/bind9/bin/tests/system/dialup/ns2/hint.db
index ffb6dcff..c00c2769 100644
--- a/bind/bind9/bin/tests/system/dialup/ns2/hint.db
+++ b/bind/bind9/bin/tests/system/dialup/ns2/hint.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dialup/ns2/named.conf b/bind/bind9/bin/tests/system/dialup/ns2/named.conf
index a71d685b..51d76794 100644
--- a/bind/bind9/bin/tests/system/dialup/ns2/named.conf
+++ b/bind/bind9/bin/tests/system/dialup/ns2/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dialup/ns3/hint.db b/bind/bind9/bin/tests/system/dialup/ns3/hint.db
index ffb6dcff..c00c2769 100644
--- a/bind/bind9/bin/tests/system/dialup/ns3/hint.db
+++ b/bind/bind9/bin/tests/system/dialup/ns3/hint.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dialup/ns3/named.conf b/bind/bind9/bin/tests/system/dialup/ns3/named.conf
index 7a7b4247..b4dcb250 100644
--- a/bind/bind9/bin/tests/system/dialup/ns3/named.conf
+++ b/bind/bind9/bin/tests/system/dialup/ns3/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dialup/tests.sh b/bind/bind9/bin/tests/system/dialup/tests.sh
index a910783f..64e8fd0c 100644
--- a/bind/bind9/bin/tests/system/dialup/tests.sh
+++ b/bind/bind9/bin/tests/system/dialup/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -21,7 +21,7 @@ DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p 5300"
 # Check the example. domain
 
 $DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1
-echo "I:checking that first zone transfer worked"
+echo_i "checking that first zone transfer worked"
 ret=0
 try=0
 while test $try -lt 120
@@ -36,11 +36,11 @@ do
 		break;
 	fi
 done
-echo "I:try $try"
-if [ $ret != 0 ]; then echo "I:failed"; fi
+echo_i "try $try"
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo "I:checking that second zone transfer worked"
+echo_i "checking that second zone transfer worked"
 ret=0
 try=0
 while test $try -lt 120
@@ -55,9 +55,9 @@ do
 		break;
 	fi
 done
-echo "I:try $try"
-if [ $ret != 0 ]; then echo "I:failed"; fi
+echo_i "try $try"
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/digcomp.pl b/bind/bind9/bin/tests/system/digcomp.pl
index fa038160..228caf41 100644
--- a/bind/bind9/bin/tests/system/digcomp.pl
+++ b/bind/bind9/bin/tests/system/digcomp.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/digdelv/ans7/ans.pl b/bind/bind9/bin/tests/system/digdelv/ans7/ans.pl
new file mode 100755
index 00000000..0c62043c
--- /dev/null
+++ b/bind/bind9/bin/tests/system/digdelv/ans7/ans.pl
@@ -0,0 +1,66 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.7",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+STDOUT->autoflush(1);
+
+print "Net::DNS::VERSION => $Net::DNS::VERSION\n";
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+	$packet->header->opcode(5);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	$packet->push("update", rr_del("$qname SOA"));
+
+	print "RESPONSE:\n";
+	$packet->print;
+
+	$sock->send($packet->data);
+}
diff --git a/bind/bind9/bin/tests/system/digdelv/clean.sh b/bind/bind9/bin/tests/system/digdelv/clean.sh
index 681c027a..961dc7f3 100644
--- a/bind/bind9/bin/tests/system/digdelv/clean.sh
+++ b/bind/bind9/bin/tests/system/digdelv/clean.sh
@@ -4,14 +4,16 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
 rm -f dig.out.*test*
 rm -f delv.out.test*
+rm -f host.out.test*
+rm -f nslookup.out.test*
 rm -f */named.memstats
 rm -f */named.run
 rm -f */named.conf
-rm -f ns*/named.lock
+rm -f ./nsupdate.out.test*
diff --git a/bind/bind9/bin/tests/system/digdelv/ns1/named.conf.in b/bind/bind9/bin/tests/system/digdelv/ns1/named.conf.in
index 92acac9f..6017c1bd 100644
--- a/bind/bind9/bin/tests/system/digdelv/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/digdelv/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/digdelv/ns1/root.db b/bind/bind9/bin/tests/system/digdelv/ns1/root.db
index 76ed2a03..c8849820 100644
--- a/bind/bind9/bin/tests/system/digdelv/ns1/root.db
+++ b/bind/bind9/bin/tests/system/digdelv/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/digdelv/ns2/example.db b/bind/bind9/bin/tests/system/digdelv/ns2/example.db
index f4e30f51..b66207a7 100644
--- a/bind/bind9/bin/tests/system/digdelv/ns2/example.db
+++ b/bind/bind9/bin/tests/system/digdelv/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/digdelv/ns2/named.conf.in b/bind/bind9/bin/tests/system/digdelv/ns2/named.conf.in
index 98bc5ac3..7259ca93 100644
--- a/bind/bind9/bin/tests/system/digdelv/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/digdelv/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/digdelv/ns3/named.conf.in b/bind/bind9/bin/tests/system/digdelv/ns3/named.conf.in
index 2df5417f..af44e40e 100644
--- a/bind/bind9/bin/tests/system/digdelv/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/digdelv/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/digdelv/prereq.sh b/bind/bind9/bin/tests/system/digdelv/prereq.sh
index de147a4c..d2ca8fc2 100644
--- a/bind/bind9/bin/tests/system/digdelv/prereq.sh
+++ b/bind/bind9/bin/tests/system/digdelv/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,6 +16,6 @@ if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     :
 else
-    echo "I:This test requires the Net::DNS library." >&2
+    echo_i "This test requires the Net::DNS library." >&2
     exit 1
 fi
diff --git a/bind/bind9/bin/tests/system/digdelv/setup.sh b/bind/bind9/bin/tests/system/digdelv/setup.sh
index def2a615..4c12eaf5 100644
--- a/bind/bind9/bin/tests/system/digdelv/setup.sh
+++ b/bind/bind9/bin/tests/system/digdelv/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/digdelv/tests.sh b/bind/bind9/bin/tests/system/digdelv/tests.sh
index ef8a7a1e..a3ebc316 100644
--- a/bind/bind9/bin/tests/system/digdelv/tests.sh
+++ b/bind/bind9/bin/tests/system/digdelv/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -38,7 +38,74 @@ check_ttl_range() {
    return $result
 }
 
+#
+# test whether ans7/ans.pl will be able to send a UPDATE response.
+# if it can't, we will log that below.
+#
+if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' > /dev/null 2>&1
+then
+	checkupdate=1
+else
+	checkupdate=0
+fi
+
+if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ] ; then
+
+  n=`expr $n + 1`
+  echo_i "check nslookup handles UPDATE response ($n)"
+  ret=0
+  "$NSLOOKUP" -q=CNAME "-port=$PORT" foo.bar 10.53.0.7 > nslookup.out.test$n 2>&1 && ret=1
+  grep "Opcode mismatch" nslookup.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+fi
+
+if [ -x "$HOST" -a $checkupdate -eq 1 ] ; then
+
+  n=`expr $n + 1`
+  echo_i "check host handles UPDATE response ($n)"
+  ret=0
+  "$HOST" -t CNAME -p $PORT foo.bar 10.53.0.7 > host.out.test$n 2>&1 && ret=1
+  grep "Opcode mismatch" host.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+fi
+
+if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ] ; then
+
+  n=$((n+1))
+  echo_i "check nsupdate handles UPDATE response to QUERY ($n)"
+  ret=0
+  res=0
+  $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || res=$?
+server 10.53.0.7 ${PORT}
+add x.example.com 300 in a 1.2.3.4
+send
+EOF
+  test $res -eq 1 || ret=1
+  grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+fi
+
 if [ -x "$DIG" ] ; then
+
+  if [ $checkupdate -eq 1 ] ; then
+
+    n=`expr $n + 1`
+    echo_i "check dig handles UPDATE response ($n)"
+    ret=0
+    $DIG $DIGOPTS @10.53.0.7 cname foo.bar > dig.out.test$n 2>&1 && ret=1
+    grep "Opcode mismatch" dig.out.test$n > /dev/null || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+  else
+    echo_i "Skipped UPDATE handling test"
+  fi
+
   n=`expr $n + 1`
   echo_i "checking dig short form works ($n)"
   ret=0
@@ -453,7 +520,8 @@ ret=0
   echo_i "checking ednsopt LLQ prints as expected ($n)"
   ret=0
   $DIG $DIGOPTS @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example > dig.out.test$n 2>&1 || ret=1
-  grep 'LLQ: Version: 1, Opcode: 2, Error: 0, Identifier: 1311768465173141112, Lifetime: 4278124286$' dig.out.test$n > /dev/null || ret=1
+  pat='LLQ: Version: 1, Opcode: 2, Error: 0, Identifier: 1311768465173141112, Lifetime: 4278124286$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
   if [ $ret -ne 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
 
@@ -540,6 +608,51 @@ ret=0
   status=`expr $status + $ret`
 
   n=`expr $n + 1`
+  echo_i "check that Extended DNS Error 0 is printed correctly ($n)"
+  # First defined EDE code, additional text "foo".
+  $DIG $DIGOPTS @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE: 0 (Other): (foo)$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=`expr $n + 1`
+  echo_i "check that Extended DNS Error 24 is printed correctly ($n)"
+  # Last defined EDE code, no additional text.
+  $DIG $DIGOPTS @10.53.0.3 +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE: 24 (Invalid Data)$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=`expr $n + 1`
+  echo_i "check that Extended DNS Error 25 is printed correctly ($n)"
+  # First undefined EDE code, additional text "foo".
+  $DIG $DIGOPTS @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE: 25: (foo)$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=`expr $n + 1`
+  echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)"
+  # EDE payload is too short
+  $DIG $DIGOPTS @10.53.0.3 +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=$((n+1))
+  echo_i "check that invalid Extended DNS Error (length 1) is printed ($n)"
+  # EDE payload is too short
+  $DIG $DIGOPTS @10.53.0.3 +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE: 00 (".")$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=`expr $n + 1`
   echo_i "check that dig handles malformed option '+ednsopt=:' gracefully ($n)"
   ret=0
   $DIG $DIGOPTS @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1
@@ -551,10 +664,40 @@ ret=0
   echo_i "check that dig -q -m works ($n)"
   ret=0
   $DIG $DIGOPTS @10.53.0.3 -q -m > dig.out.test$n 2>&1
-  grep '^;-m\..*IN.*A$' dig.out.test$n > /dev/null || ret=1
+  pat='^;-m\..*IN.*A$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
   grep "Dump of all outstanding memory allocations" dig.out.test$n > /dev/null && ret=1
-  if [ $ret != 0 ]; then echo_i "failed"; fi
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
+
+  n=$((n+1))
+  echo_i "check that dig +bufsize=0 disables EDNS ($n)"
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 a.example +bufsize=0 +qr > dig.out.test$n 2>&1 || ret=1
+  grep "EDNS:" dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=$((n+1))
+  echo_i "check that dig +bufsize=0 +edns sends EDNS with bufsize of 0 ($n)"
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 a.example +bufsize=0 +edns +qr > dig.out.test$n 2>&1 || ret=1
+  pat='EDNS:.* udp: 0$'
+  tr -d '\r' < dig.out.test$n | grep -E "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=$((n+1))
+  echo_i "check that dig +bufsize restores default bufsize ($n)"
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 a.example +bufsize=0 +bufsize +qr > dig.out.test$n 2>&1 || ret=1
+  lines1232=`grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l`
+  lines4096=`grep "EDNS:.* udp: 4096" dig.out.test$n | wc -l`
+  test $lines1232 -eq 1 || ret=1
+  test $lines4096 -eq 1 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
 else
   echo_i "$DIG is needed, so skipping these dig tests"
 fi
diff --git a/bind/bind9/bin/tests/system/ditch.pl b/bind/bind9/bin/tests/system/ditch.pl
index 8f1b652a..5a62a524 100644
--- a/bind/bind9/bin/tests/system/ditch.pl
+++ b/bind/bind9/bin/tests/system/ditch.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/clean.sh b/bind/bind9/bin/tests/system/dlv/clean.sh
index 44531dda..746a2585 100644
--- a/bind/bind9/bin/tests/system/dlv/clean.sh
+++ b/bind/bind9/bin/tests/system/dlv/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns1/named.conf.in b/bind/bind9/bin/tests/system/dlv/ns1/named.conf.in
index 337558f9..5847a69b 100644
--- a/bind/bind9/bin/tests/system/dlv/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlv/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns1/root.db.in b/bind/bind9/bin/tests/system/dlv/ns1/root.db.in
index f4faa25d..86d3c339 100644
--- a/bind/bind9/bin/tests/system/dlv/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/dlv/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns1/rootservers.utld.db b/bind/bind9/bin/tests/system/dlv/ns1/rootservers.utld.db
index 8491ed0e..491e2213 100644
--- a/bind/bind9/bin/tests/system/dlv/ns1/rootservers.utld.db
+++ b/bind/bind9/bin/tests/system/dlv/ns1/rootservers.utld.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns1/sign.sh b/bind/bind9/bin/tests/system/dlv/ns1/sign.sh
index 606e7cc5..14ca5db1 100755
--- a/bind/bind9/bin/tests/system/dlv/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/dlv/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns2/druz.db.in b/bind/bind9/bin/tests/system/dlv/ns2/druz.db.in
index 4e0f892a..cc1ca5c0 100644
--- a/bind/bind9/bin/tests/system/dlv/ns2/druz.db.in
+++ b/bind/bind9/bin/tests/system/dlv/ns2/druz.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns2/hints b/bind/bind9/bin/tests/system/dlv/ns2/hints
index 381e86b1..bb94b24a 100644
--- a/bind/bind9/bin/tests/system/dlv/ns2/hints
+++ b/bind/bind9/bin/tests/system/dlv/ns2/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns2/named.conf.in b/bind/bind9/bin/tests/system/dlv/ns2/named.conf.in
index d59ba719..84a978be 100644
--- a/bind/bind9/bin/tests/system/dlv/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlv/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns2/sign.sh b/bind/bind9/bin/tests/system/dlv/ns2/sign.sh
index 9825c570..d8707983 100755
--- a/bind/bind9/bin/tests/system/dlv/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/dlv/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns2/utld.db b/bind/bind9/bin/tests/system/dlv/ns2/utld.db
index 4369968b..e79234d8 100644
--- a/bind/bind9/bin/tests/system/dlv/ns2/utld.db
+++ b/bind/bind9/bin/tests/system/dlv/ns2/utld.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns3/child.db.in b/bind/bind9/bin/tests/system/dlv/ns3/child.db.in
index 11df807a..e3975025 100644
--- a/bind/bind9/bin/tests/system/dlv/ns3/child.db.in
+++ b/bind/bind9/bin/tests/system/dlv/ns3/child.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns3/dlv.db.in b/bind/bind9/bin/tests/system/dlv/ns3/dlv.db.in
index fdc8ce99..538159cd 100644
--- a/bind/bind9/bin/tests/system/dlv/ns3/dlv.db.in
+++ b/bind/bind9/bin/tests/system/dlv/ns3/dlv.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns3/hints b/bind/bind9/bin/tests/system/dlv/ns3/hints
index 381e86b1..bb94b24a 100644
--- a/bind/bind9/bin/tests/system/dlv/ns3/hints
+++ b/bind/bind9/bin/tests/system/dlv/ns3/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns3/named.conf.in b/bind/bind9/bin/tests/system/dlv/ns3/named.conf.in
index f93d1920..2ac165f6 100644
--- a/bind/bind9/bin/tests/system/dlv/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlv/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns3/sign.sh b/bind/bind9/bin/tests/system/dlv/ns3/sign.sh
index 2c45f663..56f29490 100755
--- a/bind/bind9/bin/tests/system/dlv/ns3/sign.sh
+++ b/bind/bind9/bin/tests/system/dlv/ns3/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns4/child.db b/bind/bind9/bin/tests/system/dlv/ns4/child.db
index c123f70a..a8baf5cb 100644
--- a/bind/bind9/bin/tests/system/dlv/ns4/child.db
+++ b/bind/bind9/bin/tests/system/dlv/ns4/child.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns4/hints b/bind/bind9/bin/tests/system/dlv/ns4/hints
index 381e86b1..bb94b24a 100644
--- a/bind/bind9/bin/tests/system/dlv/ns4/hints
+++ b/bind/bind9/bin/tests/system/dlv/ns4/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns4/named.conf.in b/bind/bind9/bin/tests/system/dlv/ns4/named.conf.in
index 805b5f33..86e3d14f 100644
--- a/bind/bind9/bin/tests/system/dlv/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlv/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns5/hints b/bind/bind9/bin/tests/system/dlv/ns5/hints
index 381e86b1..bb94b24a 100644
--- a/bind/bind9/bin/tests/system/dlv/ns5/hints
+++ b/bind/bind9/bin/tests/system/dlv/ns5/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns5/named.conf.in b/bind/bind9/bin/tests/system/dlv/ns5/named.conf.in
index a711b335..4a1b164f 100644
--- a/bind/bind9/bin/tests/system/dlv/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlv/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns5/rndc.conf b/bind/bind9/bin/tests/system/dlv/ns5/rndc.conf
index 02bce927..fc44e1a1 100644
--- a/bind/bind9/bin/tests/system/dlv/ns5/rndc.conf
+++ b/bind/bind9/bin/tests/system/dlv/ns5/rndc.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns6/child.db.in b/bind/bind9/bin/tests/system/dlv/ns6/child.db.in
index 09a942ed..29903050 100644
--- a/bind/bind9/bin/tests/system/dlv/ns6/child.db.in
+++ b/bind/bind9/bin/tests/system/dlv/ns6/child.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns6/hints b/bind/bind9/bin/tests/system/dlv/ns6/hints
index 381e86b1..bb94b24a 100644
--- a/bind/bind9/bin/tests/system/dlv/ns6/hints
+++ b/bind/bind9/bin/tests/system/dlv/ns6/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns6/named.conf.in b/bind/bind9/bin/tests/system/dlv/ns6/named.conf.in
index fe5c68df..6d8f802c 100644
--- a/bind/bind9/bin/tests/system/dlv/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlv/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns6/sign.sh b/bind/bind9/bin/tests/system/dlv/ns6/sign.sh
index 1e398625..ba39f904 100755
--- a/bind/bind9/bin/tests/system/dlv/ns6/sign.sh
+++ b/bind/bind9/bin/tests/system/dlv/ns6/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns7/hints b/bind/bind9/bin/tests/system/dlv/ns7/hints
index cdf0f26f..e13adf05 100644
--- a/bind/bind9/bin/tests/system/dlv/ns7/hints
+++ b/bind/bind9/bin/tests/system/dlv/ns7/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/ns7/named.conf.in b/bind/bind9/bin/tests/system/dlv/ns7/named.conf.in
index fd9c7c8a..b871fa67 100644
--- a/bind/bind9/bin/tests/system/dlv/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlv/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/prereq.sh b/bind/bind9/bin/tests/system/dlv/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/dlv/prereq.sh
+++ b/bind/bind9/bin/tests/system/dlv/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/setup.sh b/bind/bind9/bin/tests/system/dlv/setup.sh
index ee8dc13f..ea59e4ad 100644
--- a/bind/bind9/bin/tests/system/dlv/setup.sh
+++ b/bind/bind9/bin/tests/system/dlv/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlv/tests.sh b/bind/bind9/bin/tests/system/dlv/tests.sh
index 3f139f75..3ad2d592 100644
--- a/bind/bind9/bin/tests/system/dlv/tests.sh
+++ b/bind/bind9/bin/tests/system/dlv/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlz/clean.sh b/bind/bind9/bin/tests/system/dlz/clean.sh
index e38b806c..e7e28a1b 100644
--- a/bind/bind9/bin/tests/system/dlz/clean.sh
+++ b/bind/bind9/bin/tests/system/dlz/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.=
index be99eb3e..50d2ad0c 100644
--- a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.=
+++ b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.=
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The contents of this file is not read by the filesystem driver.
 This is the file for "DNAME 10 example.net.".
diff --git a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.=
index cca17c38..5faa45ce 100644
--- a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.=
+++ b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.=
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The contents of this file is not read by the filesystem driver.
 This is the file for "NS 10 example.com.".
diff --git a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None= b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=
index f2ca5de8..ee74e03e 100644
--- a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=
+++ b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The contents of this file is not read by the filesystem driver.
 This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 None None None None" which is a malformed SOA record.
diff --git a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.= b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=
index be99eb3e..50d2ad0c 100644
--- a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=
+++ b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The contents of this file is not read by the filesystem driver.
 This is the file for "DNAME 10 example.net.".
diff --git a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.= b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=
index cca17c38..5faa45ce 100644
--- a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=
+++ b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The contents of this file is not read by the filesystem driver.
 This is the file for "NS 10 example.com.".
diff --git a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10= b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=
index bb5ebac9..2f63999a 100644
--- a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=
+++ b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The contents of this file is not read by the filesystem driver.
 This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 0 0 0 10".
diff --git a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1 b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1
index 70deea6e..8a07d4fa 100644
--- a/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1
+++ b/bind/bind9/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The contents of this file are not read by the filesystem driver.
 The presence of this file allows 10.53.0.1 to transfer this zone.
diff --git a/bind/bind9/bin/tests/system/dlz/ns1/named.conf.in b/bind/bind9/bin/tests/system/dlz/ns1/named.conf.in
index 273ff02c..1089418d 100644
--- a/bind/bind9/bin/tests/system/dlz/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlz/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlz/setup.sh b/bind/bind9/bin/tests/system/dlz/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/dlz/setup.sh
+++ b/bind/bind9/bin/tests/system/dlz/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlz/tests.sh b/bind/bind9/bin/tests/system/dlz/tests.sh
index 78f74dc0..71fd0820 100644
--- a/bind/bind9/bin/tests/system/dlz/tests.sh
+++ b/bind/bind9/bin/tests/system/dlz/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/Makefile.in b/bind/bind9/bin/tests/system/dlzexternal/Makefile.in
index dd04bd7d..446285f6 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/Makefile.in
+++ b/bind/bind9/bin/tests/system/dlzexternal/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/clean.sh b/bind/bind9/bin/tests/system/dlzexternal/clean.sh
index 3e6cb9ef..f7c2ab89 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/clean.sh
+++ b/bind/bind9/bin/tests/system/dlzexternal/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/driver.c b/bind/bind9/bin/tests/system/dlzexternal/driver.c
index ffa98d7a..a136702e 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/driver.c
+++ b/bind/bind9/bin/tests/system/dlzexternal/driver.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/driver.h b/bind/bind9/bin/tests/system/dlzexternal/driver.h
index 7a0ec612..409585db 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/driver.h
+++ b/bind/bind9/bin/tests/system/dlzexternal/driver.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/ns1/dlzs.conf.in b/bind/bind9/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
index d583cb4e..5751b597 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
+++ b/bind/bind9/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/ns1/named.conf.in b/bind/bind9/bin/tests/system/dlzexternal/ns1/named.conf.in
index d35061a8..11927202 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dlzexternal/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/ns1/root.db b/bind/bind9/bin/tests/system/dlzexternal/ns1/root.db
index 45a6b04c..a6b5f8f8 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/ns1/root.db
+++ b/bind/bind9/bin/tests/system/dlzexternal/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/prereq.sh b/bind/bind9/bin/tests/system/dlzexternal/prereq.sh
index b3c73c33..fa4d3e3b 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/prereq.sh
+++ b/bind/bind9/bin/tests/system/dlzexternal/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,4 +16,10 @@ $FEATURETEST --have-dlopen ||  {
         echo_i "dlopen() not supported - skipping dlzexternal test"
         exit 255
 }
+
+$FEATURETEST --tsan && {
+	echo_i "TSAN - skipping dlzexternal test"
+        exit 255
+}
+
 exit 0
diff --git a/bind/bind9/bin/tests/system/dlzexternal/setup.sh b/bind/bind9/bin/tests/system/dlzexternal/setup.sh
index 8279398d..c9e575ef 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/setup.sh
+++ b/bind/bind9/bin/tests/system/dlzexternal/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dlzexternal/tests.sh b/bind/bind9/bin/tests/system/dlzexternal/tests.sh
index 1754aaa5..fa6510ff 100644
--- a/bind/bind9/bin/tests/system/dlzexternal/tests.sh
+++ b/bind/bind9/bin/tests/system/dlzexternal/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/clean.sh b/bind/bind9/bin/tests/system/dns64/clean.sh
index 8bb11df2..43e3ead4 100644
--- a/bind/bind9/bin/tests/system/dns64/clean.sh
+++ b/bind/bind9/bin/tests/system/dns64/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -14,3 +14,12 @@ rm -f */named.run
 rm -f checkconf.out*
 rm -f dig.out.*
 rm -f ns*/named.lock
+rm -f ns1/Ksigned.+005+*.key
+rm -f ns1/Ksigned.+005+*.private
+rm -f ns1/Ksigned.+005+*.key
+rm -f ns1/Ksigned.+005+*.private
+rm -f ns1/dsset-signed.
+rm -f ns1/named.conf
+rm -f ns1/signed.db
+rm -f ns1/signed.db.signed
+rm -f ns2/named.conf
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad1.conf b/bind/bind9/bin/tests/system/dns64/conf/bad1.conf
index 3f749175..d4d3233b 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad1.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad18.conf b/bind/bind9/bin/tests/system/dns64/conf/bad18.conf
index 60a9ad53..aa5df2ce 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad18.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad18.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad19.conf b/bind/bind9/bin/tests/system/dns64/conf/bad19.conf
index 3fa8b4c1..ce96a408 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad19.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad19.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad2.conf b/bind/bind9/bin/tests/system/dns64/conf/bad2.conf
index 79bc04f3..9e868292 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad2.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad3.conf b/bind/bind9/bin/tests/system/dns64/conf/bad3.conf
index 76f16069..02c0c1a1 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad3.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad4.conf b/bind/bind9/bin/tests/system/dns64/conf/bad4.conf
index fbf60d1b..13a4a4f9 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad4.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad4.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad5.conf b/bind/bind9/bin/tests/system/dns64/conf/bad5.conf
index fbf60d1b..13a4a4f9 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad5.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad5.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad6.conf b/bind/bind9/bin/tests/system/dns64/conf/bad6.conf
index c29bb3e8..970e025d 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad6.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad6.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad7.conf b/bind/bind9/bin/tests/system/dns64/conf/bad7.conf
index 06919f99..f95d80e7 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad7.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad7.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad8.conf b/bind/bind9/bin/tests/system/dns64/conf/bad8.conf
index 794ad7e4..e83c19fd 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad8.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad8.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/bad9.conf b/bind/bind9/bin/tests/system/dns64/conf/bad9.conf
index af4b6d91..6817efef 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/bad9.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/bad9.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/good1.conf b/bind/bind9/bin/tests/system/dns64/conf/good1.conf
index 8013b94b..17d64310 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/good1.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/good1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/good2.conf b/bind/bind9/bin/tests/system/dns64/conf/good2.conf
index 4bd4780a..e79e99eb 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/good2.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/good2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/good3.conf b/bind/bind9/bin/tests/system/dns64/conf/good3.conf
index aa07886d..c6fde26e 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/good3.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/good3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/good4.conf b/bind/bind9/bin/tests/system/dns64/conf/good4.conf
index 7ba43076..c55dd8d3 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/good4.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/good4.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/good5.conf b/bind/bind9/bin/tests/system/dns64/conf/good5.conf
index 8a558ba3..3bce0aaa 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/good5.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/good5.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/warn1.conf b/bind/bind9/bin/tests/system/dns64/conf/warn1.conf
index 8bc2f480..b96e6c84 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/warn1.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/warn1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/warn2.conf b/bind/bind9/bin/tests/system/dns64/conf/warn2.conf
index 8cf4cd8d..f6733c35 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/warn2.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/warn2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/warn3.conf b/bind/bind9/bin/tests/system/dns64/conf/warn3.conf
index 277f3246..d2d0577c 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/warn3.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/warn3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/warn4.conf b/bind/bind9/bin/tests/system/dns64/conf/warn4.conf
index ee8ee3cc..bc038c26 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/warn4.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/warn4.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/warn5.conf b/bind/bind9/bin/tests/system/dns64/conf/warn5.conf
index 1551192e..3f94986d 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/warn5.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/warn5.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/warn6.conf b/bind/bind9/bin/tests/system/dns64/conf/warn6.conf
index c41356fd..5cde7b1b 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/warn6.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/warn6.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/warn7.conf b/bind/bind9/bin/tests/system/dns64/conf/warn7.conf
index 58c79153..e0a2a944 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/warn7.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/warn7.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/conf/warn8.conf b/bind/bind9/bin/tests/system/dns64/conf/warn8.conf
index fe9c63e6..6532253a 100644
--- a/bind/bind9/bin/tests/system/dns64/conf/warn8.conf
+++ b/bind/bind9/bin/tests/system/dns64/conf/warn8.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/ns1/example.db b/bind/bind9/bin/tests/system/dns64/ns1/example.db
index d91fcced..e7546e74 100644
--- a/bind/bind9/bin/tests/system/dns64/ns1/example.db
+++ b/bind/bind9/bin/tests/system/dns64/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/ns1/named.conf.in b/bind/bind9/bin/tests/system/dns64/ns1/named.conf.in
index d8faa113..4fa0c483 100644
--- a/bind/bind9/bin/tests/system/dns64/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dns64/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/ns1/root.db b/bind/bind9/bin/tests/system/dns64/ns1/root.db
index 532063c0..ccb4ef1f 100644
--- a/bind/bind9/bin/tests/system/dns64/ns1/root.db
+++ b/bind/bind9/bin/tests/system/dns64/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/ns1/sign.sh b/bind/bind9/bin/tests/system/dns64/ns1/sign.sh
index ac984935..1631f94b 100644
--- a/bind/bind9/bin/tests/system/dns64/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/dns64/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/ns2/named.conf.in b/bind/bind9/bin/tests/system/dns64/ns2/named.conf.in
index 070fdecb..bdbc420d 100644
--- a/bind/bind9/bin/tests/system/dns64/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/dns64/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/ns2/rpz.db b/bind/bind9/bin/tests/system/dns64/ns2/rpz.db
index d08a83b3..8af2ba8b 100644
--- a/bind/bind9/bin/tests/system/dns64/ns2/rpz.db
+++ b/bind/bind9/bin/tests/system/dns64/ns2/rpz.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/prereq.sh b/bind/bind9/bin/tests/system/dns64/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/dns64/prereq.sh
+++ b/bind/bind9/bin/tests/system/dns64/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/setup.sh b/bind/bind9/bin/tests/system/dns64/setup.sh
index 141512e8..f624906c 100644
--- a/bind/bind9/bin/tests/system/dns64/setup.sh
+++ b/bind/bind9/bin/tests/system/dns64/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dns64/tests.sh b/bind/bind9/bin/tests/system/dns64/tests.sh
index ed1e8af9..69f7f2b2 100644
--- a/bind/bind9/bin/tests/system/dns64/tests.sh
+++ b/bind/bind9/bin/tests/system/dns64/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/README b/bind/bind9/bin/tests/system/dnssec/README
index df83eb14..1912a1c7 100644
--- a/bind/bind9/bin/tests/system/dnssec/README
+++ b/bind/bind9/bin/tests/system/dnssec/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The test setup for the DNSSEC tests has a secure root.
 
diff --git a/bind/bind9/bin/tests/system/dnssec/ans10/ans.py b/bind/bind9/bin/tests/system/dnssec/ans10/ans.py
new file mode 100644
index 00000000..93e2deb7
--- /dev/null
+++ b/bind/bind9/bin/tests/system/dnssec/ans10/ans.py
@@ -0,0 +1,145 @@
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+############################################################################
+# Respond to a DNS query.
+# SOA gets a unsigned response.
+# NS gets a unsigned response.
+# DNSKEY get a unsigned NODATA response.
+# A gets a signed response.
+# All other types get a unsigned NODATA response.
+############################################################################
+def create_response(msg):
+    m = dns.message.from_wire(msg)
+    qname = m.question[0].name.to_text()
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, qname))
+        print("%s %s" % (typename, qname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+    if rrtype == A:
+        now = datetime.today()
+        expire = now + timedelta(days=30)
+        inception = now - timedelta(days=1)
+        rrsig = "A 13 2 60 " + expire.strftime("%Y%m%d%H%M%S") + " " + \
+            inception.strftime("%Y%m%d%H%M%S") + " 12345 " + qname + \
+            " gB+eISXAhSPZU2i/II0W9ZUhC2SCIrb94mlNvP5092WAeXxqN/vG43/1nmDl" + \
+	    "y2Qs7y5VCjSMOGn85bnaMoAc7w=="
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, RRSIG, rrsig))
+    elif rrtype == NS:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
+    elif rrtype == SOA:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    else:
+        r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    r.flags |= dns.flags.AA
+    return r
+
+def sigterm(signum, frame):
+    print ("Shutting down now...")
+    os.remove('ans.pid')
+    running = False
+    sys.exit(0)
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.10"
+ip6 = "fd92:7065:b8e:ffff::10"
+
+try: port=int(os.environ['PORT'])
+except: port=5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+havev6 = True
+try:
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    try:
+        query6_socket.bind((ip6, port))
+    except:
+        query6_socket.close()
+        havev6 = False
+except:
+    havev6 = False
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open('ans.pid', 'w')
+pid = os.getpid()
+print (pid, file=f)
+f.close()
+
+running = True
+
+print ("Listening on %s port %d" % (ip4, port))
+if havev6:
+    print ("Listening on %s port %d" % (ip6, port))
+print ("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_socket, query6_socket]
+else:
+    input = [query4_socket]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        if s == query4_socket or s == query6_socket:
+            print ("Query received on %s" %
+                    (ip4 if s == query4_socket else ip6), end=" ")
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            rsp = create_response(msg[0])
+            if rsp:
+                print(dns.rcode.to_text(rsp.rcode()))
+                s.sendto(rsp.to_wire(), msg[1])
+            else:
+                print("NO RESPONSE")
+    if not running:
+        break
diff --git a/bind/bind9/bin/tests/system/dnssec/clean.sh b/bind/bind9/bin/tests/system/dnssec/clean.sh
index bee3bbfd..4a822d7b 100644
--- a/bind/bind9/bin/tests/system/dnssec/clean.sh
+++ b/bind/bind9/bin/tests/system/dnssec/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -20,13 +20,15 @@ rm -f ./*/named.secroots
 rm -f ./*/tmp* ./*/*.jnl ./*/*.bk ./*/*.jbk
 rm -f ./*/trusted.conf ./*/managed.conf ./*/revoked.conf
 rm -f ./Kexample.*
+rm -f ./ans10/query.log ./ans10/ans.run
 rm -f ./canonical?.*
 rm -f ./delv.out*
 rm -f ./delve.out*
 rm -f ./dig.out.*
+rm -f ./ns2/too-many-iterations.db
+rm -f ./dnssectools.out*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
-rm -f ./dnssectools.out*
 rm -f ./named.secroots.test*
 rm -f ./nosign.before
 rm -f ./ns*/*.nta
@@ -36,12 +38,10 @@ rm -f ./ns1/managed.key.id
 rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
 rm -f ./ns2/algroll.db
 rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
-rm -f ./ns2/cdnskey-kskonly.secure.db
 rm -f ./ns2/cdnskey-update.secure.db
 rm -f ./ns2/cdnskey-x.secure.db
 rm -f ./ns2/cdnskey.secure.db
 rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
-rm -f ./ns2/cds-kskonly.secure.db
 rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
 rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
 rm -f ./ns2/dlv.db
@@ -50,8 +50,6 @@ rm -f ./ns2/nsec3chain-test.db
 rm -f ./ns2/private.secure.example.db
 rm -f ./ns2/single-nsec3.db
 rm -f ./ns2/updatecheck-kskonly.secure.*
-rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
-rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
 rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
 rm -f ./ns3/badds.example.db
 rm -f ./ns3/dname-at-apex-nsec3.example.db
@@ -59,10 +57,10 @@ rm -f ./ns3/dnskey-nsec3-unknown.example.db
 rm -f ./ns3/dnskey-nsec3-unknown.example.db.tmp
 rm -f ./ns3/dnskey-unknown.example.db
 rm -f ./ns3/dnskey-unknown.example.db.tmp
-rm -f ./ns3/dnskey-unsupported.example.db
-rm -f ./ns3/dnskey-unsupported.example.db.tmp
 rm -f ./ns3/dnskey-unsupported-2.example.db
 rm -f ./ns3/dnskey-unsupported-2.example.db.tmp
+rm -f ./ns3/dnskey-unsupported.example.db
+rm -f ./ns3/dnskey-unsupported.example.db.tmp
 rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
 rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
 rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
@@ -82,6 +80,7 @@ rm -f ./ns3/publish-inactive.example.db
 rm -f ./ns3/revkey.example.db
 rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db
 rm -f ./ns3/secure.below-cname.example.db
+rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
 rm -f ./ns3/secure.nsec3.example.db
 rm -f ./ns3/secure.optout.example.db
 rm -f ./ns3/siginterval.conf
@@ -91,6 +90,7 @@ rm -f ./ns3/split-smart.example.db
 rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed
 rm -f ./ns3/ttlpatch.example.db.patched
 rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
+rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
 rm -f ./ns4/managed-keys.bind*
 rm -f ./ns4/named_dump.db*
 rm -f ./ns6/optout-tld.db
diff --git a/bind/bind9/bin/tests/system/dnssec/dnssec_update_test.pl b/bind/bind9/bin/tests/system/dnssec/dnssec_update_test.pl
index 6b7412e2..23a40f4b 100644
--- a/bind/bind9/bin/tests/system/dnssec/dnssec_update_test.pl
+++ b/bind/bind9/bin/tests/system/dnssec/dnssec_update_test.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns1/named.conf.in b/bind/bind9/bin/tests/system/dnssec/ns1/named.conf.in
index 4401f595..ac786b59 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns1/root.db.in b/bind/bind9/bin/tests/system/dnssec/ns1/root.db.in
index 7fdbab9c..04862387 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -31,3 +31,7 @@ ns2.trusted.		A	10.53.0.2
 optout-tld		NS	ns6.optout-tld.
 ns6.optout-tld.		A	10.53.0.6
 in-addr.arpa.		NS	ns2.example.
+inprogress.		NS	ns10.inprogress.
+ns10.inprogress.	A	10.53.0.10
+too-many-iterations.	NS	ns2.too-many-iterations.
+ns2.too-many-iterations. A	10.53.0.2
diff --git a/bind/bind9/bin/tests/system/dnssec/ns1/sign.sh b/bind/bind9/bin/tests/system/dnssec/ns1/sign.sh
index a6da8576..f6741d55 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/dnssec/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -25,6 +25,7 @@ echo_i "ns1/sign.sh"
 cp ../ns2/dsset-example$TP .
 cp ../ns2/dsset-dlv$TP .
 cp ../ns2/dsset-in-addr.arpa$TP .
+cp ../ns2/dsset-too-many-iterations$TP .
 
 grep "$DEFAULT_ALGORITHM_NUMBER [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
 cp ../ns6/dsset-optout-tld$TP .
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/algroll.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/algroll.db.in
index 73c0d6bd..2fc5793d 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/algroll.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/algroll.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/badparam.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/badparam.db.in
index 091e4ea2..90bfd3ae 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/badparam.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/badparam.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
index e42cb4a2..488168cc 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in
index e42cb4a2..488168cc 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in
index e42cb4a2..488168cc 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
index e42cb4a2..488168cc 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/cds-update.secure.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/cds-update.secure.db.in
index e42cb4a2..488168cc 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/cds-update.secure.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/cds-update.secure.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/cds.secure.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/cds.secure.db.in
index e42cb4a2..488168cc 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/cds.secure.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/cds.secure.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/child.nsec3.example.db b/bind/bind9/bin/tests/system/dnssec/ns2/child.nsec3.example.db
index 8c7db653..d25b57f0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/child.nsec3.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/child.nsec3.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/child.optout.example.db b/bind/bind9/bin/tests/system/dnssec/ns2/child.optout.example.db
index 8c7db653..d25b57f0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/child.optout.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/child.optout.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/dlv.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/dlv.db.in
index 836359dc..49b24346 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/dlv.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/dlv.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/dst.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/dst.example.db.in
index 769d2b5f..a1e3f1df 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/dst.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/dst.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/example.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/example.db.in
index 2545faf6..d19241b8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in
index 0884ad0c..451af1f2 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/insecure.secure.example.db b/bind/bind9/bin/tests/system/dnssec/ns2/insecure.secure.example.db
index 78f33257..4dcc3478 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/insecure.secure.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/insecure.secure.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/key.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/key.db.in
index 60be0cf4..c3aed9c3 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/key.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/key.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/named.conf.in b/bind/bind9/bin/tests/system/dnssec/ns2/named.conf.in
index 72ae3289..4b8f0266 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -168,4 +168,9 @@ zone "corp" {
 	file "corp.db";
 };
 
+zone "too-many-iterations" {
+	type master;
+	file "too-many-iterations.db.signed";
+};
+
 include "trusted.conf";
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/private.secure.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/private.secure.example.db.in
index 98b43a01..3732615f 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/private.secure.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/private.secure.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/sign.sh b/bind/bind9/bin/tests/system/dnssec/ns2/sign.sh
index 7f95c8a5..d4018238 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -291,3 +291,14 @@ $DSFROMKEY -C $key1.key > $key1.cds
 cat $infile $key1.key $key2.key $key1.cdnskey $key1.cds > $zonefile
 # Don't sign, let auto-dnssec maintain do it.
 mv $zonefile $zonefile.signed
+
+#
+# Negative result from this zone should come back as insecure.
+#
+zone=too-many-iterations
+infile=too-many-iterations.db.in
+zonefile=too-many-iterations.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/single-nsec3.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/single-nsec3.db.in
index 6fe1dd0a..039951c3 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/single-nsec3.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/single-nsec3.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/template.secure.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/template.secure.db.in
index e42cb4a2..488168cc 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns2/template.secure.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/template.secure.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns2/too-many-iterations.db.in b/bind/bind9/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
new file mode 100644
index 00000000..43a2ebe8
--- /dev/null
+++ b/bind/bind9/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				30       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+*.a			A	10.0.0.3
+b			A	10.0.0.2
+d			A	10.0.0.4
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
index 0e0e5e09..7aae9400 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
index 0e0e5e09..7aae9400 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/bogus.example.db.in
index 8d49000e..d65e9bc0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/bogus.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/bogus.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
index 80838cab..1737fc71 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
index e1475c53..e2b0fbd6 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
index c9e7c2b3..a811f4f0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
index c9e7c2b3..a811f4f0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
index c9e7c2b3..a811f4f0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/dynamic.example.db.in
index c7dab830..fd17e066 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/dynamic.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/dynamic.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/expired.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/expired.example.db.in
index af312f2a..fd9c6cd7 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/expired.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/expired.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/expiring.example.db.in
index 4d8db530..e8c9de6f 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/expiring.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/expiring.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/future.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/future.example.db.in
index ddda25d2..a8c61c12 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/future.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/future.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/generic.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/generic.example.db.in
index dd1778e2..472a9652 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/generic.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/generic.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/inline.example.db b/bind/bind9/bin/tests/system/dnssec/ns3/inline.example.db
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/inline.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/inline.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db b/bind/bind9/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/insecure.example.db b/bind/bind9/bin/tests/system/dnssec/ns3/insecure.example.db
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/insecure.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/insecure.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db b/bind/bind9/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/insecure.optout.example.db b/bind/bind9/bin/tests/system/dnssec/ns3/insecure.optout.example.db
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/insecure.optout.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/insecure.optout.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/key.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/key.db.in
index 3847e2ea..34a92529 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/key.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/key.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/kskonly.example.db.in
index cbfb691d..5c5163bb 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/kskonly.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/kskonly.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/lower.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/lower.example.db.in
index 7a3879fa..c601b803 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/lower.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/lower.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/managed-future.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/managed-future.example.db.in
index ddda25d2..a8c61c12 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/managed-future.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/managed-future.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/multiple.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/multiple.example.db.in
index c9e7c2b3..a811f4f0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/multiple.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/multiple.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/named.conf.in b/bind/bind9/bin/tests/system/dnssec/ns3/named.conf.in
index 4e2eff11..708b8b0e 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -333,6 +333,12 @@ zone "unsupported.trusted" {
 	file "unsupported.trusted.db.signed";
 };
 
+zone "too-many-iterations" {
+	type slave;
+	masters { 10.53.0.2; };
+	file "too-many-iterations.bk";
+};
+
 include "siginterval.conf";
 
 include "trusted.conf";
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/nosign.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/nosign.example.db.in
index f066e3c8..b87502e4 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/nosign.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/nosign.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
index c9e7c2b3..a811f4f0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.example.db.in
index 8761ebb0..3ea098aa 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/occluded.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/occluded.example.db.in
index 77a1cfb6..b7d214bb 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/occluded.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/occluded.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
index c9e7c2b3..a811f4f0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/optout.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/optout.example.db.in
index ddda25d2..a8c61c12 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/optout.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/optout.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/optout.optout.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/rsasha256.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
index 862dadba..dd92655d 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/rsasha512.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
index 862dadba..dd92655d 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/secure.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/secure.example.db.in
index 9d310d8c..a0972272 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/secure.optout.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
index 3f107483..86a2a359 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/siginterval.example.db.in
index 703a3063..8a17fcd3 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/siginterval.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/siginterval.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/siginterval1.conf b/bind/bind9/bin/tests/system/dnssec/ns3/siginterval1.conf
index 092dcfa2..da86eb50 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/siginterval1.conf
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/siginterval1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/siginterval2.conf b/bind/bind9/bin/tests/system/dnssec/ns3/siginterval2.conf
index 9fab130f..09f50dc2 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/siginterval2.conf
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/siginterval2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/sign.sh b/bind/bind9/bin/tests/system/dnssec/ns3/sign.sh
index 592af33b..7caf29c3 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -449,7 +449,7 @@ $CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \
     awk '{$2 = "3600"; print}' > $patchedfile
 
 #
-# Seperate DNSSEC records.
+# Separate DNSSEC records.
 #
 zone=split-dnssec.example.
 infile=split-dnssec.example.db.in
@@ -463,7 +463,7 @@ echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 $SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
 
 #
-# Seperate DNSSEC records smart signing.
+# Separate DNSSEC records smart signing.
 #
 zone=split-smart.example.
 infile=split-smart.example.db.in
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
index 8761ebb0..3ea098aa 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/split-smart.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/split-smart.example.db.in
index 8761ebb0..3ea098aa 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/split-smart.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/split-smart.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
index 86552149..276547e8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in
index 0e0e5e09..7aae9400 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns3/upper.example.db.in b/bind/bind9/bin/tests/system/dnssec/ns3/upper.example.db.in
index 703a3063..8a17fcd3 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns3/upper.example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns3/upper.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns4/named1.conf.in b/bind/bind9/bin/tests/system/dnssec/ns4/named1.conf.in
index d3e221e3..e592862f 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns4/named1.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns4/named2.conf.in b/bind/bind9/bin/tests/system/dnssec/ns4/named2.conf.in
index da6f831d..0b0c63fd 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns4/named2.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns4/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns4/named3.conf.in b/bind/bind9/bin/tests/system/dnssec/ns4/named3.conf.in
index d6cfd45d..37a77246 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns4/named3.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns4/named4.conf.in b/bind/bind9/bin/tests/system/dnssec/ns4/named4.conf.in
index 017c5401..6a28eea0 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -25,6 +25,7 @@ options {
 	dnssec-validation auto;
 	bindkeys-file "managed.conf";
 	dnssec-accept-expired yes;
+	minimal-responses no;
 };
 
 key rndc_key {
diff --git a/bind/bind9/bin/tests/system/dnssec/ns4/named5.conf.in b/bind/bind9/bin/tests/system/dnssec/ns4/named5.conf.in
index 0878c150..f7223bc8 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns4/named5.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns4/named5.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns5/named1.conf.in b/bind/bind9/bin/tests/system/dnssec/ns5/named1.conf.in
index ddd03438..772b2caa 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns5/named1.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns5/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns5/named2.conf.in b/bind/bind9/bin/tests/system/dnssec/ns5/named2.conf.in
index 8aa4e692..2d7ae071 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns5/named2.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns5/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns5/sign.sh b/bind/bind9/bin/tests/system/dnssec/ns5/sign.sh
index 0711a781..7cc58973 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns5/sign.sh
+++ b/bind/bind9/bin/tests/system/dnssec/ns5/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bind/bind9/bin/tests/system/dnssec/ns5/trusted.conf.bad
index ed30460b..75cf6994 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns5/trusted.conf.bad
+++ b/bind/bind9/bin/tests/system/dnssec/ns5/trusted.conf.bad
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns6/named.conf.in b/bind/bind9/bin/tests/system/dnssec/ns6/named.conf.in
index e3c553fd..3081f707 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns6/optout-tld.db.in b/bind/bind9/bin/tests/system/dnssec/ns6/optout-tld.db.in
index b90c9eae..546f290f 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns6/optout-tld.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns6/optout-tld.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns6/sign.sh b/bind/bind9/bin/tests/system/dnssec/ns6/sign.sh
index 0c79cec6..65a0d880 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bind/bind9/bin/tests/system/dnssec/ns6/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns7/named.conf.in b/bind/bind9/bin/tests/system/dnssec/ns7/named.conf.in
index 2dc2a9cc..1b2a2a08 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns7/named.nosoa b/bind/bind9/bin/tests/system/dnssec/ns7/named.nosoa
index a7af1dd6..b8aab6c3 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns7/named.nosoa
+++ b/bind/bind9/bin/tests/system/dnssec/ns7/named.nosoa
@@ -1,5 +1,5 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Add -T nosoa.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bind/bind9/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
index e8949475..41c7dacb 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
+++ b/bind/bind9/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns7/sign.sh b/bind/bind9/bin/tests/system/dnssec/ns7/sign.sh
index 1bb3eea8..00992a7b 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bind/bind9/bin/tests/system/dnssec/ns7/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns7/split-rrsig.db.in b/bind/bind9/bin/tests/system/dnssec/ns7/split-rrsig.db.in
index 14300c3b..74e38316 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns7/split-rrsig.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns7/split-rrsig.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns8/named.conf.in b/bind/bind9/bin/tests/system/dnssec/ns8/named.conf.in
index fdc18df6..09c0c62a 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns8/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns8/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ns9/named.conf.in b/bind/bind9/bin/tests/system/dnssec/ns9/named.conf.in
index d655112a..881f1ad9 100644
--- a/bind/bind9/bin/tests/system/dnssec/ns9/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnssec/ns9/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/ntadiff.pl b/bind/bind9/bin/tests/system/dnssec/ntadiff.pl
index e49ae146..041e7bca 100755
--- a/bind/bind9/bin/tests/system/dnssec/ntadiff.pl
+++ b/bind/bind9/bin/tests/system/dnssec/ntadiff.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/prereq.sh b/bind/bind9/bin/tests/system/dnssec/prereq.sh
index 9c1d276e..700709bb 100644
--- a/bind/bind9/bin/tests/system/dnssec/prereq.sh
+++ b/bind/bind9/bin/tests/system/dnssec/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -12,6 +12,20 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
 if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null
diff --git a/bind/bind9/bin/tests/system/dnssec/setup.sh b/bind/bind9/bin/tests/system/dnssec/setup.sh
index 95d6e31f..0c5a498c 100644
--- a/bind/bind9/bin/tests/system/dnssec/setup.sh
+++ b/bind/bind9/bin/tests/system/dnssec/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/example.db.in b/bind/bind9/bin/tests/system/dnssec/signer/example.db.in
index dbf60c1d..df3003c4 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/example.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/signer/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key b/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key
new file mode 100644
index 00000000..d4b8efbe
--- /dev/null
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 15002, for example.com.
+; Created: 20210423012926 (Fri Apr 23 11:29:26 2021)
+; Publish: 20210423012926 (Fri Apr 23 11:29:26 2021)
+; Activate: 20210423012926 (Fri Apr 23 11:29:26 2021)
+example.com. IN DNSKEY 257 3 8 AwEAAdp+oCXl7vpKA3Mmyndx6/iA+wLrtxeMUiWL7uWJ9ZF24EdS8Dye 63p0lGlyvjvM9T5dTiyEpTAdutEBr79H0MlDqIBqpadrCdJRI2S4kC+0 nq5+Aj2CEyiAamPGujwWeXwtfLAvVPfBqs42PBr6wPQIJOByFYDaZBU3 enUEWgHYy/7OnJDrt0QlswKphR6SvYtyuixiUR8J/WouWXglUY5qlC7Z vVDxs9E4q7B1mfKCyoqcFMKPh9lzEBH+IfUZ543xXEYf2BEztKB1SZ2R QnpYedjATGDcgPis46uA2gHMfvDYJTQ5UqTBtveGb3Wsqc0oRXVPMEoY 3WnWhaKDzkk=
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private b/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private
new file mode 100644
index 00000000..72b8e2e0
--- /dev/null
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2n6gJeXu+koDcybKd3Hr+ID7Auu3F4xSJYvu5Yn1kXbgR1LwPJ7renSUaXK+O8z1Pl1OLISlMB260QGvv0fQyUOogGqlp2sJ0lEjZLiQL7Sern4CPYITKIBqY8a6PBZ5fC18sC9U98GqzjY8GvrA9Agk4HIVgNpkFTd6dQRaAdjL/s6ckOu3RCWzAqmFHpK9i3K6LGJRHwn9ai5ZeCVRjmqULtm9UPGz0TirsHWZ8oLKipwUwo+H2XMQEf4h9RnnjfFcRh/YETO0oHVJnZFCelh52MBMYNyA+Kzjq4DaAcx+8NglNDlSpMG294ZvdaypzShFdU8wShjdadaFooPOSQ==
+PublicExponent: AQAB
+PrivateExponent: SD4X64/0DTONonRP+2Biej8DP7r6RcHyo1F6QtDzrg4VJ+AHaLPO/iUvsRHsTk99QwqMv3F4QMmDrHmXR3KSWQmS3Crm7M0aaTzErBfOLMfWs7EcQoQQm5KiGq1phFaWAnXzxTlRKb4SIK6T/wOr6sQKlV+DNqB++Pjn92rh67vLM8kZBUzWI14Vl9N0ib+xOOFH1oYFo7ynDgMfJhpnQSkuRfyQls3aD1eKQsNazRtZ7lFi2S0HR/V0AKYH2AQi7SdL5wH6hYba5cHfpKSw7PebI0lYkUJ4PAg3Xw7DPMkg8O0hkpLICpU8x7MPqQQ74eKDaEY+fjbL0KLL0Dy9UQ==
+Prime1: /IDRb7WzMY6wp14LqDORULoUnmiQOqkRjOQnCoEXT2KVpYwPmGMG+GR40hrMFgqqAZFVmi56VBoasWpYbSBEqM4aJv1JVimMPREk23v5i+TY93kxICO/ee9/v0hXgLmrKUkS1Kwu4a1PxLX5U/LAzXPR6zF+EHP9OKFjDRWHqN0=
+Prime2: 3YU9QdtsXofjNmlDETRwemKv45pa0oVNPmNvS1vtzIpQ3m/QSuhJxzyTgSP9x1XMiIsg63er3LOCtkRifXVE1IBrfIUgchp8YD5LsyesRl2ielE8Hw8PwSA1YjUVu90yRHcVfbZJ8lm2KyRKHgDWXz94t2Xnm/9M5XjUGuNW7l0=
+Exponent1: 7KIkpJYZyvW4ZAFk10sMgiUBMbs4f2D2i509YUC9ga4YJD7wVpVncN1nxS9L19RCopl7KbUo+yxDm8TX/dzhu3j7VVLFqbPiM1Cfw/mZUhszoii3ezFFPpbOl4rKRl66I0TSGvEKNoDfYrBPavby7Rf/wHRveifZRXspgpeMvRk=
+Exponent2: yvvtjuxW2CRiopg/+YL40lyd2cy2DpRRnKqW8BHzzGquAbWpwwopmOS8MSjewgqv2irK5pmJJTpku0nciiOsB6EJXVfLzGLSt4o96ZOf+/aPDNBla/xsLkaqRCxqlvPwvOX2DnS8O9PS5qNhOy7/QNYzcrJxUfPV7awTh/Pr040=
+Coefficient: PHxU1tqPKTpI/8nABvso0SRerc1m+RPWGRk7s/SVcADSBvEW7fUDcwiZeRfK9MdlwPvLiVozbYnRbgRQl8GuKSqAD1+Cnvn2yOQk81AgNKbuKPwF7UvKIdq/c/xnhj2bvZUVSavJ91ux/RlZNP50378Ks8bj5HJl1xzAMVHXB5o=
+Created: 20210423012926
+Publish: 20210423012926
+Activate: 20210423012926
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key b/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key
new file mode 100644
index 00000000..990b8370
--- /dev/null
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 63613, for example.com.
+; Created: 20210423012810 (Fri Apr 23 11:28:10 2021)
+; Publish: 20210423012810 (Fri Apr 23 11:28:10 2021)
+; Activate: 20210423012810 (Fri Apr 23 11:28:10 2021)
+example.com. IN DNSKEY 256 3 8 AwEAAZzun7bYfjmGDwUEn4pyJG34vsiawRMW6pEdoNMH87ozxriOzgG6 /4zTjEv8JyYjGQz2k2vcoWWcD+86xD5IUqfa1pdXXUU8bdhG9DBtW/K1 mc4P6g8heU+0f++mq/L4TPlWVZUG8lVH4H8mD6r8PsVK7v/QR7wMeg9b JpCYyxon2A9rZ4zS0J9kX9bfciQVh6ODGVENctwEK5FNp5u0VonPEIx3 5Kj+IVn/mHpfbz4LaC02s7C6Kgvn3ToFFSJczwbOaexl/d+/ai8FLJi7 8UgiAq5/178bcVLItMeY6aD5eQGkRtr2c3JZ/JR4Nf+TQAWFBnl9NSDa RH4Qa55ZNqs=
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private b/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private
new file mode 100644
index 00000000..1765d3f0
--- /dev/null
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: nO6ftth+OYYPBQSfinIkbfi+yJrBExbqkR2g0wfzujPGuI7OAbr/jNOMS/wnJiMZDPaTa9yhZZwP7zrEPkhSp9rWl1ddRTxt2Eb0MG1b8rWZzg/qDyF5T7R/76ar8vhM+VZVlQbyVUfgfyYPqvw+xUru/9BHvAx6D1smkJjLGifYD2tnjNLQn2Rf1t9yJBWHo4MZUQ1y3AQrkU2nm7RWic8QjHfkqP4hWf+Yel9vPgtoLTazsLoqC+fdOgUVIlzPBs5p7GX9379qLwUsmLvxSCICrn/XvxtxUsi0x5jpoPl5AaRG2vZzcln8lHg1/5NABYUGeX01INpEfhBrnlk2qw==
+PublicExponent: AQAB
+PrivateExponent: N4egcDzO/V/YdLgcFAsrpNY9/BH2e+DCA7NuMv4/WgX0LV4quyYGQzigDksdNzt4I8Qkiig53BCK+uXahwdkaAzhng/F6zfkzoDc6z3nKUzlLasn8U6w9Gk0VAKwGXuPETNheShKG68hWxyGssQrGfjX9SEoIPxxPHnOfZ/zTj95KAnVV5qPz90xVAb0+FUrLXAt72KuRwepOTlsETsMFDKe17uUCqCCdX98Ko0u14wrO6zGRQtNhUsfvNB/pY8fvbHD1GcCTbFSx4FxsUsZMrNtMsvMe3HN9ggC0Y9htbH9HV0hS0w9SKCUyoeOVwf/JZL4hlfoe8+jglsyJpAgoQ==
+Prime1: zeXvO3PT4iXv9GlGeebl39pF1sXs8tXY4B9VHUJGGSYlyOlyCEy4URQJIPfuL6VjFKCErSxUJSrGz0HyQuKr8l9qP/0MGxGRH7wxvUR7YTmai84yyQ4fFENRmn8bzxGwj0MVHIW7cKC59j7nWT24gseT21/NP5m8EnPsjz/K40M=
+Prime2: wx5vVFSydUfr8HtOHNS1kRrTjhnQOfjmj8SxGi72Hk+mgi9fBCTC5fRLifd80wGbgyFk1vZOXeStOC8L3IlnBGLX0O9MNip+vVX3hRzIRhLwHhL1ygN3xEd04qwVH0XJ8+4A0XCzh/FJgW59F62geN6gwedo7GmZAOSZUBAyRHk=
+Exponent1: IlkqeLuQ7Fgx2I87b5iiXp62Keco6TXdkT4I3/GvagCgKw0utc2+rd/uye4ycQZhKg7BM3aCrxScx/STaq8PykY6nmQjgdyDXkzx60YiYwzOCGakuD+/1YyJb4Gm7PthffTN780rgNV/UGIcDBoszrxmoSExR1vpMRbfruIQgas=
+Exponent2: or0Os/KUibc79W6Snv9WlLkgPAQRpViQzNaLtD/47R0Xzrs975HNsMgJ/P+bb86Ga1994MC8ahmh1BuBNCax8nmScWQ1V3QoEzjRYoe4DqIa/aposF4mFWJX/fry/wtRPo+CxSzPwJGh8j86PHaHQmjFAhVFcPE+OP1xVdK8alk=
+Coefficient: r5wPmPXUF5pVC0Y7La3jVkL4w/3wvq9LBz91tH9gA8OUNLpDDBuFZISiJdhOZ4JVw+qSSoHcEa+3Phd+BqxmXzwZDU1Fqta9mLDDGCqCWjVQOopeeJgrvkv9P0TIzEuoGmW50cQhyqHYCtuUxjOnHfiQSc53p7rfD4Vom1VQ3Ok=
+Created: 20210423012810
+Publish: 20210423012810
+Activate: 20210423012810
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test1.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test1.zone
index 8c11a0e7..ecf8f4e5 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/general/test1.zone
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test1.zone
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test2.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test2.zone
index b603931a..3264cb79 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/general/test2.zone
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test2.zone
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test3.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test3.zone
index 70f2a869..56e835fe 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/general/test3.zone
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test3.zone
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test4.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test4.zone
index fb5b6c44..e9ace462 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/general/test4.zone
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test4.zone
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test5.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test5.zone
index 7f33e271..ce6e4f9f 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/general/test5.zone
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test5.zone
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test6.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test6.zone
index aad28386..9efc1e2c 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/general/test6.zone
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test6.zone
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test7.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test7.zone
index e804f81d..88c4996f 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/general/test7.zone
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test7.zone
@@ -2,14 +2,14 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
 ;	This is a zone which has two DNSKEY records, none of which have
 ; existing private key files available.  The resulting zone should fail
-; the consistancy tests.
+; the consistency tests.
 ;
 $TTL 3600
 example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test8.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test8.zone
index abfc58f8..9ed486f3 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/general/test8.zone
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test8.zone
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/general/test9.zone b/bind/bind9/bin/tests/system/dnssec/signer/general/test9.zone
new file mode 100644
index 00000000..91b6de50
--- /dev/null
+++ b/bind/bind9/bin/tests/system/dnssec/signer/general/test9.zone
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has two DNSKEY records, both of which have
+; existing private key files available.  They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/remove.db.in b/bind/bind9/bin/tests/system/dnssec/signer/remove.db.in
index 8e0fccdd..894836af 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/remove.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/signer/remove.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/signer/remove2.db.in b/bind/bind9/bin/tests/system/dnssec/signer/remove2.db.in
index aa1d2f55..383807ae 100644
--- a/bind/bind9/bin/tests/system/dnssec/signer/remove2.db.in
+++ b/bind/bind9/bin/tests/system/dnssec/signer/remove2.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnssec/tests.sh b/bind/bind9/bin/tests/system/dnssec/tests.sh
index 0fe60c10..30f7fc5e 100644
--- a/bind/bind9/bin/tests/system/dnssec/tests.sh
+++ b/bind/bind9/bin/tests/system/dnssec/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -185,13 +185,13 @@ ret=0
 grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1
 grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1
 grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 if [ -x ${DELV} ] ; then
    ret=0
-   echo_i "checking postive validation NSEC using dns_client ($n)"
+   echo_i "checking positive validation NSEC using dns_client ($n)"
    $DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1
    grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
    grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1
@@ -919,7 +919,7 @@ if [ -x ${DELV} ] ; then
    ret=0
    echo_i "checking that validation fails when key record is missing using dns_client ($n)"
    $DELV $DELVOPTS +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1
-   grep "resolution failed: broken trust chain" delv.out$n > /dev/null || ret=1
+   grep "resolution failed: no valid DS" delv.out$n > /dev/null || ret=1
    n=`expr $n + 1`
    if [ $ret != 0 ]; then echo_i "failed"; fi
    status=`expr $status + $ret`
@@ -1331,10 +1331,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 echo_i "basic dnssec-signzone checks:"
-echo_i " two DNSKEYs ($n)"
+echo_ic "two DNSKEYs ($n)"
 ret=0
 (
-cd signer/general
+cd signer/general || exit 1
 rm -f signed.zone
 $SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n 2>&1
 test -f signed.zone
@@ -1343,10 +1343,10 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i " one non-KSK DNSKEY ($n)"
+echo_ic "one non-KSK DNSKEY ($n)"
 ret=0
 (
-cd signer/general
+cd signer/general || exit 0
 rm -f signed.zone
 $SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n 2>&1
 test -f signed.zone
@@ -1355,10 +1355,10 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i " one KSK DNSKEY ($n)"
+echo_ic "one KSK DNSKEY ($n)"
 ret=0
 (
-cd signer/general
+cd signer/general || exit 0
 rm -f signed.zone
 $SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n 2>&1
 test -f signed.zone
@@ -1367,10 +1367,10 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i " three DNSKEY ($n)"
+echo_ic "three DNSKEY ($n)"
 ret=0
 (
-cd signer/general
+cd signer/general || exit 1
 rm -f signed.zone
 $SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n 2>&1
 test -f signed.zone
@@ -1379,10 +1379,10 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i " three DNSKEY, one private key missing ($n)"
+echo_ic "three DNSKEY, one private key missing ($n)"
 ret=0
 (
-cd signer/general
+cd signer/general || exit 1
 rm -f signed.zone
 $SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n 2>&1
 test -f signed.zone
@@ -1391,10 +1391,10 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i " four DNSKEY ($n)"
+echo_ic "four DNSKEY ($n)"
 ret=0
 (
-cd signer/general
+cd signer/general || exit 1
 rm -f signed.zone
 $SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n 2>&1
 test -f signed.zone
@@ -1403,10 +1403,10 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i " two DNSKEY, both private keys missing ($n)"
+echo_ic "two DNSKEY, both private keys missing ($n)"
 ret=0
 (
-cd signer/general
+cd signer/general || exit 0
 rm -f signed.zone
 $SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n 2>&1
 test -f signed.zone
@@ -1415,10 +1415,10 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i " two DNSKEY, one private key missing ($n)"
+echo_ic "two DNSKEY, one private key missing ($n)"
 ret=0
 (
-cd signer/general
+cd signer/general || exit 0
 rm -f signed.zone
 $SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n 2>&1
 test -f signed.zone
@@ -1442,6 +1442,30 @@ get_rsasha1_key_ids_from_sigs() {
 	sort -u
 }
 
+echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
 ret=0
 zone=example
@@ -1450,9 +1474,9 @@ zone=example
 # succeeds, by using "&& ret=1".
 $KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1
 grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
 ret=0
@@ -1466,9 +1490,9 @@ mv ${unsupportedkey}.tmp ${unsupportedkey}.key
 # unexpectedly succeeds, by using "&& ret=1".
 $DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
 ret=0
@@ -1479,9 +1503,9 @@ cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db
 # unexpectedly succeeds, by using "&& ret=1".
 $SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 echo_i "checking that we can sign a zone with out-of-zone records ($n)"
 ret=0
@@ -2670,13 +2694,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 echo_i "clear signing records ($n)"
-$RNDCCMD 10.53.0.3 signing -clear all update-nsec3.example > /dev/null || ret=1
-sleep 1
-$RNDCCMD 10.53.0.3 signing -list update-nsec3.example 2>&1 > signing.out
-grep "No signing records found" signing.out > /dev/null 2>&1 || {
-        ret=1
-        sed 's/^/ns3 /' signing.out | cat_i
+$RNDCCMD 10.53.0.3 signing -clear all update-nsec3.example > /dev/null 2>&1 || ret=1
+check_no_signing_record_found() {
+  $RNDCCMD 10.53.0.3 signing -list update-nsec3.example > signing.out 2>&1
+  grep -q "No signing records found" signing.out || {
+    sed 's/^/ns3 /' signing.out | cat_i
+    return 1
+  }
+  return 0
 }
+retry_quiet 5 check_no_signing_record_found || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -3361,6 +3388,24 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+echo_i "check that a CDS deletion record is accepted ($n)"
+ret=0
+(
+echo zone cds-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-update.secure CDS
+echo update add cds-update.secure 0 CDS 0 0 0 00
+echo send
+) | $NSUPDATE > nsupdate.out.test$n 2>&1
+$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
+lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l`
+test "${lines:-10}" -eq 1 || ret=1
+lines=`tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l`
+test "$lines" -eq 1 || ret=1
+n=`expr $n + 1`
+test "$ret" -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
 echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)"
 ret=0
 (
@@ -3376,11 +3421,11 @@ echo send
 ) | $NSUPDATE
 $DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
 lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l`
-test ${lines:-0} -eq 2 || ret=1
+test "$lines" -eq 2 || ret=1
 lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l`
-test ${lines:-0} -eq 2 || ret=1
+test "$lines" -eq 2 || ret=1
 n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
+test "$ret" -eq 0 || echo_i "failed"
 status=`expr $status + $ret`
 
 echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
@@ -3490,6 +3535,13 @@ n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
 status=`expr $status + $ret`
 
+# TODO: test case for GL #1689.
+# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
+# we could write a test that signs a zone with supported and unsupported
+# algorithm, apply a fixed rrset order such that the unsupported algorithm
+# precedes the supported one in the DNSKEY RRset, and verify the result still
+# validates succesfully.
+
 echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
 ret=0
 (
@@ -3509,6 +3561,24 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+echo_i "check that a CDNSKEY deletion record is accepted ($n)"
+ret=0
+(
+echo zone cdnskey-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-update.secure CDNSKEY
+echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA==
+echo send
+) | $NSUPDATE > nsupdate.out.test$n 2>&1
+$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
+test "${lines:-10}" -eq 1 || ret=1
+lines=`tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l`
+test "${lines:-10}" -eq 1 || ret=1
+n=`expr $n + 1`
+test "$ret" -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
 echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
 ret=0
 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
@@ -3532,11 +3602,11 @@ echo send
 ) | $NSUPDATE
 $DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
 lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
-test ${lines:-0} -eq 2 || ret=1
+test "$lines" -eq 2 || ret=1
 lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
-test ${lines:-0} -eq 1 || ret=1
+test "$lines" -eq 1 || ret=1
 n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
+test "$ret" -eq 0 || echo_i "failed"
 status=`expr $status + $ret`
 
 echo_i "checking initialization with a revoked managed key ($n)"
@@ -3663,11 +3733,19 @@ $DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 >
 grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
 $PERL $SYSTEMTESTTOP/stop.pl dnssec ns1 || ret=1
+nextpart ns1/named.run > /dev/null
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns1 || ret=1
 n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
 status=`expr $status + $ret`
 
+echo_i "waiting for root server to finish reloading ($n)"
+ret=0
+wait_for_log "all zones loaded" ns1/named.run || ret=1
+n=`expr $n + 1`
+test "$ret" -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
 echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
 ret=0
 $DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
@@ -3712,24 +3790,24 @@ get_keys_which_signed() {
 echo_i "checking DNSKEY RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)"
 ret=0
 $DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n
-lines=$(get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l)
+lines=`get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l`
 test "$lines" -eq 1 || ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk, dnssec-ksk-only) ($n)"
 ret=0
 $DIG $DIGOPTS $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n
-lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l)
+lines=`get_keys_which_signed "SOA" dig.out.test$n | wc -l`
 test "$lines" -eq 1 || ret=1
 get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
 get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 # Roll the ZSK.
 zsk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -K ns2 -n zone $zone`
@@ -3739,9 +3817,9 @@ ZSK_ID2=`cat ns2/$zone.zsk.id2`
 echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
 ret=0
 dnssec_loadkeys_on 2 $zone || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 # Wait until new ZSK becomes active.
 echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)"
@@ -3749,9 +3827,9 @@ ret=0
 $SETTIME -I now -K ns2 $ZSK > /dev/null
 $SETTIME -A now -K ns2 $zsk2 > /dev/null
 dnssec_loadkeys_on 2 $zone || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 # Remove the KSK from disk.
 echo_i "remove the KSK $KSK_ID for zone $zone from disk"
@@ -3771,28 +3849,28 @@ echo send
 echo_i "checking DNSKEY RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)"
 ret=0
 $DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n
-lines=$(get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l)
+lines=`get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l`
 test "$lines" -eq 1 || ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 for qtype in "SOA" "TXT"
 do
   echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)"
   ret=0
   $DIG $DIGOPTS $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
-  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  lines=`get_keys_which_signed $qtype dig.out.test$n | wc -l`
   test "$lines" -eq 1 || ret=1
   get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
   get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
   get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1
-  n=$((n+1))
+  n=`expr $n + 1`
   test "$ret" -eq 0 || echo_i "failed"
-  status=$((status+ret))
+  status=`expr $status + $ret`
 done
 
 # Put back the KSK.
@@ -3808,9 +3886,9 @@ ZSK_ID3=`cat ns2/$zone.zsk.id3`
 echo_i "load new ZSK $ZSK_ID3 for $zone ($n)"
 ret=0
 dnssec_loadkeys_on 2 $zone || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 # Wait until new ZSK becomes active.
 echo_i "delete old ZSK $ZSK_ID make ZSK $ZSK_ID2 inactive and make new ZSK $ZSK_ID3 active for zone $zone ($n)"
@@ -3818,9 +3896,9 @@ $SETTIME -D now -K ns2 $ZSK > /dev/null
 $SETTIME -I +5 -K ns2 $zsk2 > /dev/null
 $SETTIME -A +5 -K ns2 $zsk3 > /dev/null
 dnssec_loadkeys_on 2 $zone || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 # Remove the KSK from disk.
 echo_i "remove the KSK $KSK_ID for zone $zone from disk"
@@ -3840,30 +3918,30 @@ echo send
 echo_i "checking DNSKEY RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)"
 ret=0
 $DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n
-lines=$(get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l)
+lines=`get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l`
 test "$lines" -eq 1 || ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 for qtype in "SOA" "TXT"
 do
   echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)"
   ret=0
   $DIG $DIGOPTS $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
-  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  lines=`get_keys_which_signed $qtype dig.out.test$n | wc -l`
   test "$lines" -eq 1 || ret=1
   get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
   get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
   get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1
   get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
-  n=$((n+1))
+  n=`expr $n + 1`
   test "$ret" -eq 0 || echo_i "failed"
-  status=$((status+ret))
+  status=`expr $status + $ret`
 done
 
 # Wait for newest ZSK to become active.
@@ -3874,23 +3952,23 @@ for i in 1 2 3 4 5 6 7 8 9 10; do
     [ "$ret" -eq 0 ] && break
     sleep 1
 done
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 # Redo the tests one more time.
 echo_i "checking DNSKEY RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)"
 ret=0
 $DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n
-lines=$(get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l)
+lines=`get_keys_which_signed "DNSKEY" dig.out.test$n | wc -l`
 test "$lines" -eq 1 || ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
 get_keys_which_signed "DNSKEY" dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 #
 # DNSSEC tests related to unsupported trust anchors.
@@ -3905,9 +3983,9 @@ echo_i "checking that keys with unsupported algorithms are ignored ($n)"
 ret=0
 grep "skipping trusted key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
 grep "skipping managed key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 # The next two tests are fairly normal DNSSEC queries to signed zones with a
 # default algorithm.  First, a query is made against the server that is
@@ -3921,9 +3999,9 @@ $DIG $DIGOPTS @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n
 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
 grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 echo_i "checking that a managed key using a supported algorithm validates as secure ($n)"
 ret=0
@@ -3932,9 +4010,9 @@ $DIG $DIGOPTS @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n
 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
 grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 # The next two queries ensure that a zone signed with a DNSKEY with an unsupported
 # algorithm will yield insecure positive responses.  These trust anchors in ns8 are
@@ -3947,9 +4025,9 @@ $DIG $DIGOPTS @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n
 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
 grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)"
 ret=0
@@ -3958,14 +4036,83 @@ $DIG $DIGOPTS @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n
 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
 grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-n=$((n+1))
+n=`expr $n + 1`
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=`expr $status + $ret`
 
 echo_i "checking secroots output with multiple views ($n)"
-rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
+$RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
 cp ns4/named.secroots named.secroots.test$n
 check_secroots_layout named.secroots.test$n || ret=1
+n=`expr $n + 1`
+test "$ret" -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "checking validation succeeds during transition to signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 inprogress A > dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+test "$ret" -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)"
+ret=0
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check that the validating resolver will fallback to insecure if the answer
+# contains NSEC3 records with high iteration count.
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 does-not-exist.too-many-iterations > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS @10.53.0.4 does-not-exist.too-many-iterations > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 a.too-many-iterations txt > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS @10.53.0.4 a.too-many-iterations txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS @10.53.0.4 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 type100 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS @10.53.0.4 type100 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
diff --git a/bind/bind9/bin/tests/system/dnstap/README b/bind/bind9/bin/tests/system/dnstap/README
index f4cb3856..5ff797b6 100644
--- a/bind/bind9/bin/tests/system/dnstap/README
+++ b/bind/bind9/bin/tests/system/dnstap/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The "large-answer.fstrm" file was generated by configuring a named instance
 compiled with --enable-dnstap and --enable-fixed-rrset with the following
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
index 4f90895d..249aacb3 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf
index 14cfa3e8..0338494a 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf
index aac8dd92..c08133ec 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf
index 9bca0c11..0e7ec840 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf
index d04a1b07..2e1aa616 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf
index 35f8cf7b..bcce70a0 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf
index a82c42cf..86c60573 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf
index 264dce89..fed82d36 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf
index a250f50e..b45b0c6c 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf
index ea6852a1..fc26da02 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf
index e602bfc2..90e69ea2 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf
index acd1d7ea..3c95a424 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf b/bind/bind9/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf
index ebd09821..9a9b987f 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/bad-missing-dnstap-output.conf b/bind/bind9/bin/tests/system/dnstap/bad-missing-dnstap-output.conf
index 2cc470b9..e98be419 100644
--- a/bind/bind9/bin/tests/system/dnstap/bad-missing-dnstap-output.conf
+++ b/bind/bind9/bin/tests/system/dnstap/bad-missing-dnstap-output.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/clean.sh b/bind/bind9/bin/tests/system/dnstap/clean.sh
index 261200b8..5d07ca74 100644
--- a/bind/bind9/bin/tests/system/dnstap/clean.sh
+++ b/bind/bind9/bin/tests/system/dnstap/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -12,6 +12,7 @@
 rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run
+rm -f */named.run.prev
 rm -f */named.stats
 rm -f dig.out*
 rm -f dnstap.out
@@ -21,4 +22,6 @@ rm -f ns*/dnstap.out
 rm -f ns*/dnstap.out.save
 rm -f ns*/dnstap.out.save.?
 rm -f ns*/named.lock
+rm -f ns2/dnstap.out.*
+rm -f ns3/dnstap.out.*
 rm -f ydump.out
diff --git a/bind/bind9/bin/tests/system/dnstap/good-dnstap-in-options.conf b/bind/bind9/bin/tests/system/dnstap/good-dnstap-in-options.conf
index fe2bd93f..9bb90e51 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-dnstap-in-options.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-dnstap-in-options.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-dnstap-in-view.conf b/bind/bind9/bin/tests/system/dnstap/good-dnstap-in-view.conf
index 6fbbec45..128f59cc 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-dnstap-in-view.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-dnstap-in-view.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf
index abaaa73c..8eccdd52 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf
index dbc9364e..7f561b55 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf
index 1c3b5ef5..dd31f554 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf
index e18ec38f..5c62bfd3 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf
index 05ad706d..ab8922d5 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf
index ef735a67..7e73c7f7 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf
index 9f93bb68..54e87b9d 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf
index fe6462b0..166b17fa 100644
--- a/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf
+++ b/bind/bind9/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/ns1/named.conf.in b/bind/bind9/bin/tests/system/dnstap/ns1/named.conf.in
index 441e37f3..182872ef 100644
--- a/bind/bind9/bin/tests/system/dnstap/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnstap/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/ns1/root.db b/bind/bind9/bin/tests/system/dnstap/ns1/root.db
index dab5cea7..e5f65ab6 100644
--- a/bind/bind9/bin/tests/system/dnstap/ns1/root.db
+++ b/bind/bind9/bin/tests/system/dnstap/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/ns2/example.db b/bind/bind9/bin/tests/system/dnstap/ns2/example.db
index 4073dc26..41de12f7 100644
--- a/bind/bind9/bin/tests/system/dnstap/ns2/example.db
+++ b/bind/bind9/bin/tests/system/dnstap/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/ns2/named.conf.in b/bind/bind9/bin/tests/system/dnstap/ns2/named.conf.in
index 0ca67af7..8eb9c81f 100644
--- a/bind/bind9/bin/tests/system/dnstap/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnstap/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/ns3/named.conf.in b/bind/bind9/bin/tests/system/dnstap/ns3/named.conf.in
index e19d189e..73e2658c 100644
--- a/bind/bind9/bin/tests/system/dnstap/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnstap/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/ns4/named.conf.in b/bind/bind9/bin/tests/system/dnstap/ns4/named.conf.in
index 3aa9dd62..e9d31bbe 100644
--- a/bind/bind9/bin/tests/system/dnstap/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/dnstap/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/setup.sh b/bind/bind9/bin/tests/system/dnstap/setup.sh
index 607a3417..e677e86e 100644
--- a/bind/bind9/bin/tests/system/dnstap/setup.sh
+++ b/bind/bind9/bin/tests/system/dnstap/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dnstap/tests.sh b/bind/bind9/bin/tests/system/dnstap/tests.sh
index b46fb929..5e5ce7c5 100644
--- a/bind/bind9/bin/tests/system/dnstap/tests.sh
+++ b/bind/bind9/bin/tests/system/dnstap/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -17,6 +17,24 @@ RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf"
 
 status=0
 
+# dnstap_data_ready <fstrm_capture_PID> <capture_file> <min_file_size>
+# Flushes capture_file and checks wheter its size is >= min_file_size.
+dnstap_data_ready() {
+	# Process id of running fstrm_capture.
+	fstrm_capture_pid=$1
+	# Output file provided to fstrm_capture via -w switch.
+	capture_file=$2
+	# Minimum expected file size.
+	min_size_expected=$3
+
+	kill -HUP $fstrm_capture_pid
+	file_size=`wc -c < "$capture_file" | tr -d ' '`
+	if [ $file_size -lt $min_size_expected ]; then
+		return 1
+	fi
+}
+
+
 for bad in bad-*.conf
 do
 	ret=0
@@ -35,7 +53,21 @@ do
 	status=`expr $status + $ret`
 done
 
+echo_i "wait for servers to finish loading"
+ret=0
+wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
+wait_for_log 20 "all zones loaded" ns2/named.run || ret=1
+wait_for_log 20 "all zones loaded" ns3/named.run || ret=1
+wait_for_log 20 "all zones loaded" ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# both the 'a.example/A' lookup and the './NS' lookup to ns1
+# need tocomplete before reopening/rolling for the counts to
+# be correct.
+
 $DIG $DIGOPTS @10.53.0.3 a.example > dig.out
+wait_for_log 20 "(.): endrequest" ns1/named.run || true
 
 # check three different dnstap reopen/roll methods:
 # ns1: dnstap-reopen; ns2: dnstap -reopen; ns3: dnstap -roll
@@ -63,6 +95,7 @@ $DIG $DIGOPTS @10.53.0.3 a.example > dig.out
 $RNDCCMD -s 10.53.0.1 stop | sed 's/^/ns1 /' | cat_i
 $RNDCCMD -s 10.53.0.2 stop | sed 's/^/ns2 /' | cat_i
 $RNDCCMD -s 10.53.0.3 stop | sed 's/^/ns3 /' | cat_i
+
 sleep 1
 
 echo_i "checking initial message counts"
@@ -416,6 +449,7 @@ if [ -n "$FSTRM_CAPTURE" ] ; then
 
 	echo_i "checking unix socket message counts"
 	sleep 2
+	retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 470
 	kill $fstrm_capture_pid
 	wait
 	udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l`
@@ -505,6 +539,7 @@ if [ -n "$FSTRM_CAPTURE" ] ; then
 
 	echo_i "checking reopened unix socket message counts"
 	sleep 2
+	retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270
 	kill $fstrm_capture_pid
 	wait
 	udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l`
@@ -596,5 +631,21 @@ lines=`$DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY"`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+test_dnstap_roll() (
+    ip="$1"
+    ns="$2"
+    n="$3"
+    $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i &&
+    files=$(find "${ns}" -name "dnstap.out.[0-9]" | wc -l) &&
+    test "$files" -le "${n}" && test "$files" -ge "1"
+)
+
+echo_i "checking 'rndc -roll <value>'"
+ret=0
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnstap ns2
+_repeat 5 test_dnstap_roll 10.53.0.2 ns2 3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
+[ "$status" -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/dnstap/ydump.py b/bind/bind9/bin/tests/system/dnstap/ydump.py
index 50ad791c..05ebe72c 100644
--- a/bind/bind9/bin/tests/system/dnstap/ydump.py
+++ b/bind/bind9/bin/tests/system/dnstap/ydump.py
@@ -3,24 +3,27 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 ############################################################################
 
+import sys
+
 try:
     import yaml
-except:
+except (ModuleNotFoundError, ImportError):
     print("No python yaml module, skipping")
-    exit(1)
+    sys.exit(1)
 
 import subprocess
 import pprint
-import sys
 
-DNSTAP_READ=sys.argv[1]
-DATAFILE=sys.argv[2]
+DNSTAP_READ = sys.argv[1]
+DATAFILE = sys.argv[2]
+ARGS = [DNSTAP_READ, '-y', DATAFILE]
 
-f = subprocess.Popen([DNSTAP_READ, '-y', DATAFILE], stdout=subprocess.PIPE)
-pprint.pprint([l for l in yaml.load_all(f.stdout)])
+with subprocess.Popen(ARGS, stdout=subprocess.PIPE) as f:
+    for y in yaml.load_all(f.stdout, Loader=yaml.SafeLoader):
+        pprint.pprint(y)
diff --git a/bind/bind9/bin/tests/system/dscp/clean.sh b/bind/bind9/bin/tests/system/dscp/clean.sh
index b29303a6..58d98f7a 100644
--- a/bind/bind9/bin/tests/system/dscp/clean.sh
+++ b/bind/bind9/bin/tests/system/dscp/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns1/named.conf.in b/bind/bind9/bin/tests/system/dscp/ns1/named.conf.in
index a6e8b410..b45f14eb 100644
--- a/bind/bind9/bin/tests/system/dscp/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dscp/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns1/root.db b/bind/bind9/bin/tests/system/dscp/ns1/root.db
index 3bd58294..a7f6bd03 100644
--- a/bind/bind9/bin/tests/system/dscp/ns1/root.db
+++ b/bind/bind9/bin/tests/system/dscp/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns2/named.conf.in b/bind/bind9/bin/tests/system/dscp/ns2/named.conf.in
index 6419a019..9aca35c9 100644
--- a/bind/bind9/bin/tests/system/dscp/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/dscp/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns3/hint.db b/bind/bind9/bin/tests/system/dscp/ns3/hint.db
index 5fe03e71..1ab157ce 100644
--- a/bind/bind9/bin/tests/system/dscp/ns3/hint.db
+++ b/bind/bind9/bin/tests/system/dscp/ns3/hint.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns3/named.conf.in b/bind/bind9/bin/tests/system/dscp/ns3/named.conf.in
index 71d72cd5..8ebbeda3 100644
--- a/bind/bind9/bin/tests/system/dscp/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/dscp/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns4/named.conf.in b/bind/bind9/bin/tests/system/dscp/ns4/named.conf.in
index 70dd5e5e..1d033f53 100644
--- a/bind/bind9/bin/tests/system/dscp/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/dscp/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns4/root.db b/bind/bind9/bin/tests/system/dscp/ns4/root.db
index d1627dbd..34b8913f 100644
--- a/bind/bind9/bin/tests/system/dscp/ns4/root.db
+++ b/bind/bind9/bin/tests/system/dscp/ns4/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns5/named.conf.in b/bind/bind9/bin/tests/system/dscp/ns5/named.conf.in
index e2726c3d..6e678507 100644
--- a/bind/bind9/bin/tests/system/dscp/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/dscp/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns6/hint.db b/bind/bind9/bin/tests/system/dscp/ns6/hint.db
index 8c54e3a3..f65ecf3e 100644
--- a/bind/bind9/bin/tests/system/dscp/ns6/hint.db
+++ b/bind/bind9/bin/tests/system/dscp/ns6/hint.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns6/named.conf.in b/bind/bind9/bin/tests/system/dscp/ns6/named.conf.in
index eedbab13..5e45549b 100644
--- a/bind/bind9/bin/tests/system/dscp/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/dscp/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/ns7/named.conf.in b/bind/bind9/bin/tests/system/dscp/ns7/named.conf.in
index e7c9528d..cfae4bf8 100644
--- a/bind/bind9/bin/tests/system/dscp/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/dscp/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/setup.sh b/bind/bind9/bin/tests/system/dscp/setup.sh
index 87951d7c..7e510253 100644
--- a/bind/bind9/bin/tests/system/dscp/setup.sh
+++ b/bind/bind9/bin/tests/system/dscp/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dscp/tests.sh b/bind/bind9/bin/tests/system/dscp/tests.sh
index e8a20f5b..4c6f32cf 100644
--- a/bind/bind9/bin/tests/system/dscp/tests.sh
+++ b/bind/bind9/bin/tests/system/dscp/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/clean.sh b/bind/bind9/bin/tests/system/dsdigest/clean.sh
index bb40bcb8..aacceada 100644
--- a/bind/bind9/bin/tests/system/dsdigest/clean.sh
+++ b/bind/bind9/bin/tests/system/dsdigest/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns1/named.conf.in b/bind/bind9/bin/tests/system/dsdigest/ns1/named.conf.in
index 215800ca..8de13b98 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dsdigest/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns1/root.db.in b/bind/bind9/bin/tests/system/dsdigest/ns1/root.db.in
index 52232798..15f5ad5b 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/dsdigest/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns1/sign.sh b/bind/bind9/bin/tests/system/dsdigest/ns1/sign.sh
index 81156c42..a2941ec7 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/dsdigest/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns2/bad.db.in b/bind/bind9/bin/tests/system/dsdigest/ns2/bad.db.in
index ab5ce91b..d4ef1634 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns2/bad.db.in
+++ b/bind/bind9/bin/tests/system/dsdigest/ns2/bad.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns2/good.db.in b/bind/bind9/bin/tests/system/dsdigest/ns2/good.db.in
index ab5ce91b..d4ef1634 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns2/good.db.in
+++ b/bind/bind9/bin/tests/system/dsdigest/ns2/good.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns2/named.conf.in b/bind/bind9/bin/tests/system/dsdigest/ns2/named.conf.in
index 73a41ba8..bc4dd6ea 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/dsdigest/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns2/sign.sh b/bind/bind9/bin/tests/system/dsdigest/ns2/sign.sh
index 7e853ea2..271d5057 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/dsdigest/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns3/named.conf.in b/bind/bind9/bin/tests/system/dsdigest/ns3/named.conf.in
index 1bc62156..2912c863 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/dsdigest/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/ns4/named.conf.in b/bind/bind9/bin/tests/system/dsdigest/ns4/named.conf.in
index b5a49597..41cfb697 100644
--- a/bind/bind9/bin/tests/system/dsdigest/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/dsdigest/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/prereq.sh b/bind/bind9/bin/tests/system/dsdigest/prereq.sh
index 1febbd52..a795bdca 100644
--- a/bind/bind9/bin/tests/system/dsdigest/prereq.sh
+++ b/bind/bind9/bin/tests/system/dsdigest/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/setup.sh b/bind/bind9/bin/tests/system/dsdigest/setup.sh
index c7ade46d..dbb254d8 100644
--- a/bind/bind9/bin/tests/system/dsdigest/setup.sh
+++ b/bind/bind9/bin/tests/system/dsdigest/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dsdigest/tests.sh b/bind/bind9/bin/tests/system/dsdigest/tests.sh
index 8f9eb581..297e6d96 100644
--- a/bind/bind9/bin/tests/system/dsdigest/tests.sh
+++ b/bind/bind9/bin/tests/system/dsdigest/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dupsigs/check_journal.pl b/bind/bind9/bin/tests/system/dupsigs/check_journal.pl
index 972ea8b0..bd5f4c24 100644
--- a/bind/bind9/bin/tests/system/dupsigs/check_journal.pl
+++ b/bind/bind9/bin/tests/system/dupsigs/check_journal.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dupsigs/clean.sh b/bind/bind9/bin/tests/system/dupsigs/clean.sh
index 7a6d78e7..af61d651 100644
--- a/bind/bind9/bin/tests/system/dupsigs/clean.sh
+++ b/bind/bind9/bin/tests/system/dupsigs/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dupsigs/ns1/named.conf.in b/bind/bind9/bin/tests/system/dupsigs/ns1/named.conf.in
index 296ad0ec..4fe09b17 100644
--- a/bind/bind9/bin/tests/system/dupsigs/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dupsigs/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bind/bind9/bin/tests/system/dupsigs/ns1/reset_keys.sh
index 42ce8ac2..99be125b 100644
--- a/bind/bind9/bin/tests/system/dupsigs/ns1/reset_keys.sh
+++ b/bind/bind9/bin/tests/system/dupsigs/ns1/reset_keys.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dupsigs/ns1/signing.test.db.in b/bind/bind9/bin/tests/system/dupsigs/ns1/signing.test.db.in
index 072efe16..bd4fa0b5 100644
--- a/bind/bind9/bin/tests/system/dupsigs/ns1/signing.test.db.in
+++ b/bind/bind9/bin/tests/system/dupsigs/ns1/signing.test.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dupsigs/prereq.sh b/bind/bind9/bin/tests/system/dupsigs/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/dupsigs/prereq.sh
+++ b/bind/bind9/bin/tests/system/dupsigs/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dupsigs/setup.sh b/bind/bind9/bin/tests/system/dupsigs/setup.sh
index dcfd5c07..2497f5d8 100644
--- a/bind/bind9/bin/tests/system/dupsigs/setup.sh
+++ b/bind/bind9/bin/tests/system/dupsigs/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dupsigs/tests.sh b/bind/bind9/bin/tests/system/dupsigs/tests.sh
index 80ddaeaf..fc7eae5f 100644
--- a/bind/bind9/bin/tests/system/dupsigs/tests.sh
+++ b/bind/bind9/bin/tests/system/dupsigs/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dyndb/Makefile.in b/bind/bind9/bin/tests/system/dyndb/Makefile.in
index e975337d..b94252d8 100644
--- a/bind/bind9/bin/tests/system/dyndb/Makefile.in
+++ b/bind/bind9/bin/tests/system/dyndb/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dyndb/clean.sh b/bind/bind9/bin/tests/system/dyndb/clean.sh
index 63449472..a1ea5d51 100644
--- a/bind/bind9/bin/tests/system/dyndb/clean.sh
+++ b/bind/bind9/bin/tests/system/dyndb/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dyndb/driver/Makefile.in b/bind/bind9/bin/tests/system/dyndb/driver/Makefile.in
index e62b2474..2ca4863e 100644
--- a/bind/bind9/bin/tests/system/dyndb/driver/Makefile.in
+++ b/bind/bind9/bin/tests/system/dyndb/driver/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dyndb/driver/driver.c b/bind/bind9/bin/tests/system/dyndb/driver/driver.c
index 26005de0..0ef07d35 100644
--- a/bind/bind9/bin/tests/system/dyndb/driver/driver.c
+++ b/bind/bind9/bin/tests/system/dyndb/driver/driver.c
@@ -148,7 +148,7 @@ dyndb_destroy(void **instp) {
 
 /*
  * Driver version is called when loading the driver to ensure there
- * is no API mismatch betwen the driver and the caller.
+ * is no API mismatch between the driver and the caller.
  */
 int
 dyndb_version(unsigned int *flags) {
diff --git a/bind/bind9/bin/tests/system/dyndb/driver/syncptr.c b/bind/bind9/bin/tests/system/dyndb/driver/syncptr.c
index 8270d8db..7669c4d1 100644
--- a/bind/bind9/bin/tests/system/dyndb/driver/syncptr.c
+++ b/bind/bind9/bin/tests/system/dyndb/driver/syncptr.c
@@ -226,7 +226,7 @@ syncptr(sample_instance_t *inst, dns_name_t *name,
 	result = syncptr_find_zone(inst, addr_rdata,
 				   dns_fixedname_name(&ptr_name), &ptr_zone);
 	if (result != ISC_R_SUCCESS) {
-		log_error_r("PTR record synchonization skipped: reverse zone "
+		log_error_r("PTR record synchronization skipped: reverse zone "
 			    "is not managed by driver instance '%s'",
 			    inst->db_name);
 		goto cleanup;
diff --git a/bind/bind9/bin/tests/system/dyndb/ns1/named.conf.in b/bind/bind9/bin/tests/system/dyndb/ns1/named.conf.in
index dde4a4de..ed6a8f52 100644
--- a/bind/bind9/bin/tests/system/dyndb/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/dyndb/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dyndb/prereq.sh b/bind/bind9/bin/tests/system/dyndb/prereq.sh
index 76af4655..c8fcadd0 100644
--- a/bind/bind9/bin/tests/system/dyndb/prereq.sh
+++ b/bind/bind9/bin/tests/system/dyndb/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,4 +16,10 @@ $FEATURETEST --have-dlopen ||  {
         echo_i "dlopen() not supported - skipping dyndb test"
         exit 255
 }
+
+$FEATURETEST --tsan &&  {
+        echo_i "TSAN - skipping dyndb test"
+        exit 255
+}
+
 exit 0
diff --git a/bind/bind9/bin/tests/system/dyndb/setup.sh b/bind/bind9/bin/tests/system/dyndb/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/dyndb/setup.sh
+++ b/bind/bind9/bin/tests/system/dyndb/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/dyndb/tests.sh b/bind/bind9/bin/tests/system/dyndb/tests.sh
index 2bbff206..00769dbf 100644
--- a/bind/bind9/bin/tests/system/dyndb/tests.sh
+++ b/bind/bind9/bin/tests/system/dyndb/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ecdsa/clean.sh b/bind/bind9/bin/tests/system/ecdsa/clean.sh
index 3779676e..4e48d494 100644
--- a/bind/bind9/bin/tests/system/ecdsa/clean.sh
+++ b/bind/bind9/bin/tests/system/ecdsa/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ecdsa/ns1/named.conf b/bind/bind9/bin/tests/system/ecdsa/ns1/named.conf
index 715f7d3f..5a4420f6 100644
--- a/bind/bind9/bin/tests/system/ecdsa/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/ecdsa/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ecdsa/ns1/root.db.in b/bind/bind9/bin/tests/system/ecdsa/ns1/root.db.in
index c0d7a839..1bd44a02 100644
--- a/bind/bind9/bin/tests/system/ecdsa/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/ecdsa/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ecdsa/ns1/sign.sh b/bind/bind9/bin/tests/system/ecdsa/ns1/sign.sh
index 176efccc..81fc55bd 100644
--- a/bind/bind9/bin/tests/system/ecdsa/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/ecdsa/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ecdsa/ns2/named.conf b/bind/bind9/bin/tests/system/ecdsa/ns2/named.conf
index 7a8e80cc..fe17313f 100644
--- a/bind/bind9/bin/tests/system/ecdsa/ns2/named.conf
+++ b/bind/bind9/bin/tests/system/ecdsa/ns2/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ecdsa/prereq.sh b/bind/bind9/bin/tests/system/ecdsa/prereq.sh
index f01828f7..bdc35aa8 100644
--- a/bind/bind9/bin/tests/system/ecdsa/prereq.sh
+++ b/bind/bind9/bin/tests/system/ecdsa/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ecdsa/setup.sh b/bind/bind9/bin/tests/system/ecdsa/setup.sh
index 7fba74b5..344f1bc7 100644
--- a/bind/bind9/bin/tests/system/ecdsa/setup.sh
+++ b/bind/bind9/bin/tests/system/ecdsa/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ecdsa/tests.sh b/bind/bind9/bin/tests/system/ecdsa/tests.sh
index c4ceefc3..8f8c6974 100644
--- a/bind/bind9/bin/tests/system/ecdsa/tests.sh
+++ b/bind/bind9/bin/tests/system/ecdsa/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -20,16 +20,15 @@ rm -f dig.out.*
 DIGOPTS="+tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p 5300"
 
 # Check the example. domain
-
-echo "I:checking that positive validation works ($n)"
+echo_i "checking that positive validation works ($n)"
 ret=0
 $DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
 $DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/eddsa/clean.sh b/bind/bind9/bin/tests/system/eddsa/clean.sh
index 0bcd0ac2..280199d8 100644
--- a/bind/bind9/bin/tests/system/eddsa/clean.sh
+++ b/bind/bind9/bin/tests/system/eddsa/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/ns1/named.conf b/bind/bind9/bin/tests/system/eddsa/ns1/named.conf
index 715f7d3f..5a4420f6 100644
--- a/bind/bind9/bin/tests/system/eddsa/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/eddsa/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/ns1/root.db.in b/bind/bind9/bin/tests/system/eddsa/ns1/root.db.in
index c0d7a839..1bd44a02 100644
--- a/bind/bind9/bin/tests/system/eddsa/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/eddsa/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/ns1/sign.sh b/bind/bind9/bin/tests/system/eddsa/ns1/sign.sh
index ee0b3094..e36ab504 100644
--- a/bind/bind9/bin/tests/system/eddsa/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/eddsa/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/ns2/example.com.db b/bind/bind9/bin/tests/system/eddsa/ns2/example.com.db
index 306a1569..b4cf38ea 100644
--- a/bind/bind9/bin/tests/system/eddsa/ns2/example.com.db
+++ b/bind/bind9/bin/tests/system/eddsa/ns2/example.com.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/ns2/named.conf b/bind/bind9/bin/tests/system/eddsa/ns2/named.conf
index 50621a53..2f6dcc3d 100644
--- a/bind/bind9/bin/tests/system/eddsa/ns2/named.conf
+++ b/bind/bind9/bin/tests/system/eddsa/ns2/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/ns2/sign.sh b/bind/bind9/bin/tests/system/eddsa/ns2/sign.sh
index 947e7473..6cc8a6cd 100644
--- a/bind/bind9/bin/tests/system/eddsa/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/eddsa/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/prereq.sh b/bind/bind9/bin/tests/system/eddsa/prereq.sh
index 648f97dc..96133e4e 100644
--- a/bind/bind9/bin/tests/system/eddsa/prereq.sh
+++ b/bind/bind9/bin/tests/system/eddsa/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/setup.sh b/bind/bind9/bin/tests/system/eddsa/setup.sh
index 7fba74b5..344f1bc7 100644
--- a/bind/bind9/bin/tests/system/eddsa/setup.sh
+++ b/bind/bind9/bin/tests/system/eddsa/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/eddsa/tests.sh b/bind/bind9/bin/tests/system/eddsa/tests.sh
index 4f6269e3..8efb030d 100644
--- a/bind/bind9/bin/tests/system/eddsa/tests.sh
+++ b/bind/bind9/bin/tests/system/eddsa/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -21,29 +21,29 @@ DIGOPTS="+tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p 5300"
 
 # Check the example. domain
 
-echo "I:checking that positive validation works ($n)"
+echo_i "checking that positive validation works ($n)"
 ret=0
 $DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
 $DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
 
 # Check test vectors (RFC 8080 + errata)
 
-echo "I:checking that Ed25519 test vectors match ($n)"
+echo_i "checking that Ed25519 test vectors match ($n)"
 ret=0
 grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
 grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
 grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
 grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
 
-echo "I:checking that Ed448 test vectors match ($n)"
+echo_i "checking that Ed448 test vectors match ($n)"
 ret=0
 grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns2/example.com.db.signed > /dev/null || ret=1
 grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns2/example.com.db.signed > /dev/null || ret=1
@@ -57,9 +57,9 @@ grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns2/example.com.db.signed > /dev/nul
 grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns2/example.com.db.signed > /dev/null || ret=1
 grep 'ZmQ0YQUA' ns2/example.com.db.signed > /dev/null || ret=1
 
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/ednscompliance/clean.sh b/bind/bind9/bin/tests/system/ednscompliance/clean.sh
index 037fccf8..3b0c0230 100644
--- a/bind/bind9/bin/tests/system/ednscompliance/clean.sh
+++ b/bind/bind9/bin/tests/system/ednscompliance/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ednscompliance/ns1/named.conf.in b/bind/bind9/bin/tests/system/ednscompliance/ns1/named.conf.in
index b24ceaa2..fadab913 100644
--- a/bind/bind9/bin/tests/system/ednscompliance/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/ednscompliance/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ednscompliance/ns1/root.db b/bind/bind9/bin/tests/system/ednscompliance/ns1/root.db
index 93306dbf..2b2105a1 100644
--- a/bind/bind9/bin/tests/system/ednscompliance/ns1/root.db
+++ b/bind/bind9/bin/tests/system/ednscompliance/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ednscompliance/setup.sh b/bind/bind9/bin/tests/system/ednscompliance/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/ednscompliance/setup.sh
+++ b/bind/bind9/bin/tests/system/ednscompliance/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ednscompliance/tests.sh b/bind/bind9/bin/tests/system/ednscompliance/tests.sh
index acede9d6..e2933556 100644
--- a/bind/bind9/bin/tests/system/ednscompliance/tests.sh
+++ b/bind/bind9/bin/tests/system/ednscompliance/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -48,7 +48,7 @@ ret=0 reason=
 $DIG $DIGOPTS  @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n
 grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
 grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
-grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reaons="soa"; }
+grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reasons="soa"; }
 if [ $ret != 0 ]; then echo_i "failed $reason"; fi
 status=`expr $status + $ret`
 
diff --git a/bind/bind9/bin/tests/system/emptyzones/clean.sh b/bind/bind9/bin/tests/system/emptyzones/clean.sh
index 7826e73b..aaca0d3d 100644
--- a/bind/bind9/bin/tests/system/emptyzones/clean.sh
+++ b/bind/bind9/bin/tests/system/emptyzones/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/emptyzones/ns1/empty.db b/bind/bind9/bin/tests/system/emptyzones/ns1/empty.db
index fdd5ef91..12c20686 100644
--- a/bind/bind9/bin/tests/system/emptyzones/ns1/empty.db
+++ b/bind/bind9/bin/tests/system/emptyzones/ns1/empty.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/emptyzones/ns1/named1.conf.in b/bind/bind9/bin/tests/system/emptyzones/ns1/named1.conf.in
index 765ce2c3..8ed3b8df 100644
--- a/bind/bind9/bin/tests/system/emptyzones/ns1/named1.conf.in
+++ b/bind/bind9/bin/tests/system/emptyzones/ns1/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/emptyzones/ns1/named2.conf.in b/bind/bind9/bin/tests/system/emptyzones/ns1/named2.conf.in
index 6af2697f..ad7554a0 100644
--- a/bind/bind9/bin/tests/system/emptyzones/ns1/named2.conf.in
+++ b/bind/bind9/bin/tests/system/emptyzones/ns1/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/emptyzones/ns1/rfc1918.zones b/bind/bind9/bin/tests/system/emptyzones/ns1/rfc1918.zones
index 465c14f1..6cc98bd1 100644
--- a/bind/bind9/bin/tests/system/emptyzones/ns1/rfc1918.zones
+++ b/bind/bind9/bin/tests/system/emptyzones/ns1/rfc1918.zones
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/emptyzones/ns1/root.hint b/bind/bind9/bin/tests/system/emptyzones/ns1/root.hint
index 64769b9f..8b55c604 100644
--- a/bind/bind9/bin/tests/system/emptyzones/ns1/root.hint
+++ b/bind/bind9/bin/tests/system/emptyzones/ns1/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/emptyzones/setup.sh b/bind/bind9/bin/tests/system/emptyzones/setup.sh
index 3d4a96d9..4c0f3c8a 100644
--- a/bind/bind9/bin/tests/system/emptyzones/setup.sh
+++ b/bind/bind9/bin/tests/system/emptyzones/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/emptyzones/tests.sh b/bind/bind9/bin/tests/system/emptyzones/tests.sh
index 58724792..1525ddaf 100644
--- a/bind/bind9/bin/tests/system/emptyzones/tests.sh
+++ b/bind/bind9/bin/tests/system/emptyzones/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/feature-test.c b/bind/bind9/bin/tests/system/feature-test.c
index c1249ed6..5e473ab5 100644
--- a/bind/bind9/bin/tests/system/feature-test.c
+++ b/bind/bind9/bin/tests/system/feature-test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -37,21 +37,23 @@ static void
 usage() {
 	fprintf(stderr, "usage: feature-test <arg>\n");
 	fprintf(stderr, "args:\n");
-	fprintf(stderr, "	--edns-version\n");
-	fprintf(stderr, "	--enable-filter-aaaa\n");
-	fprintf(stderr, "	--gethostname\n");
-	fprintf(stderr, "	--gssapi\n");
-	fprintf(stderr, "       --have-aes\n");
-	fprintf(stderr, "	--have-dlopen\n");
-	fprintf(stderr, "	--have-geoip\n");
-	fprintf(stderr, "	--have-geoip2\n");
-	fprintf(stderr, "	--have-libxml2\n");
-	fprintf(stderr, "	--ipv6only=no\n");
-	fprintf(stderr, "	--rpz-nsdname\n");
-	fprintf(stderr, "	--rpz-nsip\n");
-	fprintf(stderr, "	--with-idn\n");
-	fprintf(stderr, "	--with-lmdb\n");
-	fprintf(stderr, "	--with-dlz-filesystem\n");
+	fprintf(stderr, "\t--edns-version\n");
+	fprintf(stderr, "\t--enable-filter-aaaa\n");
+	fprintf(stderr, "\t--gethostname\n");
+	fprintf(stderr, "\t--gssapi\n");
+	fprintf(stderr, "\t--have-aes\n");
+	fprintf(stderr, "\t--have-dlopen\n");
+	fprintf(stderr, "\t--have-geoip2\n");
+	fprintf(stderr, "\t--have-geoip\n");
+	fprintf(stderr, "\t--have-libxml2\n");
+	fprintf(stderr, "\t--ipv6only=no\n");
+	fprintf(stderr, "\t--rpz-log-qtype-qclass\n");
+	fprintf(stderr, "\t--rpz-nsdname\n");
+	fprintf(stderr, "\t--rpz-nsip\n");
+	fprintf(stderr, "\t--tsan\n");
+	fprintf(stderr, "\t--with-dlz-filesystem\n");
+	fprintf(stderr, "\t--with-idn\n");
+	fprintf(stderr, "\t--with-lmdb\n");
 }
 
 int
@@ -61,14 +63,6 @@ main(int argc, char **argv) {
 		return (1);
 	}
 
-	if (strcmp(argv[1], "--enable-filter-aaaa") == 0) {
-#ifdef ALLOW_FILTER_AAAA
-		return (0);
-#else
-		return (1);
-#endif
-	}
-
 	if (strcmp(argv[1], "--edns-version") == 0) {
 #ifdef DNS_EDNS_VERSION
 		printf("%d\n", DNS_EDNS_VERSION);
@@ -78,6 +72,14 @@ main(int argc, char **argv) {
 		return (0);
 	}
 
+	if (strcmp(argv[1], "--enable-filter-aaaa") == 0) {
+#ifdef ALLOW_FILTER_AAAA
+		return (0);
+#else
+		return (1);
+#endif
+	}
+
 	if (strcmp(argv[1], "--gethostname") == 0) {
 		char hostname[MAXHOSTNAMELEN];
 		int n;
@@ -155,8 +157,29 @@ main(int argc, char **argv) {
 #endif
 	}
 
-	if (strcmp(argv[1], "--rpz-nsip") == 0) {
-#ifdef ENABLE_RPZ_NSIP
+	if (strcmp(argv[1], "--ipv6only=no") == 0) {
+#ifdef WIN32
+		return (0);
+#elif defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
+		int s;
+		int n = -1;
+		int v6only = -1;
+		ISC_SOCKADDR_LEN_T len = sizeof(v6only);
+
+		s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+		if (s >= 0) {
+			n = getsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
+				       (void *)&v6only, &len);
+			close(s);
+		}
+		return ((n == 0 && v6only == 0) ? 0 : 1);
+#else
+		return (1);
+#endif
+	}
+
+	if (strcmp(argv[1], "--rpz-log-qtype-qclass") == 0) {
+#ifdef RPZ_LOG_QTYPE_QCLASS
 		return (0);
 #else
 		return (1);
@@ -171,16 +194,21 @@ main(int argc, char **argv) {
 #endif
 	}
 
-	if (strcmp(argv[1], "--with-idn") == 0) {
-#ifdef WITH_LIBIDN2
+	if (strcmp(argv[1], "--rpz-nsip") == 0) {
+#ifdef ENABLE_RPZ_NSIP
 		return (0);
 #else
 		return (1);
 #endif
 	}
 
-	if (strcmp(argv[1], "--with-lmdb") == 0) {
-#ifdef HAVE_LMDB
+	if (strcmp(argv[1], "--tsan") == 0) {
+#if defined(__has_feature)
+#if __has_feature(thread_sanitizer)
+		return (0);
+#endif
+#endif
+#if __SANITIZE_THREAD__
 		return (0);
 #else
 		return (1);
@@ -190,38 +218,25 @@ main(int argc, char **argv) {
 	if (strcmp(argv[1], "--with-dlz-filesystem") == 0) {
 #ifdef DLZ_FILESYSTEM
 		return (0);
-#else
+#else  /* ifdef DLZ_FILESYSTEM */
 		return (1);
-#endif
+#endif /* ifdef DLZ_FILESYSTEM */
 	}
 
-	if (strcmp(argv[1], "--ipv6only=no") == 0) {
-#ifdef WIN32
+	if (strcmp(argv[1], "--with-idn") == 0) {
+#ifdef HAVE_LIBIDN2
 		return (0);
-#elif defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
-		int s;
-		int n = -1;
-		int v6only = -1;
-		ISC_SOCKADDR_LEN_T len = sizeof(v6only);
-
-		s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
-		if (s >= 0) {
-			n = getsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
-				       (void *)&v6only, &len);
-			close(s);
-		}
-		return ((n == 0 && v6only == 0) ? 0 : 1);
-#else
+#else  /* ifdef HAVE_LIBIDN2 */
 		return (1);
-#endif
+#endif /* ifdef HAVE_LIBIDN2 */
 	}
 
-	if (strcmp(argv[1], "--rpz-log-qtype-qclass") == 0) {
-#ifdef RPZ_LOG_QTYPE_QCLASS
+	if (strcmp(argv[1], "--with-lmdb") == 0) {
+#ifdef HAVE_LMDB
 		return (0);
-#else
+#else  /* ifdef HAVE_LMDB */
 		return (1);
-#endif
+#endif /* ifdef HAVE_LMDB */
 	}
 
 	fprintf(stderr, "unknown arg: %s\n", argv[1]);
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ans4/ans.pl b/bind/bind9/bin/tests/system/fetchlimit/ans4/ans.pl
index 4b14a927..1c459d6f 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ans4/ans.pl
+++ b/bind/bind9/bin/tests/system/fetchlimit/ans4/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/clean.sh b/bind/bind9/bin/tests/system/fetchlimit/clean.sh
index 9296105d..e2a9dd0e 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/clean.sh
+++ b/bind/bind9/bin/tests/system/fetchlimit/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ns1/named.conf.in b/bind/bind9/bin/tests/system/fetchlimit/ns1/named.conf.in
index eabfe0cd..dbe4f900 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/fetchlimit/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ns1/root.db b/bind/bind9/bin/tests/system/fetchlimit/ns1/root.db
index dab5cea7..e5f65ab6 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ns1/root.db
+++ b/bind/bind9/bin/tests/system/fetchlimit/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ns2/example.db b/bind/bind9/bin/tests/system/fetchlimit/ns2/example.db
index 40929b3b..c9739df7 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ns2/example.db
+++ b/bind/bind9/bin/tests/system/fetchlimit/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ns2/named.conf.in b/bind/bind9/bin/tests/system/fetchlimit/ns2/named.conf.in
index 1892756c..887d7aac 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/fetchlimit/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ns3/named1.conf.in b/bind/bind9/bin/tests/system/fetchlimit/ns3/named1.conf.in
index b470f463..993f749a 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ns3/named1.conf.in
+++ b/bind/bind9/bin/tests/system/fetchlimit/ns3/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ns3/named2.conf.in b/bind/bind9/bin/tests/system/fetchlimit/ns3/named2.conf.in
index 001a9581..a9c656cd 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ns3/named2.conf.in
+++ b/bind/bind9/bin/tests/system/fetchlimit/ns3/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ns3/named3.conf.in b/bind/bind9/bin/tests/system/fetchlimit/ns3/named3.conf.in
index 0244a9a6..9c58356d 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ns3/named3.conf.in
+++ b/bind/bind9/bin/tests/system/fetchlimit/ns3/named3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/ns3/root.hint b/bind/bind9/bin/tests/system/fetchlimit/ns3/root.hint
index 418ea963..9883426b 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/ns3/root.hint
+++ b/bind/bind9/bin/tests/system/fetchlimit/ns3/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/prereq.sh b/bind/bind9/bin/tests/system/fetchlimit/prereq.sh
index de147a4c..d2ca8fc2 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/prereq.sh
+++ b/bind/bind9/bin/tests/system/fetchlimit/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,6 +16,6 @@ if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     :
 else
-    echo "I:This test requires the Net::DNS library." >&2
+    echo_i "This test requires the Net::DNS library." >&2
     exit 1
 fi
diff --git a/bind/bind9/bin/tests/system/fetchlimit/setup.sh b/bind/bind9/bin/tests/system/fetchlimit/setup.sh
index 25d8b5d8..224c8ab0 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/setup.sh
+++ b/bind/bind9/bin/tests/system/fetchlimit/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/fetchlimit/tests.sh b/bind/bind9/bin/tests/system/fetchlimit/tests.sh
index b27d464f..abcd70fb 100644
--- a/bind/bind9/bin/tests/system/fetchlimit/tests.sh
+++ b/bind/bind9/bin/tests/system/fetchlimit/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/clean.sh b/bind/bind9/bin/tests/system/filter-aaaa/clean.sh
index 73732758..309d4594 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/clean.sh
+++ b/bind/bind9/bin/tests/system/filter-aaaa/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad1.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad1.conf
index 9a23fd8b..3e6bc0e1 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad1.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad2.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad2.conf
index 798f4fd6..8fdc1f2a 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad2.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad3.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad3.conf
index 3c068bbb..3dc521f5 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad3.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad4.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad4.conf
index 5744c8b2..453ea31e 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad4.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad4.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad5.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad5.conf
index 39f9acca..bb4e7121 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad5.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad5.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad6.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad6.conf
index e92bb1e5..f770366c 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/bad6.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/bad6.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/good1.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/good1.conf
index 2a93ef6f..0343250f 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/good1.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/good1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/good2.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/good2.conf
index 916af8e9..d9fe7f58 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/good2.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/good2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/good3.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/good3.conf
index b3f8de4d..713821e9 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/good3.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/good3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/good4.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/good4.conf
index d789f30b..9b5587d9 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/good4.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/good4.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/good5.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/good5.conf
index 95baae5b..a0b137db 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/good5.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/good5.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/good6.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/good6.conf
index 9e783670..b0faa123 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/good6.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/good6.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/good7.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/good7.conf
index 2531de95..dace6291 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/good7.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/good7.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/conf/good8.conf b/bind/bind9/bin/tests/system/filter-aaaa/conf/good8.conf
index f28fdd96..21b11cc5 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/conf/good8.conf
+++ b/bind/bind9/bin/tests/system/filter-aaaa/conf/good8.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns1/named1.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns1/named1.conf.in
index b49fe6be..576c3607 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns1/named1.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns1/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns1/named2.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns1/named2.conf.in
index 46e89b4c..354772f5 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns1/named2.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns1/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns1/root.db b/bind/bind9/bin/tests/system/filter-aaaa/ns1/root.db
index 6a4f8329..f2d4d16a 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns1/root.db
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns1/sign.sh b/bind/bind9/bin/tests/system/filter-aaaa/ns1/sign.sh
index f7555810..479f98c2 100755
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns1/signed.db.in b/bind/bind9/bin/tests/system/filter-aaaa/ns1/signed.db.in
index 31dda571..2c8f2a60 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns1/signed.db.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns1/signed.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns1/unsigned.db b/bind/bind9/bin/tests/system/filter-aaaa/ns1/unsigned.db
index 8b422584..d9ba00a5 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns1/unsigned.db
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns1/unsigned.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns2/hints b/bind/bind9/bin/tests/system/filter-aaaa/ns2/hints
index fbf01a93..33d60cec 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns2/hints
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns2/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns2/named1.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns2/named1.conf.in
index 1ca80d19..9ad4220d 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns2/named1.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns2/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns2/named2.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns2/named2.conf.in
index c08725e0..74f121a4 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns2/named2.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns2/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns3/hints b/bind/bind9/bin/tests/system/filter-aaaa/ns3/hints
index fbf01a93..33d60cec 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns3/hints
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns3/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns3/named1.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns3/named1.conf.in
index 5f748706..bbca3fca 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns3/named1.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns3/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns3/named2.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns3/named2.conf.in
index b1b23678..2fde9fb5 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns3/named2.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns3/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns4/named1.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns4/named1.conf.in
index f70c7a65..fb3ae308 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns4/named1.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns4/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns4/named2.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns4/named2.conf.in
index 3d2b29b8..10fd75c1 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns4/named2.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns4/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns4/root.db b/bind/bind9/bin/tests/system/filter-aaaa/ns4/root.db
index 1511cc9a..3aa2e79c 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns4/root.db
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns4/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns4/sign.sh b/bind/bind9/bin/tests/system/filter-aaaa/ns4/sign.sh
index f7555810..479f98c2 100755
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns4/sign.sh
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns4/signed.db.in b/bind/bind9/bin/tests/system/filter-aaaa/ns4/signed.db.in
index 623b2b95..0729e9d7 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns4/signed.db.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns4/signed.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns4/unsigned.db b/bind/bind9/bin/tests/system/filter-aaaa/ns4/unsigned.db
index 8f155bb9..22d276f7 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns4/unsigned.db
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns4/unsigned.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns5/hints b/bind/bind9/bin/tests/system/filter-aaaa/ns5/hints
index fbf01a93..33d60cec 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns5/hints
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns5/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/ns5/named.conf.in b/bind/bind9/bin/tests/system/filter-aaaa/ns5/named.conf.in
index 47b3aff3..502a0197 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/filter-aaaa/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/prereq.sh b/bind/bind9/bin/tests/system/filter-aaaa/prereq.sh
index 9c22176a..59ba6bce 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/prereq.sh
+++ b/bind/bind9/bin/tests/system/filter-aaaa/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -13,7 +13,7 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 $FEATURETEST --enable-filter-aaaa || {
-    echo "I:This test requires --enable-filter-aaaa at compile time." >&2
+    echo_i "This test requires --enable-filter-aaaa at compile time." >&2
     exit 255
 }
 exit 0
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/setup.sh b/bind/bind9/bin/tests/system/filter-aaaa/setup.sh
index bdd75793..879f924e 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/setup.sh
+++ b/bind/bind9/bin/tests/system/filter-aaaa/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/filter-aaaa/tests.sh b/bind/bind9/bin/tests/system/filter-aaaa/tests.sh
index 29565740..d5270fec 100644
--- a/bind/bind9/bin/tests/system/filter-aaaa/tests.sh
+++ b/bind/bind9/bin/tests/system/filter-aaaa/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/formerr/clean.sh b/bind/bind9/bin/tests/system/formerr/clean.sh
index 0bb0e3d2..0926aaa2 100644
--- a/bind/bind9/bin/tests/system/formerr/clean.sh
+++ b/bind/bind9/bin/tests/system/formerr/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/formerr/formerr.pl b/bind/bind9/bin/tests/system/formerr/formerr.pl
index f0937e29..7382af04 100644
--- a/bind/bind9/bin/tests/system/formerr/formerr.pl
+++ b/bind/bind9/bin/tests/system/formerr/formerr.pl
@@ -4,14 +4,14 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
 # This is a tool for sending an arbitrary packet via UDP or TCP to an
 # arbitrary address and port.  The packet is specified in a file or on
-# the standard input, in the form of a series of bytes in hexidecimal.
+# the standard input, in the form of a series of bytes in hexadecimal.
 # Whitespace is ignored, as is anything following a '#' symbol.
 #
 # For example, the following input would generate normal query for 
diff --git a/bind/bind9/bin/tests/system/formerr/ns1/named.conf.in b/bind/bind9/bin/tests/system/formerr/ns1/named.conf.in
index b24ceaa2..fadab913 100644
--- a/bind/bind9/bin/tests/system/formerr/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/formerr/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/formerr/ns1/root.db b/bind/bind9/bin/tests/system/formerr/ns1/root.db
index 9515924d..5f2375db 100644
--- a/bind/bind9/bin/tests/system/formerr/ns1/root.db
+++ b/bind/bind9/bin/tests/system/formerr/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/formerr/setup.sh b/bind/bind9/bin/tests/system/formerr/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/formerr/setup.sh
+++ b/bind/bind9/bin/tests/system/formerr/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/formerr/tests.sh b/bind/bind9/bin/tests/system/formerr/tests.sh
index d8b91e87..1cba2875 100644
--- a/bind/bind9/bin/tests/system/formerr/tests.sh
+++ b/bind/bind9/bin/tests/system/formerr/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/clean.sh b/bind/bind9/bin/tests/system/forward/clean.sh
index e0ebd308..26e4e76d 100644
--- a/bind/bind9/bin/tests/system/forward/clean.sh
+++ b/bind/bind9/bin/tests/system/forward/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns1/named.conf.in b/bind/bind9/bin/tests/system/forward/ns1/named.conf.in
index 7ce81dde..9904f37e 100644
--- a/bind/bind9/bin/tests/system/forward/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/forward/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns1/root.db b/bind/bind9/bin/tests/system/forward/ns1/root.db
index 23e40bd5..3e10c459 100644
--- a/bind/bind9/bin/tests/system/forward/ns1/root.db
+++ b/bind/bind9/bin/tests/system/forward/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns2/named.conf.in b/bind/bind9/bin/tests/system/forward/ns2/named.conf.in
index 6e9243b1..f3788eee 100644
--- a/bind/bind9/bin/tests/system/forward/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/forward/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns2/root.db b/bind/bind9/bin/tests/system/forward/ns2/root.db
index 7346810b..b368847d 100644
--- a/bind/bind9/bin/tests/system/forward/ns2/root.db
+++ b/bind/bind9/bin/tests/system/forward/ns2/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns3/named.conf.in b/bind/bind9/bin/tests/system/forward/ns3/named.conf.in
index 0af2e150..eba8ed3b 100644
--- a/bind/bind9/bin/tests/system/forward/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/forward/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns3/root.db b/bind/bind9/bin/tests/system/forward/ns3/root.db
index 7346810b..b368847d 100644
--- a/bind/bind9/bin/tests/system/forward/ns3/root.db
+++ b/bind/bind9/bin/tests/system/forward/ns3/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns4/malicious.db b/bind/bind9/bin/tests/system/forward/ns4/malicious.db
new file mode 100644
index 00000000..c035bf1e
--- /dev/null
+++ b/bind/bind9/bin/tests/system/forward/ns4/malicious.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL    86400
+@       IN      SOA     malicious. admin.malicious. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+
+@           IN    NS      ns
+
+ns          IN    A       10.53.0.4
+
+target      IN    CNAME   subdomain.rebind.
diff --git a/bind/bind9/bin/tests/system/forward/ns4/named.conf.in b/bind/bind9/bin/tests/system/forward/ns4/named.conf.in
index 643e1271..d42a9eb7 100644
--- a/bind/bind9/bin/tests/system/forward/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/forward/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -55,3 +55,8 @@ zone "grafted" {
 	forward only;
 	forwarders { 10.53.0.2; };
 };
+
+zone "malicious." {
+	type master;
+	file "malicious.db";
+};
diff --git a/bind/bind9/bin/tests/system/forward/ns4/root.db b/bind/bind9/bin/tests/system/forward/ns4/root.db
index 7346810b..b368847d 100644
--- a/bind/bind9/bin/tests/system/forward/ns4/root.db
+++ b/bind/bind9/bin/tests/system/forward/ns4/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns5/named.conf.in b/bind/bind9/bin/tests/system/forward/ns5/named.conf.in
index 0e65985d..e5c21cfd 100644
--- a/bind/bind9/bin/tests/system/forward/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/forward/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -19,9 +19,16 @@ options {
 	listen-on-v6 { none; };
 	forward only;
 	forwarders { 10.53.0.4; };
+	deny-answer-aliases { "rebind"; };
+	dnssec-validation yes;
 };
 
 zone "." {
 	type hint;
 	file "root.db";
 };
+
+zone "rebind" {
+	type master;
+	file "rebind.db";
+};
diff --git a/bind/bind9/bin/tests/system/forward/ns5/rebind.db b/bind/bind9/bin/tests/system/forward/ns5/rebind.db
new file mode 100644
index 00000000..a6d03488
--- /dev/null
+++ b/bind/bind9/bin/tests/system/forward/ns5/rebind.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL    86400
+@       IN      SOA     rebind. admin.rebind. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+
+@           IN    NS    ns
+
+ns          IN    A     10.53.0.5
+
+subdomain   IN    A     10.53.0.1
diff --git a/bind/bind9/bin/tests/system/forward/ns5/root.db b/bind/bind9/bin/tests/system/forward/ns5/root.db
index 7346810b..b368847d 100644
--- a/bind/bind9/bin/tests/system/forward/ns5/root.db
+++ b/bind/bind9/bin/tests/system/forward/ns5/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns7/named.conf.in b/bind/bind9/bin/tests/system/forward/ns7/named.conf.in
index d9f5e8a9..6cd4c9ca 100644
--- a/bind/bind9/bin/tests/system/forward/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/forward/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ns7/root.db b/bind/bind9/bin/tests/system/forward/ns7/root.db
index 7346810b..b368847d 100644
--- a/bind/bind9/bin/tests/system/forward/ns7/root.db
+++ b/bind/bind9/bin/tests/system/forward/ns7/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/prereq.sh b/bind/bind9/bin/tests/system/forward/prereq.sh
index 0e299f4d..d2ca8fc2 100644
--- a/bind/bind9/bin/tests/system/forward/prereq.sh
+++ b/bind/bind9/bin/tests/system/forward/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/rfc1918-inherited.conf b/bind/bind9/bin/tests/system/forward/rfc1918-inherited.conf
index 3c310d04..07579967 100644
--- a/bind/bind9/bin/tests/system/forward/rfc1918-inherited.conf
+++ b/bind/bind9/bin/tests/system/forward/rfc1918-inherited.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/rfc1918-notinherited.conf b/bind/bind9/bin/tests/system/forward/rfc1918-notinherited.conf
index d3febc1c..91a94724 100644
--- a/bind/bind9/bin/tests/system/forward/rfc1918-notinherited.conf
+++ b/bind/bind9/bin/tests/system/forward/rfc1918-notinherited.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/setup.sh b/bind/bind9/bin/tests/system/forward/setup.sh
index a09a3c13..87452b9a 100644
--- a/bind/bind9/bin/tests/system/forward/setup.sh
+++ b/bind/bind9/bin/tests/system/forward/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/tests.sh b/bind/bind9/bin/tests/system/forward/tests.sh
index 761cf8e2..e3549c5b 100644
--- a/bind/bind9/bin/tests/system/forward/tests.sh
+++ b/bind/bind9/bin/tests/system/forward/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -199,8 +199,9 @@ echo_i "checking that priming queries are not forwarded ($n)"
 ret=0
 nextpart ns7/named.run >/dev/null
 dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1
+received_pattern="received packet from 10\.53\.0\.1"
 start_pattern="sending packet to 10\.53\.0\.1"
-retry_quiet 5 wait_for_log ns7/named.run "$start_pattern" || ret=1
+retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1
 check_sent 1 ns7/named.run "$start_pattern" ";\.[[:space:]]*IN[[:space:]]*NS$" || ret=1
 sent=`grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run`
 [ "$sent" -eq 0 ] || ret=1
@@ -209,5 +210,18 @@ sent=`grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=$((n+1))
+echo_i "checking that rebinding protection works in forward only mode ($n)"
+ret=0
+# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
+# which in turn will return a CNAME for subdomain.rebind.
+# to honor the option deny-answer-aliases { "rebind"; };
+# ns5 should return a SERVFAIL to avoid potential rebinding attacks
+dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
+grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/forward/ula-inherited.conf b/bind/bind9/bin/tests/system/forward/ula-inherited.conf
index 27fc8edc..1a515f2c 100644
--- a/bind/bind9/bin/tests/system/forward/ula-inherited.conf
+++ b/bind/bind9/bin/tests/system/forward/ula-inherited.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/forward/ula-notinherited.conf b/bind/bind9/bin/tests/system/forward/ula-notinherited.conf
index e235d203..15cb652f 100644
--- a/bind/bind9/bin/tests/system/forward/ula-notinherited.conf
+++ b/bind/bind9/bin/tests/system/forward/ula-notinherited.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/genzone.sh b/bind/bind9/bin/tests/system/genzone.sh
index cccbab3e..765a4be7 100644
--- a/bind/bind9/bin/tests/system/genzone.sh
+++ b/bind/bind9/bin/tests/system/genzone.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -369,11 +369,17 @@ csync01			CSYNC	0 0 A NS AAAA
 csync02			CSYNC	0 0
 
 ;type	63
-zonemd01		ZONEMD	2019020700 1 0 (
+zonemd01		ZONEMD	2019020700 1 1 (
                                 C220B8A6ED5728A971902F7E3D4FD93A
                                 DEEA88B0453C2E8E8C863D465AB06CF3
                                 4EB95B266398C98B59124FA239CB7EEB
 				)
+zonemd02		ZONEMD	2019020700 1 2 (
+				08CFA1115C7B948C4163A901270395EA
+			        226A930CD2CBCF2FA9A5E6EB85F37C8A
+                                4E114D884E66F176EAB121CB02DB7D65
+                                2E0CC4827E7A3204F166B47E5613FD27
+				)
 
 ; type 64 -- 98 (unassigned)
 
diff --git a/bind/bind9/bin/tests/system/geoip/clean.sh b/bind/bind9/bin/tests/system/geoip/clean.sh
index 1257fdae..f53744e0 100644
--- a/bind/bind9/bin/tests/system/geoip/clean.sh
+++ b/bind/bind9/bin/tests/system/geoip/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/data/README b/bind/bind9/bin/tests/system/geoip/data/README
index 7ed1d612..447d903f 100644
--- a/bind/bind9/bin/tests/system/geoip/data/README
+++ b/bind/bind9/bin/tests/system/geoip/data/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The data data files in this directory are sample GeoIP databases,
 generated from the corresponding CSV files.  Thanks to MaxMind, Inc.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/example.db.in b/bind/bind9/bin/tests/system/geoip/ns2/example.db.in
index 836359dc..49b24346 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named1.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named1.conf.in
index a4253119..1307fb96 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named1.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named10.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named10.conf.in
index 1372d410..57e5a281 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named10.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named10.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named11.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named11.conf.in
index c7a0ad2d..3a4b7849 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named11.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named11.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named12.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named12.conf.in
index 68abc85f..447fce72 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named12.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named12.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named13.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named13.conf.in
index 05a33140..f9752ba1 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named13.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named13.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named14.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named14.conf.in
index 6d9d9667..ff11e049 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named14.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named14.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named15.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named15.conf.in
index 6e983caa..652d1ff7 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named15.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named15.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named16.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named16.conf.in
index 68c0e2c5..6324932f 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named16.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named16.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named2.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named2.conf.in
index 541f904b..eb2f0f5c 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named2.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named3.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named3.conf.in
index a8cf6a3a..6730cab2 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named3.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named4.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named4.conf.in
index 81e3e65d..27b9e18a 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named4.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named4.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named5.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named5.conf.in
index 0c4ce508..6cb6f1b1 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named5.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named5.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named6.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named6.conf.in
index 195133bf..ed66380e 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named6.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named6.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named7.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named7.conf.in
index 4fa4626d..aa2cae54 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named7.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named7.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named8.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named8.conf.in
index 2840c8fb..d7ecb4b5 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named8.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named8.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/ns2/named9.conf.in b/bind/bind9/bin/tests/system/geoip/ns2/named9.conf.in
index 720f7acc..3c7c01f2 100644
--- a/bind/bind9/bin/tests/system/geoip/ns2/named9.conf.in
+++ b/bind/bind9/bin/tests/system/geoip/ns2/named9.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/options.conf b/bind/bind9/bin/tests/system/geoip/options.conf
index 95df0af1..7936c594 100644
--- a/bind/bind9/bin/tests/system/geoip/options.conf
+++ b/bind/bind9/bin/tests/system/geoip/options.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/prereq.sh b/bind/bind9/bin/tests/system/geoip/prereq.sh
index 9bd44297..571e1bcf 100644
--- a/bind/bind9/bin/tests/system/geoip/prereq.sh
+++ b/bind/bind9/bin/tests/system/geoip/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/setup.sh b/bind/bind9/bin/tests/system/geoip/setup.sh
index 5351df94..310ac3b5 100644
--- a/bind/bind9/bin/tests/system/geoip/setup.sh
+++ b/bind/bind9/bin/tests/system/geoip/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip/tests.sh b/bind/bind9/bin/tests/system/geoip/tests.sh
index 0867c8cc..9f092dd3 100644
--- a/bind/bind9/bin/tests/system/geoip/tests.sh
+++ b/bind/bind9/bin/tests/system/geoip/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/clean.sh b/bind/bind9/bin/tests/system/geoip2/clean.sh
index 9f20acdb..4b088882 100644
--- a/bind/bind9/bin/tests/system/geoip2/clean.sh
+++ b/bind/bind9/bin/tests/system/geoip2/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/conf/bad-areacode.conf b/bind/bind9/bin/tests/system/geoip2/conf/bad-areacode.conf
index 5ae84b42..d9dd5ffc 100644
--- a/bind/bind9/bin/tests/system/geoip2/conf/bad-areacode.conf
+++ b/bind/bind9/bin/tests/system/geoip2/conf/bad-areacode.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/conf/bad-dbname.conf b/bind/bind9/bin/tests/system/geoip2/conf/bad-dbname.conf
index 31268b05..ec4e327d 100644
--- a/bind/bind9/bin/tests/system/geoip2/conf/bad-dbname.conf
+++ b/bind/bind9/bin/tests/system/geoip2/conf/bad-dbname.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/conf/bad-netspeed.conf b/bind/bind9/bin/tests/system/geoip2/conf/bad-netspeed.conf
index 59d991d3..1d0c8559 100644
--- a/bind/bind9/bin/tests/system/geoip2/conf/bad-netspeed.conf
+++ b/bind/bind9/bin/tests/system/geoip2/conf/bad-netspeed.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/conf/bad-regiondb.conf b/bind/bind9/bin/tests/system/geoip2/conf/bad-regiondb.conf
index 38b68b02..00c3c32f 100644
--- a/bind/bind9/bin/tests/system/geoip2/conf/bad-regiondb.conf
+++ b/bind/bind9/bin/tests/system/geoip2/conf/bad-regiondb.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/conf/bad-threeletter.conf b/bind/bind9/bin/tests/system/geoip2/conf/bad-threeletter.conf
index 06d8b888..ce3edc80 100644
--- a/bind/bind9/bin/tests/system/geoip2/conf/bad-threeletter.conf
+++ b/bind/bind9/bin/tests/system/geoip2/conf/bad-threeletter.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/conf/good-options.conf b/bind/bind9/bin/tests/system/geoip2/conf/good-options.conf
index 9a6dd171..cf92aa71 100644
--- a/bind/bind9/bin/tests/system/geoip2/conf/good-options.conf
+++ b/bind/bind9/bin/tests/system/geoip2/conf/good-options.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/data/README.md b/bind/bind9/bin/tests/system/geoip2/data/README.md
index fe45144e..48d2d288 100644
--- a/bind/bind9/bin/tests/system/geoip2/data/README.md
+++ b/bind/bind9/bin/tests/system/geoip2/data/README.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/data/write-test-data.pl b/bind/bind9/bin/tests/system/geoip2/data/write-test-data.pl
index 979e04de..794e9d5b 100755
--- a/bind/bind9/bin/tests/system/geoip2/data/write-test-data.pl
+++ b/bind/bind9/bin/tests/system/geoip2/data/write-test-data.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/example.db.in b/bind/bind9/bin/tests/system/geoip2/ns2/example.db.in
index 836359dc..49b24346 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named1.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named1.conf.in
index 7d8ceb1d..25cbbcc0 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named1.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named10.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named10.conf.in
index 9e12fe08..5d6c3fd4 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named10.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named10.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named11.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named11.conf.in
index 4ad1ad0b..e4f099f8 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named11.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named11.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named12.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named12.conf.in
index a968c8a9..42aefc5c 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named12.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named12.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named13.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named13.conf.in
index 6d9d9667..ff11e049 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named13.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named13.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named14.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named14.conf.in
index b61867aa..2249d2bb 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named14.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named14.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named2.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named2.conf.in
index b0c15640..45887efb 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named2.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named3.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named3.conf.in
index e275fe34..3389e224 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named3.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named4.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named4.conf.in
index a3015d64..2dc076f6 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named4.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named4.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named5.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named5.conf.in
index c38e613d..9997597b 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named5.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named5.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named6.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named6.conf.in
index 3e95e700..5e0ab63f 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named6.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named6.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named7.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named7.conf.in
index 0674e75f..86d9adbf 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named7.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named7.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named8.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named8.conf.in
index a175cb9d..43d39647 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named8.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named8.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/ns2/named9.conf.in b/bind/bind9/bin/tests/system/geoip2/ns2/named9.conf.in
index 41992e49..4ce19289 100644
--- a/bind/bind9/bin/tests/system/geoip2/ns2/named9.conf.in
+++ b/bind/bind9/bin/tests/system/geoip2/ns2/named9.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/prereq.sh b/bind/bind9/bin/tests/system/geoip2/prereq.sh
index 2e38b774..6e89a7df 100644
--- a/bind/bind9/bin/tests/system/geoip2/prereq.sh
+++ b/bind/bind9/bin/tests/system/geoip2/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/setup.sh b/bind/bind9/bin/tests/system/geoip2/setup.sh
index 41f7a827..4dfa7965 100644
--- a/bind/bind9/bin/tests/system/geoip2/setup.sh
+++ b/bind/bind9/bin/tests/system/geoip2/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/geoip2/tests.sh b/bind/bind9/bin/tests/system/geoip2/tests.sh
index d94fba62..a429c83a 100644
--- a/bind/bind9/bin/tests/system/geoip2/tests.sh
+++ b/bind/bind9/bin/tests/system/geoip2/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/clean.sh b/bind/bind9/bin/tests/system/glue/clean.sh
index 25e408dc..411112f5 100644
--- a/bind/bind9/bin/tests/system/glue/clean.sh
+++ b/bind/bind9/bin/tests/system/glue/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/ns1/cache.in b/bind/bind9/bin/tests/system/glue/ns1/cache.in
index 8089efb1..aca1a963 100644
--- a/bind/bind9/bin/tests/system/glue/ns1/cache.in
+++ b/bind/bind9/bin/tests/system/glue/ns1/cache.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/ns1/mil.db b/bind/bind9/bin/tests/system/glue/ns1/mil.db
index 2dda6949..afd7f804 100644
--- a/bind/bind9/bin/tests/system/glue/ns1/mil.db
+++ b/bind/bind9/bin/tests/system/glue/ns1/mil.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/ns1/named.conf.in b/bind/bind9/bin/tests/system/glue/ns1/named.conf.in
index 20cc8870..1602e96a 100644
--- a/bind/bind9/bin/tests/system/glue/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/glue/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/ns1/net.db b/bind/bind9/bin/tests/system/glue/ns1/net.db
index b98271ef..7a86b297 100644
--- a/bind/bind9/bin/tests/system/glue/ns1/net.db
+++ b/bind/bind9/bin/tests/system/glue/ns1/net.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/ns1/root-servers.nil.db b/bind/bind9/bin/tests/system/glue/ns1/root-servers.nil.db
index e40f392d..bcddfa63 100644
--- a/bind/bind9/bin/tests/system/glue/ns1/root-servers.nil.db
+++ b/bind/bind9/bin/tests/system/glue/ns1/root-servers.nil.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/ns1/root.db b/bind/bind9/bin/tests/system/glue/ns1/root.db
index 1d585420..f32604e1 100644
--- a/bind/bind9/bin/tests/system/glue/ns1/root.db
+++ b/bind/bind9/bin/tests/system/glue/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/setup.sh b/bind/bind9/bin/tests/system/glue/setup.sh
index db566a32..0491ad0f 100644
--- a/bind/bind9/bin/tests/system/glue/setup.sh
+++ b/bind/bind9/bin/tests/system/glue/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/glue/tests.sh b/bind/bind9/bin/tests/system/glue/tests.sh
index 0425a349..061cf0de 100644
--- a/bind/bind9/bin/tests/system/glue/tests.sh
+++ b/bind/bind9/bin/tests/system/glue/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/gost/clean.sh b/bind/bind9/bin/tests/system/gost/clean.sh
index 3779676e..4e48d494 100644
--- a/bind/bind9/bin/tests/system/gost/clean.sh
+++ b/bind/bind9/bin/tests/system/gost/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/gost/ns1/named.conf b/bind/bind9/bin/tests/system/gost/ns1/named.conf
index 715f7d3f..5a4420f6 100644
--- a/bind/bind9/bin/tests/system/gost/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/gost/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/gost/ns1/root.db.in b/bind/bind9/bin/tests/system/gost/ns1/root.db.in
index e882893e..2f48c39b 100644
--- a/bind/bind9/bin/tests/system/gost/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/gost/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/gost/ns1/sign.sh b/bind/bind9/bin/tests/system/gost/ns1/sign.sh
index bdd78d53..8608a19f 100644
--- a/bind/bind9/bin/tests/system/gost/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/gost/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/gost/ns2/named.conf b/bind/bind9/bin/tests/system/gost/ns2/named.conf
index 50621a53..2f6dcc3d 100644
--- a/bind/bind9/bin/tests/system/gost/ns2/named.conf
+++ b/bind/bind9/bin/tests/system/gost/ns2/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/gost/prereq.sh b/bind/bind9/bin/tests/system/gost/prereq.sh
index f5295b71..d5e6e202 100644
--- a/bind/bind9/bin/tests/system/gost/prereq.sh
+++ b/bind/bind9/bin/tests/system/gost/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/gost/setup.sh b/bind/bind9/bin/tests/system/gost/setup.sh
index 7fba74b5..344f1bc7 100644
--- a/bind/bind9/bin/tests/system/gost/setup.sh
+++ b/bind/bind9/bin/tests/system/gost/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/gost/tests.sh b/bind/bind9/bin/tests/system/gost/tests.sh
index 75b577f1..fdb9a1db 100644
--- a/bind/bind9/bin/tests/system/gost/tests.sh
+++ b/bind/bind9/bin/tests/system/gost/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -21,15 +21,15 @@ DIGOPTS="+tcp +noadd +noauth +nosea +nostat +nocmd +dnssec -p 5300"
 
 # Check the example. domain
 
-echo "I:checking that positive validation works ($n)"
+echo_i "checking that positive validation works ($n)"
 ret=0
 $DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
 $DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
 n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/idna/clean.sh b/bind/bind9/bin/tests/system/idna/clean.sh
index 7a8e0d3a..c25e9ad9 100644
--- a/bind/bind9/bin/tests/system/idna/clean.sh
+++ b/bind/bind9/bin/tests/system/idna/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/idna/ns1/named.conf.in b/bind/bind9/bin/tests/system/idna/ns1/named.conf.in
index 92acac9f..6017c1bd 100644
--- a/bind/bind9/bin/tests/system/idna/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/idna/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/idna/ns1/root.db b/bind/bind9/bin/tests/system/idna/ns1/root.db
index 76ed2a03..c8849820 100644
--- a/bind/bind9/bin/tests/system/idna/ns1/root.db
+++ b/bind/bind9/bin/tests/system/idna/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/idna/setup.sh b/bind/bind9/bin/tests/system/idna/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/idna/setup.sh
+++ b/bind/bind9/bin/tests/system/idna/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/idna/tests.sh b/bind/bind9/bin/tests/system/idna/tests.sh
index 52d11f2c..5fb20045 100644
--- a/bind/bind9/bin/tests/system/idna/tests.sh
+++ b/bind/bind9/bin/tests/system/idna/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ifconfig.sh b/bind/bind9/bin/tests/system/ifconfig.sh
index 41b0182f..d0eb9fa6 100755
--- a/bind/bind9/bin/tests/system/ifconfig.sh
+++ b/bind/bind9/bin/tests/system/ifconfig.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/checkdsa.sh.in b/bind/bind9/bin/tests/system/inline/checkdsa.sh.in
index 5b6ea2eb..3d11809f 100644
--- a/bind/bind9/bin/tests/system/inline/checkdsa.sh.in
+++ b/bind/bind9/bin/tests/system/inline/checkdsa.sh.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/clean.sh b/bind/bind9/bin/tests/system/inline/clean.sh
index e82504bb..6539f2b5 100644
--- a/bind/bind9/bin/tests/system/inline/clean.sh
+++ b/bind/bind9/bin/tests/system/inline/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns1/named.conf.in b/bind/bind9/bin/tests/system/inline/ns1/named.conf.in
index 215800ca..8de13b98 100644
--- a/bind/bind9/bin/tests/system/inline/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/inline/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns1/root.db.in b/bind/bind9/bin/tests/system/inline/ns1/root.db.in
index 5f8640f5..380c6b52 100644
--- a/bind/bind9/bin/tests/system/inline/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns1/sign.sh b/bind/bind9/bin/tests/system/inline/ns1/sign.sh
index 80b88cc3..6a8c080a 100644
--- a/bind/bind9/bin/tests/system/inline/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/inline/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns2/bits.db.in b/bind/bind9/bin/tests/system/inline/ns2/bits.db.in
index a86fe8f4..98a678c0 100644
--- a/bind/bind9/bin/tests/system/inline/ns2/bits.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns2/bits.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns2/named.conf.in b/bind/bind9/bin/tests/system/inline/ns2/named.conf.in
index c4da5080..19798de6 100644
--- a/bind/bind9/bin/tests/system/inline/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/inline/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns2/nsec3-loop.db.in b/bind/bind9/bin/tests/system/inline/ns2/nsec3-loop.db.in
index ba0db9d3..686b9bc4 100644
--- a/bind/bind9/bin/tests/system/inline/ns2/nsec3-loop.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns2/nsec3-loop.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns3/master.db.in b/bind/bind9/bin/tests/system/inline/ns3/master.db.in
index 67e1510d..92f12e76 100644
--- a/bind/bind9/bin/tests/system/inline/ns3/master.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns3/master.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns3/master2.db.in b/bind/bind9/bin/tests/system/inline/ns3/master2.db.in
index 1bbeb9d9..cfcd06de 100644
--- a/bind/bind9/bin/tests/system/inline/ns3/master2.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns3/master2.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns3/master3.db.in b/bind/bind9/bin/tests/system/inline/ns3/master3.db.in
index f78a950b..ca07e428 100644
--- a/bind/bind9/bin/tests/system/inline/ns3/master3.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns3/master3.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns3/master4.db.in b/bind/bind9/bin/tests/system/inline/ns3/master4.db.in
index 0dc04a9d..ce8dfe9a 100644
--- a/bind/bind9/bin/tests/system/inline/ns3/master4.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns3/master4.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns3/master5.db.in b/bind/bind9/bin/tests/system/inline/ns3/master5.db.in
index 9bad5917..52764b5a 100644
--- a/bind/bind9/bin/tests/system/inline/ns3/master5.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns3/master5.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns3/master6.db.in b/bind/bind9/bin/tests/system/inline/ns3/master6.db.in
index 5cdb504b..afff09dd 100644
--- a/bind/bind9/bin/tests/system/inline/ns3/master6.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns3/master6.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns3/named.conf.in b/bind/bind9/bin/tests/system/inline/ns3/named.conf.in
index b5019022..bb0c01cc 100644
--- a/bind/bind9/bin/tests/system/inline/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/inline/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns3/sign.sh b/bind/bind9/bin/tests/system/inline/ns3/sign.sh
index b6f3b37f..9a414acb 100755
--- a/bind/bind9/bin/tests/system/inline/ns3/sign.sh
+++ b/bind/bind9/bin/tests/system/inline/ns3/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -173,9 +173,9 @@ do
     rm -f $k1.private 
     mv $k1.key a-file
     $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 ||
-        ( echo "importkey failed: $alg"; rm -f $checkfile )
+        ( echo_i "importkey failed: $alg"; rm -f $checkfile )
     rm -f $k2.private 
     mv $k2.key a-file
     $IMPORTKEY -f a-file $zone > /dev/null 2>&1 ||
-        ( echo "importkey failed: $alg"; rm -f $checkfile )
+        ( echo_i "importkey failed: $alg"; rm -f $checkfile )
 done
diff --git a/bind/bind9/bin/tests/system/inline/ns4/named.conf.in b/bind/bind9/bin/tests/system/inline/ns4/named.conf.in
index c20c74e6..b45f1316 100644
--- a/bind/bind9/bin/tests/system/inline/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/inline/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns4/noixfr.db.in b/bind/bind9/bin/tests/system/inline/ns4/noixfr.db.in
index c4750ca1..568a4242 100644
--- a/bind/bind9/bin/tests/system/inline/ns4/noixfr.db.in
+++ b/bind/bind9/bin/tests/system/inline/ns4/noixfr.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns5/named.conf.post b/bind/bind9/bin/tests/system/inline/ns5/named.conf.post
index 2a241e57..24816bef 100644
--- a/bind/bind9/bin/tests/system/inline/ns5/named.conf.post
+++ b/bind/bind9/bin/tests/system/inline/ns5/named.conf.post
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns5/named.conf.pre b/bind/bind9/bin/tests/system/inline/ns5/named.conf.pre
index dd92ebe3..7010b122 100644
--- a/bind/bind9/bin/tests/system/inline/ns5/named.conf.pre
+++ b/bind/bind9/bin/tests/system/inline/ns5/named.conf.pre
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns6/named.conf.in b/bind/bind9/bin/tests/system/inline/ns6/named.conf.in
index dc8b5ecd..52d521ec 100644
--- a/bind/bind9/bin/tests/system/inline/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/inline/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns7/named.conf.in b/bind/bind9/bin/tests/system/inline/ns7/named.conf.in
index 08479668..3db6143c 100644
--- a/bind/bind9/bin/tests/system/inline/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/inline/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns7/sign.sh b/bind/bind9/bin/tests/system/inline/ns7/sign.sh
index 9fd5553e..d04747f2 100755
--- a/bind/bind9/bin/tests/system/inline/ns7/sign.sh
+++ b/bind/bind9/bin/tests/system/inline/ns7/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/ns8/example.com.db.in b/bind/bind9/bin/tests/system/inline/ns8/example.com.db.in
new file mode 100644
index 00000000..73fa9aa5
--- /dev/null
+++ b/bind/bind9/bin/tests/system/inline/ns8/example.com.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns8 . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns8
+ns8			A	10.53.0.8
diff --git a/bind/bind9/bin/tests/system/inline/ns8/named.conf.in b/bind/bind9/bin/tests/system/inline/ns8/named.conf.in
new file mode 100644
index 00000000..7217164e
--- /dev/null
+++ b/bind/bind9/bin/tests/system/inline/ns8/named.conf.in
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	try-tcp-refresh no;
+	notify-delay 0;
+	allow-new-zones yes;
+};
+
+zone "example01.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example01.com.db";
+};
+
+zone "example02.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example02.com.db";
+};
+
+zone "example03.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example03.com.db";
+};
+
+zone "example04.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example04.com.db";
+};
+
+zone "example05.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example05.com.db";
+};
+
+zone "example06.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example06.com.db";
+};
+
+zone "example07.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example07.com.db";
+};
+
+zone "example08.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example08.com.db";
+};
+
+zone "example09.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example09.com.db";
+};
+
+zone "example10.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example10.com.db";
+};
+
+zone "example11.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example11.com.db";
+};
+
+zone "example12.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example12.com.db";
+};
+
+zone "example13.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example13.com.db";
+};
+
+zone "example14.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example14.com.db";
+};
+
+zone "example15.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example15.com.db";
+};
+
+zone "example16.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example16.com.db";
+};
diff --git a/bind/bind9/bin/tests/system/inline/ns8/sign.sh b/bind/bind9/bin/tests/system/inline/ns8/sign.sh
new file mode 100755
index 00000000..488a1d80
--- /dev/null
+++ b/bind/bind9/bin/tests/system/inline/ns8/sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+for zone in example01.com example02.com example03.com example04.com \
+	    example05.com example06.com example07.com example08.com \
+	    example09.com example10.com example11.com example12.com \
+	    example13.com example14.com example15.com example16.com
+do
+  rm -f K${zone}.+*+*.key
+  rm -f K${zone}.+*+*.private
+  keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+  keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone`
+  cp example.com.db.in ${zone}.db
+  $SIGNER -r $RANDFILE -S -T 3600 -O raw -o ${zone} ${zone}.db > /dev/null 2>&1
+done
diff --git a/bind/bind9/bin/tests/system/inline/prereq.sh b/bind/bind9/bin/tests/system/inline/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/inline/prereq.sh
+++ b/bind/bind9/bin/tests/system/inline/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/inline/setup.sh b/bind/bind9/bin/tests/system/inline/setup.sh
index 1384928a..f94225bd 100644
--- a/bind/bind9/bin/tests/system/inline/setup.sh
+++ b/bind/bind9/bin/tests/system/inline/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -46,7 +46,9 @@ copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.pre ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
 
 (cd ns3; $SHELL -e sign.sh)
 (cd ns1; $SHELL -e sign.sh)
 (cd ns7; $SHELL -e sign.sh)
+(cd ns8; $SHELL -e sign.sh)
diff --git a/bind/bind9/bin/tests/system/inline/tests.sh b/bind/bind9/bin/tests/system/inline/tests.sh
index 0874dcee..5ef3bfa6 100755
--- a/bind/bind9/bin/tests/system/inline/tests.sh
+++ b/bind/bind9/bin/tests/system/inline/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -153,7 +153,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that update has been transfered and has been signed ($n)"
+echo_i "checking that update has been transferred and has been signed ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -231,7 +231,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that update has been transfered and has been signed, noixfr ($n)"
+echo_i "checking that update has been transferred and has been signed, noixfr ($n)"
 ret=0
 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
 do
@@ -396,7 +396,6 @@ $DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns6.test$n
 grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
 grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
-
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
@@ -418,7 +417,8 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "checking master zone that was updated while offline is correct ($n)"
 ret=0
-serial=`$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA | awk '{print $3}'`
+$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n
+serial=`awk '{print $3}' dig.out.ns2.soa.test$n`
 # serial should have changed
 [ "$serial" = "2000042407" ] && ret=1
 # e.updated should exist and should be signed
@@ -429,9 +429,10 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
 # of master2.db, and should show a minimal diff: no more than 8 added
 # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
 # (SOA/RRSIG, NSEC/RRSIG).
-serial=`$JOURNALPRINT ns3/updated.db.signed.jnl | head -1 | awk '{print $4}'`
+$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n
+serial=`awk '/Source serial =/ {print $4}' journalprint.out.test$n`
 [ "$serial" = "2000042408" ] || ret=1
-diffsize=`$JOURNALPRINT ns3/updated.db.signed.jnl | wc -l`
+diffsize=`wc -l < journalprint.out.test$n`
 [ "$diffsize" -le 13 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -739,7 +740,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that the change has not been transfered due to notify ($n)"
+echo_i "checking that the change has not been transferred due to notify ($n)"
 ret=0
 for i in 0 1 2 3 4 5 6 7 8 9
 do
@@ -1357,6 +1358,7 @@ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} inline ns3
 # receive_secure_serial() should refrain from introducing any zone changes.
 $PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} inline ns3
 ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+nextpart ns3/named.run > /dev/null
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} inline ns3
 # We can now test whether the secure zone journal was correctly processed:
 # unless the records contained in it were scheduled for resigning, no resigning
@@ -1384,5 +1386,24 @@ grep "type: slave" rndc.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking reload of touched inline zones ($n)"
+echo_ic "pre-reload 'next key event'"
+nextpart ns8/named.run > nextpart.pre$n.out
+count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l`
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+echo_ic "touch and reload"
+touch ns8/example??.com.db
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+echo_ic "post-reload 'next key event'"
+nextpart ns8/named.run > nextpart.post$n.out
+count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l`
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/integrity/clean.sh b/bind/bind9/bin/tests/system/integrity/clean.sh
index d9c14533..44dc1353 100644
--- a/bind/bind9/bin/tests/system/integrity/clean.sh
+++ b/bind/bind9/bin/tests/system/integrity/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/integrity/ns1/mx-cname.db b/bind/bind9/bin/tests/system/integrity/ns1/mx-cname.db
index 550f9851..23178697 100644
--- a/bind/bind9/bin/tests/system/integrity/ns1/mx-cname.db
+++ b/bind/bind9/bin/tests/system/integrity/ns1/mx-cname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/integrity/ns1/named.conf.in b/bind/bind9/bin/tests/system/integrity/ns1/named.conf.in
index bc043326..ba8ba1a3 100644
--- a/bind/bind9/bin/tests/system/integrity/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/integrity/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/integrity/ns1/srv-cname.db b/bind/bind9/bin/tests/system/integrity/ns1/srv-cname.db
index d0dca6c0..716d77e1 100644
--- a/bind/bind9/bin/tests/system/integrity/ns1/srv-cname.db
+++ b/bind/bind9/bin/tests/system/integrity/ns1/srv-cname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/integrity/setup.sh b/bind/bind9/bin/tests/system/integrity/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/integrity/setup.sh
+++ b/bind/bind9/bin/tests/system/integrity/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/integrity/tests.sh b/bind/bind9/bin/tests/system/integrity/tests.sh
index 8d494d92..84715889 100644
--- a/bind/bind9/bin/tests/system/integrity/tests.sh
+++ b/bind/bind9/bin/tests/system/integrity/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/clean.sh b/bind/bind9/bin/tests/system/ixfr/clean.sh
index 3c68a364..0daf9584 100644
--- a/bind/bind9/bin/tests/system/ixfr/clean.sh
+++ b/bind/bind9/bin/tests/system/ixfr/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,6 +16,7 @@ rm -f ns5/*.jnl ns5/*.db
 rm -f */named.memstats
 rm -f */named.conf
 rm -f */named.run
+rm -f */named.run.prev
 rm -f */ans.run
 rm -f dig.out.test* dig.out1.test* dig.out2.test* dig.out3.test*
 rm -f ns3/large.db
diff --git a/bind/bind9/bin/tests/system/ixfr/ns3/mytest0.db b/bind/bind9/bin/tests/system/ixfr/ns3/mytest0.db
index 644086fb..6f92f936 100644
--- a/bind/bind9/bin/tests/system/ixfr/ns3/mytest0.db
+++ b/bind/bind9/bin/tests/system/ixfr/ns3/mytest0.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/ns3/mytest1.db b/bind/bind9/bin/tests/system/ixfr/ns3/mytest1.db
index ddc7e05d..748193b9 100644
--- a/bind/bind9/bin/tests/system/ixfr/ns3/mytest1.db
+++ b/bind/bind9/bin/tests/system/ixfr/ns3/mytest1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/ns3/mytest2.db b/bind/bind9/bin/tests/system/ixfr/ns3/mytest2.db
index 080f3358..7eeb38b8 100644
--- a/bind/bind9/bin/tests/system/ixfr/ns3/mytest2.db
+++ b/bind/bind9/bin/tests/system/ixfr/ns3/mytest2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -10,7 +10,7 @@
 $ORIGIN test.
 $TTL    15
 test.  15  IN        SOA ns1.test.  hostmaster.test. (
-                              4 ; serial
+                              3 ; serial
                               3H ; refresh
                               15 ; retry
                               1w ; expire
diff --git a/bind/bind9/bin/tests/system/ixfr/ns3/named.conf.in b/bind/bind9/bin/tests/system/ixfr/ns3/named.conf.in
index 4ffb872b..c51cf5a2 100644
--- a/bind/bind9/bin/tests/system/ixfr/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/ixfr/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/ns3/subtest0.db b/bind/bind9/bin/tests/system/ixfr/ns3/subtest0.db
index 7dc1ed79..f52b61d6 100644
--- a/bind/bind9/bin/tests/system/ixfr/ns3/subtest0.db
+++ b/bind/bind9/bin/tests/system/ixfr/ns3/subtest0.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/ns3/subtest1.db b/bind/bind9/bin/tests/system/ixfr/ns3/subtest1.db
index 5af027a4..c4ea3e5c 100644
--- a/bind/bind9/bin/tests/system/ixfr/ns3/subtest1.db
+++ b/bind/bind9/bin/tests/system/ixfr/ns3/subtest1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/ns4/named.conf.in b/bind/bind9/bin/tests/system/ixfr/ns4/named.conf.in
index d3490b18..187d61e1 100644
--- a/bind/bind9/bin/tests/system/ixfr/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/ixfr/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/ns5/named.conf.in b/bind/bind9/bin/tests/system/ixfr/ns5/named.conf.in
index 220b1d39..de32dff9 100644
--- a/bind/bind9/bin/tests/system/ixfr/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/ixfr/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/prereq.sh b/bind/bind9/bin/tests/system/ixfr/prereq.sh
index 0e299f4d..d2ca8fc2 100644
--- a/bind/bind9/bin/tests/system/ixfr/prereq.sh
+++ b/bind/bind9/bin/tests/system/ixfr/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/setup.sh b/bind/bind9/bin/tests/system/ixfr/setup.sh
index 963d54c5..dc3b5acb 100644
--- a/bind/bind9/bin/tests/system/ixfr/setup.sh
+++ b/bind/bind9/bin/tests/system/ixfr/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/ixfr/tests.sh b/bind/bind9/bin/tests/system/ixfr/tests.sh
index 670c15c9..cd1baf87 100644
--- a/bind/bind9/bin/tests/system/ixfr/tests.sh
+++ b/bind/bind9/bin/tests/system/ixfr/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -67,7 +67,7 @@ done
 
 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'initial AXFR' >/dev/null || {
     echo_i "failed"
-    status=1
+    status=`expr $status + 1`
 }
 
 n=`expr $n + 1`
@@ -100,11 +100,11 @@ sleep 2
 
 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'successful IXFR' >/dev/null || {
     echo_i "failed"
-    status=1
+    status=`expr $status + 1`
 }
 
 n=`expr $n + 1`
-echo_i "testing AXFR fallback after IXFR failure ($n)"
+echo_i "testing AXFR fallback after IXFR failure (not exact error) ($n)"
 
 # Provide a broken IXFR response and a working fallback AXFR response
 
@@ -135,10 +135,70 @@ sleep 2
 
 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'fallback AXFR' >/dev/null || {
     echo_i "failed"
-    status=1
+    status=`expr $status + 1`
 }
 
 n=`expr $n + 1`
+echo_i "testing AXFR fallback after IXFR failure (bad SOA owner) ($n)"
+ret=0
+
+# Prepare for checking the logs later on.
+nextpart ns1/named.run >/dev/null
+
+# Provide a broken IXFR response and a working fallback AXFR response.
+$SENDCMD <<EOF
+/SOA/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/IXFR/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+bad-owner.    	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+test.nil.	300	TXT	"serial 4, malformed IXFR"
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/AXFR/
+nil.      	300	NS	ns.nil.
+test.nil.      	300	TXT	"serial 4, fallback AXFR"
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+EOF
+$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i
+
+# A broken server would accept the malformed IXFR and apply its contents to the
+# zone.  A fixed one would reject the IXFR and fall back to AXFR.  Both IXFR and
+# AXFR above bring the nil. zone up to serial 4, but we cannot reliably query
+# for the SOA record to check whether the transfer was finished because a broken
+# server would send back SERVFAIL responses to SOA queries after accepting the
+# malformed IXFR.  Instead, check transfer progress by querying for a TXT record
+# at test.nil. which is present in both IXFR and AXFR (with different contents).
+_wait_until_transfer_is_finished() {
+	$DIG $DIGOPTS +tries=1 +time=1 @10.53.0.1 test.nil. TXT > dig.out.test$n.1 &&
+	grep -q -F "serial 4" dig.out.test$n.1
+}
+if ! retry_quiet 10 _wait_until_transfer_is_finished; then
+	echo_i "timed out waiting for version 4 of zone nil. to be transferred"
+	ret=1
+fi
+
+# At this point a broken server would be serving a zone with no SOA records.
+# Try crashing it by triggering a SOA refresh query.
+$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i
+
+# Do not wait until the zone refresh completes - even if a crash has not
+# happened by now, a broken server would never serve the record which is only
+# present in the fallback AXFR, so checking for that is enough to verify if a
+# server is broken or not; if it is, it is bound to crash shortly anyway.
+$DIG $DIGOPTS test.nil. TXT @10.53.0.1 > dig.out.test$n.2 || ret=1
+grep -q -F "serial 4, fallback AXFR" dig.out.test$n.2 || ret=1
+
+# Ensure the expected error is logged.
+nextpart ns1/named.run | grep -q -F "SOA name mismatch" || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
 echo_i "testing ixfr-from-differences option ($n)"
 # ns3 is master; ns4 is slave
 $CHECKZONE test. ns3/mytest.db > /dev/null 2>&1
@@ -196,7 +256,7 @@ done
 if [ $INCR -ne 1 ]
 then
     echo_i "failed to get incremental response"
-    status=1
+    status=`expr $status + 1`
 fi
 
 n=`expr $n + 1`
@@ -206,7 +266,7 @@ echo_i "testing request-ixfr option in view vs zone ($n)"
 # we want to make sure that a change to sub.test results in AXFR, while
 # changes to test. result in IXFR
 
-echo_i " this result should be AXFR"
+echo_ic "this result should be AXFR"
 cp ns3/subtest1.db ns3/subtest.db # change to sub.test zone, should be AXFR
 $RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i
 
@@ -231,7 +291,7 @@ do
 	sleep 1
 done
 
-echo_i " this result should be AXFR"
+echo_ic "this result should be AXFR"
 for i in 0 1 2 3 4 5 6 7 8 9
 do
 	NONINCR=`grep 'sub\.test/IN/primary' ns4/named.run|grep "got nonincremental" | wc -l`
@@ -240,13 +300,15 @@ do
 done
 if [ $NONINCR -ne 2 ]
 then
-    echo_i "failed to get nonincremental response in 2nd AXFR test"
-    status=1
+    echo_ic "failed to get nonincremental response in 2nd AXFR test"
+
+    echo_i "failed"
+    status=`expr $status + 1`
 else
-    echo_i "  success: AXFR it was"
+    echo_ic "success: AXFR it was"
 fi
 
-echo_i " this result should be IXFR"
+echo_ic "this result should be IXFR"
 cp ns3/mytest2.db ns3/mytest.db # change to test zone, should be IXFR
 $RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i
 
@@ -279,10 +341,12 @@ do
 done
 if [ $INCR -ne 2 ]
 then
-    echo_i "failed to get incremental response in 2nd IXFR test"
-    status=1
+    echo_ic "failed to get incremental response in 2nd IXFR test"
+
+    echo_i "failed"
+    status=`expr $status + 1`
 else
-    echo_i "  success: IXFR it was"
+    echo_ic "success: IXFR it was"
 fi
 
 n=`expr $n + 1`
@@ -294,9 +358,9 @@ $DIG -p ${PORT} ixfr=0 large @10.53.0.3 > dig.out.test$n
 kill $sub
 )
 lines=`grep hostmaster.large dig.out.test$n | wc -l`
-test ${lines:-0} -eq 2 || { echo_i "failed"; status=1; }
+test ${lines:-0} -eq 2 || { echo_i "failed"; status=`expr $status + 1`; }
 messages=`sed -n 's/^;;.*messages \([0-9]*\),.*/\1/p' dig.out.test$n`
-test ${messages:-0} -gt 1 || { echo_i "failed"; status=1; }
+test ${messages:-0} -gt 1 || { echo_i "failed"; status=`expr $status + 1`; }
 
 n=`expr $n + 1`
 echo_i "test 'dig +notcp ixfr=<value>' vs 'dig ixfr=<value> +notcp' vs 'dig ixfr=<value>' ($n)"
@@ -306,13 +370,13 @@ $DIG $DIGOPTS +notcp ixfr=1 test @10.53.0.4 > dig.out1.test$n || ret=1
 $DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.4 > dig.out2.test$n || ret=1
 digcomp dig.out1.test$n dig.out2.test$n || ret=1
 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1
-awk '$4 == "SOA" { if ($7 == 4) exit(0); else exit(1);}' dig.out1.test$n || ret=1
+awk '$4 == "SOA" { if ($7 == 3) exit(0); else exit(1);}' dig.out1.test$n || ret=1
 # Should be incremental transfer.
 $DIG $DIGOPTS ixfr=1 test @10.53.0.4 > dig.out3.test$n || ret=1
 awk '$4 == "SOA" { soacnt++} END { if (soacnt == 6) exit(0); else exit(1);}' dig.out3.test$n || ret=1
 if [ ${ret} != 0 ]; then
-	echo_i "failed";
-	status=1;
+	echo_i "failed"
+	status=`expr $status + 1`
 fi
 
 # wait for slave to transfer zone
@@ -329,18 +393,43 @@ do
 done
 
 n=`expr $n + 1`
-echo_i "test 'provide-ixfr no;' ($n)"
+echo_i "test 'provide-ixfr no;' (serial < current) ($n)"
 ret=0
+nextpart ns5/named.run > /dev/null
 # Should be "AXFR style" response
 $DIG $DIGOPTS ixfr=1 test @10.53.0.5 > dig.out1.test$n || ret=1
 # Should be "switch to TCP" response
 $DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1
 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 2) exit(0); else exit(1);}' dig.out1.test$n || ret=1
 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1
-if [ ${ret} != 0 ]; then
-	echo_i "failed";
-	status=1;
-fi
+msg="IXFR delta response disabled due to 'provide-ixfr no;' being set"
+nextpart ns5/named.run | grep "$msg" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test 'provide-ixfr no;' (serial = current) ($n)"
+ret=0
+# Should be "AXFR style" response
+$DIG $DIGOPTS ixfr=3 test @10.53.0.5 > dig.out1.test$n || ret=1
+# Should be "switch to TCP" response
+$DIG $DIGOPTS ixfr=3 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test 'provide-ixfr no;' (serial > current) ($n)"
+ret=0
+# Should be "AXFR style" response
+$DIG $DIGOPTS ixfr=4 test @10.53.0.5 > dig.out1.test$n || ret=1
+# Should be "switch to TCP" response
+$DIG $DIGOPTS ixfr=4 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/keymgr/01-ksk-inactive/README b/bind/bind9/bin/tests/system/keymgr/01-ksk-inactive/README
index b91a6757..a79314ea 100644
--- a/bind/bind9/bin/tests/system/keymgr/01-ksk-inactive/README
+++ b/bind/bind9/bin/tests/system/keymgr/01-ksk-inactive/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes one KSK rollover.  The KSK is deactivated prior to
 its replacement being activated.
diff --git a/bind/bind9/bin/tests/system/keymgr/02-zsk-inactive/README b/bind/bind9/bin/tests/system/keymgr/02-zsk-inactive/README
index 9d1e17f5..8997e0a1 100644
--- a/bind/bind9/bin/tests/system/keymgr/02-zsk-inactive/README
+++ b/bind/bind9/bin/tests/system/keymgr/02-zsk-inactive/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes one ZSK rollover.  The first ZSK is deactivated
 prior to its replacement being activated.
diff --git a/bind/bind9/bin/tests/system/keymgr/03-ksk-unpublished/README b/bind/bind9/bin/tests/system/keymgr/03-ksk-unpublished/README
index 513e9bda..4086a318 100644
--- a/bind/bind9/bin/tests/system/keymgr/03-ksk-unpublished/README
+++ b/bind/bind9/bin/tests/system/keymgr/03-ksk-unpublished/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set contains one KSK rollover.  The KSK is unpublished before its
 successor is published.
diff --git a/bind/bind9/bin/tests/system/keymgr/04-zsk-unpublished/README b/bind/bind9/bin/tests/system/keymgr/04-zsk-unpublished/README
index a5185563..a3bbe85a 100644
--- a/bind/bind9/bin/tests/system/keymgr/04-zsk-unpublished/README
+++ b/bind/bind9/bin/tests/system/keymgr/04-zsk-unpublished/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set contains one ZSK rollover.  The ZSK is unpublished before its
 successor is published.
diff --git a/bind/bind9/bin/tests/system/keymgr/05-ksk-unpub-active/README b/bind/bind9/bin/tests/system/keymgr/05-ksk-unpub-active/README
index e6a194b6..5b474567 100644
--- a/bind/bind9/bin/tests/system/keymgr/05-ksk-unpub-active/README
+++ b/bind/bind9/bin/tests/system/keymgr/05-ksk-unpub-active/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes one KSK rollover.  The first KSK is deleted
 and its successor published prior to the first KSK being deactivated
diff --git a/bind/bind9/bin/tests/system/keymgr/06-zsk-unpub-active/README b/bind/bind9/bin/tests/system/keymgr/06-zsk-unpub-active/README
index e6a194b6..5b474567 100644
--- a/bind/bind9/bin/tests/system/keymgr/06-zsk-unpub-active/README
+++ b/bind/bind9/bin/tests/system/keymgr/06-zsk-unpub-active/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes one KSK rollover.  The first KSK is deleted
 and its successor published prior to the first KSK being deactivated
diff --git a/bind/bind9/bin/tests/system/keymgr/07-ksk-ttl/README b/bind/bind9/bin/tests/system/keymgr/07-ksk-ttl/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/07-ksk-ttl/README
+++ b/bind/bind9/bin/tests/system/keymgr/07-ksk-ttl/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/08-zsk-ttl/README b/bind/bind9/bin/tests/system/keymgr/08-zsk-ttl/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/08-zsk-ttl/README
+++ b/bind/bind9/bin/tests/system/keymgr/08-zsk-ttl/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/09-no-keys/README b/bind/bind9/bin/tests/system/keymgr/09-no-keys/README
index 5f4d53ab..7de6d408 100644
--- a/bind/bind9/bin/tests/system/keymgr/09-no-keys/README
+++ b/bind/bind9/bin/tests/system/keymgr/09-no-keys/README
@@ -1,5 +1,5 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This directory has no key set, but one will be initialized by dnssec-keymgr.
diff --git a/bind/bind9/bin/tests/system/keymgr/10-change-roll/README b/bind/bind9/bin/tests/system/keymgr/10-change-roll/README
index 8cf6f4e6..c83de5f3 100644
--- a/bind/bind9/bin/tests/system/keymgr/10-change-roll/README
+++ b/bind/bind9/bin/tests/system/keymgr/10-change-roll/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This directory has a key set which is valid, but has a ZSK rollover period
 of only three months. It will be updated to have a ZSK rollover period of
diff --git a/bind/bind9/bin/tests/system/keymgr/11-many-simul/README b/bind/bind9/bin/tests/system/keymgr/11-many-simul/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/11-many-simul/README
+++ b/bind/bind9/bin/tests/system/keymgr/11-many-simul/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/12-many-active/README b/bind/bind9/bin/tests/system/keymgr/12-many-active/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/12-many-active/README
+++ b/bind/bind9/bin/tests/system/keymgr/12-many-active/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/13-noroll/README b/bind/bind9/bin/tests/system/keymgr/13-noroll/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/13-noroll/README
+++ b/bind/bind9/bin/tests/system/keymgr/13-noroll/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/14-wrongalg/README b/bind/bind9/bin/tests/system/keymgr/14-wrongalg/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/14-wrongalg/README
+++ b/bind/bind9/bin/tests/system/keymgr/14-wrongalg/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/15-unspec/README b/bind/bind9/bin/tests/system/keymgr/15-unspec/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/15-unspec/README
+++ b/bind/bind9/bin/tests/system/keymgr/15-unspec/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/16-wrongalg-unspec/README b/bind/bind9/bin/tests/system/keymgr/16-wrongalg-unspec/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/16-wrongalg-unspec/README
+++ b/bind/bind9/bin/tests/system/keymgr/16-wrongalg-unspec/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/17-noforce/README b/bind/bind9/bin/tests/system/keymgr/17-noforce/README
index 791b6d38..0830ca3e 100644
--- a/bind/bind9/bin/tests/system/keymgr/17-noforce/README
+++ b/bind/bind9/bin/tests/system/keymgr/17-noforce/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This set includes a KSK rollover, with insufficient delay between
 prepublication and rollover.
diff --git a/bind/bind9/bin/tests/system/keymgr/18-nonstd-prepub/README b/bind/bind9/bin/tests/system/keymgr/18-nonstd-prepub/README
index fc1aacae..4ee0a8a3 100644
--- a/bind/bind9/bin/tests/system/keymgr/18-nonstd-prepub/README
+++ b/bind/bind9/bin/tests/system/keymgr/18-nonstd-prepub/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This directory has a key set which is valid, but will expire within
 the rollover period. The prepublication interval in policy.conf is a
diff --git a/bind/bind9/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf b/bind/bind9/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf
index 91817ff4..31db3be8 100644
--- a/bind/bind9/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf
+++ b/bind/bind9/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/keymgr/19-old-keys/README b/bind/bind9/bin/tests/system/keymgr/19-old-keys/README
index 424b70c4..bd66ba83 100644
--- a/bind/bind9/bin/tests/system/keymgr/19-old-keys/README
+++ b/bind/bind9/bin/tests/system/keymgr/19-old-keys/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This directory has a key set which is valid, but which was published
 and activated more than one rollover period ago. dnssec-keymgr should
diff --git a/bind/bind9/bin/tests/system/keymgr/19-old-keys/extra.sh b/bind/bind9/bin/tests/system/keymgr/19-old-keys/extra.sh
index 8da6aa13..cd175a1c 100644
--- a/bind/bind9/bin/tests/system/keymgr/19-old-keys/extra.sh
+++ b/bind/bind9/bin/tests/system/keymgr/19-old-keys/extra.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/keymgr/19-old-keys/policy.conf b/bind/bind9/bin/tests/system/keymgr/19-old-keys/policy.conf
index 91817ff4..31db3be8 100644
--- a/bind/bind9/bin/tests/system/keymgr/19-old-keys/policy.conf
+++ b/bind/bind9/bin/tests/system/keymgr/19-old-keys/policy.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/keymgr/clean.sh b/bind/bind9/bin/tests/system/keymgr/clean.sh
index 04aebe1b..4273405c 100644
--- a/bind/bind9/bin/tests/system/keymgr/clean.sh
+++ b/bind/bind9/bin/tests/system/keymgr/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/keymgr/policy.conf b/bind/bind9/bin/tests/system/keymgr/policy.conf
index 4da487a6..4f3aba7c 100644
--- a/bind/bind9/bin/tests/system/keymgr/policy.conf
+++ b/bind/bind9/bin/tests/system/keymgr/policy.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/keymgr/policy.sample b/bind/bind9/bin/tests/system/keymgr/policy.sample
index 4594091f..cf382ebd 100644
--- a/bind/bind9/bin/tests/system/keymgr/policy.sample
+++ b/bind/bind9/bin/tests/system/keymgr/policy.sample
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/keymgr/prereq.sh b/bind/bind9/bin/tests/system/keymgr/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/keymgr/prereq.sh
+++ b/bind/bind9/bin/tests/system/keymgr/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/keymgr/setup.sh b/bind/bind9/bin/tests/system/keymgr/setup.sh
index 256c2ec9..358a1edd 100644
--- a/bind/bind9/bin/tests/system/keymgr/setup.sh
+++ b/bind/bind9/bin/tests/system/keymgr/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/keymgr/testpolicy.py b/bind/bind9/bin/tests/system/keymgr/testpolicy.py
index e9125cf3..967bfc34 100644
--- a/bind/bind9/bin/tests/system/keymgr/testpolicy.py
+++ b/bind/bind9/bin/tests/system/keymgr/testpolicy.py
@@ -3,37 +3,36 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 ############################################################################
 
 import sys
-sys.path.insert(0, '../../../python')
-from isc import *
+from isc import policy
 
-pp = policy.dnssec_policy()
+PP = policy.dnssec_policy()
 # print the unmodified default and a generated zone policy
-print(pp.named_policy['default'])
-print(pp.named_policy['global'])
-print(pp.policy('example.com'))
+print(PP.named_policy['default'])
+print(PP.named_policy['global'])
+print(PP.policy('example.com'))
 
 if len(sys.argv) > 0:
     for policy_file in sys.argv[1:]:
-        pp.load(policy_file)
+        PP.load(policy_file)
 
         # now print the modified default and generated zone policies
-        print(pp.named_policy['default'])
-        print(pp.policy('example.com'))
-        print(pp.policy('example.org'))
-        print(pp.policy('example.net'))
+        print(PP.named_policy['default'])
+        print(PP.policy('example.com'))
+        print(PP.policy('example.org'))
+        print(PP.policy('example.net'))
 
         # print algorithm policies
-        print(pp.alg_policy['RSASHA1'])
-        print(pp.alg_policy['DSA'])
+        print(PP.alg_policy['RSASHA1'])
+        print(PP.alg_policy['DSA'])
 
         # print another named policy
-        print(pp.named_policy['extra'])
+        print(PP.named_policy['extra'])
 else:
     print("ERROR: Please provide an input file")
diff --git a/bind/bind9/bin/tests/system/keymgr/tests.sh b/bind/bind9/bin/tests/system/keymgr/tests.sh
index 182b3b2c..2110d2bf 100644
--- a/bind/bind9/bin/tests/system/keymgr/tests.sh
+++ b/bind/bind9/bin/tests/system/keymgr/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -133,7 +133,7 @@ n=`expr $n + 1`
 
 echo_i "checking policy.conf parser ($n)"
 ret=0
-${PYTHON} testpolicy.py policy.sample > policy.out
+PYTHONPATH="../../../python:$PYTHONPATH" ${PYTHON} testpolicy.py policy.sample > policy.out
 $DOS2UNIX policy.out > /dev/null 2>&1
 cmp -s policy.good policy.out || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bind/bind9/bin/tests/system/legacy/build.sh b/bind/bind9/bin/tests/system/legacy/build.sh
index 08a2e495..551c24a5 100644
--- a/bind/bind9/bin/tests/system/legacy/build.sh
+++ b/bind/bind9/bin/tests/system/legacy/build.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/clean.sh b/bind/bind9/bin/tests/system/legacy/clean.sh
index 84605d32..21246681 100644
--- a/bind/bind9/bin/tests/system/legacy/clean.sh
+++ b/bind/bind9/bin/tests/system/legacy/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -12,6 +12,7 @@ rm -f ns*/named.conf
 rm -f ns*/named.memstats
 rm -f ns*/named.run
 rm -f ns*/named.lock
+rm -f ns1/named_dump.db.test*
 
 # build.sh
 rm -f ns6/K*
diff --git a/bind/bind9/bin/tests/system/legacy/ns1/named1.conf.in b/bind/bind9/bin/tests/system/legacy/ns1/named1.conf.in
index 61e842a9..4993040d 100644
--- a/bind/bind9/bin/tests/system/legacy/ns1/named1.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns1/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -18,6 +18,9 @@ options {
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	recursion yes;
+	max-udp-size 4096;
+	edns-udp-size 4096;
+	nocookie-udp-size 4096;
 };
 
 key rndc_key {
diff --git a/bind/bind9/bin/tests/system/legacy/ns1/named2.conf.in b/bind/bind9/bin/tests/system/legacy/ns1/named2.conf.in
index e3edb027..7b0104fb 100644
--- a/bind/bind9/bin/tests/system/legacy/ns1/named2.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns1/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -18,6 +18,9 @@ options {
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	recursion yes;
+	max-udp-size 4096;
+	edns-udp-size 4096;
+	nocookie-udp-size 4096;
 };
 
 zone "." {
diff --git a/bind/bind9/bin/tests/system/legacy/ns1/root.db b/bind/bind9/bin/tests/system/legacy/ns1/root.db
index e4889a8f..64b3b41c 100644
--- a/bind/bind9/bin/tests/system/legacy/ns1/root.db
+++ b/bind/bind9/bin/tests/system/legacy/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns10/ednsrefused.db b/bind/bind9/bin/tests/system/legacy/ns10/ednsrefused.db
index caac70d2..1d65d523 100644
--- a/bind/bind9/bin/tests/system/legacy/ns10/ednsrefused.db
+++ b/bind/bind9/bin/tests/system/legacy/ns10/ednsrefused.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns10/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns10/named.conf.in
index e7bf8b25..db74c3ac 100644
--- a/bind/bind9/bin/tests/system/legacy/ns10/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns10/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns2/dropedns.db b/bind/bind9/bin/tests/system/legacy/ns2/dropedns.db
index 3bf81cd1..eab3b72f 100644
--- a/bind/bind9/bin/tests/system/legacy/ns2/dropedns.db
+++ b/bind/bind9/bin/tests/system/legacy/ns2/dropedns.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns2/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns2/named.conf.in
index 552227d6..c408b16a 100644
--- a/bind/bind9/bin/tests/system/legacy/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns3/dropedns-notcp.db b/bind/bind9/bin/tests/system/legacy/ns3/dropedns-notcp.db
index 40f5e111..7f32e657 100644
--- a/bind/bind9/bin/tests/system/legacy/ns3/dropedns-notcp.db
+++ b/bind/bind9/bin/tests/system/legacy/ns3/dropedns-notcp.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns3/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns3/named.conf.in
index 8d10f937..e1fefd8a 100644
--- a/bind/bind9/bin/tests/system/legacy/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns4/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns4/named.conf.in
index 91c12032..8015b353 100644
--- a/bind/bind9/bin/tests/system/legacy/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns4/plain.db b/bind/bind9/bin/tests/system/legacy/ns4/plain.db
index fd5be9f2..87180dd9 100644
--- a/bind/bind9/bin/tests/system/legacy/ns4/plain.db
+++ b/bind/bind9/bin/tests/system/legacy/ns4/plain.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns5/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns5/named.conf.in
index 2cb4af43..59ade6e4 100644
--- a/bind/bind9/bin/tests/system/legacy/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns5/plain-notcp.db b/bind/bind9/bin/tests/system/legacy/ns5/plain-notcp.db
index 51c9e101..dced7c07 100644
--- a/bind/bind9/bin/tests/system/legacy/ns5/plain-notcp.db
+++ b/bind/bind9/bin/tests/system/legacy/ns5/plain-notcp.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns6/edns512.db.in b/bind/bind9/bin/tests/system/legacy/ns6/edns512.db.in
index 8afe499c..c32a404c 100644
--- a/bind/bind9/bin/tests/system/legacy/ns6/edns512.db.in
+++ b/bind/bind9/bin/tests/system/legacy/ns6/edns512.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns6/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns6/named.conf.in
index 80800037..e99a20a6 100644
--- a/bind/bind9/bin/tests/system/legacy/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns6/sign.sh b/bind/bind9/bin/tests/system/legacy/ns6/sign.sh
index ba083bed..b318591d 100755
--- a/bind/bind9/bin/tests/system/legacy/ns6/sign.sh
+++ b/bind/bind9/bin/tests/system/legacy/ns6/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns7/edns512-notcp.db.in b/bind/bind9/bin/tests/system/legacy/ns7/edns512-notcp.db.in
index 646d488e..7a95e2dc 100644
--- a/bind/bind9/bin/tests/system/legacy/ns7/edns512-notcp.db.in
+++ b/bind/bind9/bin/tests/system/legacy/ns7/edns512-notcp.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns7/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns7/named.conf.in
index d48a190c..2e27880b 100644
--- a/bind/bind9/bin/tests/system/legacy/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -18,6 +18,10 @@ options {
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
 	recursion no;
+	max-udp-size 4096;
+	edns-udp-size 4096;
+	nocookie-udp-size 4096;
+	answer-cookie no;
 };
 
 zone "edns512-notcp" {
diff --git a/bind/bind9/bin/tests/system/legacy/ns7/sign.sh b/bind/bind9/bin/tests/system/legacy/ns7/sign.sh
index 344a869a..30d2775b 100755
--- a/bind/bind9/bin/tests/system/legacy/ns7/sign.sh
+++ b/bind/bind9/bin/tests/system/legacy/ns7/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns8/ednsformerr.db b/bind/bind9/bin/tests/system/legacy/ns8/ednsformerr.db
index caac70d2..1d65d523 100644
--- a/bind/bind9/bin/tests/system/legacy/ns8/ednsformerr.db
+++ b/bind/bind9/bin/tests/system/legacy/ns8/ednsformerr.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns8/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns8/named.conf.in
index dc4ce6b3..511bafeb 100644
--- a/bind/bind9/bin/tests/system/legacy/ns8/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns8/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns9/ednsnotimp.db b/bind/bind9/bin/tests/system/legacy/ns9/ednsnotimp.db
index caac70d2..1d65d523 100644
--- a/bind/bind9/bin/tests/system/legacy/ns9/ednsnotimp.db
+++ b/bind/bind9/bin/tests/system/legacy/ns9/ednsnotimp.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/ns9/named.conf.in b/bind/bind9/bin/tests/system/legacy/ns9/named.conf.in
index 34ac3af8..5823c35d 100644
--- a/bind/bind9/bin/tests/system/legacy/ns9/named.conf.in
+++ b/bind/bind9/bin/tests/system/legacy/ns9/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/setup.sh b/bind/bind9/bin/tests/system/legacy/setup.sh
index 4aa4e853..8fca1827 100644
--- a/bind/bind9/bin/tests/system/legacy/setup.sh
+++ b/bind/bind9/bin/tests/system/legacy/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/legacy/tests.sh b/bind/bind9/bin/tests/system/legacy/tests.sh
index 79254e0d..764d753a 100755
--- a/bind/bind9/bin/tests/system/legacy/tests.sh
+++ b/bind/bind9/bin/tests/system/legacy/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/limits/clean.sh b/bind/bind9/bin/tests/system/limits/clean.sh
index 73f4bc3a..63d7ad04 100644
--- a/bind/bind9/bin/tests/system/limits/clean.sh
+++ b/bind/bind9/bin/tests/system/limits/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/limits/ns1/example.db b/bind/bind9/bin/tests/system/limits/ns1/example.db
index 1fc5ec63..f9a06812 100644
--- a/bind/bind9/bin/tests/system/limits/ns1/example.db
+++ b/bind/bind9/bin/tests/system/limits/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/limits/ns1/named.conf.in b/bind/bind9/bin/tests/system/limits/ns1/named.conf.in
index 31899676..fac681c7 100644
--- a/bind/bind9/bin/tests/system/limits/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/limits/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/limits/ns1/root.db b/bind/bind9/bin/tests/system/limits/ns1/root.db
index 12486d71..0012a58d 100644
--- a/bind/bind9/bin/tests/system/limits/ns1/root.db
+++ b/bind/bind9/bin/tests/system/limits/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/limits/setup.sh b/bind/bind9/bin/tests/system/limits/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/limits/setup.sh
+++ b/bind/bind9/bin/tests/system/limits/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/limits/tests.sh b/bind/bind9/bin/tests/system/limits/tests.sh
index 5fbdd1d6..2aa4d898 100644
--- a/bind/bind9/bin/tests/system/limits/tests.sh
+++ b/bind/bind9/bin/tests/system/limits/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/clean.sh b/bind/bind9/bin/tests/system/logfileconfig/clean.sh
index 61d41e4c..923d51de 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/clean.sh
+++ b/bind/bind9/bin/tests/system/logfileconfig/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/controls.conf.in b/bind/bind9/bin/tests/system/logfileconfig/ns1/controls.conf.in
index 74084d96..587d5108 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/controls.conf.in
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/controls.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.dirconf b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.dirconf
index dcc02d32..5b5b4471 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.dirconf
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.dirconf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.pipeconf b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.pipeconf
index cc8fe36b..837d3509 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.pipeconf
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.pipeconf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.plain b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.plain
index 0ef78325..84cc5817 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.plain
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.plain
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.plainconf b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.plainconf
index 75e0c793..21275cea 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.plainconf
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.plainconf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.symconf b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.symconf
index 34a0e121..6543c7f0 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.symconf
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.symconf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.unlimited b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.unlimited
index cca39827..2582c6dc 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.unlimited
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.unlimited
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.versconf b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.versconf
index 6e293c7c..e34cb373 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/named.versconf
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/named.versconf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/rndc.conf.in b/bind/bind9/bin/tests/system/logfileconfig/ns1/rndc.conf.in
index 7e67a240..de33b5a9 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/rndc.conf.in
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/rndc.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/ns1/root.db b/bind/bind9/bin/tests/system/logfileconfig/ns1/root.db
index 8aaa4ea9..0bd2ebde 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/ns1/root.db
+++ b/bind/bind9/bin/tests/system/logfileconfig/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/setup.sh b/bind/bind9/bin/tests/system/logfileconfig/setup.sh
index ef8a919e..9c05572b 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/setup.sh
+++ b/bind/bind9/bin/tests/system/logfileconfig/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/logfileconfig/tests.sh b/bind/bind9/bin/tests/system/logfileconfig/tests.sh
index 3f690b3d..f322f4b9 100644
--- a/bind/bind9/bin/tests/system/logfileconfig/tests.sh
+++ b/bind/bind9/bin/tests/system/logfileconfig/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/lwresd/Makefile.in b/bind/bind9/bin/tests/system/lwresd/Makefile.in
index 47a3a1a1..011c5c89 100644
--- a/bind/bind9/bin/tests/system/lwresd/Makefile.in
+++ b/bind/bind9/bin/tests/system/lwresd/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.22 2009/12/05 23:31:40 each Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/bin/tests/system/lwresd/clean.sh b/bind/bind9/bin/tests/system/lwresd/clean.sh
index 155c4792..1d2843c5 100644
--- a/bind/bind9/bin/tests/system/lwresd/clean.sh
+++ b/bind/bind9/bin/tests/system/lwresd/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/lwresd/lwresd1/lwresd.conf b/bind/bind9/bin/tests/system/lwresd/lwresd1/lwresd.conf
index 5c30f88e..68e4dd95 100644
--- a/bind/bind9/bin/tests/system/lwresd/lwresd1/lwresd.conf
+++ b/bind/bind9/bin/tests/system/lwresd/lwresd1/lwresd.conf
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwresd.conf,v 1.8 2007/06/19 23:47:04 tbox Exp $ */
-
 controls { /* empty */ };
 
 options {
diff --git a/bind/bind9/bin/tests/system/lwresd/lwresd1/nosearch.conf b/bind/bind9/bin/tests/system/lwresd/lwresd1/nosearch.conf
index 52c0b7db..bf5c1672 100644
--- a/bind/bind9/bin/tests/system/lwresd/lwresd1/nosearch.conf
+++ b/bind/bind9/bin/tests/system/lwresd/lwresd1/nosearch.conf
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwresd.conf,v 1.8 2007/06/19 23:47:04 tbox Exp $ */
-
 controls { /* empty */ };
 
 options {
diff --git a/bind/bind9/bin/tests/system/lwresd/lwresd1/resolv.conf b/bind/bind9/bin/tests/system/lwresd/lwresd1/resolv.conf
index 0d6f111b..b43ea1d4 100644
--- a/bind/bind9/bin/tests/system/lwresd/lwresd1/resolv.conf
+++ b/bind/bind9/bin/tests/system/lwresd/lwresd1/resolv.conf
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: resolv.conf,v 1.11 2007/06/19 23:47:04 tbox Exp $
-
 nameserver 10.53.0.1
 lwserver 10.53.0.1
 search example1.
diff --git a/bind/bind9/bin/tests/system/lwresd/lwtest.c b/bind/bind9/bin/tests/system/lwresd/lwtest.c
index 5bea6375..bdfb8322 100644
--- a/bind/bind9/bin/tests/system/lwresd/lwtest.c
+++ b/bind/bind9/bin/tests/system/lwresd/lwtest.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db b/bind/bind9/bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db
index dcd8915d..ed888788 100644
--- a/bind/bind9/bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db
+++ b/bind/bind9/bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db
@@ -2,13 +2,11 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
-; $Id: 10.10.10.in-addr.arpa.db,v 1.10 2007/06/19 23:47:04 tbox Exp $
-
 $TTL 300	; 5 minutes
 @	IN SOA  mname1. . (
 		2000062001	; serial
diff --git a/bind/bind9/bin/tests/system/lwresd/ns1/example1.db b/bind/bind9/bin/tests/system/lwresd/ns1/example1.db
index c2f0d80e..a56f8b19 100644
--- a/bind/bind9/bin/tests/system/lwresd/ns1/example1.db
+++ b/bind/bind9/bin/tests/system/lwresd/ns1/example1.db
@@ -2,13 +2,11 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
-; $Id: example1.db,v 1.19 2008/04/02 23:46:57 tbox Exp $
-
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
 				2002082210 ; serial
diff --git a/bind/bind9/bin/tests/system/lwresd/ns1/example2.db b/bind/bind9/bin/tests/system/lwresd/ns1/example2.db
index 1eeedcd3..0caf5d79 100644
--- a/bind/bind9/bin/tests/system/lwresd/ns1/example2.db
+++ b/bind/bind9/bin/tests/system/lwresd/ns1/example2.db
@@ -2,13 +2,11 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
-; $Id: example2.db,v 1.10 2007/06/19 23:47:04 tbox Exp $
-
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
 				2000062001 ; serial
diff --git a/bind/bind9/bin/tests/system/lwresd/ns1/ip6.arpa.db b/bind/bind9/bin/tests/system/lwresd/ns1/ip6.arpa.db
index dbcfe225..f682c75b 100644
--- a/bind/bind9/bin/tests/system/lwresd/ns1/ip6.arpa.db
+++ b/bind/bind9/bin/tests/system/lwresd/ns1/ip6.arpa.db
@@ -2,13 +2,11 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
-; $Id: ip6.arpa.db,v 1.11 2007/06/19 23:47:04 tbox Exp $
-
 $TTL 300	; 5 minutes
 @	IN SOA  mname1. . (
 		2002082300	; serial
diff --git a/bind/bind9/bin/tests/system/lwresd/ns1/ip6.int.db b/bind/bind9/bin/tests/system/lwresd/ns1/ip6.int.db
index e2675c67..d8215aab 100644
--- a/bind/bind9/bin/tests/system/lwresd/ns1/ip6.int.db
+++ b/bind/bind9/bin/tests/system/lwresd/ns1/ip6.int.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/lwresd/ns1/named.conf b/bind/bind9/bin/tests/system/lwresd/ns1/named.conf
index 7e9e4487..73f0ffd9 100644
--- a/bind/bind9/bin/tests/system/lwresd/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/lwresd/ns1/named.conf
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: named.conf,v 1.21 2008/04/02 23:46:57 tbox Exp $ */
-
 controls { /* empty */ };
 
 options {
diff --git a/bind/bind9/bin/tests/system/lwresd/ns1/root.db b/bind/bind9/bin/tests/system/lwresd/ns1/root.db
index e903f66f..89225b55 100644
--- a/bind/bind9/bin/tests/system/lwresd/ns1/root.db
+++ b/bind/bind9/bin/tests/system/lwresd/ns1/root.db
@@ -2,13 +2,11 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
-; $Id: root.db,v 1.9 2007/06/19 23:47:04 tbox Exp $
-
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
 				2000042100   	; serial
diff --git a/bind/bind9/bin/tests/system/lwresd/resolv.conf b/bind/bind9/bin/tests/system/lwresd/resolv.conf
index 0d6f111b..b43ea1d4 100644
--- a/bind/bind9/bin/tests/system/lwresd/resolv.conf
+++ b/bind/bind9/bin/tests/system/lwresd/resolv.conf
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: resolv.conf,v 1.11 2007/06/19 23:47:04 tbox Exp $
-
 nameserver 10.53.0.1
 lwserver 10.53.0.1
 search example1.
diff --git a/bind/bind9/bin/tests/system/lwresd/tests.sh b/bind/bind9/bin/tests/system/lwresd/tests.sh
index 91850854..e26fdf0b 100644
--- a/bind/bind9/bin/tests/system/lwresd/tests.sh
+++ b/bind/bind9/bin/tests/system/lwresd/tests.sh
@@ -4,20 +4,18 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: tests.sh,v 1.22 2012/02/03 23:46:58 tbox Exp $
-
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 common_options="-D lwresd-lwresd1 -X lwresd.lock -m record,size,mctx -T clienttest -d 99 -g -U 4 -i lwresd.pid -P 9210 -p 5300"
 
 status=0
-echo "I:waiting for nameserver to load"
+echo_i "waiting for nameserver to load"
 for i in 0 1 2 3 4 5 6 7 8 9
 do
 	ret=0
@@ -31,10 +29,10 @@ do
 	test $ret = 0 && break
 	sleep 1
 done
-if [ $ret != 0 ]; then echo "I:failed"; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo "I:using resolv.conf"
+echo_i "using resolv.conf"
 ret=0
 for i in 0 1 2 3 4 5 6 7 8 9
 do
@@ -43,7 +41,7 @@ do
 done
 $LWTEST || ret=1
 if [ $ret != 0 ]; then
-	echo "I:failed"
+	echo_i "failed"
 fi
 status=`expr $status + $ret`
 
@@ -53,7 +51,7 @@ mv lwresd1/lwresd.run lwresd1/lwresd.run.resolv
 
 $PERL $SYSTEMTESTTOP/start.pl --restart lwresd lwresd1 -- "-c lwresd.conf $common_options"
 
-echo "I:using lwresd.conf"
+echo_i "using lwresd.conf"
 ret=0
 for i in 0 1 2 3 4 5 6 7 8 9
 do
@@ -62,7 +60,7 @@ do
 done
 $LWTEST || ret=1
 if [ $ret != 0 ]; then
-	echo "I:failed"
+	echo_i "failed"
 fi
 status=`expr $status + $ret`
 
@@ -72,7 +70,7 @@ mv lwresd1/lwresd.run lwresd1/lwresd.run.lwresd
 
 $PERL $SYSTEMTESTTOP/start.pl --restart lwresd lwresd1 -- "-c nosearch.conf $common_options"
 
-echo "I:using nosearch.conf"
+echo_i "using nosearch.conf"
 ret=0
 for i in 0 1 2 3 4 5 6 7 8 9
 do
@@ -81,9 +79,9 @@ do
 done
 $LWTEST -nosearch || ret=1
 if [ $ret != 0 ]; then
-	echo "I:failed"
+	echo_i "failed"
 fi
 status=`expr $status + $ret`
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/masterfile/clean.sh b/bind/bind9/bin/tests/system/masterfile/clean.sh
index 894e75a0..1b0b494c 100644
--- a/bind/bind9/bin/tests/system/masterfile/clean.sh
+++ b/bind/bind9/bin/tests/system/masterfile/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/ns1/include.db b/bind/bind9/bin/tests/system/masterfile/ns1/include.db
index 7836f961..4121bacf 100644
--- a/bind/bind9/bin/tests/system/masterfile/ns1/include.db
+++ b/bind/bind9/bin/tests/system/masterfile/ns1/include.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/ns1/named.conf.in b/bind/bind9/bin/tests/system/masterfile/ns1/named.conf.in
index 13a813d1..3e479494 100644
--- a/bind/bind9/bin/tests/system/masterfile/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/masterfile/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/ns1/sub.db b/bind/bind9/bin/tests/system/masterfile/ns1/sub.db
index 5c84cec4..16a5a921 100644
--- a/bind/bind9/bin/tests/system/masterfile/ns1/sub.db
+++ b/bind/bind9/bin/tests/system/masterfile/ns1/sub.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/ns1/ttl1.db b/bind/bind9/bin/tests/system/masterfile/ns1/ttl1.db
index 6aa8f36e..a2f039f9 100644
--- a/bind/bind9/bin/tests/system/masterfile/ns1/ttl1.db
+++ b/bind/bind9/bin/tests/system/masterfile/ns1/ttl1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/ns1/ttl2.db b/bind/bind9/bin/tests/system/masterfile/ns1/ttl2.db
index 452d2092..b7f1bc6f 100644
--- a/bind/bind9/bin/tests/system/masterfile/ns1/ttl2.db
+++ b/bind/bind9/bin/tests/system/masterfile/ns1/ttl2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/ns2/example.db b/bind/bind9/bin/tests/system/masterfile/ns2/example.db
index 562a995e..4be602f5 100644
--- a/bind/bind9/bin/tests/system/masterfile/ns2/example.db
+++ b/bind/bind9/bin/tests/system/masterfile/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/ns2/named.conf.in b/bind/bind9/bin/tests/system/masterfile/ns2/named.conf.in
index 96e7978c..f4ea69d0 100644
--- a/bind/bind9/bin/tests/system/masterfile/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/masterfile/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/setup.sh b/bind/bind9/bin/tests/system/masterfile/setup.sh
index f3826d86..c3b29e62 100644
--- a/bind/bind9/bin/tests/system/masterfile/setup.sh
+++ b/bind/bind9/bin/tests/system/masterfile/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/tests.sh b/bind/bind9/bin/tests/system/masterfile/tests.sh
index f31e2491..df5589bb 100644
--- a/bind/bind9/bin/tests/system/masterfile/tests.sh
+++ b/bind/bind9/bin/tests/system/masterfile/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -50,7 +50,7 @@ status=`expr $status + $ret`
 
 ret=0
 n=`expr $n + 1`
-echo_i "test owner inheritence after "'$INCLUDE'" ($n)"
+echo_i "test owner inheritance after "'$INCLUDE'" ($n)"
 $CHECKZONE -Dq example zone/inheritownerafterinclude.db > checkzone.out$n
 $DIFF checkzone.out$n zone/inheritownerafterinclude.good || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bind/bind9/bin/tests/system/masterfile/zone/inheritownerafterinclude.db b/bind/bind9/bin/tests/system/masterfile/zone/inheritownerafterinclude.db
index ce7bffe0..ebd6395e 100644
--- a/bind/bind9/bin/tests/system/masterfile/zone/inheritownerafterinclude.db
+++ b/bind/bind9/bin/tests/system/masterfile/zone/inheritownerafterinclude.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterfile/zone/nameservers.db b/bind/bind9/bin/tests/system/masterfile/zone/nameservers.db
index 76a1e897..8a71f1cd 100644
--- a/bind/bind9/bin/tests/system/masterfile/zone/nameservers.db
+++ b/bind/bind9/bin/tests/system/masterfile/zone/nameservers.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/clean.sh b/bind/bind9/bin/tests/system/masterformat/clean.sh
index 7a25ed8d..ab3b9487 100755
--- a/bind/bind9/bin/tests/system/masterformat/clean.sh
+++ b/bind/bind9/bin/tests/system/masterformat/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/ns1/compile.sh b/bind/bind9/bin/tests/system/masterformat/ns1/compile.sh
index f5562707..559abc27 100755
--- a/bind/bind9/bin/tests/system/masterformat/ns1/compile.sh
+++ b/bind/bind9/bin/tests/system/masterformat/ns1/compile.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/ns1/example.db b/bind/bind9/bin/tests/system/masterformat/ns1/example.db
index 0e48b79c..92b08276 100644
--- a/bind/bind9/bin/tests/system/masterformat/ns1/example.db
+++ b/bind/bind9/bin/tests/system/masterformat/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/ns1/large.db.in b/bind/bind9/bin/tests/system/masterformat/ns1/large.db.in
index b30b456f..cf0a49a1 100644
--- a/bind/bind9/bin/tests/system/masterformat/ns1/large.db.in
+++ b/bind/bind9/bin/tests/system/masterformat/ns1/large.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/ns1/named.conf.in b/bind/bind9/bin/tests/system/masterformat/ns1/named.conf.in
index e986041d..93ffa0a8 100644
--- a/bind/bind9/bin/tests/system/masterformat/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/masterformat/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/ns1/signed.db b/bind/bind9/bin/tests/system/masterformat/ns1/signed.db
index 20fd00e8..626cad74 100644
--- a/bind/bind9/bin/tests/system/masterformat/ns1/signed.db
+++ b/bind/bind9/bin/tests/system/masterformat/ns1/signed.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/ns2/formerly-text.db.in b/bind/bind9/bin/tests/system/masterformat/ns2/formerly-text.db.in
index 7a6fa8c4..9687ad6c 100644
--- a/bind/bind9/bin/tests/system/masterformat/ns2/formerly-text.db.in
+++ b/bind/bind9/bin/tests/system/masterformat/ns2/formerly-text.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/ns2/named.conf.in b/bind/bind9/bin/tests/system/masterformat/ns2/named.conf.in
index ae286032..58612ae0 100644
--- a/bind/bind9/bin/tests/system/masterformat/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/masterformat/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/ns3/named.conf.in b/bind/bind9/bin/tests/system/masterformat/ns3/named.conf.in
index f41dc2e8..c99ee136 100644
--- a/bind/bind9/bin/tests/system/masterformat/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/masterformat/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/prereq.sh b/bind/bind9/bin/tests/system/masterformat/prereq.sh
index a0d4e9ce..f3e74853 100755
--- a/bind/bind9/bin/tests/system/masterformat/prereq.sh
+++ b/bind/bind9/bin/tests/system/masterformat/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/setup.sh b/bind/bind9/bin/tests/system/masterformat/setup.sh
index b3a459c7..b50ccb5a 100755
--- a/bind/bind9/bin/tests/system/masterformat/setup.sh
+++ b/bind/bind9/bin/tests/system/masterformat/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/masterformat/tests.sh b/bind/bind9/bin/tests/system/masterformat/tests.sh
index b8c9a4f2..adbea950 100755
--- a/bind/bind9/bin/tests/system/masterformat/tests.sh
+++ b/bind/bind9/bin/tests/system/masterformat/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -234,15 +234,14 @@ grep "added text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1
 dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic2.ns3.test$n"
 grep "NXDOMAIN" "dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || ret=1
 # using "rndc halt" ensures that we don't dump the zone file
-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} rndc ns3
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} masterformat ns3
 restart
-for i in 0 1 2 3 4 5 6 7 8 9; do
-    lret=0
-    dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic3.ns3.test$n"
-    grep "added text" "dig.out.dynamic3.ns3.test$n" > /dev/null 2>&1 || lret=1
-    [ $lret -eq 0 ] && break;
-done
-[ $lret -eq 1 ] && ret=1
+check_added_text() {
+	dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic3.ns3.test$n" || return 1
+	grep "added text" "dig.out.dynamic3.ns3.test$n" > /dev/null || return 1
+	return 0
+}
+retry_quiet 10 check_added_text || ret=1
 dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic4.ns3.test$n"
 grep "NXDOMAIN" "dig.out.dynamic4.ns3.test$n" > /dev/null 2>&1 || ret=1
 n=$((n+1))
@@ -260,7 +259,7 @@ END
 dig_with_opts @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic1.ns3.test$n"
 grep "more text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1
 # using "rndc stop" will cause the zone file to flush before shutdown
-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} rndc ns3
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} masterformat ns3
 rm ns3/*.jnl
 restart
 #shellcheck disable=SC2034
diff --git a/bind/bind9/bin/tests/system/metadata/child.db b/bind/bind9/bin/tests/system/metadata/child.db
index 2905a563..81b87ed6 100644
--- a/bind/bind9/bin/tests/system/metadata/child.db
+++ b/bind/bind9/bin/tests/system/metadata/child.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/metadata/clean.sh b/bind/bind9/bin/tests/system/metadata/clean.sh
index af83095b..8c9f2525 100644
--- a/bind/bind9/bin/tests/system/metadata/clean.sh
+++ b/bind/bind9/bin/tests/system/metadata/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/metadata/parent.db b/bind/bind9/bin/tests/system/metadata/parent.db
index 6c6567f7..75644012 100644
--- a/bind/bind9/bin/tests/system/metadata/parent.db
+++ b/bind/bind9/bin/tests/system/metadata/parent.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/metadata/prereq.sh b/bind/bind9/bin/tests/system/metadata/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/metadata/prereq.sh
+++ b/bind/bind9/bin/tests/system/metadata/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/metadata/setup.sh b/bind/bind9/bin/tests/system/metadata/setup.sh
index ee15d94d..7c482f8d 100644
--- a/bind/bind9/bin/tests/system/metadata/setup.sh
+++ b/bind/bind9/bin/tests/system/metadata/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/metadata/tests.sh b/bind/bind9/bin/tests/system/metadata/tests.sh
index b6049694..8972b06c 100644
--- a/bind/bind9/bin/tests/system/metadata/tests.sh
+++ b/bind/bind9/bin/tests/system/metadata/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -137,7 +137,7 @@ status=`expr $status + $ret`
 
 echo_i "checking warning about permissions change on key with dnssec-settime ($n)"
 uname=`uname -o 2> /dev/null`
-if [ Cygwin == "$uname"  ]; then
+if [ Cygwin = "$uname"  ]; then
 	echo_i "Cygwin detected, skipping"
 else
 	ret=0
diff --git a/bind/bind9/bin/tests/system/mkeys/README b/bind/bind9/bin/tests/system/mkeys/README
index bb317df0..9da20421 100644
--- a/bind/bind9/bin/tests/system/mkeys/README
+++ b/bind/bind9/bin/tests/system/mkeys/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This is for testing managed-keys, in particular with problems
 with RFC 5011 Automated Updates of DNSSEC Trust Anchors.
diff --git a/bind/bind9/bin/tests/system/mkeys/clean.sh b/bind/bind9/bin/tests/system/mkeys/clean.sh
index 2c38baf3..e88b4b7b 100644
--- a/bind/bind9/bin/tests/system/mkeys/clean.sh
+++ b/bind/bind9/bin/tests/system/mkeys/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns1/named1.conf.in b/bind/bind9/bin/tests/system/mkeys/ns1/named1.conf.in
index 412556b5..ccb7ea0d 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns1/named1.conf.in
+++ b/bind/bind9/bin/tests/system/mkeys/ns1/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns1/named2.conf.in b/bind/bind9/bin/tests/system/mkeys/ns1/named2.conf.in
index 5cb096b0..d760daa5 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns1/named2.conf.in
+++ b/bind/bind9/bin/tests/system/mkeys/ns1/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns1/named3.conf.in b/bind/bind9/bin/tests/system/mkeys/ns1/named3.conf.in
index a0f1dd36..9cd28741 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns1/named3.conf.in
+++ b/bind/bind9/bin/tests/system/mkeys/ns1/named3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns1/root.db b/bind/bind9/bin/tests/system/mkeys/ns1/root.db
index 0070f139..a41f4578 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns1/root.db
+++ b/bind/bind9/bin/tests/system/mkeys/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns1/sign.sh b/bind/bind9/bin/tests/system/mkeys/ns1/sign.sh
index e88da0e3..42ec7efb 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/mkeys/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns2/named.conf.in b/bind/bind9/bin/tests/system/mkeys/ns2/named.conf.in
index 90762434..3c35f135 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/mkeys/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns3/named.conf.in b/bind/bind9/bin/tests/system/mkeys/ns3/named.conf.in
index 0227aba0..f083ad25 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/mkeys/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns5/named.conf.in b/bind/bind9/bin/tests/system/mkeys/ns5/named.conf.in
index 63148889..2a984368 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/mkeys/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns6/named.conf.in b/bind/bind9/bin/tests/system/mkeys/ns6/named.conf.in
index 8d76f7f2..94b93f0f 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/mkeys/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns6/setup.sh b/bind/bind9/bin/tests/system/mkeys/ns6/setup.sh
index 6f196c20..716d0989 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns6/setup.sh
+++ b/bind/bind9/bin/tests/system/mkeys/ns6/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/ns7/named.conf.in b/bind/bind9/bin/tests/system/mkeys/ns7/named.conf.in
index a9aba007..c4fb74ef 100644
--- a/bind/bind9/bin/tests/system/mkeys/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/mkeys/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/prereq.sh b/bind/bind9/bin/tests/system/mkeys/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/mkeys/prereq.sh
+++ b/bind/bind9/bin/tests/system/mkeys/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/setup.sh b/bind/bind9/bin/tests/system/mkeys/setup.sh
index e92069f0..19624fd7 100644
--- a/bind/bind9/bin/tests/system/mkeys/setup.sh
+++ b/bind/bind9/bin/tests/system/mkeys/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/mkeys/tests.sh b/bind/bind9/bin/tests/system/mkeys/tests.sh
index ce6de6a9..0e7a96e2 100644
--- a/bind/bind9/bin/tests/system/mkeys/tests.sh
+++ b/bind/bind9/bin/tests/system/mkeys/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -371,27 +371,27 @@ mkeys_loadkeys_on 1 || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
 # four keys listed
-count=`grep -c "keyid: " rndc.out.1.$n`
-[ "$count" -eq 4 ] || { echo "keyid: count ($count) != 4"; ret=1; }
+count=$(grep -c "keyid: " rndc.out.1.$n) || true
+[ "$count" -eq 4 ] || { echo_i "keyid: count ($count) != 4"; ret=1; }
 # one revoked
-count=`grep -c "trust revoked" rndc.out.1.$n`
-[ "$count" -eq 1 ] || { echo "trust revoked count ($count) != 1"; ret=1; }
+count=$(grep -c "trust revoked" rndc.out.1.$n) || true
+[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; }
 # two pending
-count=`grep -c "trust pending" rndc.out.1.$n`
-[ "$count" -eq 2 ] || { echo "trust pending count ($count) != 2"; ret=1; }
+count=$(grep -c "trust pending" rndc.out.1.$n) || true
+[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; }
 $SETTIME -R now -K ns1 "$standby3" > /dev/null
 mkeys_loadkeys_on 1 || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
 # now three keys listed
-count=`grep -c "keyid: " rndc.out.2.$n`
-[ "$count" -eq 3 ] || { echo "keyid: count ($count) != 3"; ret=1; }
+count=$(grep -c "keyid: " rndc.out.2.$n) || true
+[ "$count" -eq 3 ] || { echo_i "keyid: count ($count) != 3"; ret=1; }
 # one revoked
-count=`grep -c "trust revoked" rndc.out.2.$n`
-[ "$count" -eq 1 ] || { echo "trust revoked count ($count) != 1"; ret=1; }
+count=$(grep -c "trust revoked" rndc.out.2.$n) || true
+[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; }
 # one pending
-count=`grep -c "trust pending" rndc.out.2.$n`
-[ "$count" -eq 1 ] || { echo "trust pending count ($count) != 1"; ret=1; }
+count=$(grep -c "trust pending" rndc.out.2.$n) || true
+[ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; }
 $SETTIME -D now -K ns1 "$standby3" > /dev/null
 mkeys_loadkeys_on 1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -506,19 +506,19 @@ mkeys_reload_on 1 || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
 # one key listed
-count=`grep -c "keyid: " rndc.out.$n`
-[ "$count" -eq 1 ] || { echo "'keyid:' count ($count) != 1"; ret=1; }
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 1 ] || { echo_i "'keyid:' count ($count) != 1"; ret=1; }
 # it's the original key id
-count=`grep -c "keyid: $originalid" rndc.out.$n`
-[ "$count" -eq 1 ] || { echo "'keyid: $originalid' count ($count) != 1"; ret=1; }
+count=$(grep -c "keyid: $originalid" rndc.out.$n) || true
+[ "$count" -eq 1 ] || { echo_i "'keyid: $originalid' count ($count) != 1"; ret=1; }
 # not revoked
-count=`grep -c "REVOKE" rndc.out.$n`
-[ "$count" -eq 0 ] || { echo "'REVOKE' count ($count) != 0"; ret=1; }
+count=$(grep -c "REVOKE" rndc.out.$n) || true
+[ "$count" -eq 0 ] || { echo_i "'REVOKE' count ($count) != 0"; ret=1; }
 # trust is still current
-count=`grep -c "trust" rndc.out.$n`
-[ "$count" -eq 1 ] || { echo "'trust' count != 1"; ret=1; }
-count=`grep -c "trusted since" rndc.out.$n`
-[ "$count" -eq 1 ] || { echo "'trusted since' count != 1"; ret=1; }
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 1 ] || { echo_i "'trust' count != 1"; ret=1; }
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 1 ] || { echo_i "'trusted since' count != 1"; ret=1; }
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
diff --git a/bind/bind9/bin/tests/system/names/clean.sh b/bind/bind9/bin/tests/system/names/clean.sh
index b7e34ebe..5c843e39 100644
--- a/bind/bind9/bin/tests/system/names/clean.sh
+++ b/bind/bind9/bin/tests/system/names/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/names/ns1/example.db b/bind/bind9/bin/tests/system/names/ns1/example.db
index 0ce948a7..a7e63c72 100644
--- a/bind/bind9/bin/tests/system/names/ns1/example.db
+++ b/bind/bind9/bin/tests/system/names/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/names/ns1/named.conf.in b/bind/bind9/bin/tests/system/names/ns1/named.conf.in
index f885cc9a..ad40cbe7 100644
--- a/bind/bind9/bin/tests/system/names/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/names/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/names/setup.sh b/bind/bind9/bin/tests/system/names/setup.sh
index 3a45a706..f9aa5f04 100644
--- a/bind/bind9/bin/tests/system/names/setup.sh
+++ b/bind/bind9/bin/tests/system/names/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/names/tests.sh b/bind/bind9/bin/tests/system/names/tests.sh
index 8b88ed82..f879e881 100644
--- a/bind/bind9/bin/tests/system/names/tests.sh
+++ b/bind/bind9/bin/tests/system/names/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/clean.sh b/bind/bind9/bin/tests/system/notify/clean.sh
index f10f563d..e04f1bfa 100644
--- a/bind/bind9/bin/tests/system/notify/clean.sh
+++ b/bind/bind9/bin/tests/system/notify/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns1/named.conf.in b/bind/bind9/bin/tests/system/notify/ns1/named.conf.in
index b4a2fa8c..755a20c2 100644
--- a/bind/bind9/bin/tests/system/notify/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/notify/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns1/root.db b/bind/bind9/bin/tests/system/notify/ns1/root.db
index dab5cea7..e5f65ab6 100644
--- a/bind/bind9/bin/tests/system/notify/ns1/root.db
+++ b/bind/bind9/bin/tests/system/notify/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns2/example1.db b/bind/bind9/bin/tests/system/notify/ns2/example1.db
index 38dd4437..58fc1dd9 100644
--- a/bind/bind9/bin/tests/system/notify/ns2/example1.db
+++ b/bind/bind9/bin/tests/system/notify/ns2/example1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns2/example2.db b/bind/bind9/bin/tests/system/notify/ns2/example2.db
index 5de0776d..5cddc1fa 100644
--- a/bind/bind9/bin/tests/system/notify/ns2/example2.db
+++ b/bind/bind9/bin/tests/system/notify/ns2/example2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns2/example3.db b/bind/bind9/bin/tests/system/notify/ns2/example3.db
index 01befbcf..01a0c830 100644
--- a/bind/bind9/bin/tests/system/notify/ns2/example3.db
+++ b/bind/bind9/bin/tests/system/notify/ns2/example3.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns2/example4.db b/bind/bind9/bin/tests/system/notify/ns2/example4.db
index 9ff70f8e..5e1111a9 100644
--- a/bind/bind9/bin/tests/system/notify/ns2/example4.db
+++ b/bind/bind9/bin/tests/system/notify/ns2/example4.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns2/generic.db b/bind/bind9/bin/tests/system/notify/ns2/generic.db
index fc688ab5..f4631ea7 100644
--- a/bind/bind9/bin/tests/system/notify/ns2/generic.db
+++ b/bind/bind9/bin/tests/system/notify/ns2/generic.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns2/named.conf.in b/bind/bind9/bin/tests/system/notify/ns2/named.conf.in
index 2e5bd287..f663c944 100644
--- a/bind/bind9/bin/tests/system/notify/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/notify/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns3/named.conf.in b/bind/bind9/bin/tests/system/notify/ns3/named.conf.in
index 70d90aef..31460a8f 100644
--- a/bind/bind9/bin/tests/system/notify/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/notify/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns4/named.conf.in b/bind/bind9/bin/tests/system/notify/ns4/named.conf.in
index 607cdda7..6aa83693 100644
--- a/bind/bind9/bin/tests/system/notify/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/notify/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns5/named.conf.in b/bind/bind9/bin/tests/system/notify/ns5/named.conf.in
index cfcfe8fa..157ef16b 100644
--- a/bind/bind9/bin/tests/system/notify/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/notify/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/ns5/x21.db b/bind/bind9/bin/tests/system/notify/ns5/x21.db
index e3800436..7032eee3 100644
--- a/bind/bind9/bin/tests/system/notify/ns5/x21.db
+++ b/bind/bind9/bin/tests/system/notify/ns5/x21.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/setup.sh b/bind/bind9/bin/tests/system/notify/setup.sh
index e2cd0a37..81673a09 100644
--- a/bind/bind9/bin/tests/system/notify/setup.sh
+++ b/bind/bind9/bin/tests/system/notify/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/notify/tests.sh b/bind/bind9/bin/tests/system/notify/tests.sh
index 1f6e6d07..f9fd3f56 100644
--- a/bind/bind9/bin/tests/system/notify/tests.sh
+++ b/bind/bind9/bin/tests/system/notify/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -174,7 +174,7 @@ grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1
 status=`expr $ret + $status`
 
 n=`expr $n + 1`
-echo_i "checking example4 contents have been transfered after restart ($n)"
+echo_i "checking example4 contents have been transferred after restart ($n)"
 ret=0
 $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
 grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1
diff --git a/bind/bind9/bin/tests/system/nslookup/clean.sh b/bind/bind9/bin/tests/system/nslookup/clean.sh
index 46d78fa7..ea311277 100644
--- a/bind/bind9/bin/tests/system/nslookup/clean.sh
+++ b/bind/bind9/bin/tests/system/nslookup/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nslookup/ns1/example.net.db b/bind/bind9/bin/tests/system/nslookup/ns1/example.net.db
index e9c133b8..acf30ed4 100644
--- a/bind/bind9/bin/tests/system/nslookup/ns1/example.net.db
+++ b/bind/bind9/bin/tests/system/nslookup/ns1/example.net.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nslookup/ns1/named.conf.in b/bind/bind9/bin/tests/system/nslookup/ns1/named.conf.in
index 2be830f3..0b7dd335 100644
--- a/bind/bind9/bin/tests/system/nslookup/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/nslookup/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nslookup/setup.sh b/bind/bind9/bin/tests/system/nslookup/setup.sh
index 6f547254..dd5e7f1f 100644
--- a/bind/bind9/bin/tests/system/nslookup/setup.sh
+++ b/bind/bind9/bin/tests/system/nslookup/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nslookup/tests.sh b/bind/bind9/bin/tests/system/nslookup/tests.sh
index 86304345..f5f0619a 100644
--- a/bind/bind9/bin/tests/system/nslookup/tests.sh
+++ b/bind/bind9/bin/tests/system/nslookup/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ans4/ans.pl b/bind/bind9/bin/tests/system/nsupdate/ans4/ans.pl
index 6a4461b2..7ffcbc8a 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ans4/ans.pl
+++ b/bind/bind9/bin/tests/system/nsupdate/ans4/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/clean.sh b/bind/bind9/bin/tests/system/nsupdate/clean.sh
index c7802190..04124d65 100644
--- a/bind/bind9/bin/tests/system/nsupdate/clean.sh
+++ b/bind/bind9/bin/tests/system/nsupdate/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -13,20 +13,28 @@
 # Clean up after zone transfer tests.
 #
 
-rm -f verylarge
+rm -f */*.jnl
+rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run */ans.run
-rm -f */named.conf
+rm -f */named.run.prev
 rm -f Kxxx.*
+rm -f check.out.*
 rm -f dig.out.*
 rm -f jp.out.ns3.*
+rm -f nextpart.out.*
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
 rm -f ns*/named.lock
-rm -f */*.jnl
 rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db
 rm -f ns1/many.test.db
 rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/sample.db
 rm -f ns1/sha512.key ns1/ddns.key
+rm -f ns10/_default.tsigkeys
+rm -f ns10/example.com.db
+rm -f ns10/in-addr.db
 rm -f ns2/example.bk
+rm -f ns2/sample.db
 rm -f ns2/update.bk ns2/update.alt.bk
 rm -f ns3/*.signed
 rm -f ns3/K*
@@ -39,22 +47,18 @@ rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
 rm -f ns6/in-addr.db
-rm -f ns7/in-addr.db
-rm -f ns7/example.com.db
 rm -f ns7/_default.tsigkeys
-rm -f ns8/in-addr.db
-rm -f ns8/example.com.db
+rm -f ns7/example.com.db
+rm -f ns7/in-addr.db
 rm -f ns8/_default.tsigkeys
-rm -f ns9/in-addr.db
-rm -f ns9/example.com.db
+rm -f ns8/example.com.db
+rm -f ns8/in-addr.db
 rm -f ns9/_default.tsigkeys
-rm -f ns10/example.com.db
-rm -f ns10/in-addr.db
-rm -f ns10/_default.tsigkeys
+rm -f ns9/denyname.example.db
+rm -f ns9/example.com.db
+rm -f ns9/in-addr.db
+rm -f perl.update_test.out
 rm -f nsupdate.out*
 rm -f typelist.out.*
-rm -f ns1/sample.db
-rm -f ns2/sample.db
-rm -f update.out.*
-rm -f check.out.*
 rm -f update.out.*
+rm -f verylarge
diff --git a/bind/bind9/bin/tests/system/nsupdate/krb/setup.sh b/bind/bind9/bin/tests/system/nsupdate/krb/setup.sh
index 3c37777d..150b2050 100644
--- a/bind/bind9/bin/tests/system/nsupdate/krb/setup.sh
+++ b/bind/bind9/bin/tests/system/nsupdate/krb/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -101,7 +101,7 @@ kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/m
 kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
 
 cp ns7-server.keytab ../ns7/dns.keytab
-cp ns8-server.keytab ../ns8/dns.keytab
+cp ns8-server.keytab ../ns8/dns-other-than-KRB5_KTNAME.keytab
 cp ns9-server.keytab ../ns9/dns.keytab
 cp ns10-server.keytab ../ns10/dns.keytab
 
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns1/example1.db b/bind/bind9/bin/tests/system/nsupdate/ns1/example1.db
index 1ca65891..686c6e5c 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns1/example1.db
+++ b/bind/bind9/bin/tests/system/nsupdate/ns1/example1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns1/many.test.db.in b/bind/bind9/bin/tests/system/nsupdate/ns1/many.test.db.in
index 2c846705..3e87c980 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns1/many.test.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns1/many.test.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns1/max-ttl.db b/bind/bind9/bin/tests/system/nsupdate/ns1/max-ttl.db
index 02509605..b9c1bd1a 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns1/max-ttl.db
+++ b/bind/bind9/bin/tests/system/nsupdate/ns1/max-ttl.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns1/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns1/named.conf.in
index 1d999adc..b0ded3ab 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -36,6 +36,16 @@ key altkey {
 	secret "1234abcd8765";
 };
 
+key restricted.example.nil {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key zonesub-key.example.nil {
+	algorithm hmac-md5;
+	secret "1234subk8765";
+};
+
 include "ddns.key";
 
 zone "example.nil" {
@@ -44,7 +54,9 @@ zone "example.nil" {
 	check-integrity no;
 	check-mx ignore;
 	update-policy {
+		grant zonesub-key.example.nil zonesub TXT;
 		grant ddns-key.example.nil subdomain example.nil ANY;
+		grant restricted.example.nil subdomain restricted.example.nil ANY;
 	};
 	allow-transfer { any; };
 };
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns1/sample.db.in b/bind/bind9/bin/tests/system/nsupdate/ns1/sample.db.in
index 49212a12..ea3cf307 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns1/sample.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns1/sample.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns10/example.com.db.in b/bind/bind9/bin/tests/system/nsupdate/ns10/example.com.db.in
index 984274b5..c83153d1 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns10/example.com.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns10/example.com.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns10/in-addr.db.in b/bind/bind9/bin/tests/system/nsupdate/ns10/in-addr.db.in
index 984274b5..c83153d1 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns10/in-addr.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns10/in-addr.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns10/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns10/named.conf.in
index 44b207a0..5bf3b53d 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns10/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -20,7 +20,7 @@ options {
 	recursion no;
 	notify yes;
 	minimal-responses no;
-	tkey-gssapi-keytab "dns.keytab";
+	@TKEY_CONFIGURATION@
 };
 
 key rndc_key {
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns2/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns2/named.conf.in
index 45491849..e6e23822 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns2/sample.db.in b/bind/bind9/bin/tests/system/nsupdate/ns2/sample.db.in
index 0c8a1c05..b6d4c12b 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns2/sample.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns2/sample.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns3/delegation.test.db.in b/bind/bind9/bin/tests/system/nsupdate/ns3/delegation.test.db.in
index a75bcd24..0202dcf8 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns3/delegation.test.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns3/delegation.test.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns3/dnskey.test.db.in b/bind/bind9/bin/tests/system/nsupdate/ns3/dnskey.test.db.in
index d3393a27..5dcc34f1 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns3/dnskey.test.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns3/dnskey.test.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns3/example.db.in b/bind/bind9/bin/tests/system/nsupdate/ns3/example.db.in
index e1513339..1f0b466c 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns3/example.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns3/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns3/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns3/named.conf.in
index e5b414f6..c382a2b5 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in b/bind/bind9/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
index 6969414e..20170b99 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns3/sign.sh b/bind/bind9/bin/tests/system/nsupdate/ns3/sign.sh
index 4e6e6451..ad553936 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns3/sign.sh
+++ b/bind/bind9/bin/tests/system/nsupdate/ns3/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns3/too-big.test.db.in b/bind/bind9/bin/tests/system/nsupdate/ns3/too-big.test.db.in
index f271d271..cafa60ff 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns3/too-big.test.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns3/too-big.test.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns5/local.db.in b/bind/bind9/bin/tests/system/nsupdate/ns5/local.db.in
index 08f16b8f..735b2439 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns5/local.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns5/local.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns5/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns5/named.conf.in
index 2ffacb1e..5eee1ab4 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns6/in-addr.db.in b/bind/bind9/bin/tests/system/nsupdate/ns6/in-addr.db.in
index c719192f..b636475a 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns6/in-addr.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns6/in-addr.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns6/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns6/named.conf.in
index da64d061..1d56a443 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns7/example.com.db.in b/bind/bind9/bin/tests/system/nsupdate/ns7/example.com.db.in
index c327325f..b7d3f853 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns7/example.com.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns7/example.com.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns7/in-addr.db.in b/bind/bind9/bin/tests/system/nsupdate/ns7/in-addr.db.in
index c327325f..b7d3f853 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns7/in-addr.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns7/in-addr.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns7/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns7/named.conf.in
index f0ef6d36..98bce4c7 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns8/dns.keytab b/bind/bind9/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab
index 33400498..33400498 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns8/dns.keytab
+++ b/bind/bind9/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns8/example.com.db.in b/bind/bind9/bin/tests/system/nsupdate/ns8/example.com.db.in
index eb24766f..35cd94c8 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns8/example.com.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns8/example.com.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns8/in-addr.db.in b/bind/bind9/bin/tests/system/nsupdate/ns8/in-addr.db.in
index eb24766f..35cd94c8 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns8/in-addr.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns8/in-addr.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns8/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns8/named.conf.in
index 56195cd2..12935014 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns8/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns8/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -20,7 +20,7 @@ options {
 	recursion no;
 	notify yes;
 	minimal-responses no;
-	tkey-gssapi-keytab "dns.keytab";
+	tkey-gssapi-keytab "dns-other-than-KRB5_KTNAME.keytab";
 };
 
 key rndc_key {
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns9/example.com.db.in b/bind/bind9/bin/tests/system/nsupdate/ns9/example.com.db.in
index a618fdcc..46f4b6a5 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns9/example.com.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns9/example.com.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns9/in-addr.db.in b/bind/bind9/bin/tests/system/nsupdate/ns9/in-addr.db.in
index a618fdcc..46f4b6a5 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns9/in-addr.db.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns9/in-addr.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/ns9/named.conf.in b/bind/bind9/bin/tests/system/nsupdate/ns9/named.conf.in
index 1b41cc64..40b9e9f7 100644
--- a/bind/bind9/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bind/bind9/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -20,7 +20,7 @@ options {
 	recursion no;
 	notify yes;
 	minimal-responses no;
-	tkey-gssapi-keytab "dns.keytab";
+	@TKEY_CONFIGURATION@
 };
 
 key rndc_key {
@@ -28,6 +28,11 @@ key rndc_key {
 	algorithm hmac-sha256;
 };
 
+key subkey {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
 controls {
 	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
@@ -46,3 +51,12 @@ zone "example.com" {
 		grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
 	};
 };
+
+zone "denyname.example" {
+	type master;
+	file "denyname.example.db";
+	update-policy {
+		deny subkey name denyname.example;
+		grant subkey subdomain denyname.example;
+	};
+};
diff --git a/bind/bind9/bin/tests/system/nsupdate/prereq.sh b/bind/bind9/bin/tests/system/nsupdate/prereq.sh
index 9c1d276e..c82ea52a 100644
--- a/bind/bind9/bin/tests/system/nsupdate/prereq.sh
+++ b/bind/bind9/bin/tests/system/nsupdate/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nsupdate/setup.sh b/bind/bind9/bin/tests/system/nsupdate/setup.sh
index a35b8ee3..2b3b1549 100644
--- a/bind/bind9/bin/tests/system/nsupdate/setup.sh
+++ b/bind/bind9/bin/tests/system/nsupdate/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -21,8 +21,23 @@ copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
-copy_setports ns9/named.conf.in ns9/named.conf
-copy_setports ns10/named.conf.in ns10/named.conf
+
+# If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
+# not available, named will refuse to start.  As the test system framework does
+# not support starting named instances conditionally, ensure that
+# "tkey-gssapi-credential" is only present in named.conf if GSSAPI support is
+# available.
+copy_setports ns9/named.conf.in ns9/named.conf.in.tkey
+copy_setports ns10/named.conf.in ns10/named.conf.in.tkey
+if $FEATURETEST --gssapi; then
+	sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey > ns9/named.conf
+	sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey > ns10/named.conf
+else
+	sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey > ns9/named.conf
+	sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey > ns10/named.conf
+fi
+rm -f ns9/named.conf.in.tkey
+rm -f ns10/named.conf.in.tkey
 
 copy_setports verylarge.in verylarge
 
@@ -75,5 +90,6 @@ cp -f ns8/in-addr.db.in ns8/in-addr.db
 cp -f ns8/example.com.db.in ns8/example.com.db
 cp -f ns9/in-addr.db.in ns9/in-addr.db
 cp -f ns9/example.com.db.in ns9/example.com.db
+cp -f ns9/example.com.db.in ns9/denyname.example.db
 cp -f ns10/in-addr.db.in ns10/in-addr.db
 cp -f ns10/example.com.db.in ns10/example.com.db
diff --git a/bind/bind9/bin/tests/system/nsupdate/tests.sh b/bind/bind9/bin/tests/system/nsupdate/tests.sh
index 4da48490..60cf7ee9 100755
--- a/bind/bind9/bin/tests/system/nsupdate/tests.sh
+++ b/bind/bind9/bin/tests/system/nsupdate/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -243,7 +243,7 @@ n=`expr $n + 1`
 ret=0
 echo_i "check that TYPE=0 update is handled ($n)"
 echo "a0e4280000010000000100000000060001c00c000000fe000000000000" |
-$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
 $DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
 grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -252,7 +252,7 @@ n=`expr $n + 1`
 ret=0
 echo_i "check that TYPE=0 additional data is handled ($n)"
 echo "a0e4280000010000000000010000060001c00c000000fe000000000000" |
-$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
 $DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
 grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -261,7 +261,7 @@ n=`expr $n + 1`
 ret=0
 echo_i "check that update to undefined class is handled ($n)"
 echo "a0e4280000010001000000000000060101c00c000000fe000000000000" |
-$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
 $DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
 grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -302,32 +302,43 @@ elif [ "$serial" -gt "$now" ]; then
 fi
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
-ret=0
 if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
-    echo_i "running update.pl test"
-    {
-      $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. || ret=1
-    } | cat_i
+    n=`expr $n + 1`
+    ret=0
+    echo_i "running update.pl test ($n)"
+    $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. > perl.update_test.out || ret=1
     [ $ret -eq 1 ] && { echo_i "failed"; status=1; }
+
+    if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' > /dev/null
+    then
+	n=`expr $n + 1`
+	ret=0
+	echo_i "check for too many NSEC3 iterations log ($n)"
+	grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run > /dev/null || ret=1
+	[ $ret -eq 1 ] && { echo_i "failed"; status=1; }
+    fi
 else
     echo_i "The second part of this test requires the Net::DNS library." >&2
 fi
 
+n=`expr $n + 1`
 ret=0
-echo_i "fetching first copy of test zone"
+echo_i "fetching first copy of test zone ($n)"
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
 	@10.53.0.1 axfr > dig.out.ns1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
 ret=0
-echo_i "fetching second copy of test zone"
+echo_i "fetching second copy of test zone ($n)"
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
 	@10.53.0.2 axfr > dig.out.ns2 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
 ret=0
-echo_i "comparing zones"
+echo_i "comparing zones ($n)"
 digcomp dig.out.ns1 dig.out.ns2 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
@@ -347,21 +358,24 @@ else
 fi
 sleep 10
 
+n=`expr $n + 1`
 ret=0
-echo_i "fetching ns1 after hard restart"
+echo_i "fetching ns1 after hard restart ($n)"
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
 	@10.53.0.1 axfr > dig.out.ns1.after || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
 ret=0
-echo_i "comparing zones"
+echo_i "comparing zones ($n)"
 digcomp dig.out.ns1 dig.out.ns1.after || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
 echo_i "begin RT #482 regression test"
 
+n=`expr $n + 1`
 ret=0
-echo_i "update master"
+echo_i "update master ($n)"
 $NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
 server 10.53.0.1 ${PORT}
 update add updated2.example.nil. 600 A 10.10.10.2
@@ -383,8 +397,9 @@ fi
 
 sleep 5
 
+n=`expr $n + 1`
 ret=0
-echo_i "update master again"
+echo_i "update master again ($n)"
 $NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
 server 10.53.0.1 ${PORT}
 update add updated3.example.nil. 600 A 10.10.10.3
@@ -406,7 +421,8 @@ fi
 
 sleep 5
 
-echo_i "check to 'out of sync' message"
+n=`expr $n + 1`
+echo_i "check to 'out of sync' message ($n)"
 if grep "out of sync" ns2/named.run
 then
 	echo_i "failed (found 'out of sync')"
@@ -428,7 +444,7 @@ EOF
 # this also proves that the server is still running.
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
 	@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
 grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
@@ -443,7 +459,7 @@ EOF
 
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
         @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
 grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
 grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -460,7 +476,7 @@ EOF
 _ret=1
 for i in 0 1 2 3 4 5 6 7 8 9; do
 	$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
-	if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
+	if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
 		_ret=0
 		break
 	fi
@@ -485,7 +501,7 @@ EOF
 _ret=1
 for i in 0 1 2 3 4 5 6 7 8 9; do
 	$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
-	if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
+	if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
 		_ret=0
 		break
 	fi
@@ -527,8 +543,8 @@ digcomp knowngood.ns1.afterstop dig.out.ns1 || ret=1
 
 ret=0
 echo_i "check that 'nsupdate -l' with a missing keyfile reports the missing file"
-$NSUPDATE -l -p ${PORT} -k ns1/nonexistant.key 2> nsupdate.out < /dev/null
-grep ns1/nonexistant.key nsupdate.out > /dev/null || ret=1
+$NSUPDATE -l -p ${PORT} -k ns1/nonexistent.key 2> nsupdate.out < /dev/null
+grep ns1/nonexistent.key nsupdate.out > /dev/null || ret=1
 if test $ret -ne 0
 then
 echo_i "failed"; status=1
@@ -633,6 +649,86 @@ fi
 
 n=`expr $n + 1`
 ret=0
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
+# and thus this UPDATE should succeed.
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add restricted.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
+# thus this UPDATE should fail.
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
+# grant zonesub-key.example.nil zonesub TXT;
+# the A record update should be rejected as it is not in the type list
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN A 1.2.3.4
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
+# the TXT record update should be accepted as it is in the type list
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check 'grant' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add foo.denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check 'deny' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
 echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
         @10.53.0.3 dnskey | \
@@ -955,6 +1051,17 @@ grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
+ret=0
+echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in NSEC3PARAM 1 0 151 -
+END
+grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 if $FEATURETEST --gssapi ; then
   n=`expr $n + 1`
   ret=0
diff --git a/bind/bind9/bin/tests/system/nsupdate/update_test.pl b/bind/bind9/bin/tests/system/nsupdate/update_test.pl
index b9f083f6..987c2107 100644
--- a/bind/bind9/bin/tests/system/nsupdate/update_test.pl
+++ b/bind/bind9/bin/tests/system/nsupdate/update_test.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -58,7 +58,7 @@ sub assert {
     my ($cond, $explanation) = @_;
     if (!$cond) {
 	print "Test Failed: $explanation ***\n";
-	$failures++
+	$failures++;
     }
 }
 
@@ -79,6 +79,7 @@ sub test {
         assert($rcode eq $expected, "expected $expected, got $rcode");
     } else {
 	print "Update failed: ", $res->errorstring, "\n";
+	$failures++;
     }
 }
 
@@ -410,6 +411,14 @@ test("NOERROR", ["update", rr_add("u.$zone 300 NS ns.u.$zone")]);
 
 test("NOERROR", ["update", rr_del("u.$zone NS ns.u.$zone")]);
 
+if ($Net::DNS::VERSION < 1.01) {
+    print "skipped Excessive NSEC3PARAM iterations; Net::DNS too old.\n";
+} else {
+    section("Excessive NSEC3PARAM iterations");
+    test("REFUSED", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 151 -")]);
+    test("NOERROR", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 150 -")]);
+}
+
 if ($failures) {
     print "$failures tests failed.\n";
 } else {
diff --git a/bind/bind9/bin/tests/system/nzd2nzf/clean.sh b/bind/bind9/bin/tests/system/nzd2nzf/clean.sh
index 8b58ed33..d1df9626 100644
--- a/bind/bind9/bin/tests/system/nzd2nzf/clean.sh
+++ b/bind/bind9/bin/tests/system/nzd2nzf/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nzd2nzf/ns1/added.db b/bind/bind9/bin/tests/system/nzd2nzf/ns1/added.db
index 9b54d192..82f34308 100644
--- a/bind/bind9/bin/tests/system/nzd2nzf/ns1/added.db
+++ b/bind/bind9/bin/tests/system/nzd2nzf/ns1/added.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nzd2nzf/ns1/named.conf.in b/bind/bind9/bin/tests/system/nzd2nzf/ns1/named.conf.in
index 2a0fb7e9..58189f42 100644
--- a/bind/bind9/bin/tests/system/nzd2nzf/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/nzd2nzf/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nzd2nzf/prereq.sh b/bind/bind9/bin/tests/system/nzd2nzf/prereq.sh
index 85e03606..63e5551c 100644
--- a/bind/bind9/bin/tests/system/nzd2nzf/prereq.sh
+++ b/bind/bind9/bin/tests/system/nzd2nzf/prereq.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nzd2nzf/setup.sh b/bind/bind9/bin/tests/system/nzd2nzf/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/nzd2nzf/setup.sh
+++ b/bind/bind9/bin/tests/system/nzd2nzf/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/nzd2nzf/tests.sh b/bind/bind9/bin/tests/system/nzd2nzf/tests.sh
index 2a43b8e5..de5c1e2b 100644
--- a/bind/bind9/bin/tests/system/nzd2nzf/tests.sh
+++ b/bind/bind9/bin/tests/system/nzd2nzf/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/org.isc.bind.system b/bind/bind9/bin/tests/system/org.isc.bind.system
index 2096af2a..49004bba 100644
--- a/bind/bind9/bin/tests/system/org.isc.bind.system
+++ b/bind/bind9/bin/tests/system/org.isc.bind.system
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/packet.pl b/bind/bind9/bin/tests/system/packet.pl
index 9cd55d6c..1ce059f9 100644
--- a/bind/bind9/bin/tests/system/packet.pl
+++ b/bind/bind9/bin/tests/system/packet.pl
@@ -4,17 +4,17 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
 # This is a tool for sending an arbitrary packet via UDP or TCP to an
 # arbitrary address and port.  The packet is specified in a file or on
-# the standard input, in the form of a series of bytes in hexidecimal.
+# the standard input, in the form of a series of bytes in hexadecimal.
 # Whitespace is ignored, as is anything following a '#' symbol.
 #
-# For example, the following input would generate normal query for 
+# For example, the following input would generate normal query for
 # isc.org/NS/IN":
 #
 #     # QID:
@@ -31,7 +31,7 @@
 # Note that we do not wait for a response for the server.  This is simply
 # a way of injecting arbitrary packets to test server resposnes.
 #
-# Usage: packet.pl [-a <address>] [-p <port>] [-t (udp|tcp)] [filename]
+# Usage: packet.pl [-a <address>] [-d] [-p <port>] [-t (udp|tcp)] [-r <repeats>] [filename]
 #
 # If not specified, address defaults to 127.0.0.1, port to 53, protocol
 # to udp, and file to stdin.
@@ -46,12 +46,12 @@ use IO::File;
 use IO::Socket;
 
 sub usage {
-    print ("Usage: packet.pl [-a address] [-p port] [-t (tcp|udp)] [file]\n");
+    print ("Usage: packet.pl [-a address] [-d] [-p port] [-t (tcp|udp)] [-r <repeats>] [file]\n");
     exit 1;
 }
 
 my %options={};
-getopts("a:p:t:", \%options);
+getopts("a:dp:t:r:", \%options);
 
 my $addr = "127.0.0.1";
 $addr = $options{a} if defined $options{a};
@@ -63,6 +63,9 @@ my $proto = "udp";
 $proto = lc $options{t} if defined $options{t};
 usage if ($proto !~ /^(udp|tcp)$/);
 
+my $repeats = 1;
+$repeats = $options{r} if defined $options{r};
+
 my $file = "STDIN";
 if (@ARGV >= 1) {
     my $filename = shift @ARGV;
@@ -82,19 +85,56 @@ my $data = pack("H*", $input);
 my $len = length $data;
 
 my $output = unpack("H*", $data);
-print ("sending: $output\n");
+print ("sending $repeats time(s): $output\n");
 
 my $sock = IO::Socket::INET->new(PeerAddr => $addr, PeerPort => $port,
 				 Proto => $proto,) or die "$!";
 
 my $bytes;
-if ($proto eq "udp") {
-    $bytes = $sock->send($data);
-} else {
-    $bytes = $sock->syswrite(pack("n", $len), 2);
-    $bytes += $sock->syswrite($data, $len);
+while ($repeats > 0) {
+    if ($proto eq "udp") {
+	$bytes = $sock->send($data);
+    } else {
+	$bytes = $sock->syswrite(pack("n", $len), 2);
+	$bytes += $sock->syswrite($data, $len);
+    }
+
+    $repeats = $repeats - 1;
 }
 
 print ("sent $bytes bytes to $addr:$port\n");
+if (defined $options{d}) {
+	use Net::DNS;
+	use Net::DNS::Packet;
+
+	my $rin;
+	my $rout;
+	$rin = '';
+        vec($rin, fileno($sock), 1) = 1;
+	select($rout = $rin, undef, undef, 1);
+	if (vec($rout, fileno($sock), 1)) {{
+                my $buf;
+		if ($proto eq "udp") {
+			$sock->recv($buf, 512);
+		} else {
+			my $n = $sock->sysread($buf, 2);
+			last unless $n == 2;
+			my $len = unpack("n", $buf);
+			$n = $sock->sysread($buf, $len);
+			last unless $n == $len;
+		}
+
+		my $response;
+		if ($Net::DNS::VERSION > 0.68) {
+			$response = new Net::DNS::Packet(\$buf, 0);
+			$@ and die $@;
+		} else {
+			my $err;
+			($response, $err) = new Net::DNS::Packet(\$buf, 0);
+			$err and die $err;
+		}
+		$response->print;
+	}}
+}
 $sock->close;
 close $file;
diff --git a/bind/bind9/bin/tests/system/parallel.sh b/bind/bind9/bin/tests/system/parallel.sh
index e59b4d58..a8175505 100644
--- a/bind/bind9/bin/tests/system/parallel.sh
+++ b/bind/bind9/bin/tests/system/parallel.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/clean.sh b/bind/bind9/bin/tests/system/pending/clean.sh
index f0041837..7dbfc153 100644
--- a/bind/bind9/bin/tests/system/pending/clean.sh
+++ b/bind/bind9/bin/tests/system/pending/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns1/named.conf.in b/bind/bind9/bin/tests/system/pending/ns1/named.conf.in
index e36b0b11..cb8b168b 100644
--- a/bind/bind9/bin/tests/system/pending/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/pending/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns1/root.db.in b/bind/bind9/bin/tests/system/pending/ns1/root.db.in
index 271a8e50..e7da6ceb 100644
--- a/bind/bind9/bin/tests/system/pending/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/pending/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns1/sign.sh b/bind/bind9/bin/tests/system/pending/ns1/sign.sh
index 8a69e1a7..b43ee8ec 100644
--- a/bind/bind9/bin/tests/system/pending/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/pending/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns2/example.com.db.in b/bind/bind9/bin/tests/system/pending/ns2/example.com.db.in
index 6ec93625..12478ab4 100644
--- a/bind/bind9/bin/tests/system/pending/ns2/example.com.db.in
+++ b/bind/bind9/bin/tests/system/pending/ns2/example.com.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns2/example.db.in b/bind/bind9/bin/tests/system/pending/ns2/example.db.in
index a5dc49c7..06f586da 100644
--- a/bind/bind9/bin/tests/system/pending/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/pending/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns2/forgery.db b/bind/bind9/bin/tests/system/pending/ns2/forgery.db
index 89f94591..e38274a9 100644
--- a/bind/bind9/bin/tests/system/pending/ns2/forgery.db
+++ b/bind/bind9/bin/tests/system/pending/ns2/forgery.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns2/named.conf.in b/bind/bind9/bin/tests/system/pending/ns2/named.conf.in
index df2e1682..eebfaa27 100644
--- a/bind/bind9/bin/tests/system/pending/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/pending/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns2/sign.sh b/bind/bind9/bin/tests/system/pending/ns2/sign.sh
index df3f500f..4e3c15ca 100644
--- a/bind/bind9/bin/tests/system/pending/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/pending/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns3/hostile.db b/bind/bind9/bin/tests/system/pending/ns3/hostile.db
index 021258a7..70bb0d64 100644
--- a/bind/bind9/bin/tests/system/pending/ns3/hostile.db
+++ b/bind/bind9/bin/tests/system/pending/ns3/hostile.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns3/mail.example.db b/bind/bind9/bin/tests/system/pending/ns3/mail.example.db
index 2da8b451..2af9a53e 100644
--- a/bind/bind9/bin/tests/system/pending/ns3/mail.example.db
+++ b/bind/bind9/bin/tests/system/pending/ns3/mail.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns3/named.conf.in b/bind/bind9/bin/tests/system/pending/ns3/named.conf.in
index 97129c93..5d2c7b83 100644
--- a/bind/bind9/bin/tests/system/pending/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/pending/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/ns4/named.conf.in b/bind/bind9/bin/tests/system/pending/ns4/named.conf.in
index 78ffed7e..d3edb271 100644
--- a/bind/bind9/bin/tests/system/pending/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/pending/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/prereq.sh b/bind/bind9/bin/tests/system/pending/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/pending/prereq.sh
+++ b/bind/bind9/bin/tests/system/pending/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/setup.sh b/bind/bind9/bin/tests/system/pending/setup.sh
index 45b63651..21dfc662 100644
--- a/bind/bind9/bin/tests/system/pending/setup.sh
+++ b/bind/bind9/bin/tests/system/pending/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pending/tests.sh b/bind/bind9/bin/tests/system/pending/tests.sh
index e9347587..076d629d 100644
--- a/bind/bind9/bin/tests/system/pending/tests.sh
+++ b/bind/bind9/bin/tests/system/pending/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/Makefile.in b/bind/bind9/bin/tests/system/pipelined/Makefile.in
index 8bb1097e..ecfd31b6 100644
--- a/bind/bind9/bin/tests/system/pipelined/Makefile.in
+++ b/bind/bind9/bin/tests/system/pipelined/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/clean.sh b/bind/bind9/bin/tests/system/pipelined/clean.sh
index f4c4b131..78215ce5 100644
--- a/bind/bind9/bin/tests/system/pipelined/clean.sh
+++ b/bind/bind9/bin/tests/system/pipelined/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/ns1/named.conf.in b/bind/bind9/bin/tests/system/pipelined/ns1/named.conf.in
index 828bc40b..c275993f 100644
--- a/bind/bind9/bin/tests/system/pipelined/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/pipelined/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/ns1/root.db b/bind/bind9/bin/tests/system/pipelined/ns1/root.db
index 2cddcd23..49371f86 100644
--- a/bind/bind9/bin/tests/system/pipelined/ns1/root.db
+++ b/bind/bind9/bin/tests/system/pipelined/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/ns2/examplea.db b/bind/bind9/bin/tests/system/pipelined/ns2/examplea.db
index 9f0427e1..40a1b856 100644
--- a/bind/bind9/bin/tests/system/pipelined/ns2/examplea.db
+++ b/bind/bind9/bin/tests/system/pipelined/ns2/examplea.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/ns2/named.conf.in b/bind/bind9/bin/tests/system/pipelined/ns2/named.conf.in
index 6df0c663..ef3773db 100644
--- a/bind/bind9/bin/tests/system/pipelined/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/pipelined/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/ns3/exampleb.db b/bind/bind9/bin/tests/system/pipelined/ns3/exampleb.db
index 98a61f05..08111d40 100644
--- a/bind/bind9/bin/tests/system/pipelined/ns3/exampleb.db
+++ b/bind/bind9/bin/tests/system/pipelined/ns3/exampleb.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/ns3/named.conf.in b/bind/bind9/bin/tests/system/pipelined/ns3/named.conf.in
index a17babd5..f8a0b74d 100644
--- a/bind/bind9/bin/tests/system/pipelined/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/pipelined/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/ns4/named.conf.in b/bind/bind9/bin/tests/system/pipelined/ns4/named.conf.in
index 0b8a54b5..a23240b7 100644
--- a/bind/bind9/bin/tests/system/pipelined/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/pipelined/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/pipequeries.c b/bind/bind9/bin/tests/system/pipelined/pipequeries.c
index c6ab7f8d..e16ec116 100644
--- a/bind/bind9/bin/tests/system/pipelined/pipequeries.c
+++ b/bind/bind9/bin/tests/system/pipelined/pipequeries.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -117,8 +117,8 @@ recvresponse(isc_task_t *task, isc_event_t *event) {
 	       (char *)isc_buffer_base(&outbuf));
 	fflush(stdout);
 
-	dns_message_destroy(&query);
-	dns_message_destroy(&response);
+	dns_message_detach(&query);
+	dns_message_detach(&response);
 	dns_request_destroy(&reqev->request);
 	isc_event_free(&event);
 
diff --git a/bind/bind9/bin/tests/system/pipelined/setup.sh b/bind/bind9/bin/tests/system/pipelined/setup.sh
index 57c3d667..048c95b4 100644
--- a/bind/bind9/bin/tests/system/pipelined/setup.sh
+++ b/bind/bind9/bin/tests/system/pipelined/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pipelined/tests.sh b/bind/bind9/bin/tests/system/pipelined/tests.sh
index 61f1ff70..c0a99a26 100644
--- a/bind/bind9/bin/tests/system/pipelined/tests.sh
+++ b/bind/bind9/bin/tests/system/pipelined/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt b/bind/bind9/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt
new file mode 100644
index 00000000..09b06f07
--- /dev/null
+++ b/bind/bind9/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt
@@ -0,0 +1,20 @@
+edda 2800 0001 0000 0001 0000 0972 7361
+7368 6132 3536 0765 7861 6d70 6c65 0000
+0600 01c0 0c00 3000 0100 0001 2c01 0801
+0003 0803 0100 0100 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 00
diff --git a/bind/bind9/bin/tests/system/pkcs11/clean.sh b/bind/bind9/bin/tests/system/pkcs11/clean.sh
index f5be432d..b527e102 100644
--- a/bind/bind9/bin/tests/system/pkcs11/clean.sh
+++ b/bind/bind9/bin/tests/system/pkcs11/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -13,4 +13,5 @@ rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
 rm -f dig.out* pin upd.log*
 rm -f ns1/*.key ns1/named.memstats
 rm -f supported
+rm -f ns*/named.run
 rm -f ns*/named.lock
diff --git a/bind/bind9/bin/tests/system/pkcs11/ns1/example.db.in b/bind/bind9/bin/tests/system/pkcs11/ns1/example.db.in
index 95d2a63a..8888c620 100644
--- a/bind/bind9/bin/tests/system/pkcs11/ns1/example.db.in
+++ b/bind/bind9/bin/tests/system/pkcs11/ns1/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pkcs11/ns1/named.conf b/bind/bind9/bin/tests/system/pkcs11/ns1/named.conf
index 5ac9a2fb..3c1fc04b 100644
--- a/bind/bind9/bin/tests/system/pkcs11/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/pkcs11/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pkcs11/prereq.sh b/bind/bind9/bin/tests/system/pkcs11/prereq.sh
deleted file mode 100644
index 0eb3b78a..00000000
--- a/bind/bind9/bin/tests/system/pkcs11/prereq.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-echo "I:(Native PKCS#11)" >&2
-rsafail=0 eccfail=0 ecxfail=0
-
-$SHELL ../testcrypto.sh -q rsa || rsafail=1
-$SHELL ../testcrypto.sh -q ecdsa || eccfail=1
-$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
-
-if [ $rsafail = 1 -a $eccfail = 1 ]; then
-	echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
-	exit 255
-fi
-rm -f supported
-touch supported
-if [ $rsafail = 0 ]; then
-	echo rsa >> supported
-fi
-if [ $eccfail = 0 ]; then
-	echo ecc >> supported
-fi
-if [ $ecxfail = 0 ]; then
-	echo ecx >> supported
-fi
diff --git a/bind/bind9/bin/tests/system/pkcs11/setup.sh b/bind/bind9/bin/tests/system/pkcs11/setup.sh
index 4fc5ec5b..09f618b8 100644
--- a/bind/bind9/bin/tests/system/pkcs11/setup.sh
+++ b/bind/bind9/bin/tests/system/pkcs11/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -12,6 +12,19 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
+echo_i "(Native PKCS#11)" >&2
+ecxfail=0
+
+$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
+
+rm -f supported
+touch supported
+echo rsa >> supported
+echo ecc >> supported
+if [ $ecxfail = 0 ]; then
+	echo ecx >> supported
+fi
+
 infile=ns1/example.db.in
 
 /bin/echo -n ${HSMPIN:-1234}> pin
diff --git a/bind/bind9/bin/tests/system/pkcs11/tests.sh b/bind/bind9/bin/tests/system/pkcs11/tests.sh
index cf3b5492..41d420d3 100644
--- a/bind/bind9/bin/tests/system/pkcs11/tests.sh
+++ b/bind/bind9/bin/tests/system/pkcs11/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -26,26 +26,26 @@ have_ecc=`grep ecc supported`
 if [ "x$have_ecc" != "x" ]; then
     algs=$algs"ecc "
 fi
-have_ecx=`grep ecc supported`
+have_ecx=`grep ecx supported`
 if [ "x$have_ecx" != "x" ]; then
     algs=$algs"ecx "
 fi
 
 for alg in $algs; do
     zonefile=ns1/$alg.example.db 
-    echo "I:testing PKCS#11 key generation ($alg)"
+    echo_i "testing PKCS#11 key generation ($alg)"
     count=`$PK11LIST | grep robie-$alg-ksk | wc -l`
-    if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+    if [ $count != 2 ]; then echo_i "failed"; status=1; fi
 
-    echo "I:testing offline signing with PKCS#11 keys ($alg)"
+    echo_i "testing offline signing with PKCS#11 keys ($alg)"
 
     count=`grep RRSIG $zonefile.signed | wc -l`
-    if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+    if [ $count != 12 ]; then echo_i "failed"; status=1; fi
 
-    echo "I:testing inline signing with PKCS#11 keys ($alg)"
+    echo_i "testing inline signing with PKCS#11 keys ($alg)"
 
     $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg.0 || ret=1
-    if [ $ret != 0 ]; then echo "I:failed"; fi
+    if [ $ret != 0 ]; then echo_i "failed"; fi
     status=`expr $status + $ret`
     count0=`grep RRSIG dig.out.$alg.0 | wc -l`
 
@@ -57,16 +57,16 @@ update add `grep -v ';' ns1/${alg}.key`
 send
 END
 
-    echo "I:waiting 20 seconds for key changes to take effect"
+    echo_i "waiting 20 seconds for key changes to take effect"
     sleep 20
 
     $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out.$alg || ret=1
-    if [ $ret != 0 ]; then echo "I:failed"; fi
+    if [ $ret != 0 ]; then echo_i "failed"; fi
     status=`expr $status + $ret`
     count=`grep RRSIG dig.out.$alg | wc -l`
-    if [ $count -le $count0 ]; then echo "I:failed"; status=1; fi
+    if [ $count -le $count0 ]; then echo_i "failed"; status=1; fi
 
-    echo "I:testing PKCS#11 key destroy ($alg)"
+    echo_i "testing PKCS#11 key destroy ($alg)"
     ret=0
     $PK11DEL -l robie-$alg-ksk -w0 > /dev/null 2>&1 || ret=1
     $PK11DEL -l robie-$alg-zsk1 -w0 > /dev/null 2>&1 || ret=1
@@ -76,12 +76,19 @@ END
 	ecx) id=06 ;;
     esac
     $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
-    if [ $ret != 0 ]; then echo "I:failed"; fi
+    if [ $ret != 0 ]; then echo_i "failed"; fi
     status=`expr $status + $ret`
     count=`$PK11LIST | grep robie-$alg | wc -l`
-    if [ $count != 0 ]; then echo "I:failed"; fi
+    if [ $count != 0 ]; then echo_i "failed"; fi
     status=`expr $status + $count`
 done
 
-echo "I:exit status: $status"
-[ $status -eq 0 ] || exit 1
+echo_i "Checking for assertion failure in pk11_numbits()"
+ret=0
+$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt || ret=1
+$DIG $DIGOPTS @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ "$status" -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/pkcs11ssl/clean.sh b/bind/bind9/bin/tests/system/pkcs11ssl/clean.sh
index 4af1c397..b5eee2f2 100644
--- a/bind/bind9/bin/tests/system/pkcs11ssl/clean.sh
+++ b/bind/bind9/bin/tests/system/pkcs11ssl/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pkcs11ssl/ns1/example.db.in b/bind/bind9/bin/tests/system/pkcs11ssl/ns1/example.db.in
index 95d2a63a..8888c620 100644
--- a/bind/bind9/bin/tests/system/pkcs11ssl/ns1/example.db.in
+++ b/bind/bind9/bin/tests/system/pkcs11ssl/ns1/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pkcs11ssl/ns1/named.conf b/bind/bind9/bin/tests/system/pkcs11ssl/ns1/named.conf
index 7cd80742..264a7e09 100644
--- a/bind/bind9/bin/tests/system/pkcs11ssl/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/pkcs11ssl/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pkcs11ssl/prereq.sh b/bind/bind9/bin/tests/system/pkcs11ssl/prereq.sh
index 489bebbb..8796eca6 100644
--- a/bind/bind9/bin/tests/system/pkcs11ssl/prereq.sh
+++ b/bind/bind9/bin/tests/system/pkcs11ssl/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -12,5 +12,5 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-echo "I:(PKCS#11 via OpenSSL)" >&2
+echo_i "(PKCS#11 via OpenSSL)" >&2
 exec $SHELL ../testcrypto.sh rsa
diff --git a/bind/bind9/bin/tests/system/pkcs11ssl/setup.sh b/bind/bind9/bin/tests/system/pkcs11ssl/setup.sh
index d2fbe922..29b4c8b6 100644
--- a/bind/bind9/bin/tests/system/pkcs11ssl/setup.sh
+++ b/bind/bind9/bin/tests/system/pkcs11ssl/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/pkcs11ssl/tests.sh b/bind/bind9/bin/tests/system/pkcs11ssl/tests.sh
index 2d7437e6..ac344bed 100644
--- a/bind/bind9/bin/tests/system/pkcs11ssl/tests.sh
+++ b/bind/bind9/bin/tests/system/pkcs11ssl/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -19,16 +19,16 @@ ret=0
 
 alg=rsa
 zonefile=ns1/rsa.example.db 
-echo "I:testing PKCS#11 key generation (rsa)"
+echo_i "testing PKCS#11 key generation (rsa)"
 count=`$PK11LIST | grep robie-rsa-ksk | wc -l`
-if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+if [ $count != 2 ]; then echo_i "failed"; status=1; fi
 
-echo "I:testing offline signing with PKCS#11 keys (rsa)"
+echo_i "testing offline signing with PKCS#11 keys (rsa)"
 
 count=`grep RRSIG $zonefile.signed | wc -l`
-if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+if [ $count != 12 ]; then echo_i "failed"; status=1; fi
 
-echo "I:testing inline signing with PKCS#11 keys (rsa)"
+echo_i "testing inline signing with PKCS#11 keys (rsa)"
 
 $NSUPDATE > /dev/null <<END || status=1
 server 10.53.0.1 5300
@@ -38,25 +38,25 @@ update add `grep -v ';' ns1/${alg}.key`
 send
 END
 
-echo "I:waiting 20 seconds for key changes to take effect"
+echo_i "waiting 20 seconds for key changes to take effect"
 sleep 20
 
 $DIG $DIGOPTS ns.rsa.example. @10.53.0.1 a > dig.out || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 count=`grep RRSIG dig.out | wc -l`
-if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+if [ $count != 4 ]; then echo_i "failed"; status=1; fi
 
-echo "I:testing PKCS#11 key destroy (rsa)"
+echo_i "testing PKCS#11 key destroy (rsa)"
 ret=0
 $PK11DEL -l robie-rsa-ksk -w0 > /dev/null 2>&1 || ret=1
 $PK11DEL -l robie-rsa-zsk1 -w0 > /dev/null 2>&1 || ret=1
 $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 count=`$PK11LIST | grep robie-rsa | wc -l`
-if [ $count != 0 ]; then echo "I:failed"; fi
+if [ $count != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $count`
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/reclimit/README b/bind/bind9/bin/tests/system/reclimit/README
index 02b1ba19..e66994eb 100644
--- a/bind/bind9/bin/tests/system/reclimit/README
+++ b/bind/bind9/bin/tests/system/reclimit/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 system test for recursion limits
 
diff --git a/bind/bind9/bin/tests/system/reclimit/ans2/ans.pl b/bind/bind9/bin/tests/system/reclimit/ans2/ans.pl
index da3d192a..2fa84f8c 100644
--- a/bind/bind9/bin/tests/system/reclimit/ans2/ans.pl
+++ b/bind/bind9/bin/tests/system/reclimit/ans2/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ans4/ans.pl b/bind/bind9/bin/tests/system/reclimit/ans4/ans.pl
index 57ba9621..2b5c4615 100644
--- a/bind/bind9/bin/tests/system/reclimit/ans4/ans.pl
+++ b/bind/bind9/bin/tests/system/reclimit/ans4/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ans7/ans.pl b/bind/bind9/bin/tests/system/reclimit/ans7/ans.pl
index 50504270..e28c32c1 100644
--- a/bind/bind9/bin/tests/system/reclimit/ans7/ans.pl
+++ b/bind/bind9/bin/tests/system/reclimit/ans7/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -55,7 +55,7 @@ sub reply_handler {
         $rcode = "REFUSED";
     }
 
-    # mark the answer as authoritive (by setting the 'aa' flag
+    # mark the answer as authoritative (by setting the 'aa' flag
     return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
 }
 
diff --git a/bind/bind9/bin/tests/system/reclimit/clean.sh b/bind/bind9/bin/tests/system/reclimit/clean.sh
index fbeaee35..950e6653 100644
--- a/bind/bind9/bin/tests/system/reclimit/clean.sh
+++ b/bind/bind9/bin/tests/system/reclimit/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ns1/named.conf.in b/bind/bind9/bin/tests/system/reclimit/ns1/named.conf.in
index f8868f51..d7b51a79 100644
--- a/bind/bind9/bin/tests/system/reclimit/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/reclimit/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ns1/root.db b/bind/bind9/bin/tests/system/reclimit/ns1/root.db
index 3a6f7880..bd4a98df 100644
--- a/bind/bind9/bin/tests/system/reclimit/ns1/root.db
+++ b/bind/bind9/bin/tests/system/reclimit/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ns3/hints.db b/bind/bind9/bin/tests/system/reclimit/ns3/hints.db
index f7637294..a630fe69 100644
--- a/bind/bind9/bin/tests/system/reclimit/ns3/hints.db
+++ b/bind/bind9/bin/tests/system/reclimit/ns3/hints.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ns3/named1.conf.in b/bind/bind9/bin/tests/system/reclimit/ns3/named1.conf.in
index f7f6c6a7..ff82fc85 100644
--- a/bind/bind9/bin/tests/system/reclimit/ns3/named1.conf.in
+++ b/bind/bind9/bin/tests/system/reclimit/ns3/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ns3/named2.conf.in b/bind/bind9/bin/tests/system/reclimit/ns3/named2.conf.in
index f051cf53..4c44082f 100644
--- a/bind/bind9/bin/tests/system/reclimit/ns3/named2.conf.in
+++ b/bind/bind9/bin/tests/system/reclimit/ns3/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ns3/named3.conf.in b/bind/bind9/bin/tests/system/reclimit/ns3/named3.conf.in
index 6c235aff..55167b31 100644
--- a/bind/bind9/bin/tests/system/reclimit/ns3/named3.conf.in
+++ b/bind/bind9/bin/tests/system/reclimit/ns3/named3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/ns3/named4.conf.in b/bind/bind9/bin/tests/system/reclimit/ns3/named4.conf.in
index 2d7d5c18..c0041eb9 100644
--- a/bind/bind9/bin/tests/system/reclimit/ns3/named4.conf.in
+++ b/bind/bind9/bin/tests/system/reclimit/ns3/named4.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/prereq.sh b/bind/bind9/bin/tests/system/reclimit/prereq.sh
index 3c854d2d..dcdc0c5c 100644
--- a/bind/bind9/bin/tests/system/reclimit/prereq.sh
+++ b/bind/bind9/bin/tests/system/reclimit/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/setup.sh b/bind/bind9/bin/tests/system/reclimit/setup.sh
index d09a0125..6800532a 100644
--- a/bind/bind9/bin/tests/system/reclimit/setup.sh
+++ b/bind/bind9/bin/tests/system/reclimit/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/reclimit/tests.sh b/bind/bind9/bin/tests/system/reclimit/tests.sh
index 9a30a204..c7d088af 100644
--- a/bind/bind9/bin/tests/system/reclimit/tests.sh
+++ b/bind/bind9/bin/tests/system/reclimit/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/clean.sh b/bind/bind9/bin/tests/system/redirect/clean.sh
index c13d918d..4b36bc72 100644
--- a/bind/bind9/bin/tests/system/redirect/clean.sh
+++ b/bind/bind9/bin/tests/system/redirect/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/conf/bad1.conf b/bind/bind9/bin/tests/system/redirect/conf/bad1.conf
index 4928878e..593e886d 100644
--- a/bind/bind9/bin/tests/system/redirect/conf/bad1.conf
+++ b/bind/bind9/bin/tests/system/redirect/conf/bad1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/conf/bad2.conf b/bind/bind9/bin/tests/system/redirect/conf/bad2.conf
index 87a23fdd..fdb7794b 100644
--- a/bind/bind9/bin/tests/system/redirect/conf/bad2.conf
+++ b/bind/bind9/bin/tests/system/redirect/conf/bad2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/conf/bad3.conf b/bind/bind9/bin/tests/system/redirect/conf/bad3.conf
index ad7063cd..46f9c74c 100644
--- a/bind/bind9/bin/tests/system/redirect/conf/bad3.conf
+++ b/bind/bind9/bin/tests/system/redirect/conf/bad3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/conf/good1.conf b/bind/bind9/bin/tests/system/redirect/conf/good1.conf
index 4e092108..1b455c36 100644
--- a/bind/bind9/bin/tests/system/redirect/conf/good1.conf
+++ b/bind/bind9/bin/tests/system/redirect/conf/good1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/conf/good2.conf b/bind/bind9/bin/tests/system/redirect/conf/good2.conf
index a01d6456..b92c9adf 100644
--- a/bind/bind9/bin/tests/system/redirect/conf/good2.conf
+++ b/bind/bind9/bin/tests/system/redirect/conf/good2.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/conf/good3.conf b/bind/bind9/bin/tests/system/redirect/conf/good3.conf
index 3d91ba3b..c71e93af 100644
--- a/bind/bind9/bin/tests/system/redirect/conf/good3.conf
+++ b/bind/bind9/bin/tests/system/redirect/conf/good3.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/conf/good4.conf b/bind/bind9/bin/tests/system/redirect/conf/good4.conf
index f70b723d..560cb1f1 100644
--- a/bind/bind9/bin/tests/system/redirect/conf/good4.conf
+++ b/bind/bind9/bin/tests/system/redirect/conf/good4.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns1/example.db b/bind/bind9/bin/tests/system/redirect/ns1/example.db
index 83140c25..759e5f7b 100644
--- a/bind/bind9/bin/tests/system/redirect/ns1/example.db
+++ b/bind/bind9/bin/tests/system/redirect/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns1/named.conf.in b/bind/bind9/bin/tests/system/redirect/ns1/named.conf.in
index 47b385a8..b2bc6863 100644
--- a/bind/bind9/bin/tests/system/redirect/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/redirect/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns1/redirect.db b/bind/bind9/bin/tests/system/redirect/ns1/redirect.db
index 0797462a..33f25e2f 100644
--- a/bind/bind9/bin/tests/system/redirect/ns1/redirect.db
+++ b/bind/bind9/bin/tests/system/redirect/ns1/redirect.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns1/root.db b/bind/bind9/bin/tests/system/redirect/ns1/root.db
index 532063c0..ccb4ef1f 100644
--- a/bind/bind9/bin/tests/system/redirect/ns1/root.db
+++ b/bind/bind9/bin/tests/system/redirect/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns1/sign.sh b/bind/bind9/bin/tests/system/redirect/ns1/sign.sh
index fb38190f..187b3b87 100644
--- a/bind/bind9/bin/tests/system/redirect/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/redirect/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns2/example.db.in b/bind/bind9/bin/tests/system/redirect/ns2/example.db.in
index bb8b66d9..b866f7a8 100644
--- a/bind/bind9/bin/tests/system/redirect/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/redirect/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns2/named.conf.in b/bind/bind9/bin/tests/system/redirect/ns2/named.conf.in
index 3e897900..a067e0d6 100644
--- a/bind/bind9/bin/tests/system/redirect/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/redirect/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns2/redirect.db.in b/bind/bind9/bin/tests/system/redirect/ns2/redirect.db.in
index 46e5db81..c031c4e4 100644
--- a/bind/bind9/bin/tests/system/redirect/ns2/redirect.db.in
+++ b/bind/bind9/bin/tests/system/redirect/ns2/redirect.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns3/example.db b/bind/bind9/bin/tests/system/redirect/ns3/example.db
index 065ad2dd..0c330a55 100644
--- a/bind/bind9/bin/tests/system/redirect/ns3/example.db
+++ b/bind/bind9/bin/tests/system/redirect/ns3/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns3/named.conf.in b/bind/bind9/bin/tests/system/redirect/ns3/named.conf.in
index 04a651b0..9e4f6e3d 100644
--- a/bind/bind9/bin/tests/system/redirect/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/redirect/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns3/redirect.db b/bind/bind9/bin/tests/system/redirect/ns3/redirect.db
index b8ca047d..9996a122 100644
--- a/bind/bind9/bin/tests/system/redirect/ns3/redirect.db
+++ b/bind/bind9/bin/tests/system/redirect/ns3/redirect.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns3/root.db b/bind/bind9/bin/tests/system/redirect/ns3/root.db
index 1befd933..5b62f764 100644
--- a/bind/bind9/bin/tests/system/redirect/ns3/root.db
+++ b/bind/bind9/bin/tests/system/redirect/ns3/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns3/sign.sh b/bind/bind9/bin/tests/system/redirect/ns3/sign.sh
index fb38190f..187b3b87 100644
--- a/bind/bind9/bin/tests/system/redirect/ns3/sign.sh
+++ b/bind/bind9/bin/tests/system/redirect/ns3/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns4/example.db.in b/bind/bind9/bin/tests/system/redirect/ns4/example.db.in
index 4d3a0824..e424ecaf 100644
--- a/bind/bind9/bin/tests/system/redirect/ns4/example.db.in
+++ b/bind/bind9/bin/tests/system/redirect/ns4/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns4/named.conf.in b/bind/bind9/bin/tests/system/redirect/ns4/named.conf.in
index 70f0df07..961e0b5d 100644
--- a/bind/bind9/bin/tests/system/redirect/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/redirect/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/ns4/root.hint b/bind/bind9/bin/tests/system/redirect/ns4/root.hint
index 20d2a27c..db7f8d52 100644
--- a/bind/bind9/bin/tests/system/redirect/ns4/root.hint
+++ b/bind/bind9/bin/tests/system/redirect/ns4/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/prereq.sh b/bind/bind9/bin/tests/system/redirect/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/redirect/prereq.sh
+++ b/bind/bind9/bin/tests/system/redirect/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/setup.sh b/bind/bind9/bin/tests/system/redirect/setup.sh
index f3050d39..4d8ca8af 100644
--- a/bind/bind9/bin/tests/system/redirect/setup.sh
+++ b/bind/bind9/bin/tests/system/redirect/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/redirect/tests.sh b/bind/bind9/bin/tests/system/redirect/tests.sh
index 82fdad68..f2051f1d 100644
--- a/bind/bind9/bin/tests/system/redirect/tests.sh
+++ b/bind/bind9/bin/tests/system/redirect/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ans2/ans.pl b/bind/bind9/bin/tests/system/resolver/ans2/ans.pl
index a242a998..89defcd5 100644
--- a/bind/bind9/bin/tests/system/resolver/ans2/ans.pl
+++ b/bind/bind9/bin/tests/system/resolver/ans2/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ans3/ans.pl b/bind/bind9/bin/tests/system/resolver/ans3/ans.pl
index 46d76737..ca2ed08c 100644
--- a/bind/bind9/bin/tests/system/resolver/ans3/ans.pl
+++ b/bind/bind9/bin/tests/system/resolver/ans3/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ans8/ans.pl b/bind/bind9/bin/tests/system/resolver/ans8/ans.pl
index fd7dafe0..25c06dcf 100644
--- a/bind/bind9/bin/tests/system/resolver/ans8/ans.pl
+++ b/bind/bind9/bin/tests/system/resolver/ans8/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/clean.sh b/bind/bind9/bin/tests/system/resolver/clean.sh
index 4dfde1f3..db81e185 100644
--- a/bind/bind9/bin/tests/system/resolver/clean.sh
+++ b/bind/bind9/bin/tests/system/resolver/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -17,8 +17,7 @@ rm -f */named.memstats
 rm -f */named.run
 rm -f */ans.run
 rm -f */*.jdb
-rm -f dig.out dig.out.*
-rm -f dig.*.out.*
+rm -f dig.out dig.out.* dig.*.out.*
 rm -f dig.*.foo.*
 rm -f dig.*.bar.*
 rm -f dig.*.prime.*
@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
 rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
 rm -f ns6/dsset-ds.example.net*
 rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
+rm -f ns6/named.stats*
 rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
 rm -f ns7/server.db ns7/server.db.jnl
 rm -f resolve.out.*.test*
diff --git a/bind/bind9/bin/tests/system/resolver/ns1/named.conf.in b/bind/bind9/bin/tests/system/resolver/ns1/named.conf.in
index a2c19dbc..49cd56ec 100644
--- a/bind/bind9/bin/tests/system/resolver/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/resolver/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns1/root.hint b/bind/bind9/bin/tests/system/resolver/ns1/root.hint
index 64769b9f..8b55c604 100644
--- a/bind/bind9/bin/tests/system/resolver/ns1/root.hint
+++ b/bind/bind9/bin/tests/system/resolver/ns1/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/broken.db b/bind/bind9/bin/tests/system/resolver/ns4/broken.db
index 886614c4..85510c8c 100644
--- a/bind/bind9/bin/tests/system/resolver/ns4/broken.db
+++ b/bind/bind9/bin/tests/system/resolver/ns4/broken.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/child.server.db b/bind/bind9/bin/tests/system/resolver/ns4/child.server.db
index e0dc65e9..99a7b296 100644
--- a/bind/bind9/bin/tests/system/resolver/ns4/child.server.db
+++ b/bind/bind9/bin/tests/system/resolver/ns4/child.server.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/moves.db b/bind/bind9/bin/tests/system/resolver/ns4/moves.db
index cfd04de5..fbcf7e50 100644
--- a/bind/bind9/bin/tests/system/resolver/ns4/moves.db
+++ b/bind/bind9/bin/tests/system/resolver/ns4/moves.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/named.conf.in b/bind/bind9/bin/tests/system/resolver/ns4/named.conf.in
index c679dc31..596c2b10 100644
--- a/bind/bind9/bin/tests/system/resolver/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/resolver/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -50,6 +50,11 @@ zone "broken" {
 	file "broken.db";
 };
 
+zone "sourcens" {
+    type master;
+    file "sourcens.db";
+};
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm hmac-sha256;
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/named.noaa b/bind/bind9/bin/tests/system/resolver/ns4/named.noaa
index 0f215fcd..3b121ad9 100644
--- a/bind/bind9/bin/tests/system/resolver/ns4/named.noaa
+++ b/bind/bind9/bin/tests/system/resolver/ns4/named.noaa
@@ -1,5 +1,5 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Add -T noaa.
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/root.db b/bind/bind9/bin/tests/system/resolver/ns4/root.db
index 721765d1..92cf65f3 100644
--- a/bind/bind9/bin/tests/system/resolver/ns4/root.db
+++ b/bind/bind9/bin/tests/system/resolver/ns4/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -24,3 +24,7 @@ example.net.		NS	ns.example.net.
 ns.example.net.		A	10.53.0.6
 no-questions.		NS	ns.no-questions.
 ns.no-questions.	A	10.53.0.8
+sourcens.		NS	ns.sourcens.
+ns.sourcens.		A	10.53.0.4
+targetns. 		NS	ns.targetns.
+ns.targetns.		A	10.53.0.6
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/sourcens.db b/bind/bind9/bin/tests/system/resolver/ns4/sourcens.db
new file mode 100644
index 00000000..12707cae
--- /dev/null
+++ b/bind/bind9/bin/tests/system/resolver/ns4/sourcens.db
@@ -0,0 +1,89 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records.  This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation.  It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns
+ns			A	10.53.0.4
+
+target1  		NS	ns.fake11.targetns.
+
+target2  		NS	ns.fake21.targetns.
+			NS	ns.fake22.targetns.
+
+target3  		NS	ns.fake31.targetns.
+			NS	ns.fake32.targetns.
+			NS	ns.fake33.targetns.
+
+target4  		NS	ns.fake41.targetns.
+			NS	ns.fake42.targetns.
+			NS	ns.fake43.targetns.
+			NS	ns.fake44.targetns.
+
+target5  		NS	ns.fake51.targetns.
+			NS	ns.fake52.targetns.
+			NS	ns.fake53.targetns.
+			NS	ns.fake54.targetns.
+			NS	ns.fake55.targetns.
+
+target6  		NS	ns.fake61.targetns.
+			NS	ns.fake62.targetns.
+			NS	ns.fake63.targetns.
+			NS	ns.fake64.targetns.
+			NS	ns.fake65.targetns.
+			NS	ns.fake66.targetns.
+
+target7  		NS	ns.fake71.targetns.
+			NS	ns.fake72.targetns.
+			NS	ns.fake73.targetns.
+			NS	ns.fake74.targetns.
+			NS	ns.fake75.targetns.
+			NS	ns.fake76.targetns.
+			NS	ns.fake77.targetns.
+
+target8  		NS	ns.fake81.targetns.
+			NS	ns.fake82.targetns.
+			NS	ns.fake83.targetns.
+			NS	ns.fake84.targetns.
+			NS	ns.fake85.targetns.
+			NS	ns.fake86.targetns.
+			NS	ns.fake87.targetns.
+			NS	ns.fake88.targetns.
+
+target9  		NS	ns.fake91.targetns.
+			NS	ns.fake92.targetns.
+			NS	ns.fake93.targetns.
+			NS	ns.fake94.targetns.
+			NS	ns.fake95.targetns.
+			NS	ns.fake96.targetns.
+			NS	ns.fake97.targetns.
+			NS	ns.fake98.targetns.
+			NS	ns.fake99.targetns.
+
+target10  		NS	ns.fake101.targetns.
+			NS	ns.fake102.targetns.
+			NS	ns.fake103.targetns.
+			NS	ns.fake104.targetns.
+			NS	ns.fake105.targetns.
+			NS	ns.fake106.targetns.
+			NS	ns.fake107.targetns.
+			NS	ns.fake108.targetns.
+			NS	ns.fake109.targetns.
+			NS	ns.fake1010.targetns.
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/tld1.db b/bind/bind9/bin/tests/system/resolver/ns4/tld1.db
index f9a94634..3423148f 100644
--- a/bind/bind9/bin/tests/system/resolver/ns4/tld1.db
+++ b/bind/bind9/bin/tests/system/resolver/ns4/tld1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns4/tld2.db b/bind/bind9/bin/tests/system/resolver/ns4/tld2.db
index 24ed348d..38e099ec 100644
--- a/bind/bind9/bin/tests/system/resolver/ns4/tld2.db
+++ b/bind/bind9/bin/tests/system/resolver/ns4/tld2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns5/child.server.db b/bind/bind9/bin/tests/system/resolver/ns5/child.server.db
index 73eb8479..799d0a93 100644
--- a/bind/bind9/bin/tests/system/resolver/ns5/child.server.db
+++ b/bind/bind9/bin/tests/system/resolver/ns5/child.server.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns5/moves.db b/bind/bind9/bin/tests/system/resolver/ns5/moves.db
index d2594b68..79806880 100644
--- a/bind/bind9/bin/tests/system/resolver/ns5/moves.db
+++ b/bind/bind9/bin/tests/system/resolver/ns5/moves.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns5/named.conf.in b/bind/bind9/bin/tests/system/resolver/ns5/named.conf.in
index f6f96f3f..685dda3d 100644
--- a/bind/bind9/bin/tests/system/resolver/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/resolver/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -47,4 +47,11 @@ zone "delegation-only" {
        type delegation-only;
 };
 
-include "trusted.conf";
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bind/bind9/bin/tests/system/resolver/ns5/root.hint b/bind/bind9/bin/tests/system/resolver/ns5/root.hint
index e8cdaecd..03b840bc 100644
--- a/bind/bind9/bin/tests/system/resolver/ns5/root.hint
+++ b/bind/bind9/bin/tests/system/resolver/ns5/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/broken.db b/bind/bind9/bin/tests/system/resolver/ns6/broken.db
index 10edff8a..1c285f12 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/broken.db
+++ b/bind/bind9/bin/tests/system/resolver/ns6/broken.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/delegation-only.db b/bind/bind9/bin/tests/system/resolver/ns6/delegation-only.db
index c9a7ad18..090e0327 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/delegation-only.db
+++ b/bind/bind9/bin/tests/system/resolver/ns6/delegation-only.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/ds.example.net.db.in b/bind/bind9/bin/tests/system/resolver/ns6/ds.example.net.db.in
index d38d1a94..1f2010d3 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/ds.example.net.db.in
+++ b/bind/bind9/bin/tests/system/resolver/ns6/ds.example.net.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/example.net.db.in b/bind/bind9/bin/tests/system/resolver/ns6/example.net.db.in
index eab3267b..22aeb62e 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/example.net.db.in
+++ b/bind/bind9/bin/tests/system/resolver/ns6/example.net.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/keygen.sh b/bind/bind9/bin/tests/system/resolver/ns6/keygen.sh
index 7b87d97e..4a711fd0 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/keygen.sh
+++ b/bind/bind9/bin/tests/system/resolver/ns6/keygen.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/moves.db b/bind/bind9/bin/tests/system/resolver/ns6/moves.db
index 27ce6d11..4cf4effa 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/moves.db
+++ b/bind/bind9/bin/tests/system/resolver/ns6/moves.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/named.conf.in b/bind/bind9/bin/tests/system/resolver/ns6/named.conf.in
index 7df48558..cbf88881 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/resolver/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -22,6 +22,7 @@ options {
 	recursion no;
 	// minimal-responses yes;
 	querylog yes;
+	statistics-file "named.stats";
 	/*
 	 * test that named loads with root-delegation-only that
 	 * has a exclude list.
@@ -67,3 +68,17 @@ zone "delegation-only" {
 	type master;
 	file "delegation-only.db";
 };
+
+zone "targetns" {
+	type master;
+	file "targetns.db";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/no-edns-version.tld.db b/bind/bind9/bin/tests/system/resolver/ns6/no-edns-version.tld.db
index 736c2e55..4ce1049f 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/no-edns-version.tld.db
+++ b/bind/bind9/bin/tests/system/resolver/ns6/no-edns-version.tld.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/root.db b/bind/bind9/bin/tests/system/resolver/ns6/root.db
index 09b23fc3..15a99bd0 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/root.db
+++ b/bind/bind9/bin/tests/system/resolver/ns6/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
@@ -22,7 +22,7 @@ server.			NS	ns7.server.
 ns7.server.		A	10.53.0.7
 ;
 ; These two delegations are strictly not necessary as the test resolver (ns5)
-; doesn't have this zone as its root.  They are just done for consistancy with
+; doesn't have this zone as its root.  They are just done for consistency with
 ; the delegations in ns4/tld.
 ;
 no-edns-version.tld.	NS	ns.no-edns-version.tld.
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/targetns.db b/bind/bind9/bin/tests/system/resolver/ns6/targetns.db
new file mode 100644
index 00000000..a5dab6fd
--- /dev/null
+++ b/bind/bind9/bin/tests/system/resolver/ns6/targetns.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+			NS	ns
+ns			A	10.53.0.6
diff --git a/bind/bind9/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in b/bind/bind9/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
index 2a1c9602..a3fee538 100644
--- a/bind/bind9/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
+++ b/bind/bind9/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns7/all-cnames.db b/bind/bind9/bin/tests/system/resolver/ns7/all-cnames.db
index 3adcd1d7..11eb6ce5 100644
--- a/bind/bind9/bin/tests/system/resolver/ns7/all-cnames.db
+++ b/bind/bind9/bin/tests/system/resolver/ns7/all-cnames.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns7/edns-version.tld.db b/bind/bind9/bin/tests/system/resolver/ns7/edns-version.tld.db
index f94d84ad..4291bec0 100644
--- a/bind/bind9/bin/tests/system/resolver/ns7/edns-version.tld.db
+++ b/bind/bind9/bin/tests/system/resolver/ns7/edns-version.tld.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns7/named1.conf.in b/bind/bind9/bin/tests/system/resolver/ns7/named1.conf.in
index 6828ad26..3c6f3326 100644
--- a/bind/bind9/bin/tests/system/resolver/ns7/named1.conf.in
+++ b/bind/bind9/bin/tests/system/resolver/ns7/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns7/named2.conf.in b/bind/bind9/bin/tests/system/resolver/ns7/named2.conf.in
index ad8988f3..ba298a8c 100644
--- a/bind/bind9/bin/tests/system/resolver/ns7/named2.conf.in
+++ b/bind/bind9/bin/tests/system/resolver/ns7/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns7/root.hint b/bind/bind9/bin/tests/system/resolver/ns7/root.hint
index a623df91..db0cd720 100644
--- a/bind/bind9/bin/tests/system/resolver/ns7/root.hint
+++ b/bind/bind9/bin/tests/system/resolver/ns7/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/ns7/server.db.in b/bind/bind9/bin/tests/system/resolver/ns7/server.db.in
index ab42f26e..233e94dd 100644
--- a/bind/bind9/bin/tests/system/resolver/ns7/server.db.in
+++ b/bind/bind9/bin/tests/system/resolver/ns7/server.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/prereq.sh b/bind/bind9/bin/tests/system/resolver/prereq.sh
index 264ab4c9..8b547cfe 100644
--- a/bind/bind9/bin/tests/system/resolver/prereq.sh
+++ b/bind/bind9/bin/tests/system/resolver/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/setup.sh b/bind/bind9/bin/tests/system/resolver/setup.sh
index 9926dc69..1ac693b0 100644
--- a/bind/bind9/bin/tests/system/resolver/setup.sh
+++ b/bind/bind9/bin/tests/system/resolver/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/resolver/tests.sh b/bind/bind9/bin/tests/system/resolver/tests.sh
index 312de585..6eb52fe0 100755
--- a/bind/bind9/bin/tests/system/resolver/tests.sh
+++ b/bind/bind9/bin/tests/system/resolver/tests.sh
@@ -4,14 +4,13 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
-echo .
 
 DIGOPTS="-p ${PORT}"
 RESOLVOPTS="-p ${PORT}"
@@ -248,6 +247,41 @@ if [ -x ${RESOLVE} ] ; then
 fi
 
 n=`expr $n + 1`
+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
+# ns5 is the recusor being tested.  ns4 holds the sourcens zone containing names with varying numbers of NS
+# records pointing to non-existent nameservers in the targetns zone on ns6.
+ret=0
+$RNDCCMD 10.53.0.5 flush || ret=1   # Ensure cache is empty before doing this test
+for nscount in 1 2 3 4 5 6 7 8 9 10
+do
+        # Verify number of NS records at source server
+        $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
+        sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
+        test $sourcerecs -eq $nscount || ret=1
+        test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
+        # Expected queries = 2 * number of NS records, up to a maximum of 10.
+        expected=`expr 2 \* $nscount`
+        if [ $expected -gt 10 ]; then expected=10; fi
+        half=`expr $expected / 2`
+        # Work out the queries made by checking statistics on the target before and after the test
+        $RNDCCMD 10.53.0.6 stats || ret=1
+        initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+        mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
+        $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
+        $RNDCCMD 10.53.0.6 stats || ret=1
+        final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+        mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
+        # Check number of queries during the test is as expected
+        actual=`expr $final_count - $initial_count`
+        if [ $actual -ne $expected ] && [ $actual -ne $half ]; then
+                echo_i "query count error: $nscount NS records: expected queries $expected or $half (no IPv6), actual $actual"
+                ret=1
+        fi
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
 echo_i "RT21594 regression test check setup ($n)"
 ret=0
 # Check that "aa" is not being set by the authoritative server.
@@ -454,7 +488,7 @@ sleep ${interval:-0}
 $DIG $DIGOPTS @10.53.0.5 fetch.tld txt > dig.out.2.${n} || ret=1
 ttl2=`awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}`
 sleep 1
-# check that prefetch occured
+# check that prefetch occurred
 $DIG $DIGOPTS @10.53.0.5 fetch.tld txt > dig.out.3.${n} || ret=1
 ttl=`awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n}`
 test ${ttl:-0} -gt ${ttl2:-1} || ret=1
@@ -473,7 +507,7 @@ sleep ${interval:-0}
 $DIG $DIGOPTS @10.53.0.5 ds.example.net ds > dig.out.2.${n} || ret=1
 dsttl2=`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.2.${n}`
 sleep 1
-# check that prefetch occured
+# check that prefetch occurred
 $DIG $DIGOPTS @10.53.0.5 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
 dsttl=`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.3.${n}`
 sigttl=`awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}`
@@ -498,7 +532,7 @@ no_prefetch() {
 	# the previous one.
 	$DIG $DIGOPTS @10.53.0.7 fetch.example.net txt > dig.out.2.${n} || return 1
 	ttl2=`awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}`
-        # check that prefetch has not occured
+        # check that prefetch has not occurred
         if [ $ttl2 -ge $tmp_ttl ]; then
                 return 1
         fi
diff --git a/bind/bind9/bin/tests/system/rndc/Makefile.in b/bind/bind9/bin/tests/system/rndc/Makefile.in
index 186464ff..1cb664fe 100644
--- a/bind/bind9/bin/tests/system/rndc/Makefile.in
+++ b/bind/bind9/bin/tests/system/rndc/Makefile.in
@@ -2,14 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id$
-
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/bin/tests/system/rndc/clean.sh b/bind/bind9/bin/tests/system/rndc/clean.sh
index a6ac3379..e1dd94cc 100644
--- a/bind/bind9/bin/tests/system/rndc/clean.sh
+++ b/bind/bind9/bin/tests/system/rndc/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/gencheck.c b/bind/bind9/bin/tests/system/rndc/gencheck.c
index 9021b501..9e19a2e6 100644
--- a/bind/bind9/bin/tests/system/rndc/gencheck.c
+++ b/bind/bind9/bin/tests/system/rndc/gencheck.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/ns2/incl.db b/bind/bind9/bin/tests/system/rndc/ns2/incl.db
index f40cac4b..1531a541 100644
--- a/bind/bind9/bin/tests/system/rndc/ns2/incl.db
+++ b/bind/bind9/bin/tests/system/rndc/ns2/incl.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/ns2/named.conf.in b/bind/bind9/bin/tests/system/rndc/ns2/named.conf.in
index e4dfe3fd..7048e1fd 100644
--- a/bind/bind9/bin/tests/system/rndc/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/rndc/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/ns2/secondkey.conf b/bind/bind9/bin/tests/system/rndc/ns2/secondkey.conf
index 2563b694..d0bae565 100644
--- a/bind/bind9/bin/tests/system/rndc/ns2/secondkey.conf
+++ b/bind/bind9/bin/tests/system/rndc/ns2/secondkey.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/ns3/named.conf.in b/bind/bind9/bin/tests/system/rndc/ns3/named.conf.in
index dd352955..d51461bf 100644
--- a/bind/bind9/bin/tests/system/rndc/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/rndc/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/ns4/named.conf.in b/bind/bind9/bin/tests/system/rndc/ns4/named.conf.in
index 2466e695..25683b87 100644
--- a/bind/bind9/bin/tests/system/rndc/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/rndc/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/ns5/named.conf.in b/bind/bind9/bin/tests/system/rndc/ns5/named.conf.in
index 889623ea..4c096716 100644
--- a/bind/bind9/bin/tests/system/rndc/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/rndc/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/ns6/named.conf.in b/bind/bind9/bin/tests/system/rndc/ns6/named.conf.in
index 5a577309..dcf6d927 100644
--- a/bind/bind9/bin/tests/system/rndc/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/rndc/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/setup.sh b/bind/bind9/bin/tests/system/rndc/setup.sh
index 8521ff8f..2eb2cd50 100644
--- a/bind/bind9/bin/tests/system/rndc/setup.sh
+++ b/bind/bind9/bin/tests/system/rndc/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rndc/tests.sh b/bind/bind9/bin/tests/system/rndc/tests.sh
index 57e066d5..4e25e51a 100644
--- a/bind/bind9/bin/tests/system/rndc/tests.sh
+++ b/bind/bind9/bin/tests/system/rndc/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -580,7 +580,7 @@ n=`expr $n + 1`
 echo_i "wait for the zones to be loaded ($n)"
 ret=1
 try=0
-while test $try -lt 100
+while test $try -lt 180
 do
     sleep 1
     sed -n "$cur,"'$p' < ns6/named.run | grep "any newly configured zones are now loaded" > /dev/null && {
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/clean.sh b/bind/bind9/bin/tests/system/rootkeysentinel/clean.sh
index 702002bc..1c4e453f 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/clean.sh
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns1/named.conf.in b/bind/bind9/bin/tests/system/rootkeysentinel/ns1/named.conf.in
index 6312ca16..b1e7e71c 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns1/root.db.in b/bind/bind9/bin/tests/system/rootkeysentinel/ns1/root.db.in
index 065bc6e9..e3ec1975 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns1/sign.sh b/bind/bind9/bin/tests/system/rootkeysentinel/ns1/sign.sh
index 369f75e0..8f901c35 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns2/example.db.in b/bind/bind9/bin/tests/system/rootkeysentinel/ns2/example.db.in
index 77425b19..a1184341 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns2/named.conf.in b/bind/bind9/bin/tests/system/rootkeysentinel/ns2/named.conf.in
index 2da0567c..990bd651 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns2/sign.sh b/bind/bind9/bin/tests/system/rootkeysentinel/ns2/sign.sh
index 861337b7..8c2faa9a 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns3/hint.db b/bind/bind9/bin/tests/system/rootkeysentinel/ns3/hint.db
index 4a736374..262650d3 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns3/hint.db
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns3/hint.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns3/named.conf.in b/bind/bind9/bin/tests/system/rootkeysentinel/ns3/named.conf.in
index ea118ce4..a5c3608d 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns4/hint.db b/bind/bind9/bin/tests/system/rootkeysentinel/ns4/hint.db
index 4a736374..262650d3 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns4/hint.db
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns4/hint.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/ns4/named.conf.in b/bind/bind9/bin/tests/system/rootkeysentinel/ns4/named.conf.in
index 3a42b3f4..e23038a3 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/prereq.sh b/bind/bind9/bin/tests/system/rootkeysentinel/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/prereq.sh
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/setup.sh b/bind/bind9/bin/tests/system/rootkeysentinel/setup.sh
index 90c6d445..59032e53 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/setup.sh
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rootkeysentinel/tests.sh b/bind/bind9/bin/tests/system/rootkeysentinel/tests.sh
index a36ec57f..d0405753 100644
--- a/bind/bind9/bin/tests/system/rootkeysentinel/tests.sh
+++ b/bind/bind9/bin/tests/system/rootkeysentinel/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/README b/bind/bind9/bin/tests/system/rpz/README
index 12b0e4ca..593913d1 100644
--- a/bind/bind9/bin/tests/system/rpz/README
+++ b/bind/bind9/bin/tests/system/rpz/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The test setup for the RPZ tests prepares a query perf tool and sets up
 policy zones.
diff --git a/bind/bind9/bin/tests/system/rpz/clean.sh b/bind/bind9/bin/tests/system/rpz/clean.sh
index 574606a8..25a39afc 100644
--- a/bind/bind9/bin/tests/system/rpz/clean.sh
+++ b/bind/bind9/bin/tests/system/rpz/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns1/named.conf.in b/bind/bind9/bin/tests/system/rpz/ns1/named.conf.in
index 21a0a824..b1ec9c9d 100644
--- a/bind/bind9/bin/tests/system/rpz/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpz/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns1/root.db b/bind/bind9/bin/tests/system/rpz/ns1/root.db
index 2e8ce08e..4c879375 100644
--- a/bind/bind9/bin/tests/system/rpz/ns1/root.db
+++ b/bind/bind9/bin/tests/system/rpz/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns2/base-tld2s.db b/bind/bind9/bin/tests/system/rpz/ns2/base-tld2s.db
index 039b1601..f53ed360 100644
--- a/bind/bind9/bin/tests/system/rpz/ns2/base-tld2s.db
+++ b/bind/bind9/bin/tests/system/rpz/ns2/base-tld2s.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns2/bl.tld2.db.in b/bind/bind9/bin/tests/system/rpz/ns2/bl.tld2.db.in
index 98b9e578..f14f1c6c 100644
--- a/bind/bind9/bin/tests/system/rpz/ns2/bl.tld2.db.in
+++ b/bind/bind9/bin/tests/system/rpz/ns2/bl.tld2.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns2/blv2.tld2.db.in b/bind/bind9/bin/tests/system/rpz/ns2/blv2.tld2.db.in
index e30db4b2..52765945 100644
--- a/bind/bind9/bin/tests/system/rpz/ns2/blv2.tld2.db.in
+++ b/bind/bind9/bin/tests/system/rpz/ns2/blv2.tld2.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns2/blv3.tld2.db.in b/bind/bind9/bin/tests/system/rpz/ns2/blv3.tld2.db.in
index 8a3d547f..c68f6603 100644
--- a/bind/bind9/bin/tests/system/rpz/ns2/blv3.tld2.db.in
+++ b/bind/bind9/bin/tests/system/rpz/ns2/blv3.tld2.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns2/hints b/bind/bind9/bin/tests/system/rpz/ns2/hints
index 28e5850c..2feedea3 100644
--- a/bind/bind9/bin/tests/system/rpz/ns2/hints
+++ b/bind/bind9/bin/tests/system/rpz/ns2/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns2/named.conf.in b/bind/bind9/bin/tests/system/rpz/ns2/named.conf.in
index 5cdc60e1..e570a87b 100644
--- a/bind/bind9/bin/tests/system/rpz/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpz/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns2/tld2.db b/bind/bind9/bin/tests/system/rpz/ns2/tld2.db
index a16d196e..7abcde87 100644
--- a/bind/bind9/bin/tests/system/rpz/ns2/tld2.db
+++ b/bind/bind9/bin/tests/system/rpz/ns2/tld2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns3/base.db b/bind/bind9/bin/tests/system/rpz/ns3/base.db
index fee71705..6615b5d9 100644
--- a/bind/bind9/bin/tests/system/rpz/ns3/base.db
+++ b/bind/bind9/bin/tests/system/rpz/ns3/base.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns3/broken.db.in b/bind/bind9/bin/tests/system/rpz/ns3/broken.db.in
index 671ed38a..508a7f82 100644
--- a/bind/bind9/bin/tests/system/rpz/ns3/broken.db.in
+++ b/bind/bind9/bin/tests/system/rpz/ns3/broken.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns3/hints b/bind/bind9/bin/tests/system/rpz/ns3/hints
index 28e5850c..2feedea3 100644
--- a/bind/bind9/bin/tests/system/rpz/ns3/hints
+++ b/bind/bind9/bin/tests/system/rpz/ns3/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in b/bind/bind9/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in
index 5c826518..6086c415 100644
--- a/bind/bind9/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in
+++ b/bind/bind9/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns3/manual-update-rpz.db.in b/bind/bind9/bin/tests/system/rpz/ns3/manual-update-rpz.db.in
index 81fa1f07..dfb46ce3 100644
--- a/bind/bind9/bin/tests/system/rpz/ns3/manual-update-rpz.db.in
+++ b/bind/bind9/bin/tests/system/rpz/ns3/manual-update-rpz.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns3/named.conf.in b/bind/bind9/bin/tests/system/rpz/ns3/named.conf.in
index fc6984b5..19c0af6a 100644
--- a/bind/bind9/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpz/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns4/hints b/bind/bind9/bin/tests/system/rpz/ns4/hints
index 28e5850c..2feedea3 100644
--- a/bind/bind9/bin/tests/system/rpz/ns4/hints
+++ b/bind/bind9/bin/tests/system/rpz/ns4/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns4/named.conf.in b/bind/bind9/bin/tests/system/rpz/ns4/named.conf.in
index 2cf36f26..68f72c61 100644
--- a/bind/bind9/bin/tests/system/rpz/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpz/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns4/tld4.db b/bind/bind9/bin/tests/system/rpz/ns4/tld4.db
index a1648182..f2181b3c 100644
--- a/bind/bind9/bin/tests/system/rpz/ns4/tld4.db
+++ b/bind/bind9/bin/tests/system/rpz/ns4/tld4.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns5/empty.db.in b/bind/bind9/bin/tests/system/rpz/ns5/empty.db.in
index 7edcc177..cba18d5a 100644
--- a/bind/bind9/bin/tests/system/rpz/ns5/empty.db.in
+++ b/bind/bind9/bin/tests/system/rpz/ns5/empty.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns5/hints b/bind/bind9/bin/tests/system/rpz/ns5/hints
index 28e5850c..2feedea3 100644
--- a/bind/bind9/bin/tests/system/rpz/ns5/hints
+++ b/bind/bind9/bin/tests/system/rpz/ns5/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns5/named.args b/bind/bind9/bin/tests/system/rpz/ns5/named.args
index 5ff9e54e..14371cc8 100644
--- a/bind/bind9/bin/tests/system/rpz/ns5/named.args
+++ b/bind/bind9/bin/tests/system/rpz/ns5/named.args
@@ -1,2 +1,2 @@
-# run the performace test close to real life
+# run the performance test close to real life
 -c named.conf -D rpz-ns5 -X named.lock -gd3
diff --git a/bind/bind9/bin/tests/system/rpz/ns5/named.conf.in b/bind/bind9/bin/tests/system/rpz/ns5/named.conf.in
index 28b8906b..ba767311 100644
--- a/bind/bind9/bin/tests/system/rpz/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpz/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns5/tld5.db b/bind/bind9/bin/tests/system/rpz/ns5/tld5.db
index cfdab74a..71b2985c 100644
--- a/bind/bind9/bin/tests/system/rpz/ns5/tld5.db
+++ b/bind/bind9/bin/tests/system/rpz/ns5/tld5.db
@@ -2,14 +2,14 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
 
 
-; RPZ preformance test
+; RPZ performance test
 
 $TTL	120
 @	SOA	.  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
diff --git a/bind/bind9/bin/tests/system/rpz/ns6/hints b/bind/bind9/bin/tests/system/rpz/ns6/hints
index 28e5850c..2feedea3 100644
--- a/bind/bind9/bin/tests/system/rpz/ns6/hints
+++ b/bind/bind9/bin/tests/system/rpz/ns6/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns6/named.conf.in b/bind/bind9/bin/tests/system/rpz/ns6/named.conf.in
index f22f7b1b..87e56c35 100644
--- a/bind/bind9/bin/tests/system/rpz/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpz/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns7/hints b/bind/bind9/bin/tests/system/rpz/ns7/hints
index 28e5850c..2feedea3 100644
--- a/bind/bind9/bin/tests/system/rpz/ns7/hints
+++ b/bind/bind9/bin/tests/system/rpz/ns7/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns7/named.conf.in b/bind/bind9/bin/tests/system/rpz/ns7/named.conf.in
index 434e2460..49beb3f7 100644
--- a/bind/bind9/bin/tests/system/rpz/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpz/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns9/hints b/bind/bind9/bin/tests/system/rpz/ns9/hints
index 28e5850c..2feedea3 100644
--- a/bind/bind9/bin/tests/system/rpz/ns9/hints
+++ b/bind/bind9/bin/tests/system/rpz/ns9/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns9/named.conf.in b/bind/bind9/bin/tests/system/rpz/ns9/named.conf.in
index 12d3a7b3..783991db 100644
--- a/bind/bind9/bin/tests/system/rpz/ns9/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpz/ns9/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/ns9/rpz.db b/bind/bind9/bin/tests/system/rpz/ns9/rpz.db
index 8840a096..cb05088e 100644
--- a/bind/bind9/bin/tests/system/rpz/ns9/rpz.db
+++ b/bind/bind9/bin/tests/system/rpz/ns9/rpz.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/prereq.sh b/bind/bind9/bin/tests/system/rpz/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/rpz/prereq.sh
+++ b/bind/bind9/bin/tests/system/rpz/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/qperf.sh b/bind/bind9/bin/tests/system/rpz/qperf.sh
index 9c8b391a..52d05117 100644
--- a/bind/bind9/bin/tests/system/rpz/qperf.sh
+++ b/bind/bind9/bin/tests/system/rpz/qperf.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/setup.sh b/bind/bind9/bin/tests/system/rpz/setup.sh
index ec698ac2..3c05fec3 100644
--- a/bind/bind9/bin/tests/system/rpz/setup.sh
+++ b/bind/bind9/bin/tests/system/rpz/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/test1 b/bind/bind9/bin/tests/system/rpz/test1
index f6292530..a03a95f5 100644
--- a/bind/bind9/bin/tests/system/rpz/test1
+++ b/bind/bind9/bin/tests/system/rpz/test1
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/test2 b/bind/bind9/bin/tests/system/rpz/test2
index 29f302c0..d260b960 100644
--- a/bind/bind9/bin/tests/system/rpz/test2
+++ b/bind/bind9/bin/tests/system/rpz/test2
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/test3 b/bind/bind9/bin/tests/system/rpz/test3
index 1a6f373b..beae0522 100644
--- a/bind/bind9/bin/tests/system/rpz/test3
+++ b/bind/bind9/bin/tests/system/rpz/test3
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/test4 b/bind/bind9/bin/tests/system/rpz/test4
index 37aabb3e..a84be92e 100644
--- a/bind/bind9/bin/tests/system/rpz/test4
+++ b/bind/bind9/bin/tests/system/rpz/test4
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/test4a b/bind/bind9/bin/tests/system/rpz/test4a
index fdc388e7..ec19add2 100644
--- a/bind/bind9/bin/tests/system/rpz/test4a
+++ b/bind/bind9/bin/tests/system/rpz/test4a
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/test5 b/bind/bind9/bin/tests/system/rpz/test5
index 1a3747c6..6b868e2f 100644
--- a/bind/bind9/bin/tests/system/rpz/test5
+++ b/bind/bind9/bin/tests/system/rpz/test5
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/test6 b/bind/bind9/bin/tests/system/rpz/test6
index ec04681b..982ab2cf 100644
--- a/bind/bind9/bin/tests/system/rpz/test6
+++ b/bind/bind9/bin/tests/system/rpz/test6
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpz/tests.sh b/bind/bind9/bin/tests/system/rpz/tests.sh
index 5636b8d3..a8929b9d 100644
--- a/bind/bind9/bin/tests/system/rpz/tests.sh
+++ b/bind/bind9/bin/tests/system/rpz/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -115,7 +115,7 @@ ck_soa() {
     done
 }
 
-# (re)load the reponse policy zones with the rules in the file $TEST_FILE
+# (re)load the response policy zones with the rules in the file $TEST_FILE
 load_db () {
     if test -n "$TEST_FILE"; then
         copy_setports $TEST_FILE tmp
@@ -246,22 +246,25 @@ clean_result () {
 # $2=other dig output file
 ckresult () {
     #ckalive "$1" "server crashed by 'dig $1'" || return 1
+    expr "$1" : 'TCP ' > /dev/null && tcp=1 || tcp=0
+    digarg=${1#TCP }
+
     if grep "flags:.* aa .*ad;" $DIGNM; then
-	setret "'dig $1' AA and AD set;"
+	setret "'dig $digarg' AA and AD set;"
     elif grep "flags:.* aa .*ad;" $DIGNM; then
-	setret "'dig $1' AD set;"
+	setret "'dig $digarg' AD set;"
     fi
+
     if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
-	NEED_TCP=`echo "$1" | sed -n -e 's/[Tt][Cc][Pp].*/TCP/p'`
-	RESULT_TCP=`sed -n -e 's/.*Truncated, retrying in TCP.*/TCP/p' $DIGNM`
-	if test "$NEED_TCP" != "$RESULT_TCP"; then
-	    setret "'dig $1' wrong; no or unexpected truncation in $DIGNM"
+	grep -q 'Truncated, retrying in TCP' $DIGNM && trunc=1 || trunc=0
+	if [ "$tcp" -ne "$trunc" ]; then
+	    setret "'dig $digarg' wrong; no or unexpected truncation in $DIGNM"
 	    return 1
 	fi
 	clean_result ${DIGNM}*
 	return 0
     fi
-    setret "'dig $1' wrong; diff $DIGNM $2"
+    setret "'dig $digarg' wrong; diff $DIGNM $2"
     return 1
 }
 
@@ -363,12 +366,30 @@ EOF
   sleep 2
 }
 
+#
+# generate prototype NXDOMAIN response to compare against.
+#
+make_proto_nxdomain() {
+  digcmd nonexistent @$ns2 >proto.nxdomain || return 1
+  grep "status: NXDOMAIN" proto.nxdomain >/dev/null || return 1
+  return 0
+}
+
+#
+# generate prototype NODATA response to compare against.
+#
+make_proto_nodata() {
+  digcmd txt-only.tld2 @$ns2 >proto.nodata || return 1
+  grep "status: NOERROR" proto.nodata >/dev/null || return 1
+  return 0
+}
+
 # this for loop is not necessary; it's here to make it easier
 # to backport changes from later versions, where it is.
 for mode in native; do
   # make prototype files to check against rewritten results
-  digcmd nonexistent @$ns2 >proto.nxdomain
-  digcmd txt-only.tld2 @$ns2 >proto.nodata
+  retry_quiet 10 make_proto_nxdomain
+  retry_quiet 10 make_proto_nodata
 
   start_group "QNAME rewrites" test1
   nochange .					# 1 do not crash or rewrite root
@@ -403,7 +424,7 @@ for mode in native; do
   nochange a0-1.tld2s srv +auth +dnssec		# 30 no write for DNSSEC and no record
   nxdomain a0-1.tld2s srv +nodnssec		# 31
   drop a3-8.tld2 any				# 32 drop
-  nochange tcp a3-9.tld2			# 33 tcp-only
+  nochange TCP a3-9.tld2			# 33 tcp-only
   here x.servfail <<'EOF'			# 34 qname-wait-recurse yes
     ;; status: SERVFAIL, x
 EOF
@@ -469,7 +490,7 @@ EOF
 	sleep 1
   done
   nochange a7-1.tld2				# 19 PASSTHRU
-  # ensure that a clock tick has occured so that the reload takes effect
+  # ensure that a clock tick has occurred so that the reload takes effect
   sleep 1
   cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
   goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60"
@@ -708,7 +729,7 @@ EOF
   $DIG -p ${PORT} @$ns3 ns example.com > dig.out.delegation
   grep "status: SERVFAIL" dig.out.delegation > /dev/null || setret "I:failed"
 
-  # RPZ 'CNAME *.' (NODATA) trumps DNS64.  Test against various DNS64 senarios.
+  # RPZ 'CNAME *.' (NODATA) trumps DNS64.  Test against various DNS64 scenarios.
   for label in a-only no-a-no-aaaa a-plus-aaaa
   do
     for type in AAAA A
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/README b/bind/bind9/bin/tests/system/rpzrecurse/README
index 67546bb5..62b4667f 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/README
+++ b/bind/bind9/bin/tests/system/rpzrecurse/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 These tests check RPZ recursion behavior (including skipping
 recursion when appropriate).
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/clean.sh b/bind/bind9/bin/tests/system/rpzrecurse/clean.sh
index 188164de..38ac0254 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/clean.sh
+++ b/bind/bind9/bin/tests/system/rpzrecurse/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns1/db.l0 b/bind/bind9/bin/tests/system/rpzrecurse/ns1/db.l0
index af0d9e85..cc3b3758 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns1/db.l0
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns1/db.l0
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns1/db.l1.l0 b/bind/bind9/bin/tests/system/rpzrecurse/ns1/db.l1.l0
index 36ed1e57..837c519b 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns1/db.l1.l0
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns1/db.l1.l0
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns1/example.com.db b/bind/bind9/bin/tests/system/rpzrecurse/ns1/example.com.db
new file mode 100644
index 00000000..c8c6d82f
--- /dev/null
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns1/example.com.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA ns.example.com. root.example.com. 1 3600 3600 3600 3600
+@    NS	 ns.example.com.
+
+ns.example.com.     A   10.53.0.1
+@                   A   1.2.3.4
+www                 A   1.2.3.5
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns1/example.db b/bind/bind9/bin/tests/system/rpzrecurse/ns1/example.db
index fd3e8877..153434bf 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns1/example.db
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns1/named.conf.in b/bind/bind9/bin/tests/system/rpzrecurse/ns1/named.conf.in
index e8105a2e..22e8311e 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -65,3 +65,8 @@ zone "test2.example.net" {
      type master;
      file "test2.example.net.db";
 };
+
+zone "example.com" {
+     type master;
+     file "example.com.db";
+};
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns1/root.db b/bind/bind9/bin/tests/system/rpzrecurse/ns1/root.db
index 1b1de3fc..8abde833 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns1/root.db
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns1/test1.example.net.db b/bind/bind9/bin/tests/system/rpzrecurse/ns1/test1.example.net.db
index 4d07a412..6c7f8af3 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns1/test1.example.net.db
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns1/test1.example.net.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns1/test2.example.net.db b/bind/bind9/bin/tests/system/rpzrecurse/ns1/test2.example.net.db
index bfe46aa2..4bcbe507 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns1/test2.example.net.db
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns1/test2.example.net.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip1 b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip1
index 9b99e451..7cafde8c 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip1
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip1
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip2 b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip2
index 49ab8812..593e745d 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip2
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip2
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip21 b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip21
index 770269cb..e620dc07 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip21
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.clientip21
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.given b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.given
new file mode 100644
index 00000000..373fe0b1
--- /dev/null
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.given
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN given.zone.
+$TTL 3600
+@               IN SOA ns.given.zone.  hostmaster.given.zone. 1 600 300 604800 3600
+                IN NS  ns.given.zone.
+
+ns IN A  127.0.0.1
+; this should be ignores as it matches earlier passthru entry.
+example.com CNAME .
+; this should be ignored as it matches earlier wildcard passthru entry.
+www.example.com CNAME .
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log1 b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log1
index f18cfe19..c1fabb76 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log1
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log1
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log2 b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log2
index 88722ff0..8bbe4485 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log2
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log2
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log3 b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log3
index b432802f..e3d5e5e4 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log3
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.log3
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.passthru b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.passthru
new file mode 100644
index 00000000..3b5f0db5
--- /dev/null
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.passthru
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN passthru.zone.
+$TTL 3600
+@               IN SOA ns.passthru.zone.  hostmaster.passthru.zone. 1 600 300 604800 3600
+                IN NS  ns.passthru.zone.
+
+ns IN A 127.0.0.1
+example.com     CNAME rpz-passthru.
+*.example.com   CNAME rpz-passthru.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard1 b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard1
index 8d6e8adc..2cd3ca2a 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard1
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard1
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard2a b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard2a
index 8d6e8adc..2cd3ca2a 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard2a
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard2a
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard2b b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard2b
index c362314d..59849a95 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard2b
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard2b
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard3 b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard3
index b60bdd19..7d822b08 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard3
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/db.wildcard3
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/named.conf.header.in b/bind/bind9/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
index cd64d3d5..2c124697 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns2/root.hint b/bind/bind9/bin/tests/system/rpzrecurse/ns2/root.hint
index f627479b..3a8b7039 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns2/root.hint
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns2/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns3/example.db b/bind/bind9/bin/tests/system/rpzrecurse/ns3/example.db
index 3fb4a243..5cdcadbd 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns3/example.db
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns3/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns3/named1.conf.in b/bind/bind9/bin/tests/system/rpzrecurse/ns3/named1.conf.in
index fa5ee303..f1403001 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns3/named1.conf.in
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns3/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns3/named2.conf.in b/bind/bind9/bin/tests/system/rpzrecurse/ns3/named2.conf.in
index a50a9cd5..0e3df4d5 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns3/named2.conf.in
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns3/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns3/policy.db b/bind/bind9/bin/tests/system/rpzrecurse/ns3/policy.db
index c2437d28..bdb61d45 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns3/policy.db
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns3/policy.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns3/root.db b/bind/bind9/bin/tests/system/rpzrecurse/ns3/root.db
index b12a1843..ab013b84 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns3/root.db
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns3/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns4/child.example.db b/bind/bind9/bin/tests/system/rpzrecurse/ns4/child.example.db
index 66cd956e..26372778 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns4/child.example.db
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns4/child.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/ns4/named.conf.in b/bind/bind9/bin/tests/system/rpzrecurse/ns4/named.conf.in
index 707b5778..71186bb9 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/rpzrecurse/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/prereq.sh b/bind/bind9/bin/tests/system/rpzrecurse/prereq.sh
index 6f0487ea..38cf775c 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/prereq.sh
+++ b/bind/bind9/bin/tests/system/rpzrecurse/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -17,7 +17,7 @@ $FEATURETEST --rpz-nsdname || ret=1
 $FEATURETEST --rpz-nsip || ret=1
 
 if [ $ret != 0 ]; then
-    echo "I:This test requires NSIP AND NSDNAME support in RPZ." >&2
+    echo_i "This test requires NSIP AND NSDNAME support in RPZ." >&2
     exit 1
 fi
 
@@ -27,6 +27,6 @@ if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     :
 else
-    echo "I:This test requires the Net::DNS library." >&2
+    echo_i "This test requires the Net::DNS library." >&2
     exit 1
 fi
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/setup.sh b/bind/bind9/bin/tests/system/rpzrecurse/setup.sh
index 46806558..e162f712 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/setup.sh
+++ b/bind/bind9/bin/tests/system/rpzrecurse/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/testgen.pl b/bind/bind9/bin/tests/system/rpzrecurse/testgen.pl
index af43bbd9..abd9df98 100755
--- a/bind/bind9/bin/tests/system/rpzrecurse/testgen.pl
+++ b/bind/bind9/bin/tests/system/rpzrecurse/testgen.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rpzrecurse/tests.sh b/bind/bind9/bin/tests/system/rpzrecurse/tests.sh
index 92b06efb..dd413ea8 100644
--- a/bind/bind9/bin/tests/system/rpzrecurse/tests.sh
+++ b/bind/bind9/bin/tests/system/rpzrecurse/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -309,15 +309,15 @@ expected4="view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0${AIN} via 3
 expected3="view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0${AIN} via 32.3.0.53.10.rpz-client-ip.log2"
 expected2="view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0${AIN} via 32.2.0.53.10.rpz-client-ip.log3"
 sed -n "$cur,"'$p' < ns2/named.run | grep "$expected4" > /dev/null && {
-    echo_i " failed: unexpected rewrite message for policy zone log1 was logged"
+    echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
     status=1
 }
 sed -n "$cur,"'$p' < ns2/named.run | grep "$expected3" > /dev/null || {
-    echo_i " failed: expected rewrite message for policy zone log2 was not logged"
+    echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
     status=1
 }
 sed -n "$cur,"'$p' < ns2/named.run | grep "$expected2" > /dev/null || {
-    echo_i " failed: expected rewrite message for policy zone log3 was not logged"
+    echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
     status=1
 }
 
@@ -390,5 +390,19 @@ if test $p1 -le $p2; then ret=1; fi
 if test $ret != 0; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+t=`expr $t + 1`
+echo_i "testing wildcard passthru before explicit drop (${t})"
+run_server wildcard4
+$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.1
+grep "status: NOERROR" dig.out.${t}.1 > /dev/null || {
+	echo_i "test ${t} failed"
+	status=1
+}
+$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.2
+grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
+	echo_i "test ${t} failed"
+	status=1
+}
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/rrchecker/clean.sh b/bind/bind9/bin/tests/system/rrchecker/clean.sh
index 11e7d2d2..e3b7f677 100644
--- a/bind/bind9/bin/tests/system/rrchecker/clean.sh
+++ b/bind/bind9/bin/tests/system/rrchecker/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrchecker/tests.sh b/bind/bind9/bin/tests/system/rrchecker/tests.sh
index 29440161..88892fcc 100644
--- a/bind/bind9/bin/tests/system/rrchecker/tests.sh
+++ b/bind/bind9/bin/tests/system/rrchecker/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/broken.conf b/bind/bind9/bin/tests/system/rrl/broken.conf
index 75df4fcc..1aec1626 100644
--- a/bind/bind9/bin/tests/system/rrl/broken.conf
+++ b/bind/bind9/bin/tests/system/rrl/broken.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/clean.sh b/bind/bind9/bin/tests/system/rrl/clean.sh
index 55a1c12b..d53d4848 100644
--- a/bind/bind9/bin/tests/system/rrl/clean.sh
+++ b/bind/bind9/bin/tests/system/rrl/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns1/named.conf.in b/bind/bind9/bin/tests/system/rrl/ns1/named.conf.in
index 4605e46e..969c89ae 100644
--- a/bind/bind9/bin/tests/system/rrl/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/rrl/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns1/root.db b/bind/bind9/bin/tests/system/rrl/ns1/root.db
index c628370d..acb1be7a 100644
--- a/bind/bind9/bin/tests/system/rrl/ns1/root.db
+++ b/bind/bind9/bin/tests/system/rrl/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns2/hints b/bind/bind9/bin/tests/system/rrl/ns2/hints
index cb67a8b3..72cf578f 100644
--- a/bind/bind9/bin/tests/system/rrl/ns2/hints
+++ b/bind/bind9/bin/tests/system/rrl/ns2/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns2/named.conf.in b/bind/bind9/bin/tests/system/rrl/ns2/named.conf.in
index 73e32964..50e6fc38 100644
--- a/bind/bind9/bin/tests/system/rrl/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/rrl/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns2/tld2.db b/bind/bind9/bin/tests/system/rrl/ns2/tld2.db
index 4a4b97aa..47080662 100644
--- a/bind/bind9/bin/tests/system/rrl/ns2/tld2.db
+++ b/bind/bind9/bin/tests/system/rrl/ns2/tld2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns3/hints b/bind/bind9/bin/tests/system/rrl/ns3/hints
index cb67a8b3..72cf578f 100644
--- a/bind/bind9/bin/tests/system/rrl/ns3/hints
+++ b/bind/bind9/bin/tests/system/rrl/ns3/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns3/named.conf.in b/bind/bind9/bin/tests/system/rrl/ns3/named.conf.in
index 5be45fac..9c08ca24 100644
--- a/bind/bind9/bin/tests/system/rrl/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/rrl/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns3/tld3.db b/bind/bind9/bin/tests/system/rrl/ns3/tld3.db
index 26e9f330..22e35253 100644
--- a/bind/bind9/bin/tests/system/rrl/ns3/tld3.db
+++ b/bind/bind9/bin/tests/system/rrl/ns3/tld3.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns4/hints b/bind/bind9/bin/tests/system/rrl/ns4/hints
index cb67a8b3..72cf578f 100644
--- a/bind/bind9/bin/tests/system/rrl/ns4/hints
+++ b/bind/bind9/bin/tests/system/rrl/ns4/hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns4/named.conf.in b/bind/bind9/bin/tests/system/rrl/ns4/named.conf.in
index a35e353b..9391923b 100644
--- a/bind/bind9/bin/tests/system/rrl/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/rrl/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/ns4/tld4.db b/bind/bind9/bin/tests/system/rrl/ns4/tld4.db
index 5b746a01..e3c56ce6 100644
--- a/bind/bind9/bin/tests/system/rrl/ns4/tld4.db
+++ b/bind/bind9/bin/tests/system/rrl/ns4/tld4.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/setup.sh b/bind/bind9/bin/tests/system/rrl/setup.sh
index 607a3417..e677e86e 100644
--- a/bind/bind9/bin/tests/system/rrl/setup.sh
+++ b/bind/bind9/bin/tests/system/rrl/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrl/tests.sh b/bind/bind9/bin/tests/system/rrl/tests.sh
index 977950f7..9b8c8107 100644
--- a/bind/bind9/bin/tests/system/rrl/tests.sh
+++ b/bind/bind9/bin/tests/system/rrl/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -81,7 +81,7 @@ burst () {
         eval BURST_DOM="$BURST_DOM_BASE"
         DOMS="$DOMS $BURST_DOM"
     done
-    ARGS="+nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS"
+    ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS"
     $MDIG $ARGS 2>&1 |                                                  \
         tr -d '\r' |                                                    \
         tee -a full-$FILENAME |                                         \
@@ -93,7 +93,7 @@ burst () {
 		-e 's/;; .* status: NOERROR.*/NOERROR/p'		\
 		-e 's/;; .* status: SERVFAIL.*/SERVFAIL/p'		\
 		-e 's/response failed with timed out.*/drop/p'		\
-		-e 's/;; communications error to.*/drop/p' >> $FILENAME
+		-e 's/;; communications error to.*/drop/p' >> $FILENAME &
     QNUM=`expr $QNUM + $BURST_LIMIT`
 }
 
@@ -105,6 +105,8 @@ range () {
 #   $1=domain  $2=IP address  $3=# of IP addresses  $4=TC  $5=drop
 #	$6=NXDOMAIN  $7=SERVFAIL or other errors
 ck_result() {
+    # wait to the background mdig calls to complete.
+    wait
     BAD=no
     ADDRS=`egrep "^$2$" mdig.out-$1				2>/dev/null | wc -l`
     # count simple truncated and truncated NXDOMAIN as TC
diff --git a/bind/bind9/bin/tests/system/rrsetorder/clean.sh b/bind/bind9/bin/tests/system/rrsetorder/clean.sh
index b88c8d1a..58696333 100644
--- a/bind/bind9/bin/tests/system/rrsetorder/clean.sh
+++ b/bind/bind9/bin/tests/system/rrsetorder/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrsetorder/ns1/named.conf.in b/bind/bind9/bin/tests/system/rrsetorder/ns1/named.conf.in
index e3430f7c..66b7786c 100644
--- a/bind/bind9/bin/tests/system/rrsetorder/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/rrsetorder/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrsetorder/ns1/root.db b/bind/bind9/bin/tests/system/rrsetorder/ns1/root.db
index 3229825c..e3ab4a1c 100644
--- a/bind/bind9/bin/tests/system/rrsetorder/ns1/root.db
+++ b/bind/bind9/bin/tests/system/rrsetorder/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrsetorder/ns2/named.conf.in b/bind/bind9/bin/tests/system/rrsetorder/ns2/named.conf.in
index ae7eb959..e8effe6e 100644
--- a/bind/bind9/bin/tests/system/rrsetorder/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/rrsetorder/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrsetorder/ns3/named.conf.in b/bind/bind9/bin/tests/system/rrsetorder/ns3/named.conf.in
index 9597bb7c..54654217 100644
--- a/bind/bind9/bin/tests/system/rrsetorder/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/rrsetorder/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrsetorder/ns4/named.conf.in b/bind/bind9/bin/tests/system/rrsetorder/ns4/named.conf.in
index fea31e1d..759111e1 100644
--- a/bind/bind9/bin/tests/system/rrsetorder/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/rrsetorder/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrsetorder/setup.sh b/bind/bind9/bin/tests/system/rrsetorder/setup.sh
index 607a3417..e677e86e 100644
--- a/bind/bind9/bin/tests/system/rrsetorder/setup.sh
+++ b/bind/bind9/bin/tests/system/rrsetorder/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rrsetorder/tests.sh b/bind/bind9/bin/tests/system/rrsetorder/tests.sh
index 1b4245a4..1b5b24b1 100644
--- a/bind/bind9/bin/tests/system/rrsetorder/tests.sh
+++ b/bind/bind9/bin/tests/system/rrsetorder/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/Makefile.in b/bind/bind9/bin/tests/system/rsabigexponent/Makefile.in
index 83b41b8b..b1fd3fd6 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/Makefile.in
+++ b/bind/bind9/bin/tests/system/rsabigexponent/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/README.md b/bind/bind9/bin/tests/system/rsabigexponent/README.md
new file mode 100644
index 00000000..4142221e
--- /dev/null
+++ b/bind/bind9/bin/tests/system/rsabigexponent/README.md
@@ -0,0 +1,24 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The `rsabigexponent` test is used to `check max-rsa-exponent-size`.
+
+We only run this test on builds without PKCS#11, as we have control over
+the RSA exponent size with plain OpenSSL. We have not explored how to do
+this with PKCS#11, which would require generating such a key and then
+signing a zone with it. Additionally, even with control of the exponent
+size with PKCS#11, generating a DNSKEY with this property and signing
+such a zone would be slow and undesirable for each test run; instead, we
+use a pregenerated DNSKEY and a saved signed zone.  These are located in
+`rsabigexponent/ns2` and currently use RSASHA1 for the `DNSKEY`
+algorithm; however, that may need to be changed in the future.
+
+To generate the `DNSKEY` used in this test, we used `bigkey.c`, as
+dnssec-keygen is not capable of generating such keys.
+
+Do **not** remove `bigkey.c` as it may be needed to generate a new
+`DNSKEY` for testing purposes.
+
+`bigkey` is used to both test that we are not running under PKCS#11 and
+generate a `DNSKEY` key with a large RSA exponent.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/bigkey.c b/bind/bind9/bin/tests/system/rsabigexponent/bigkey.c
index 4462f2e8..abf12edc 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/bigkey.c
+++ b/bind/bind9/bin/tests/system/rsabigexponent/bigkey.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/clean.sh b/bind/bind9/bin/tests/system/rsabigexponent/clean.sh
index bba0f117..db1e9a30 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/clean.sh
+++ b/bind/bind9/bin/tests/system/rsabigexponent/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/conf/bad01.conf b/bind/bind9/bin/tests/system/rsabigexponent/conf/bad01.conf
index 1c56cc33..b597ec6d 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/conf/bad01.conf
+++ b/bind/bind9/bin/tests/system/rsabigexponent/conf/bad01.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/conf/bad02.conf b/bind/bind9/bin/tests/system/rsabigexponent/conf/bad02.conf
index 671199d3..746fe18d 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/conf/bad02.conf
+++ b/bind/bind9/bin/tests/system/rsabigexponent/conf/bad02.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/conf/bad03.conf b/bind/bind9/bin/tests/system/rsabigexponent/conf/bad03.conf
index d7edae6d..71ac520f 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/conf/bad03.conf
+++ b/bind/bind9/bin/tests/system/rsabigexponent/conf/bad03.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/conf/good01.conf b/bind/bind9/bin/tests/system/rsabigexponent/conf/good01.conf
index bfa7a451..bd396d17 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/conf/good01.conf
+++ b/bind/bind9/bin/tests/system/rsabigexponent/conf/good01.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/conf/good02.conf b/bind/bind9/bin/tests/system/rsabigexponent/conf/good02.conf
index d87fb7fb..11f7144a 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/conf/good02.conf
+++ b/bind/bind9/bin/tests/system/rsabigexponent/conf/good02.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/conf/good03.conf b/bind/bind9/bin/tests/system/rsabigexponent/conf/good03.conf
index 0a70e29f..cefb943c 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/conf/good03.conf
+++ b/bind/bind9/bin/tests/system/rsabigexponent/conf/good03.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/ns1/named.conf.in b/bind/bind9/bin/tests/system/rsabigexponent/ns1/named.conf.in
index a43c02bc..bd7887d7 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/rsabigexponent/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/ns1/root.db.in b/bind/bind9/bin/tests/system/rsabigexponent/ns1/root.db.in
index d205fc87..b82688c8 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/rsabigexponent/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/ns1/sign.sh b/bind/bind9/bin/tests/system/rsabigexponent/ns1/sign.sh
index 8570855d..8983ea5e 100755
--- a/bind/bind9/bin/tests/system/rsabigexponent/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/rsabigexponent/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/ns2/example.db.bad b/bind/bind9/bin/tests/system/rsabigexponent/ns2/example.db.bad
index 1d0d4b58..af335f14 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/ns2/example.db.bad
+++ b/bind/bind9/bin/tests/system/rsabigexponent/ns2/example.db.bad
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/ns2/example.db.in b/bind/bind9/bin/tests/system/rsabigexponent/ns2/example.db.in
index 3a958b51..23b5708b 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/rsabigexponent/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/ns2/named.conf.in b/bind/bind9/bin/tests/system/rsabigexponent/ns2/named.conf.in
index 2e8eb7aa..4498177a 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/rsabigexponent/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/ns2/sign.sh b/bind/bind9/bin/tests/system/rsabigexponent/ns2/sign.sh
index da479b27..213925af 100755
--- a/bind/bind9/bin/tests/system/rsabigexponent/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/rsabigexponent/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/ns3/named.conf.in b/bind/bind9/bin/tests/system/rsabigexponent/ns3/named.conf.in
index 99d2a0d3..20db83e9 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/rsabigexponent/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/prereq.sh b/bind/bind9/bin/tests/system/rsabigexponent/prereq.sh
index 9c3580bc..e2370222 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/prereq.sh
+++ b/bind/bind9/bin/tests/system/rsabigexponent/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/setup.sh b/bind/bind9/bin/tests/system/rsabigexponent/setup.sh
index cf596c69..7b25573a 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/setup.sh
+++ b/bind/bind9/bin/tests/system/rsabigexponent/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/rsabigexponent/tests.sh b/bind/bind9/bin/tests/system/rsabigexponent/tests.sh
index b5305289..347bb45b 100644
--- a/bind/bind9/bin/tests/system/rsabigexponent/tests.sh
+++ b/bind/bind9/bin/tests/system/rsabigexponent/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/run.sh b/bind/bind9/bin/tests/system/run.sh
index a0d8b6d0..d0a59a5c 100755..100644
--- a/bind/bind9/bin/tests/system/run.sh
+++ b/bind/bind9/bin/tests/system/run.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,27 +16,32 @@
 SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)"
 . $SYSTEMTESTTOP/conf.sh
 
+if [ "`id -u`" -eq "0" ] && ! ${NAMED} -V | grep -q -F -- "enable-developer"; then
+    echofail "Refusing to run test as root. Build with --enable-developer to override." >&2
+    exit 1
+fi
+
 export SYSTEMTESTTOP
 
 stopservers=true
 baseport=5300
 
 if [ ${SYSTEMTEST_NO_CLEAN:-0} -eq 1 ]; then
-	clean=false
+    clean=false
 else
-	clean=true
+    clean=true
 fi
 
 while getopts "knp:r-:" flag; do
     case "$flag" in
-	-) case "${OPTARG}" in
+    -) case "${OPTARG}" in
                keep) stopservers=false ;;
                noclean) clean=false ;;
            esac
            ;;
-	k) stopservers=false ;;
-	n) clean=false ;;
-	p) baseport=$OPTARG ;;
+    k) stopservers=false ;;
+    n) clean=false ;;
+    p) baseport=$OPTARG ;;
     esac
 done
 shift `expr $OPTIND - 1`
@@ -190,48 +195,60 @@ $PERL stop.pl $systest
 
 status=`expr $status + $?`
 
-if [ $status != 0 ]; then
+get_core_dumps() {
+    find "$systest/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort
+}
+
+core_dumps=$(get_core_dumps | tr '\n' ' ')
+assertion_failures=$(find "$systest/" -name named.run -print0 | xargs -0 grep "assertion failure" | wc -l)
+sanitizer_summaries=$(find "$systest/" -name 'tsan.*' | wc -l)
+if [ -n "$core_dumps" ]; then
+    echoinfo "I:$systest:Core dump(s) found: $core_dumps"
+    echofail "R:$systest:FAIL"
+    get_core_dumps | while read -r coredump; do
+        SYSTESTDIR="$systest"
+        echoinfo "D:$systest:backtrace from $coredump:"
+        echoinfo "D:$systest:--------------------------------------------------------------------------------"
+        binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p")
+        if [ ! -f "${binary}" ]; then
+            binary=$(find "${TOP}" -path "*/.libs/${binary}" -type f)
+        fi
+        "${TOP}/libtool" --mode=execute gdb \
+                                  -batch \
+                                  -ex bt \
+                                  -core="$coredump" \
+                                  -- \
+                                  "$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d
+        echoinfo "D:$systest:--------------------------------------------------------------------------------"
+        coredump_backtrace="${coredump}-backtrace.txt"
+        echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace"
+        "${TOP}/libtool" --mode=execute gdb \
+                      -batch \
+                      -command=run.gdb \
+                      -core="$coredump" \
+                      -- \
+                      "$binary" > "$coredump_backtrace" 2>&1
+        echoinfo "D:$systest:core dump $coredump archived as $coredump.gz"
+        gzip -1 "${coredump}"
+    done
+elif [ "$assertion_failures" -ne 0 ]; then
+    echoinfo "I:$systest:$assertion_failures assertion failure(s) found"
+    find "$systest/" -name 'tsan.*' -print0 | xargs -0 grep "SUMMARY: " | sort -u | cat_d
+    echofail "R:$systest:FAIL"
+elif [ "$sanitizer_summaries" -ne 0 ]; then
+    echoinfo "I:$systest:$sanitizer_summaries sanitizer report(s) found"
+    echofail "R:$systest:FAIL"
+elif [ "$status" != 0 ]; then
     echofail "R:$systest:FAIL"
-    # Do not clean up - we need the evidence.
 else
-    core_dumps="`find $systest/ -name 'core*' -or -name '*.core' | sort | tr '\n' ' '`"
-    assertion_failures=`find $systest/ -name named.run | xargs grep "assertion failure" | wc -l`
-    sanitizer_summaries=`find $systest/ -type f | grep '^[-a-zA-Z0-9./_]*$' | xargs grep "SUMMARY: .*Sanitizer" | wc -l`
-    if [ -n "$core_dumps" ]; then
-        echoinfo "I:$systest:Test claims success despite crashes: $core_dumps"
-        echofail "R:$systest:FAIL"
-        # Do not clean up - we need the evidence.
-	find "$systest/" -name 'core*' -or -name '*.core' | while read -r coredump; do
-		SYSTESTDIR="$systest"
-		echoinfo "D:$systest:backtrace from $coredump start"
-		binary="`gdb --batch --core="$coredump" | sed -ne "s/Core was generated by .//;s/ .*'.$//p;"`"
-		"$TOP/libtool" --mode=execute gdb \
-			       --batch \
-			       --command=run.gdb \
-			       --core="$coredump" \
-			       -- \
-			       "$binary"
-		echoinfo "D:$systest:backtrace from $coredump end"
-	done
-    elif [ $assertion_failures -ne 0 ]; then
-        echoinfo "I:$systest:Test claims success despite $assertion_failures assertion failure(s)"
-        echofail "R:$systest:FAIL"
-        # Do not clean up - we need the evidence.
-    elif [ $sanitizer_summaries -ne 0 ]; then
-        echoinfo "I:$systest:Test claims success despite $sanitizer_summaries sanitizer reports(s)"
-        echofail "R:$systest:FAIL"
-    else
-        echopass "R:$systest:PASS"
-        if $clean
-        then
-            ( cd $systest && $SHELL clean.sh "$@" )
-            if test -d ../../../.git
-            then
-                git status -su --ignored $systest 2>/dev/null | \
-                sed -n -e 's|^?? \(.*\)|I:file \1 not removed|p' \
-                -e 's|^!! \(.*/named.run\)$|I:file \1 not removed|p' \
-                -e 's|^!! \(.*/named.memstats\)$|I:file \1 not removed|p'
-            fi
+    echopass "R:$systest:PASS"
+    if $clean; then
+        ( cd $systest && $SHELL clean.sh "$@" )
+        if test -d ../../../.git; then
+            git status -su --ignored "${systest}/" 2>/dev/null | \
+            sed -n -e 's|^?? \(.*\)|I:'${systest}':file \1 not removed|p' \
+            -e 's|^!! \(.*/named.run\)$|I:'${systest}':file \1 not removed|p' \
+            -e 's|^!! \(.*/named.memstats\)$|I:'${systest}':file \1 not removed|p'
         fi
     fi
 fi
diff --git a/bind/bind9/bin/tests/system/runall.sh b/bind/bind9/bin/tests/system/runall.sh
index 93df8dab..70c24f75 100755
--- a/bind/bind9/bin/tests/system/runall.sh
+++ b/bind/bind9/bin/tests/system/runall.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/runsequential.sh b/bind/bind9/bin/tests/system/runsequential.sh
index 6380f4c2..fad4210c 100644
--- a/bind/bind9/bin/tests/system/runsequential.sh
+++ b/bind/bind9/bin/tests/system/runsequential.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/runtime/README b/bind/bind9/bin/tests/system/runtime/README
index 11429a29..eeda486e 100644
--- a/bind/bind9/bin/tests/system/runtime/README
+++ b/bind/bind9/bin/tests/system/runtime/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Tests of runtime checks, e.g., that named prevents duplicate processes
 from running.
diff --git a/bind/bind9/bin/tests/system/runtime/clean.sh b/bind/bind9/bin/tests/system/runtime/clean.sh
index 896e20f5..5044e9dd 100644
--- a/bind/bind9/bin/tests/system/runtime/clean.sh
+++ b/bind/bind9/bin/tests/system/runtime/clean.sh
@@ -4,18 +4,21 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f ns2/named.conf ns2/named-alt*.conf
-rm -f */named.memstats
+[ -d ns2/nope ] && chmod 755 ns2/nope
+
+rm -f *.pid
 rm -f */named*.run
+rm -f */named.memstats
+rm -f kill*.out
+rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock ns*/named*.pid ns*/other.lock
-rm -f *.pid
+rm -f ns2/named.conf ns2/named-alt*.conf
 rm -f rndc.out*
-[ -d ns2/nope ] && chmod 755 ns2/nope
 rm -rf ns2/nope
 rm -f ns2/dir ns2/nopedir ns2/mkd ns2/nopemkd
 rm -rf ns2/tmp.*
diff --git a/bind/bind9/bin/tests/system/runtime/ns2/named-alt1.conf.in b/bind/bind9/bin/tests/system/runtime/ns2/named-alt1.conf.in
index 74724dc4..8d2c7e25 100644
--- a/bind/bind9/bin/tests/system/runtime/ns2/named-alt1.conf.in
+++ b/bind/bind9/bin/tests/system/runtime/ns2/named-alt1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/runtime/ns2/named-alt2.conf.in b/bind/bind9/bin/tests/system/runtime/ns2/named-alt2.conf.in
index f22d737a..ca362a94 100644
--- a/bind/bind9/bin/tests/system/runtime/ns2/named-alt2.conf.in
+++ b/bind/bind9/bin/tests/system/runtime/ns2/named-alt2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/runtime/ns2/named-alt3.conf.in b/bind/bind9/bin/tests/system/runtime/ns2/named-alt3.conf.in
index e9ae6c94..920b7b9e 100644
--- a/bind/bind9/bin/tests/system/runtime/ns2/named-alt3.conf.in
+++ b/bind/bind9/bin/tests/system/runtime/ns2/named-alt3.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/runtime/ns2/named-alt4.conf.in b/bind/bind9/bin/tests/system/runtime/ns2/named-alt4.conf.in
index 49c9e675..f63a728b 100644
--- a/bind/bind9/bin/tests/system/runtime/ns2/named-alt4.conf.in
+++ b/bind/bind9/bin/tests/system/runtime/ns2/named-alt4.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -14,7 +14,7 @@ options {
 	include "nopemkd";
 	port @PORT@;
 	pid-file "named.pid";
-	listen-on { 127.0.0.1; };
+	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	recursion yes;
 	dnssec-validation auto;
diff --git a/bind/bind9/bin/tests/system/runtime/ns2/named-alt5.conf.in b/bind/bind9/bin/tests/system/runtime/ns2/named-alt5.conf.in
index 7d413fdc..7843bfb7 100644
--- a/bind/bind9/bin/tests/system/runtime/ns2/named-alt5.conf.in
+++ b/bind/bind9/bin/tests/system/runtime/ns2/named-alt5.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,7 +13,7 @@ options {
 	include "nopedir";
 	port @PORT@;
 	pid-file "../named.pid";
-	listen-on { 127.0.0.1; };
+	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	recursion no;
 	dnssec-validation auto;
diff --git a/bind/bind9/bin/tests/system/runtime/ns2/named-alt6.conf.in b/bind/bind9/bin/tests/system/runtime/ns2/named-alt6.conf.in
index 4e35f26b..906cd734 100644
--- a/bind/bind9/bin/tests/system/runtime/ns2/named-alt6.conf.in
+++ b/bind/bind9/bin/tests/system/runtime/ns2/named-alt6.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -14,7 +14,7 @@ options {
 	include "../mkd";
 	port @PORT@;
 	pid-file "../named.pid";
-	listen-on { 127.0.0.1; };
+	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	recursion no;
 	dnssec-validation auto;
diff --git a/bind/bind9/bin/tests/system/runtime/ns2/named-alt9.conf.in b/bind/bind9/bin/tests/system/runtime/ns2/named-alt9.conf.in
index 7a5cb244..8354a4fd 100644
--- a/bind/bind9/bin/tests/system/runtime/ns2/named-alt9.conf.in
+++ b/bind/bind9/bin/tests/system/runtime/ns2/named-alt9.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -12,7 +12,7 @@
 options {
 	port @PORT@;
 	pid-file "named9.pid";
-	listen-on { 127.0.0.1; };
+	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	recursion no;
 };
diff --git a/bind/bind9/bin/tests/system/runtime/ns2/named1.conf.in b/bind/bind9/bin/tests/system/runtime/ns2/named1.conf.in
index 7eb7f6c6..d25f1612 100644
--- a/bind/bind9/bin/tests/system/runtime/ns2/named1.conf.in
+++ b/bind/bind9/bin/tests/system/runtime/ns2/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/runtime/setup.sh b/bind/bind9/bin/tests/system/runtime/setup.sh
index a14776aa..853429fd 100644
--- a/bind/bind9/bin/tests/system/runtime/setup.sh
+++ b/bind/bind9/bin/tests/system/runtime/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/runtime/tests.sh b/bind/bind9/bin/tests/system/runtime/tests.sh
index a3318cd9..bd9bb4d4 100644
--- a/bind/bind9/bin/tests/system/runtime/tests.sh
+++ b/bind/bind9/bin/tests/system/runtime/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,6 +16,7 @@ SYSTEMTESTTOP=..
 set -e
 
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+NAMED_DEFAULT_ARGS="-m record,size,mctx -d 99 -g -U 4"
 
 kill_named() {
 	pidfile="${1}"
@@ -44,21 +45,26 @@ kill_named() {
 	return 0
 }
 
-wait_for_named() {
-	retries=10
-	while [ "$retries" -gt 0 ]; do
-		if grep "$@" >/dev/null 2>&1; then
-			break
-		fi
-		sleep 1
-		retries=$((retries-1))
-	done
-	if [ "$retries" -eq 0 ]; then
-		return 1
-	fi
-	return 0
+check_named_log() {
+	grep "$@" >/dev/null 2>&1
 }
 
+run_named() (
+	dir="$1"
+	shift
+	run="$1"
+	shift
+	if cd "$dir" > /dev/null 2>&1
+	then
+		"${NAMED}" "$@" ${NAMED_DEFAULT_ARGS} >> "$run" 2>&1 &
+		echo $!
+	fi
+)
+
+check_pid() (
+	return $(! $KILL -0 "${1}" >/dev/null 2>&1)
+)
+
 status=0
 n=0
 
@@ -75,10 +81,12 @@ if [ ! "$CYGWIN" ]; then
     n=$((n+1))
     echo_i "verifying that named checks for conflicting listeners ($n)"
     ret=0
-    (cd ns2 && $NAMED -c named-alt1.conf -D ns2-extra-1 -X other.lock -m record,size,mctx -d 99 -g -U 4 >> named$n.run 2>&1 & )
-    wait_for_named "unable to listen on any configured interface" ns2/named$n.run || ret=1
-    wait_for_named "exiting (due to fatal error)" ns2/named$n.run || ret=1
+    testpid=$(run_named ns2 named$n.run -c named-alt1.conf -D ns2-extra-1 -X other.lock)
+    test -n "$testpid" || ret=1
+    retry_quiet 10 check_named_log "unable to listen on any configured interface" ns2/named$n.run || ret=1
+    retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1
     kill_named named.pid && ret=1
+    test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
     if [ $ret -ne 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
 fi
@@ -86,18 +94,24 @@ fi
 n=$((n+1))
 echo_i "verifying that named checks for conflicting named processes ($n)"
 ret=0
-(cd ns2 && $NAMED -c named-alt2.conf -D runtime-ns2-extra-2 -X named.lock -m record,size,mctx -d 99 -g -U 4 >> named$n.run 2>&1 & )
-wait_for_named "another named process" ns2/named$n.run || ret=1
+testpid=$(run_named ns2 named$n.run -c named-alt2.conf -D runtime-ns2-extra-2 -X named.lock)
+test -n "$testpid" || ret=1
+retry_quiet 10 check_named_log "another named process" ns2/named$n.run || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+test -n "$testpid" && $KILL -15 $testpid > kill$n.out 2>&1 && ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
 n=$((n+1))
 echo_i "verifying that 'lock-file none' disables process check ($n)"
 ret=0
-(cd ns2 && $NAMED -c named-alt3.conf -D runtime-ns2-extra-3 -m record,size,mctx -d 99 -g -U 4 >> named$n.run 2>&1 & )
-wait_for_named "running$" ns2/named$n.run || ret=1
+testpid=$(run_named ns2 named$n.run -c named-alt3.conf -D runtime-ns2-extra-3)
+test -n "$testpid" || ret=1
+retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1
 grep "another named process" ns2/named$n.run > /dev/null && ret=1
 kill_named ns2/named-alt3.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
@@ -109,7 +123,7 @@ then
     copy_setports ns2/named-alt4.conf.in ns2/named.conf
     $RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1
     grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
-    wait_for_named "managed-keys-directory '.*' is not writable" ns2/named.run || ret=1
+    retry_quiet 10 check_named_log "managed-keys-directory '.*' is not writable" ns2/named.run || ret=1
     if [ $ret -ne 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
 
@@ -119,7 +133,7 @@ then
     copy_setports ns2/named-alt5.conf.in ns2/named.conf
     $RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1
     grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
-    wait_for_named "working directory '.*' is not writable" ns2/named.run || ret=1
+    retry_quiet 10 check_named_log "working directory '.*' is not writable" ns2/named.run || ret=1
     if [ $ret -ne 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
 
@@ -130,35 +144,41 @@ then
     $RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 || ret=1
     grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 && ret=1
     kill_named ns2/named.pid || ret=1
+    test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
     if [ $ret -ne 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
 
     n=$((n+1))
     echo_i "checking that named refuses to start if managed-keys-directory is set and not writable ($n)"
     ret=0
-    (cd ns2 && $NAMED -c named-alt4.conf -D runtime-ns2-extra-4 -d 99 -g > named$n.run 2>&1 &)
-    wait_for_named "exiting (due to fatal error)" ns2/named$n.run || ret=1
+    testpid=$(run_named ns2 named$n.run -c named-alt4.conf -D runtime-ns2-extra-4)
+    retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1
     grep "managed-keys-directory '.*' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1
     kill_named ns2/named.pid && ret=1
+    test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
     if [ $ret -ne 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
 
     n=$((n+1))
     echo_i "checking that named refuses to start if managed-keys-directory is unset and working directory is not writable ($n)"
     ret=0
-    (cd ns2 && $NAMED -c named-alt5.conf -D runtime-ns2-extra-5 -d 99 -g > named$n.run 2>&1 &)
-    wait_for_named "exiting (due to fatal error)" ns2/named$n.run || ret=1
+    testpid=$(run_named ns2 named$n.run -c named-alt5.conf -D runtime-ns2-extra-5)
+    test -n "$testpid" || ret=1
+    retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1
     grep "working directory '.*' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1
     kill_named ns2/named.pid && ret=1
+    test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
     if [ $ret -ne 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
 
     n=$((n+1))
     echo_i "checking that named starts if managed-keys-directory is writable and working directory is not writable ($n)"
     ret=0
-    (cd ns2/nope && $NAMED -c ../named-alt6.conf -D runtime-ns2-extra-6 -d 99 -g > ../named$n.run 2>&1 &)
-    wait_for_named " running$" ns2/named$n.run || ret=1
+    testpid=$(run_named ns2/nope ../named$n.run -c ../named-alt6.conf -D runtime-ns2-extra-6)
+    test -n "$testpid" || ret=1
+    retry_quiet 10 check_named_log " running$" ns2/named$n.run || ret=1
     kill_named ns2/named.pid || ret=1
+    test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
     if [ $ret -ne 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
 fi
@@ -175,11 +195,13 @@ if [ "`id -u`" -eq 0 ] && [ -z "$CYGWIN" ]; then
         sh -x "$TOP/bin/tests/prepare-softhsm2.sh"
         chown -R nobody: "${TEMP_NAMED_DIR}"
         chmod 0700 "${TEMP_NAMED_DIR}"
-        ( cd "${TEMP_NAMED_DIR}" && $NAMED -u nobody -c named-alt9.conf -d 99 -g -U 4 >> named$n.run 2>&1 & ) || ret=1
-        wait_for_named "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1
+        testpid=$(run_named "${TEMP_NAMED_DIR}" named$n.run -u nobody -c named-alt9.conf)
+	test -n "$testpid" || ret=1
+        retry_quiet 10 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1
         [ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1
         grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" > /dev/null && ret=1
         kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1
+        test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
     else
         echo_i "mktemp failed"
         ret=1
diff --git a/bind/bind9/bin/tests/system/send.pl b/bind/bind9/bin/tests/system/send.pl
index 01368b12..a7879e1f 100644
--- a/bind/bind9/bin/tests/system/send.pl
+++ b/bind/bind9/bin/tests/system/send.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/setup.sh b/bind/bind9/bin/tests/system/setup.sh
index ff8c1bd2..180d7403 100644
--- a/bind/bind9/bin/tests/system/setup.sh
+++ b/bind/bind9/bin/tests/system/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/README b/bind/bind9/bin/tests/system/sfcache/README
index 14c3b915..8f981b7c 100644
--- a/bind/bind9/bin/tests/system/sfcache/README
+++ b/bind/bind9/bin/tests/system/sfcache/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The test setup for the SERVFAIL ncache tests has a secure root.
 
diff --git a/bind/bind9/bin/tests/system/sfcache/clean.sh b/bind/bind9/bin/tests/system/sfcache/clean.sh
index b4a00389..eeadc6c0 100644
--- a/bind/bind9/bin/tests/system/sfcache/clean.sh
+++ b/bind/bind9/bin/tests/system/sfcache/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/ns1/named.conf.in b/bind/bind9/bin/tests/system/sfcache/ns1/named.conf.in
index a43c02bc..bd7887d7 100644
--- a/bind/bind9/bin/tests/system/sfcache/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/sfcache/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/ns1/root.db.in b/bind/bind9/bin/tests/system/sfcache/ns1/root.db.in
index 9ee20905..312199a4 100644
--- a/bind/bind9/bin/tests/system/sfcache/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/sfcache/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/ns1/sign.sh b/bind/bind9/bin/tests/system/sfcache/ns1/sign.sh
index 769978bb..13887e8a 100644
--- a/bind/bind9/bin/tests/system/sfcache/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/sfcache/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/ns2/example.db.in b/bind/bind9/bin/tests/system/sfcache/ns2/example.db.in
index 594a549d..e7cd0430 100644
--- a/bind/bind9/bin/tests/system/sfcache/ns2/example.db.in
+++ b/bind/bind9/bin/tests/system/sfcache/ns2/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/ns2/named.conf.in b/bind/bind9/bin/tests/system/sfcache/ns2/named.conf.in
index 693ee05f..017e4a62 100644
--- a/bind/bind9/bin/tests/system/sfcache/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/sfcache/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/ns2/sign.sh b/bind/bind9/bin/tests/system/sfcache/ns2/sign.sh
index 73e55e76..f183bfd7 100644
--- a/bind/bind9/bin/tests/system/sfcache/ns2/sign.sh
+++ b/bind/bind9/bin/tests/system/sfcache/ns2/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/ns5/named.conf.in b/bind/bind9/bin/tests/system/sfcache/ns5/named.conf.in
index 31c497ca..5baea186 100644
--- a/bind/bind9/bin/tests/system/sfcache/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/sfcache/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/ns5/trusted.conf.bad b/bind/bind9/bin/tests/system/sfcache/ns5/trusted.conf.bad
index ed30460b..75cf6994 100644
--- a/bind/bind9/bin/tests/system/sfcache/ns5/trusted.conf.bad
+++ b/bind/bind9/bin/tests/system/sfcache/ns5/trusted.conf.bad
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/prereq.sh b/bind/bind9/bin/tests/system/sfcache/prereq.sh
index 79589b7c..31fa9ac3 100644
--- a/bind/bind9/bin/tests/system/sfcache/prereq.sh
+++ b/bind/bind9/bin/tests/system/sfcache/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -18,6 +18,6 @@ if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r $RANDFILE foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
-    echo "I:This test requires that --with-openssl was used." >&2
+    echo_i "This test requires that --with-openssl was used." >&2
     exit 255
 fi
diff --git a/bind/bind9/bin/tests/system/sfcache/setup.sh b/bind/bind9/bin/tests/system/sfcache/setup.sh
index 370e57f9..ab39919a 100644
--- a/bind/bind9/bin/tests/system/sfcache/setup.sh
+++ b/bind/bind9/bin/tests/system/sfcache/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sfcache/tests.sh b/bind/bind9/bin/tests/system/sfcache/tests.sh
index 7756e7d7..e9567c01 100644
--- a/bind/bind9/bin/tests/system/sfcache/tests.sh
+++ b/bind/bind9/bin/tests/system/sfcache/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/smartsign/child.db b/bind/bind9/bin/tests/system/smartsign/child.db
index 11af1a53..1c464b5c 100644
--- a/bind/bind9/bin/tests/system/smartsign/child.db
+++ b/bind/bind9/bin/tests/system/smartsign/child.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/smartsign/clean.sh b/bind/bind9/bin/tests/system/smartsign/clean.sh
index 0f23bf9e..c9cc6dfd 100644
--- a/bind/bind9/bin/tests/system/smartsign/clean.sh
+++ b/bind/bind9/bin/tests/system/smartsign/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/smartsign/parent.db b/bind/bind9/bin/tests/system/smartsign/parent.db
index 6c6567f7..75644012 100644
--- a/bind/bind9/bin/tests/system/smartsign/parent.db
+++ b/bind/bind9/bin/tests/system/smartsign/parent.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/smartsign/prereq.sh b/bind/bind9/bin/tests/system/smartsign/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/smartsign/prereq.sh
+++ b/bind/bind9/bin/tests/system/smartsign/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/smartsign/setup.sh b/bind/bind9/bin/tests/system/smartsign/setup.sh
index dd7dbb3f..5f7aced1 100644
--- a/bind/bind9/bin/tests/system/smartsign/setup.sh
+++ b/bind/bind9/bin/tests/system/smartsign/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/smartsign/tests.sh b/bind/bind9/bin/tests/system/smartsign/tests.sh
index bd586ff6..937a6ab9 100644
--- a/bind/bind9/bin/tests/system/smartsign/tests.sh
+++ b/bind/bind9/bin/tests/system/smartsign/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -162,7 +162,7 @@ grep "key id = $czinactive\$" $cfile.signed > /dev/null || {
 # should not be there, hence the &&
 grep "key id = $ckprerevoke\$" $cfile.signed > /dev/null && {
 	ret=1
-	echo_i "found unexpect child pre-revoke ZSK id = $ckprerevoke"
+	echo_i "found unexpected child pre-revoke ZSK id = $ckprerevoke"
 }
 grep "key id = $czgenerated\$" $cfile.signed > /dev/null && {
 	ret=1
diff --git a/bind/bind9/bin/tests/system/sortlist/clean.sh b/bind/bind9/bin/tests/system/sortlist/clean.sh
index e9102915..13815ffa 100644
--- a/bind/bind9/bin/tests/system/sortlist/clean.sh
+++ b/bind/bind9/bin/tests/system/sortlist/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sortlist/ns1/example.db b/bind/bind9/bin/tests/system/sortlist/ns1/example.db
index 94ebc739..36b5c5bb 100644
--- a/bind/bind9/bin/tests/system/sortlist/ns1/example.db
+++ b/bind/bind9/bin/tests/system/sortlist/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sortlist/ns1/named.conf.in b/bind/bind9/bin/tests/system/sortlist/ns1/named.conf.in
index 90156811..d50b3912 100644
--- a/bind/bind9/bin/tests/system/sortlist/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/sortlist/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sortlist/ns1/root.db b/bind/bind9/bin/tests/system/sortlist/ns1/root.db
index dab5cea7..e5f65ab6 100644
--- a/bind/bind9/bin/tests/system/sortlist/ns1/root.db
+++ b/bind/bind9/bin/tests/system/sortlist/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sortlist/setup.sh b/bind/bind9/bin/tests/system/sortlist/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/sortlist/setup.sh
+++ b/bind/bind9/bin/tests/system/sortlist/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/sortlist/tests.sh b/bind/bind9/bin/tests/system/sortlist/tests.sh
index 2fc44b0f..d483c9ff 100644
--- a/bind/bind9/bin/tests/system/sortlist/tests.sh
+++ b/bind/bind9/bin/tests/system/sortlist/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/spf/clean.sh b/bind/bind9/bin/tests/system/spf/clean.sh
index df9a329b..73c01fdb 100644
--- a/bind/bind9/bin/tests/system/spf/clean.sh
+++ b/bind/bind9/bin/tests/system/spf/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/spf/ns1/named.conf.in b/bind/bind9/bin/tests/system/spf/ns1/named.conf.in
index 255da60e..a9a41de0 100644
--- a/bind/bind9/bin/tests/system/spf/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/spf/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/spf/ns1/spf.db b/bind/bind9/bin/tests/system/spf/ns1/spf.db
index 6c0e7e55..dfeaeb4f 100644
--- a/bind/bind9/bin/tests/system/spf/ns1/spf.db
+++ b/bind/bind9/bin/tests/system/spf/ns1/spf.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/spf/setup.sh b/bind/bind9/bin/tests/system/spf/setup.sh
index 985a4bcb..c2be7228 100644
--- a/bind/bind9/bin/tests/system/spf/setup.sh
+++ b/bind/bind9/bin/tests/system/spf/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/spf/tests.sh b/bind/bind9/bin/tests/system/spf/tests.sh
index dd54cf37..41c5ed4b 100644
--- a/bind/bind9/bin/tests/system/spf/tests.sh
+++ b/bind/bind9/bin/tests/system/spf/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/start.pl b/bind/bind9/bin/tests/system/start.pl
index d0365ca0..7738fa31 100755
--- a/bind/bind9/bin/tests/system/start.pl
+++ b/bind/bind9/bin/tests/system/start.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -212,7 +212,7 @@ sub start_server {
 		if (++$tries > 140) {
 			print "I:$test:Couldn't start server $command (pid=$child)\n";
 			print "I:$test:failed\n";
-			system "kill -9 $child" if ("$child" ne "");
+			kill "ABRT", $child if ("$child" ne "");
 			chdir "$testdir";
 			system "$PERL $topdir/stop.pl $test";
 			exit 1;
diff --git a/bind/bind9/bin/tests/system/start.sh b/bind/bind9/bin/tests/system/start.sh
index e71c7d64..162cc5f7 100755
--- a/bind/bind9/bin/tests/system/start.sh
+++ b/bind/bind9/bin/tests/system/start.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/clean.sh b/bind/bind9/bin/tests/system/staticstub/clean.sh
index 52c25cd9..4eadb3dc 100755
--- a/bind/bind9/bin/tests/system/staticstub/clean.sh
+++ b/bind/bind9/bin/tests/system/staticstub/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad01.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad01.conf
index 6f9bf55a..37869ede 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad01.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad01.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad02.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad02.conf
index dd23d739..a61995e1 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad02.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad02.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad03.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad03.conf
index e8e92312..f3ae63f4 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad03.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad03.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad04.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad04.conf
index 54b5d288..596fe359 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad04.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad04.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad05.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad05.conf
index 7a3ba554..1a9cb7b3 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad05.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad05.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad06.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad06.conf
index 8c2ad582..16aeaff3 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad06.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad06.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad07.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad07.conf
index c347102f..89f61bb1 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad07.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad07.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad08.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad08.conf
index 83f1f274..6a654982 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad08.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad08.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad09.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad09.conf
index 349b252f..92636889 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad09.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad09.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad10.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad10.conf
index f3ec7084..560a638b 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad10.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad10.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/bad11.conf b/bind/bind9/bin/tests/system/staticstub/conf/bad11.conf
index afe78a9b..a1194f1f 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/bad11.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/bad11.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/good01.conf b/bind/bind9/bin/tests/system/staticstub/conf/good01.conf
index 8f3558e8..3c2a9b78 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/good01.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/good01.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/good02.conf b/bind/bind9/bin/tests/system/staticstub/conf/good02.conf
index 1bbb5c11..88bc1bce 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/good02.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/good02.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/good03.conf b/bind/bind9/bin/tests/system/staticstub/conf/good03.conf
index af6fc8e6..b14b0146 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/good03.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/good03.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/good04.conf b/bind/bind9/bin/tests/system/staticstub/conf/good04.conf
index 02009c52..249392f7 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/good04.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/good04.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/conf/good05.conf b/bind/bind9/bin/tests/system/staticstub/conf/good05.conf
index 59054eef..5988d0b5 100644
--- a/bind/bind9/bin/tests/system/staticstub/conf/good05.conf
+++ b/bind/bind9/bin/tests/system/staticstub/conf/good05.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns1/named.conf.in b/bind/bind9/bin/tests/system/staticstub/ns1/named.conf.in
index 4f317551..989c5235 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/staticstub/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns1/root.db b/bind/bind9/bin/tests/system/staticstub/ns1/root.db
index 3927582e..53456c75 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns1/root.db
+++ b/bind/bind9/bin/tests/system/staticstub/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns2/named.conf.in b/bind/bind9/bin/tests/system/staticstub/ns2/named.conf.in
index 245c7c2a..df28393a 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/staticstub/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns3/example.db.in b/bind/bind9/bin/tests/system/staticstub/ns3/example.db.in
index 85fc1d84..d12a7c1a 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns3/example.db.in
+++ b/bind/bind9/bin/tests/system/staticstub/ns3/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns3/example.org.db b/bind/bind9/bin/tests/system/staticstub/ns3/example.org.db
index becf883a..6d2c188c 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns3/example.org.db
+++ b/bind/bind9/bin/tests/system/staticstub/ns3/example.org.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns3/named.conf.in b/bind/bind9/bin/tests/system/staticstub/ns3/named.conf.in
index b5821965..c596f08b 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/staticstub/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns3/sign.sh b/bind/bind9/bin/tests/system/staticstub/ns3/sign.sh
index 32af7d00..ed0e68b5 100755
--- a/bind/bind9/bin/tests/system/staticstub/ns3/sign.sh
+++ b/bind/bind9/bin/tests/system/staticstub/ns3/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns3/undelegated.db.in b/bind/bind9/bin/tests/system/staticstub/ns3/undelegated.db.in
index c85337dc..645b1bc5 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns3/undelegated.db.in
+++ b/bind/bind9/bin/tests/system/staticstub/ns3/undelegated.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns4/example.com.db b/bind/bind9/bin/tests/system/staticstub/ns4/example.com.db
index feda956b..d56aa287 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns4/example.com.db
+++ b/bind/bind9/bin/tests/system/staticstub/ns4/example.com.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns4/example.info.db b/bind/bind9/bin/tests/system/staticstub/ns4/example.info.db
index 42a0860c..6a70f704 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns4/example.info.db
+++ b/bind/bind9/bin/tests/system/staticstub/ns4/example.info.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns4/example.org.db b/bind/bind9/bin/tests/system/staticstub/ns4/example.org.db
index 13b3a610..757c3177 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns4/example.org.db
+++ b/bind/bind9/bin/tests/system/staticstub/ns4/example.org.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns4/named.conf.in b/bind/bind9/bin/tests/system/staticstub/ns4/named.conf.in
index b3a82c9e..4c03af4a 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/staticstub/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns4/sign.sh b/bind/bind9/bin/tests/system/staticstub/ns4/sign.sh
index 26ca671f..ad30d674 100755
--- a/bind/bind9/bin/tests/system/staticstub/ns4/sign.sh
+++ b/bind/bind9/bin/tests/system/staticstub/ns4/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/ns4/sub.example.db.in b/bind/bind9/bin/tests/system/staticstub/ns4/sub.example.db.in
index 9d346eb7..5b314f0a 100644
--- a/bind/bind9/bin/tests/system/staticstub/ns4/sub.example.db.in
+++ b/bind/bind9/bin/tests/system/staticstub/ns4/sub.example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/prereq.sh b/bind/bind9/bin/tests/system/staticstub/prereq.sh
index a0d4e9ce..f3e74853 100755
--- a/bind/bind9/bin/tests/system/staticstub/prereq.sh
+++ b/bind/bind9/bin/tests/system/staticstub/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/setup.sh b/bind/bind9/bin/tests/system/staticstub/setup.sh
index c2742bdc..2e21dbe6 100755
--- a/bind/bind9/bin/tests/system/staticstub/setup.sh
+++ b/bind/bind9/bin/tests/system/staticstub/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/staticstub/tests.sh b/bind/bind9/bin/tests/system/staticstub/tests.sh
index a8e2e9ef..697de185 100755
--- a/bind/bind9/bin/tests/system/staticstub/tests.sh
+++ b/bind/bind9/bin/tests/system/staticstub/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -190,7 +190,7 @@ grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-# reload with a different name server: exisitng zone shouldn't be reused.
+# reload with a different name server: existing zone shouldn't be reused.
 n=`expr $n + 1`
 echo_i "checking server reload with a different static-stub config ($n)"
 ret=0
diff --git a/bind/bind9/bin/tests/system/statistics/ans4/ans.pl b/bind/bind9/bin/tests/system/statistics/ans4/ans.pl
index f8feafc9..b82a00f5 100644
--- a/bind/bind9/bin/tests/system/statistics/ans4/ans.pl
+++ b/bind/bind9/bin/tests/system/statistics/ans4/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/clean.sh b/bind/bind9/bin/tests/system/statistics/clean.sh
index 8706b024..2bd45635 100644
--- a/bind/bind9/bin/tests/system/statistics/clean.sh
+++ b/bind/bind9/bin/tests/system/statistics/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns1/named.conf.in b/bind/bind9/bin/tests/system/statistics/ns1/named.conf.in
index 762b0fdf..c5fe1238 100644
--- a/bind/bind9/bin/tests/system/statistics/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/statistics/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns1/root.db b/bind/bind9/bin/tests/system/statistics/ns1/root.db
index dab5cea7..e5f65ab6 100644
--- a/bind/bind9/bin/tests/system/statistics/ns1/root.db
+++ b/bind/bind9/bin/tests/system/statistics/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns1/zone.db b/bind/bind9/bin/tests/system/statistics/ns1/zone.db
index 868fffcd..d6797b2a 100644
--- a/bind/bind9/bin/tests/system/statistics/ns1/zone.db
+++ b/bind/bind9/bin/tests/system/statistics/ns1/zone.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns2/example.db b/bind/bind9/bin/tests/system/statistics/ns2/example.db
index 4a3f33fb..22181216 100644
--- a/bind/bind9/bin/tests/system/statistics/ns2/example.db
+++ b/bind/bind9/bin/tests/system/statistics/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns2/internal.db b/bind/bind9/bin/tests/system/statistics/ns2/internal.db
index 38a6b0d5..96c3910e 100644
--- a/bind/bind9/bin/tests/system/statistics/ns2/internal.db
+++ b/bind/bind9/bin/tests/system/statistics/ns2/internal.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns2/named.conf.in b/bind/bind9/bin/tests/system/statistics/ns2/named.conf.in
index c046fe9e..e46a8aba 100644
--- a/bind/bind9/bin/tests/system/statistics/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/statistics/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns3/internal.db b/bind/bind9/bin/tests/system/statistics/ns3/internal.db
index cdf26484..41f60710 100644
--- a/bind/bind9/bin/tests/system/statistics/ns3/internal.db
+++ b/bind/bind9/bin/tests/system/statistics/ns3/internal.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns3/named.conf.in b/bind/bind9/bin/tests/system/statistics/ns3/named.conf.in
index 78f6a668..1ecdd028 100644
--- a/bind/bind9/bin/tests/system/statistics/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/statistics/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/ns3/root.hint b/bind/bind9/bin/tests/system/statistics/ns3/root.hint
index 1acfd140..6466cd31 100644
--- a/bind/bind9/bin/tests/system/statistics/ns3/root.hint
+++ b/bind/bind9/bin/tests/system/statistics/ns3/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/prereq.sh b/bind/bind9/bin/tests/system/statistics/prereq.sh
index ec3fefe0..f10ddd17 100644
--- a/bind/bind9/bin/tests/system/statistics/prereq.sh
+++ b/bind/bind9/bin/tests/system/statistics/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/setup.sh b/bind/bind9/bin/tests/system/statistics/setup.sh
index def2a615..4c12eaf5 100644
--- a/bind/bind9/bin/tests/system/statistics/setup.sh
+++ b/bind/bind9/bin/tests/system/statistics/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statistics/tests.sh b/bind/bind9/bin/tests/system/statistics/tests.sh
index ccbca449..47d7c619 100644
--- a/bind/bind9/bin/tests/system/statistics/tests.sh
+++ b/bind/bind9/bin/tests/system/statistics/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/clean.sh b/bind/bind9/bin/tests/system/statschannel/clean.sh
index 477f209a..602e2753 100644
--- a/bind/bind9/bin/tests/system/statschannel/clean.sh
+++ b/bind/bind9/bin/tests/system/statschannel/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/fetch.pl b/bind/bind9/bin/tests/system/statschannel/fetch.pl
index e589c450..e2b2005f 100644
--- a/bind/bind9/bin/tests/system/statschannel/fetch.pl
+++ b/bind/bind9/bin/tests/system/statschannel/fetch.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/ns2/example.db b/bind/bind9/bin/tests/system/statschannel/ns2/example.db
index b65651aa..ed88ffcb 100644
--- a/bind/bind9/bin/tests/system/statschannel/ns2/example.db
+++ b/bind/bind9/bin/tests/system/statschannel/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/ns2/named.conf.in b/bind/bind9/bin/tests/system/statschannel/ns2/named.conf.in
index bababf64..ebf94167 100644
--- a/bind/bind9/bin/tests/system/statschannel/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/statschannel/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/prereq.sh b/bind/bind9/bin/tests/system/statschannel/prereq.sh
index f3d4fd17..c6933c03 100644
--- a/bind/bind9/bin/tests/system/statschannel/prereq.sh
+++ b/bind/bind9/bin/tests/system/statschannel/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/server-json.pl b/bind/bind9/bin/tests/system/statschannel/server-json.pl
index cb1f4633..b0cddfcd 100644
--- a/bind/bind9/bin/tests/system/statschannel/server-json.pl
+++ b/bind/bind9/bin/tests/system/statschannel/server-json.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/server-xml.pl b/bind/bind9/bin/tests/system/statschannel/server-xml.pl
index 20030241..ebc8fc79 100644
--- a/bind/bind9/bin/tests/system/statschannel/server-xml.pl
+++ b/bind/bind9/bin/tests/system/statschannel/server-xml.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/setup.sh b/bind/bind9/bin/tests/system/statschannel/setup.sh
index 71451f83..13a02d9d 100644
--- a/bind/bind9/bin/tests/system/statschannel/setup.sh
+++ b/bind/bind9/bin/tests/system/statschannel/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/tests.sh b/bind/bind9/bin/tests/system/statschannel/tests.sh
index 9b1c5a13..6610783e 100644
--- a/bind/bind9/bin/tests/system/statschannel/tests.sh
+++ b/bind/bind9/bin/tests/system/statschannel/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/traffic-json.pl b/bind/bind9/bin/tests/system/statschannel/traffic-json.pl
index 67b53c4e..e9030817 100644
--- a/bind/bind9/bin/tests/system/statschannel/traffic-json.pl
+++ b/bind/bind9/bin/tests/system/statschannel/traffic-json.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/statschannel/traffic-xml.pl b/bind/bind9/bin/tests/system/statschannel/traffic-xml.pl
index a866c645..f659933f 100644
--- a/bind/bind9/bin/tests/system/statschannel/traffic-xml.pl
+++ b/bind/bind9/bin/tests/system/statschannel/traffic-xml.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stop.pl b/bind/bind9/bin/tests/system/stop.pl
index e3bb2120..625d11bd 100644
--- a/bind/bind9/bin/tests/system/stop.pl
+++ b/bind/bind9/bin/tests/system/stop.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stop.sh b/bind/bind9/bin/tests/system/stop.sh
index ba1256bc..c3e7cb9c 100755
--- a/bind/bind9/bin/tests/system/stop.sh
+++ b/bind/bind9/bin/tests/system/stop.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stopall.sh b/bind/bind9/bin/tests/system/stopall.sh
index d9b57e0f..ab04a3a5 100644
--- a/bind/bind9/bin/tests/system/stopall.sh
+++ b/bind/bind9/bin/tests/system/stopall.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stress/clean.sh b/bind/bind9/bin/tests/system/stress/clean.sh
index 3d13acd1..d8c5bcb8 100644
--- a/bind/bind9/bin/tests/system/stress/clean.sh
+++ b/bind/bind9/bin/tests/system/stress/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stress/ns1/named.conf b/bind/bind9/bin/tests/system/stress/ns1/named.conf
index 59690e79..38856ad9 100644
--- a/bind/bind9/bin/tests/system/stress/ns1/named.conf
+++ b/bind/bind9/bin/tests/system/stress/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stress/ns2/named.conf b/bind/bind9/bin/tests/system/stress/ns2/named.conf
index c0fb05f5..8bf41615 100644
--- a/bind/bind9/bin/tests/system/stress/ns2/named.conf
+++ b/bind/bind9/bin/tests/system/stress/ns2/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stress/ns3/named.conf b/bind/bind9/bin/tests/system/stress/ns3/named.conf
index 9b905a92..dc4bfd3c 100644
--- a/bind/bind9/bin/tests/system/stress/ns3/named.conf
+++ b/bind/bind9/bin/tests/system/stress/ns3/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stress/ns4/named.conf b/bind/bind9/bin/tests/system/stress/ns4/named.conf
index 405f618e..5cff4972 100644
--- a/bind/bind9/bin/tests/system/stress/ns4/named.conf
+++ b/bind/bind9/bin/tests/system/stress/ns4/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stress/prereq.sh b/bind/bind9/bin/tests/system/stress/prereq.sh
index de147a4c..d2ca8fc2 100644
--- a/bind/bind9/bin/tests/system/stress/prereq.sh
+++ b/bind/bind9/bin/tests/system/stress/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,6 +16,6 @@ if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     :
 else
-    echo "I:This test requires the Net::DNS library." >&2
+    echo_i "This test requires the Net::DNS library." >&2
     exit 1
 fi
diff --git a/bind/bind9/bin/tests/system/stress/setup.pl b/bind/bind9/bin/tests/system/stress/setup.pl
index 40e3ceaa..45c86021 100644
--- a/bind/bind9/bin/tests/system/stress/setup.pl
+++ b/bind/bind9/bin/tests/system/stress/setup.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stress/setup.sh b/bind/bind9/bin/tests/system/stress/setup.sh
index dab4b9a4..bb4f7767 100644
--- a/bind/bind9/bin/tests/system/stress/setup.sh
+++ b/bind/bind9/bin/tests/system/stress/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stress/tests.sh b/bind/bind9/bin/tests/system/stress/tests.sh
index 53c3d20d..ef35d112 100644
--- a/bind/bind9/bin/tests/system/stress/tests.sh
+++ b/bind/bind9/bin/tests/system/stress/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -27,11 +27,11 @@ do
        $PERL update.pl -s 10.53.0.2 -p 5300 zone00000$i.example. &
 done
 
-echo "I:waiting for background processes to finish"
+echo_i "waiting for background processes to finish"
 wait
 
-echo "I:killing reload loop"
+echo_i "killing reload loop"
 kill `cat reload.pid`
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/stress/update.pl b/bind/bind9/bin/tests/system/stress/update.pl
index 6bb8afce..0ee18fad 100644
--- a/bind/bind9/bin/tests/system/stress/update.pl
+++ b/bind/bind9/bin/tests/system/stress/update.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stub/clean.sh b/bind/bind9/bin/tests/system/stub/clean.sh
index d5698ef8..3152710c 100644
--- a/bind/bind9/bin/tests/system/stub/clean.sh
+++ b/bind/bind9/bin/tests/system/stub/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -12,8 +12,9 @@
 #
 # Clean up after stub tests.
 #
-rm -f dig.out.ns3 ns3/child.example.st
+rm -f dig.out.ns[35] ns3/child.example.st
 rm -f */named.memstats
 rm -f */named.conf
 rm -f */named.run
 rm -f ns*/named.lock
+rm -f ns5/example.db
diff --git a/bind/bind9/bin/tests/system/stub/ns1/named.conf.in b/bind/bind9/bin/tests/system/stub/ns1/named.conf.in
index b4a2fa8c..755a20c2 100644
--- a/bind/bind9/bin/tests/system/stub/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/stub/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stub/ns1/root.db b/bind/bind9/bin/tests/system/stub/ns1/root.db
index 5d148992..0e4b0d4c 100644
--- a/bind/bind9/bin/tests/system/stub/ns1/root.db
+++ b/bind/bind9/bin/tests/system/stub/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stub/ns2/child.example.db b/bind/bind9/bin/tests/system/stub/ns2/child.example.db
index 12acc8ae..4a406fa2 100644
--- a/bind/bind9/bin/tests/system/stub/ns2/child.example.db
+++ b/bind/bind9/bin/tests/system/stub/ns2/child.example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stub/ns2/named.conf.in b/bind/bind9/bin/tests/system/stub/ns2/named.conf.in
index 4810cdec..be952613 100644
--- a/bind/bind9/bin/tests/system/stub/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/stub/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stub/ns3/example.db b/bind/bind9/bin/tests/system/stub/ns3/example.db
index cbf1392e..a4fda37a 100644
--- a/bind/bind9/bin/tests/system/stub/ns3/example.db
+++ b/bind/bind9/bin/tests/system/stub/ns3/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stub/ns3/named.conf.in b/bind/bind9/bin/tests/system/stub/ns3/named.conf.in
index ce9497da..ce6087d0 100644
--- a/bind/bind9/bin/tests/system/stub/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/stub/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/stub/ns4/example.db b/bind/bind9/bin/tests/system/stub/ns4/example.db
new file mode 100644
index 00000000..5fbf6aa3
--- /dev/null
+++ b/bind/bind9/bin/tests/system/stub/ns4/example.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns4.example. hostmaster.example. (
+				2000042795 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@        IN    NS      ns4
+ns4      IN    A       10.53.0.4
+         IN    AAAA    fd92:7065:b8e:ffff::4
+target   IN    TXT     "test"
diff --git a/bind/bind9/bin/tests/system/stub/ns4/named.conf.in b/bind/bind9/bin/tests/system/stub/ns4/named.conf.in
new file mode 100644
index 00000000..3165ccd5
--- /dev/null
+++ b/bind/bind9/bin/tests/system/stub/ns4/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	minimal-responses yes;
+	dnssec-validation no;
+};
+
+zone "example" {
+	type master;
+	file "example.db";
+};
diff --git a/bind/bind9/bin/tests/system/stub/ns5/named.conf.in b/bind/bind9/bin/tests/system/stub/ns5/named.conf.in
new file mode 100644
index 00000000..cb920c79
--- /dev/null
+++ b/bind/bind9/bin/tests/system/stub/ns5/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+    dnssec-validation no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type stub;
+	file "example.db";
+    masters { 10.53.0.4 port @PORT@; };
+};
diff --git a/bind/bind9/bin/tests/system/stub/setup.sh b/bind/bind9/bin/tests/system/stub/setup.sh
index def2a615..09c42d76 100644
--- a/bind/bind9/bin/tests/system/stub/setup.sh
+++ b/bind/bind9/bin/tests/system/stub/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -15,3 +15,5 @@ SYSTEMTESTTOP=..
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bind/bind9/bin/tests/system/stub/tests.sh b/bind/bind9/bin/tests/system/stub/tests.sh
index 730cd406..266c7bf7 100644
--- a/bind/bind9/bin/tests/system/stub/tests.sh
+++ b/bind/bind9/bin/tests/system/stub/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -60,5 +60,26 @@ digcomp knowngood.dig.out.rec dig.out.ns3 || ret=1
 }
 done
 
+echo_i "check that glue record is correctly transferred from master when minimal-responses is on"
+ret=0
+# First ensure that zone data was transfered.
+for i in 1 2 3 4 5 6 7; do
+    [ -f ns5/example.db ] && break
+    sleep 1
+done
+
+if [ -f ns5/example.db ]; then
+    # If NS glue wasn't transferred,  this query would fail.
+    $DIG $DIGOPTS +nodnssec @10.53.0.5 target.example. txt > dig.out.ns5 || ret=1
+    grep  'target\.example.*TXT.*"test"' dig.out.ns5 > /dev/null || ret=1
+    # Ensure both ipv4 and ipv6 glue records were transferred.
+    grep -E 'ns4[[:space:]]+A[[:space:]]+10.53.0.4' ns5/example.db > /dev/null || ret=1
+    grep -E 'AAAA[[:space:]]+fd92:7065:b8e:ffff::4' ns5/example.db > /dev/null || ret=1
+    [ $ret = 0 ] || { status=1;  echo_i "failed"; }
+else
+    status=1
+    echo_i "failed: stub zone transfer failed ns4(master) <---> ns5/example.db"
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/tcp/ans6/ans.py b/bind/bind9/bin/tests/system/tcp/ans6/ans.py
index 3debf19e..2597b3d9 100644
--- a/bind/bind9/bin/tests/system/tcp/ans6/ans.py
+++ b/bind/bind9/bin/tests/system/tcp/ans6/ans.py
@@ -3,7 +3,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/clean.sh b/bind/bind9/bin/tests/system/tcp/clean.sh
index 323298c3..bf653273 100644
--- a/bind/bind9/bin/tests/system/tcp/clean.sh
+++ b/bind/bind9/bin/tests/system/tcp/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/ns1/named.conf.in b/bind/bind9/bin/tests/system/tcp/ns1/named.conf.in
index b188783a..7f112788 100644
--- a/bind/bind9/bin/tests/system/tcp/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/tcp/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/ns1/root.db b/bind/bind9/bin/tests/system/tcp/ns1/root.db
index dab5cea7..e5f65ab6 100644
--- a/bind/bind9/bin/tests/system/tcp/ns1/root.db
+++ b/bind/bind9/bin/tests/system/tcp/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/ns2/example.db b/bind/bind9/bin/tests/system/tcp/ns2/example.db
index 4a3f33fb..22181216 100644
--- a/bind/bind9/bin/tests/system/tcp/ns2/example.db
+++ b/bind/bind9/bin/tests/system/tcp/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/ns2/named.conf.in b/bind/bind9/bin/tests/system/tcp/ns2/named.conf.in
index 684b8810..afa478c1 100644
--- a/bind/bind9/bin/tests/system/tcp/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/tcp/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/ns3/named.conf.in b/bind/bind9/bin/tests/system/tcp/ns3/named.conf.in
index 282bb2cd..da13390c 100644
--- a/bind/bind9/bin/tests/system/tcp/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/tcp/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/ns4/named.conf.in b/bind/bind9/bin/tests/system/tcp/ns4/named.conf.in
index e6c7c229..b3e9e607 100644
--- a/bind/bind9/bin/tests/system/tcp/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/tcp/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/ns5/named.conf.in b/bind/bind9/bin/tests/system/tcp/ns5/named.conf.in
index da68f9e6..46d94221 100644
--- a/bind/bind9/bin/tests/system/tcp/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/tcp/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/prereq.sh b/bind/bind9/bin/tests/system/tcp/prereq.sh
index 375370b7..33c53753 100644
--- a/bind/bind9/bin/tests/system/tcp/prereq.sh
+++ b/bind/bind9/bin/tests/system/tcp/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/setup.sh b/bind/bind9/bin/tests/system/tcp/setup.sh
index 17f65408..09c42d76 100644
--- a/bind/bind9/bin/tests/system/tcp/setup.sh
+++ b/bind/bind9/bin/tests/system/tcp/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tcp/tests.sh b/bind/bind9/bin/tests/system/tcp/tests.sh
index a98d2dca..0442b5f2 100644
--- a/bind/bind9/bin/tests/system/tcp/tests.sh
+++ b/bind/bind9/bin/tests/system/tcp/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/testcrypto.sh b/bind/bind9/bin/tests/system/testcrypto.sh
index e4747189..bf473fa3 100644
--- a/bind/bind9/bin/tests/system/testcrypto.sh
+++ b/bind/bind9/bin/tests/system/testcrypto.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -61,8 +61,8 @@ then
     rm -f Kfoo*
 else
     if test $quiet -eq 0; then
-        echo "I:This test requires support for $msg1" >&2
-        echo "I:configure with $msg2" >&2
+        echo_i "This test requires support for $msg1" >&2
+        echo_i "configure with $msg2" >&2
     fi
     exit 255
 fi
diff --git a/bind/bind9/bin/tests/system/testsock.pl b/bind/bind9/bin/tests/system/testsock.pl
index 35d9f932..57cabc44 100644
--- a/bind/bind9/bin/tests/system/testsock.pl
+++ b/bind/bind9/bin/tests/system/testsock.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/testsock6.pl b/bind/bind9/bin/tests/system/testsock6.pl
index ff49b67f..9071fdf5 100644
--- a/bind/bind9/bin/tests/system/testsock6.pl
+++ b/bind/bind9/bin/tests/system/testsock6.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/testsummary.sh b/bind/bind9/bin/tests/system/testsummary.sh
index a6f2bc03..defce2f8 100644
--- a/bind/bind9/bin/tests/system/testsummary.sh
+++ b/bind/bind9/bin/tests/system/testsummary.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -56,6 +56,24 @@ if [ -n "${FAILED_TESTS}" ]; then
 	status=1
 fi
 
+CRASHED_TESTS=$(find . \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.txt' | cut -d'/' -f2 | sort -u | sed -e 's/^/I:      /')
+if [ -n "${CRASHED_TESTS}" ]; then
+	echoinfo "I:Core dumps were found for the following system tests:"
+	echoinfo "${CRASHED_TESTS}"
+fi
+
+ASSERTION_FAILED_TESTS=`find . -name named.run | xargs grep "assertion failure" | cut -d'/' -f2 | sort -u | sed -e 's/^/I:      /'`
+if [ -n "${ASSERTION_FAILED_TESTS}" ]; then
+	echoinfo "I:Assertion failures were detected for the following system tests:"
+	echoinfo "${ASSERTION_FAILED_TESTS}"
+fi
+
+TSAN_REPORT_TESTS=`find . -name 'tsan.*' | cut -d'/' -f2 | sort -u | sed -e 's/^/I:      /'`
+if [ -n "${TSAN_REPORT_TESTS}" ]; then
+	echoinfo "I:ThreadSanitizer reported issues for the following system tests:"
+	echoinfo "${TSAN_REPORT_TESTS}"
+fi
+
 RESULTS_FOUND=`grep -c 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output`
 TESTS_RUN=`echo "${SUBDIRS}" | wc -w`
 if [ "${RESULTS_FOUND}" -ne "${TESTS_RUN}" ]; then
diff --git a/bind/bind9/bin/tests/system/tkey/Makefile.in b/bind/bind9/bin/tests/system/tkey/Makefile.in
index df275ca0..cb3432b9 100644
--- a/bind/bind9/bin/tests/system/tkey/Makefile.in
+++ b/bind/bind9/bin/tests/system/tkey/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tkey/clean.sh b/bind/bind9/bin/tests/system/tkey/clean.sh
index a8ea8cf4..0a637880 100644
--- a/bind/bind9/bin/tests/system/tkey/clean.sh
+++ b/bind/bind9/bin/tests/system/tkey/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tkey/keycreate.c b/bind/bind9/bin/tests/system/tkey/keycreate.c
index 5a00f866..85b497f2 100644
--- a/bind/bind9/bin/tests/system/tkey/keycreate.c
+++ b/bind/bind9/bin/tests/system/tkey/keycreate.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -117,8 +117,8 @@ recvquery(isc_task_t *task, isc_event_t *event) {
 	result = dst_key_tofile(tsigkey->key, type, "");
 	CHECK("dst_key_tofile", result);
 
-	dns_message_destroy(&query);
-	dns_message_destroy(&response);
+	dns_message_detach(&query);
+	dns_message_detach(&response);
 	dns_request_destroy(&reqev->request);
 	isc_event_free(&event);
 	isc_app_shutdown();
diff --git a/bind/bind9/bin/tests/system/tkey/keydelete.c b/bind/bind9/bin/tests/system/tkey/keydelete.c
index bde66a45..ea7a09b0 100644
--- a/bind/bind9/bin/tests/system/tkey/keydelete.c
+++ b/bind/bind9/bin/tests/system/tkey/keydelete.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -96,8 +96,8 @@ recvquery(isc_task_t *task, isc_event_t *event) {
 	result = dns_tkey_processdeleteresponse(query, response, ring);
 	CHECK("dns_tkey_processdhresponse", result);
 
-	dns_message_destroy(&query);
-	dns_message_destroy(&response);
+	dns_message_detach(&query);
+	dns_message_detach(&response);
 	dns_request_destroy(&reqev->request);
 	isc_event_free(&event);
 	isc_app_shutdown();
diff --git a/bind/bind9/bin/tests/system/tkey/ns1/example.db b/bind/bind9/bin/tests/system/tkey/ns1/example.db
index 7771d288..5e2d2c1d 100644
--- a/bind/bind9/bin/tests/system/tkey/ns1/example.db
+++ b/bind/bind9/bin/tests/system/tkey/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tkey/ns1/named.conf.in b/bind/bind9/bin/tests/system/tkey/ns1/named.conf.in
index 93003976..a67c33e8 100644
--- a/bind/bind9/bin/tests/system/tkey/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/tkey/ns1/named.conf.in
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: named.conf.in,v 1.10 2011/11/03 23:46:26 tbox Exp $ */
-
 controls { /* empty */ };
 
 options {
diff --git a/bind/bind9/bin/tests/system/tkey/ns1/setup.sh b/bind/bind9/bin/tests/system/tkey/ns1/setup.sh
index 9b1bc451..30cb8cc9 100644
--- a/bind/bind9/bin/tests/system/tkey/ns1/setup.sh
+++ b/bind/bind9/bin/tests/system/tkey/ns1/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tkey/prereq.sh b/bind/bind9/bin/tests/system/tkey/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/tkey/prereq.sh
+++ b/bind/bind9/bin/tests/system/tkey/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tkey/setup.sh b/bind/bind9/bin/tests/system/tkey/setup.sh
index bd3afcb0..9ab6cff0 100644
--- a/bind/bind9/bin/tests/system/tkey/setup.sh
+++ b/bind/bind9/bin/tests/system/tkey/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tkey/tests.sh b/bind/bind9/bin/tests/system/tkey/tests.sh
index 9f90dd7f..b265156e 100644
--- a/bind/bind9/bin/tests/system/tkey/tests.sh
+++ b/bind/bind9/bin/tests/system/tkey/tests.sh
@@ -4,105 +4,112 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: tests.sh,v 1.11 2011/11/03 23:46:26 tbox Exp $
-
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 DIGOPTS="@10.53.0.1 -p 5300"
 
 status=0
+n=1
 
-echo "I:generating new DH key"
+echo_i "generating new DH key ($n)"
 ret=0
 dhkeyname=`$KEYGEN -T KEY -a DH -b 768 -n host -r $RANDFILE client` || ret=1
 if [ $ret != 0 ]; then
-	echo "I:failed"
-	status=`expr $status + $ret`
-	echo "I:exit status: $status"
+	echo_i "failed"
+	status=$((status+ret))
+	echo_i "exit status: $status"
 	exit $status
 fi
 status=`expr $status + $ret`
+n=$((n+1))
 
 for owner in . foo.example.
 do
-	echo "I:creating new key using owner name \"$owner\""
+	echo_i "creating new key using owner name \"$owner\" ($n)"
 	ret=0
 	keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
 	if [ $ret != 0 ]; then
-		echo "I:failed"
-		status=`expr $status + $ret`
-		echo "I:exit status: $status"
+		echo_i "failed"
+		status=$((status+ret))
+		echo_i "exit status: $status"
 		exit $status
 	fi
 	status=`expr $status + $ret`
+	n=$((n+1))
 
-	echo "I:checking the new key"
+	echo_i "checking the new key ($n)"
 	ret=0
 	$DIG $DIGOPTS . ns -k $keyname > dig.out.1 || ret=1
 	grep "status: NOERROR" dig.out.1 > /dev/null || ret=1
 	grep "TSIG.*hmac-md5.*NOERROR" dig.out.1 > /dev/null || ret=1
 	grep "Some TSIG could not be validated" dig.out.1 > /dev/null && ret=1
 	if [ $ret != 0 ]; then
-		echo "I:failed"
+		echo_i "failed"
 	fi
 	status=`expr $status + $ret`
+	n=$((n+1))
 
-	echo "I:deleting new key"
+	echo_i "deleting new key ($n)"
 	ret=0
 	$KEYDELETE $keyname || ret=1
 	if [ $ret != 0 ]; then
-		echo "I:failed"
+		echo_i "failed"
 	fi
 	status=`expr $status + $ret`
+	n=$((n+1))
 
-	echo "I:checking that new key has been deleted"
+	echo_i "checking that new key has been deleted ($n)"
 	ret=0
 	$DIG $DIGOPTS . ns -k $keyname > dig.out.2 || ret=1
 	grep "status: NOERROR" dig.out.2 > /dev/null && ret=1
 	grep "TSIG.*hmac-md5.*NOERROR" dig.out.2 > /dev/null && ret=1
 	grep "Some TSIG could not be validated" dig.out.2 > /dev/null || ret=1
 	if [ $ret != 0 ]; then
-		echo "I:failed"
+		echo_i "failed"
 	fi
 	status=`expr $status + $ret`
+	n=$((n+1))
 done
 
-echo "I:creating new key using owner name bar.example."
+echo_i "creating new key using owner name bar.example. ($n)"
 ret=0
 keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
-        echo "I:failed"
-	status=`expr $status + $ret`
-        echo "I:exit status: $status"
+        echo_i "failed"
+	status=$((status+ret))
+        echo_i "exit status: $status"
         exit $status
 fi
 status=`expr $status + $ret`
+n=$((n+1))
 
-echo "I:checking the key with 'rndc tsig-list'"
+echo_i "checking the key with 'rndc tsig-list' ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.1
 grep "key \"bar.example.server" rndc.out.1 > /dev/null || ret=1
 if [ $ret != 0 ]; then
-        echo "I:failed"
+        echo_i "failed"
 fi
 status=`expr $status + $ret`
+n=$((n+1))
 
-echo "I:using key in a request"
+echo_i "using key in a request ($n)"
 ret=0
 $DIG $DIGOPTS -k $keyname txt.example txt > dig.out.3 || ret=1
 grep "status: NOERROR" dig.out.3 > /dev/null || ret=1
 if [ $ret != 0 ]; then
-        echo "I:failed"
+        echo_i "failed"
 fi
 status=`expr $status + $ret`
+n=$((n+1))
 
-echo "I:deleting the key with 'rndc tsig-delete'"
+echo_i "deleting the key with 'rndc tsig-delete' ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-delete bar.example.server > /dev/null || ret=1
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.2
@@ -110,38 +117,42 @@ grep "key \"bar.example.server" rndc.out.2 > /dev/null && ret=1
 $DIG $DIGOPTS -k $keyname txt.example txt > dig.out.4 || ret=1
 grep "TSIG could not be validated" dig.out.4 > /dev/null || ret=1
 if [ $ret != 0 ]; then
-        echo "I:failed"
+        echo_i "failed"
 fi
 status=`expr $status + $ret`
+n=$((n+1))
 
-echo "I:recreating the bar.example. key"
+echo_i "recreating the bar.example. key ($n)"
 ret=0
 keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
-        echo "I:failed"
-	status=`expr $status + $ret`
-        echo "I:exit status: $status"
+        echo_i "failed"
+	status=$((status+ret))
+        echo_i "exit status: $status"
         exit $status
 fi
 status=`expr $status + $ret`
+n=$((n+1))
 
-echo "I:checking the new key with 'rndc tsig-list'"
+echo_i "checking the new key with 'rndc tsig-list' ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.3
 grep "key \"bar.example.server" rndc.out.3 > /dev/null || ret=1
 if [ $ret != 0 ]; then
-        echo "I:failed"
+        echo_i "failed"
 fi
 status=`expr $status + $ret`
+n=$((n+1))
 
-echo "I:using the new key in a request"
+echo_i "using the new key in a request ($n)"
 ret=0
 $DIG $DIGOPTS -k $keyname txt.example txt > dig.out.5 || ret=1
 grep "status: NOERROR" dig.out.5 > /dev/null || ret=1
 if [ $ret != 0 ]; then
-        echo "I:failed"
+        echo_i "failed"
 fi
 status=`expr $status + $ret`
+n=$((n+1))
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/tsig/ans2/ans.pl b/bind/bind9/bin/tests/system/tsig/ans2/ans.pl
new file mode 100644
index 00000000..578d1bec
--- /dev/null
+++ b/bind/bind9/bin/tests/system/tsig/ans2/ans.pl
@@ -0,0 +1,50 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# An adhoc server that returns a TC=1 response with the final byte
+# removed to generate UNEXPECTEDEND form dns_message_parse.
+#
+
+use IO::File;
+use IO::Socket;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+printf "localport %u\n", $localport;
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+sub arraystring {
+    my $string = join("", @_);
+    return $string;
+}
+
+for (;;) {
+	$from = $sock->recv($buf, 512);
+	($port, $ip_address) = unpack_sockaddr_in($from);
+	$l = length($buf);
+	printf "received %u bytes from %s#%u\n", $l, inet_ntoa($ip_address), $port;
+	@up = unpack("C[$l]", $buf);
+	$up[2] |= 0x80; # QR
+	$up[2] |= 0x02; # TC
+	$up[3] |= 0x80; # RA
+	$l -= 1;	# truncate the response 1 byte
+	$replydata = pack("C[$l]", @up);
+	printf "sent %u bytes\n", $sock->send($replydata);
+}
diff --git a/bind/bind9/bin/tests/system/tsig/badlocation b/bind/bind9/bin/tests/system/tsig/badlocation
new file mode 100644
index 00000000..44774236
--- /dev/null
+++ b/bind/bind9/bin/tests/system/tsig/badlocation
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0001 0000
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: no error
+0000
+# Other Data Length: 0
+0000
diff --git a/bind/bind9/bin/tests/system/tsig/badtime b/bind/bind9/bin/tests/system/tsig/badtime
new file mode 100644
index 00000000..7926404c
--- /dev/null
+++ b/bind/bind9/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bind/bind9/bin/tests/system/tsig/clean.sh b/bind/bind9/bin/tests/system/tsig/clean.sh
index 576ec70f..da89ced3 100644
--- a/bind/bind9/bin/tests/system/tsig/clean.sh
+++ b/bind/bind9/bin/tests/system/tsig/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -20,3 +20,4 @@ rm -f */named.run
 rm -f ns*/named.lock
 rm -f Kexample.net.+163+*
 rm -f keygen.out?
+rm -f packet.out
diff --git a/bind/bind9/bin/tests/system/tsig/ns1/example.db b/bind/bind9/bin/tests/system/tsig/ns1/example.db
index 05d8dd86..51abcd32 100644
--- a/bind/bind9/bin/tests/system/tsig/ns1/example.db
+++ b/bind/bind9/bin/tests/system/tsig/ns1/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tsig/ns1/named.conf.in b/bind/bind9/bin/tests/system/tsig/ns1/named.conf.in
index fbf30c6d..4905ffd5 100644
--- a/bind/bind9/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/tsig/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -17,7 +17,7 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
-	recursion no;
+	recursion yes;
 	notify no;
 };
 
@@ -85,3 +85,13 @@ zone "example.nil" {
 	type master;
 	file "example.db";
 };
+
+server 10.53.0.2 {
+	keys sha256;
+};
+
+zone "bad-tsig" {
+	type forward;
+	forwarders { 10.53.0.2; };
+	forward only;
+};
diff --git a/bind/bind9/bin/tests/system/tsig/prereq.sh b/bind/bind9/bin/tests/system/tsig/prereq.sh
new file mode 100644
index 00000000..657bc8e2
--- /dev/null
+++ b/bind/bind9/bin/tests/system/tsig/prereq.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if test -z "$PERL"; then
+    echo_i "This test requires Perl." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bind/bind9/bin/tests/system/tsig/setup.sh b/bind/bind9/bin/tests/system/tsig/setup.sh
index 9a8ab2ea..f42aa79d 100644
--- a/bind/bind9/bin/tests/system/tsig/setup.sh
+++ b/bind/bind9/bin/tests/system/tsig/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tsig/tests.sh b/bind/bind9/bin/tests/system/tsig/tests.sh
index f731fa60..e0c2903c 100644
--- a/bind/bind9/bin/tests/system/tsig/tests.sh
+++ b/bind/bind9/bin/tests/system/tsig/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -208,14 +208,42 @@ if [ $ret -eq 1 ] ; then
 	echo_i "failed"; status=1
 fi
 
-echo "I:check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"
+echo_i "check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"
 ret=0
 $KEYGEN -r $RANDFILE -a hmac-sha256 -b 128 -n host example.net > keygen.out1 2>&1 || ret=1
 grep dns_dnssec_findmatchingkeys keygen.out1 > /dev/null && ret=1
 $KEYGEN -r $RANDFILE -a hmac-sha256 -b 128 -n host example.net > keygen.out2 2>&1 || ret=1
 grep dns_dnssec_findmatchingkeys keygen.out2 > /dev/null && ret=1
 if [ $ret -eq 1 ] ; then
-	echo "I: failed"; status=1
+	echo_i " failed"; status=1
+fi
+
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
+ret=0
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=1
+fi
+
+if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' > /dev/null 2>&1
+then
+  echo_i "check that TSIG in the wrong place returns FORMERR"
+  ret=0
+  $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d < badlocation > packet.out
+  grep "rcode  = FORMERR" packet.out > /dev/null || ret=1
+  if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=1
+  fi
+fi
+
+echo_i "check that a malformed truncated response to a TSIG query is handled"
+ret=0
+$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1
+grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=1
 fi
 
 echo_i "exit status: $status"
diff --git a/bind/bind9/bin/tests/system/tsiggss/authsock.pl b/bind/bind9/bin/tests/system/tsiggss/authsock.pl
index 57a72b2a..ab3833d2 100644
--- a/bind/bind9/bin/tests/system/tsiggss/authsock.pl
+++ b/bind/bind9/bin/tests/system/tsiggss/authsock.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -42,6 +42,11 @@ open(my $pid,">",$pidfile)
 print $pid "$$\n";
 close($pid);
 
+# close gracefully
+sub rmpid { unlink "$pidfile"; exit 1; };
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
 if ($timeout != 0) {
     # die after the given timeout
     alarm($timeout);
diff --git a/bind/bind9/bin/tests/system/tsiggss/clean.sh b/bind/bind9/bin/tests/system/tsiggss/clean.sh
index 332a87f3..d9fae68e 100644
--- a/bind/bind9/bin/tests/system/tsiggss/clean.sh
+++ b/bind/bind9/bin/tests/system/tsiggss/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tsiggss/ns1/named.conf.in b/bind/bind9/bin/tests/system/tsiggss/ns1/named.conf.in
index 583cb379..2a652809 100644
--- a/bind/bind9/bin/tests/system/tsiggss/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/tsiggss/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tsiggss/prereq.sh b/bind/bind9/bin/tests/system/tsiggss/prereq.sh
index 8fbe0167..17eae7ef 100644
--- a/bind/bind9/bin/tests/system/tsiggss/prereq.sh
+++ b/bind/bind9/bin/tests/system/tsiggss/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tsiggss/setup.sh b/bind/bind9/bin/tests/system/tsiggss/setup.sh
index 49510b43..f04c9076 100644
--- a/bind/bind9/bin/tests/system/tsiggss/setup.sh
+++ b/bind/bind9/bin/tests/system/tsiggss/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/tsiggss/tests.sh b/bind/bind9/bin/tests/system/tsiggss/tests.sh
index e4c32dcc..456ce612 100644
--- a/bind/bind9/bin/tests/system/tsiggss/tests.sh
+++ b/bind/bind9/bin/tests/system/tsiggss/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -32,9 +32,9 @@ update add $host $cmd
 send
 answer
 EOF
-    echo "I:testing update for $host $type $cmd"
+    echo_i "testing update for $host $type $cmd"
     $NSUPDATE -g -d ns1/update.txt > nsupdate.out${num} 2>&1 || {
-	echo "I:update failed for $host $type $cmd"
+	echo_i "update failed for $host $type $cmd"
 	sed "s/^/I:/" nsupdate.out${num}
 	return 1
     }
@@ -43,20 +43,20 @@ EOF
     tkeyout=`awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}`
     pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0"
     echo $tkeyout | grep "$pattern" > /dev/null || {
-	echo "I:bad tkey response (not tsig signed)"
+	echo_i "bad tkey response (not tsig signed)"
 	return 1
     }
 
     # Weak verification that TKEY response is signed.
     grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || {
-	echo "I:bad tkey response (not tsig signed)"
+	echo_i "bad tkey response (not tsig signed)"
 	return 1
     }
 
     out=`$DIG $DIGOPTS -t $type -q $host | egrep "^${host}"`
     lines=`echo "$out" | grep "$digout" | wc -l`
     [ $lines -eq 1 ] || {
-	echo "I:dig output incorrect for $host $type $cmd: $out"
+	echo_i "dig output incorrect for $host $type $cmd: $out"
 	return 1
     }
     return 0
@@ -67,21 +67,21 @@ EOF
 KRB5CCNAME="FILE:"`pwd`/ns1/administrator.ccache
 export KRB5CCNAME
 
-echo "I:testing updates to testdc1 as administrator ($n)"
+echo_i "testing updates to testdc1 as administrator ($n)"
 ret=0
 test_update $n testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:testing updates to testdc2 as administrator ($n)"
+echo_i "testing updates to testdc2 as administrator ($n)"
 ret=0
 test_update $n testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:testing updates to denied as administrator ($n)"
+echo_i "testing updates to denied as administrator ($n)"
 ret=0
 test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && ret=1
 n=$((n+1))
@@ -93,28 +93,28 @@ status=$((status+ret))
 KRB5CCNAME="FILE:"`pwd`/ns1/testdenied.ccache
 export KRB5CCNAME
 
-echo "I:testing updates to denied (A) as a user ($n)"
+echo_i "testing updates to denied (A) as a user ($n)"
 ret=0
 test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && ret=1
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:testing updates to denied (TXT) as a user ($n)"
+echo_i "testing updates to denied (TXT) as a user ($n)"
 ret=0
 test_update $n testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || ret=1
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:testing external update policy (CNAME) ($n)"
+echo_i "testing external update policy (CNAME) ($n)"
 ret=0
 test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && ret=1
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:testing external update policy (CNAME) with auth sock ($n)"
+echo_i "testing external update policy (CNAME) with auth sock ($n)"
 ret=0
 $PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
 sleep 1
@@ -123,14 +123,14 @@ n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:testing external update policy (A) ($n)"
+echo_i "testing external update policy (A) ($n)"
 ret=0
 test_update $n testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && ret=1
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:testing external policy with SIG(0) key ($n)"
+echo_i "testing external policy with SIG(0) key ($n)"
 ret=0
 $NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
@@ -140,12 +140,12 @@ send
 END
 output=`$DIG $DIGOPTS +short cname fred.example.nil.`
 [ -n "$output" ] || ret=1
-[ $ret -eq 0 ] || echo "I:failed"
+[ $ret -eq 0 ] || echo_i "failed"
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:ensure too long realm name is fatal in non-interactive mode ($n)"
+echo_i "ensure too long realm name is fatal in non-interactive mode ($n)"
 ret=0
 $NSUPDATE <<END > nsupdate.out${n} 2>&1 && ret=1
     realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
@@ -156,20 +156,20 @@ n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-echo "I:ensure too long realm name is not fatal in interactive mode ($n)"
+echo_i "ensure too long realm name is not fatal in interactive mode ($n)"
 ret=0
 $NSUPDATE -i <<END > nsupdate.out${n} 2>&1 || ret=1
     realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
 END
 grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1
-[ $ret = 0 ] || { echo I:failed; status=1; }
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
-[ $status -eq 0 ] && echo "I:tsiggss tests all OK"
+[ $status -eq 0 ] && echo_i "tsiggss tests all OK"
 
 kill `cat authsock.pid`
 
-echo "I:exit status: $status"
+echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bind/bind9/bin/tests/system/unknown/clean.sh b/bind/bind9/bin/tests/system/unknown/clean.sh
index 8d734fae..4c785daf 100644
--- a/bind/bind9/bin/tests/system/unknown/clean.sh
+++ b/bind/bind9/bin/tests/system/unknown/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/broken1.db b/bind/bind9/bin/tests/system/unknown/ns1/broken1.db
index 0c5a4a51..119cd6df 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/broken1.db
+++ b/bind/bind9/bin/tests/system/unknown/ns1/broken1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/broken2.db b/bind/bind9/bin/tests/system/unknown/ns1/broken2.db
index a3c84fff..49c9dcce 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/broken2.db
+++ b/bind/bind9/bin/tests/system/unknown/ns1/broken2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/broken3.db b/bind/bind9/bin/tests/system/unknown/ns1/broken3.db
index 17dde882..92cfccbb 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/broken3.db
+++ b/bind/bind9/bin/tests/system/unknown/ns1/broken3.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/broken4.db b/bind/bind9/bin/tests/system/unknown/ns1/broken4.db
index a4042562..7c19da51 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/broken4.db
+++ b/bind/bind9/bin/tests/system/unknown/ns1/broken4.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/broken5.db b/bind/bind9/bin/tests/system/unknown/ns1/broken5.db
index c31e2791..8747de4b 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/broken5.db
+++ b/bind/bind9/bin/tests/system/unknown/ns1/broken5.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/class10.hints b/bind/bind9/bin/tests/system/unknown/ns1/class10.hints
index 440b36fa..709eb096 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/class10.hints
+++ b/bind/bind9/bin/tests/system/unknown/ns1/class10.hints
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/example-class10.db b/bind/bind9/bin/tests/system/unknown/ns1/example-class10.db
index a8e1d4d4..274fd00a 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/example-class10.db
+++ b/bind/bind9/bin/tests/system/unknown/ns1/example-class10.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/example-in.db b/bind/bind9/bin/tests/system/unknown/ns1/example-in.db
index d29f8da5..0fa672a5 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/example-in.db
+++ b/bind/bind9/bin/tests/system/unknown/ns1/example-in.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/large.db b/bind/bind9/bin/tests/system/unknown/ns1/large.db
index 2c826d7e..d29ab306 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/large.db
+++ b/bind/bind9/bin/tests/system/unknown/ns1/large.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns1/named.conf.in b/bind/bind9/bin/tests/system/unknown/ns1/named.conf.in
index e92b9c4e..77fa6014 100644
--- a/bind/bind9/bin/tests/system/unknown/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/unknown/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns2/named.conf.in b/bind/bind9/bin/tests/system/unknown/ns2/named.conf.in
index 2571626b..371671a2 100644
--- a/bind/bind9/bin/tests/system/unknown/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/unknown/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns3/named.conf.in b/bind/bind9/bin/tests/system/unknown/ns3/named.conf.in
index 2ccb0742..39a55af9 100644
--- a/bind/bind9/bin/tests/system/unknown/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/unknown/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/ns3/sign.sh b/bind/bind9/bin/tests/system/unknown/ns3/sign.sh
index 475c42e6..241293c1 100644
--- a/bind/bind9/bin/tests/system/unknown/ns3/sign.sh
+++ b/bind/bind9/bin/tests/system/unknown/ns3/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/prereq.sh b/bind/bind9/bin/tests/system/unknown/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/unknown/prereq.sh
+++ b/bind/bind9/bin/tests/system/unknown/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/setup.sh b/bind/bind9/bin/tests/system/unknown/setup.sh
index e1c4b1de..af9a0f74 100644
--- a/bind/bind9/bin/tests/system/unknown/setup.sh
+++ b/bind/bind9/bin/tests/system/unknown/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/unknown/tests.sh b/bind/bind9/bin/tests/system/unknown/tests.sh
index 190b8402..deb9a419 100644
--- a/bind/bind9/bin/tests/system/unknown/tests.sh
+++ b/bind/bind9/bin/tests/system/unknown/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -24,7 +24,7 @@ do
 	echo 10.0.0.1 | $DIFF - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
-		echo "#$i failed"
+		echo_i "#$i failed"
 	fi
 	status=`expr $status + $ret`
 done
@@ -37,7 +37,7 @@ do
 	echo '"hello"' | $DIFF - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
-		echo "#$i failed"
+		echo_i "#$i failed"
 	fi
 	status=`expr $status + $ret`
 done
@@ -50,7 +50,7 @@ do
 	echo '\# 1 00' | $DIFF - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
-		echo "#$i failed"
+		echo_i "#$i failed"
 	fi
 	status=`expr $status + $ret`
 done
@@ -77,7 +77,7 @@ do
 	echo '\# 4 0A000001' | $DIFF - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
-		echo "#$i failed"
+		echo_i "#$i failed"
 	fi
 	status=`expr $status + $ret`
 done
@@ -90,7 +90,7 @@ do
 	echo '"hello"' | $DIFF - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
-		echo "#$i failed"
+		echo_i "#$i failed"
 	fi
 	status=`expr $status + $ret`
 done
@@ -103,7 +103,7 @@ do
 	echo '\# 1 00' | $DIFF - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
-		echo "#$i failed"
+		echo_i "#$i failed"
 	fi
 	status=`expr $status + $ret`
 done
@@ -116,7 +116,7 @@ do
 	grep "SERVFAIL" dig.out > /dev/null || ret=1
 	if [ $ret != 0 ]
 	then
-		echo "#$i failed"
+		echo_i "#$i failed"
 	fi
 	status=`expr $status + $ret`
 done
diff --git a/bind/bind9/bin/tests/system/unknown/zones/nan.bad b/bind/bind9/bin/tests/system/unknown/zones/nan.bad
index 39efac78..a00d4f85 100644
--- a/bind/bind9/bin/tests/system/unknown/zones/nan.bad
+++ b/bind/bind9/bin/tests/system/unknown/zones/nan.bad
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/ans4/ans.pl b/bind/bind9/bin/tests/system/upforwd/ans4/ans.pl
index e98c2cfc..abe4b3ec 100644
--- a/bind/bind9/bin/tests/system/upforwd/ans4/ans.pl
+++ b/bind/bind9/bin/tests/system/upforwd/ans4/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/clean.sh b/bind/bind9/bin/tests/system/upforwd/clean.sh
index d6222042..15cf423b 100644
--- a/bind/bind9/bin/tests/system/upforwd/clean.sh
+++ b/bind/bind9/bin/tests/system/upforwd/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/ns1/example1.db b/bind/bind9/bin/tests/system/upforwd/ns1/example1.db
index a703d022..da663fd3 100644
--- a/bind/bind9/bin/tests/system/upforwd/ns1/example1.db
+++ b/bind/bind9/bin/tests/system/upforwd/ns1/example1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/ns1/named.conf.in b/bind/bind9/bin/tests/system/upforwd/ns1/named.conf.in
index e0a30cda..4ddd7a4e 100644
--- a/bind/bind9/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/upforwd/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/ns2/named.conf.in b/bind/bind9/bin/tests/system/upforwd/ns2/named.conf.in
index c650781c..e2fa6952 100644
--- a/bind/bind9/bin/tests/system/upforwd/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/upforwd/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/ns3/named.conf.in b/bind/bind9/bin/tests/system/upforwd/ns3/named.conf.in
index d6fc26c9..e81cd1a4 100644
--- a/bind/bind9/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/upforwd/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/ns3/nomaster.db b/bind/bind9/bin/tests/system/upforwd/ns3/nomaster.db
index 443bedb7..370a0a26 100644
--- a/bind/bind9/bin/tests/system/upforwd/ns3/nomaster.db
+++ b/bind/bind9/bin/tests/system/upforwd/ns3/nomaster.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/prereq.sh b/bind/bind9/bin/tests/system/upforwd/prereq.sh
index 0e299f4d..d2ca8fc2 100644
--- a/bind/bind9/bin/tests/system/upforwd/prereq.sh
+++ b/bind/bind9/bin/tests/system/upforwd/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/setup.sh b/bind/bind9/bin/tests/system/upforwd/setup.sh
index 1031f7f5..74c7ba3a 100644
--- a/bind/bind9/bin/tests/system/upforwd/setup.sh
+++ b/bind/bind9/bin/tests/system/upforwd/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/upforwd/tests.sh b/bind/bind9/bin/tests/system/upforwd/tests.sh
index b0694bbd..1cf8d3be 100644
--- a/bind/bind9/bin/tests/system/upforwd/tests.sh
+++ b/bind/bind9/bin/tests/system/upforwd/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/verify/clean.sh b/bind/bind9/bin/tests/system/verify/clean.sh
index 74c9be2c..6e14f828 100644
--- a/bind/bind9/bin/tests/system/verify/clean.sh
+++ b/bind/bind9/bin/tests/system/verify/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/verify/prereq.sh b/bind/bind9/bin/tests/system/verify/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/verify/prereq.sh
+++ b/bind/bind9/bin/tests/system/verify/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/verify/setup.sh b/bind/bind9/bin/tests/system/verify/setup.sh
index 08e6be8e..90fef8d6 100644
--- a/bind/bind9/bin/tests/system/verify/setup.sh
+++ b/bind/bind9/bin/tests/system/verify/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/verify/tests.sh b/bind/bind9/bin/tests/system/verify/tests.sh
index e8b22101..36778535 100644
--- a/bind/bind9/bin/tests/system/verify/tests.sh
+++ b/bind/bind9/bin/tests/system/verify/tests.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/verify/zones/genzones.sh b/bind/bind9/bin/tests/system/verify/zones/genzones.sh
index 926c5ddb..2f7f0ea9 100644
--- a/bind/bind9/bin/tests/system/verify/zones/genzones.sh
+++ b/bind/bind9/bin/tests/system/verify/zones/genzones.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/verify/zones/unsigned.db b/bind/bind9/bin/tests/system/verify/zones/unsigned.db
index a1e250ed..c38592ec 100644
--- a/bind/bind9/bin/tests/system/verify/zones/unsigned.db
+++ b/bind/bind9/bin/tests/system/verify/zones/unsigned.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/clean.sh b/bind/bind9/bin/tests/system/views/clean.sh
index 3fbb4b0b..2686cdd4 100644
--- a/bind/bind9/bin/tests/system/views/clean.sh
+++ b/bind/bind9/bin/tests/system/views/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns1/named.conf.in b/bind/bind9/bin/tests/system/views/ns1/named.conf.in
index b4a2fa8c..755a20c2 100644
--- a/bind/bind9/bin/tests/system/views/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/views/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns1/root.db b/bind/bind9/bin/tests/system/views/ns1/root.db
index dab5cea7..e5f65ab6 100644
--- a/bind/bind9/bin/tests/system/views/ns1/root.db
+++ b/bind/bind9/bin/tests/system/views/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/1.10.in-addr.arpa.db b/bind/bind9/bin/tests/system/views/ns2/1.10.in-addr.arpa.db
index ffe6d0d1..6f09c98d 100644
--- a/bind/bind9/bin/tests/system/views/ns2/1.10.in-addr.arpa.db
+++ b/bind/bind9/bin/tests/system/views/ns2/1.10.in-addr.arpa.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/clone.db b/bind/bind9/bin/tests/system/views/ns2/clone.db
index 52bedaab..246832a8 100644
--- a/bind/bind9/bin/tests/system/views/ns2/clone.db
+++ b/bind/bind9/bin/tests/system/views/ns2/clone.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/example1.db b/bind/bind9/bin/tests/system/views/ns2/example1.db
index 4a3f33fb..22181216 100644
--- a/bind/bind9/bin/tests/system/views/ns2/example1.db
+++ b/bind/bind9/bin/tests/system/views/ns2/example1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/example2.db b/bind/bind9/bin/tests/system/views/ns2/example2.db
index 85af6382..8bc27b5f 100644
--- a/bind/bind9/bin/tests/system/views/ns2/example2.db
+++ b/bind/bind9/bin/tests/system/views/ns2/example2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/external/inline.db b/bind/bind9/bin/tests/system/views/ns2/external/inline.db
index e41e68c3..1173b576 100644
--- a/bind/bind9/bin/tests/system/views/ns2/external/inline.db
+++ b/bind/bind9/bin/tests/system/views/ns2/external/inline.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/internal.db b/bind/bind9/bin/tests/system/views/ns2/internal.db
index 38a6b0d5..96c3910e 100644
--- a/bind/bind9/bin/tests/system/views/ns2/internal.db
+++ b/bind/bind9/bin/tests/system/views/ns2/internal.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/internal/inline.db b/bind/bind9/bin/tests/system/views/ns2/internal/inline.db
index 8da79408..af93dc39 100644
--- a/bind/bind9/bin/tests/system/views/ns2/internal/inline.db
+++ b/bind/bind9/bin/tests/system/views/ns2/internal/inline.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/named1.conf.in b/bind/bind9/bin/tests/system/views/ns2/named1.conf.in
index b91f95b0..a3425c32 100644
--- a/bind/bind9/bin/tests/system/views/ns2/named1.conf.in
+++ b/bind/bind9/bin/tests/system/views/ns2/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns2/named2.conf.in b/bind/bind9/bin/tests/system/views/ns2/named2.conf.in
index b9456e0b..c751bb34 100644
--- a/bind/bind9/bin/tests/system/views/ns2/named2.conf.in
+++ b/bind/bind9/bin/tests/system/views/ns2/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns3/child.clone.db b/bind/bind9/bin/tests/system/views/ns3/child.clone.db
index 9ea8d121..3b598106 100644
--- a/bind/bind9/bin/tests/system/views/ns3/child.clone.db
+++ b/bind/bind9/bin/tests/system/views/ns3/child.clone.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns3/internal.db b/bind/bind9/bin/tests/system/views/ns3/internal.db
index cdf26484..41f60710 100644
--- a/bind/bind9/bin/tests/system/views/ns3/internal.db
+++ b/bind/bind9/bin/tests/system/views/ns3/internal.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns3/named1.conf.in b/bind/bind9/bin/tests/system/views/ns3/named1.conf.in
index 617df48b..1d576bd5 100644
--- a/bind/bind9/bin/tests/system/views/ns3/named1.conf.in
+++ b/bind/bind9/bin/tests/system/views/ns3/named1.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns3/named2.conf.in b/bind/bind9/bin/tests/system/views/ns3/named2.conf.in
index f72255c2..f60eb1b4 100644
--- a/bind/bind9/bin/tests/system/views/ns3/named2.conf.in
+++ b/bind/bind9/bin/tests/system/views/ns3/named2.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns5/child.clone.db b/bind/bind9/bin/tests/system/views/ns5/child.clone.db
index 8dd4ec13..d0b122e6 100644
--- a/bind/bind9/bin/tests/system/views/ns5/child.clone.db
+++ b/bind/bind9/bin/tests/system/views/ns5/child.clone.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/ns5/named.conf.in b/bind/bind9/bin/tests/system/views/ns5/named.conf.in
index d3099878..f2247bbd 100644
--- a/bind/bind9/bin/tests/system/views/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/views/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/setup.sh b/bind/bind9/bin/tests/system/views/setup.sh
index e3ae916b..4586375e 100644
--- a/bind/bind9/bin/tests/system/views/setup.sh
+++ b/bind/bind9/bin/tests/system/views/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/views/tests.sh b/bind/bind9/bin/tests/system/views/tests.sh
index 537928fc..cb1c9c94 100644
--- a/bind/bind9/bin/tests/system/views/tests.sh
+++ b/bind/bind9/bin/tests/system/views/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -36,14 +36,16 @@ nextpart ns3/named.run > /dev/null
 $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
 $RNDCCMD 10.53.0.3 reload 2>&1 | sed 's/^/ns3 /' | cat_i
 
-echo_i "wait for reload"
-a=0 b=0
-for i in 1 2 3 4 5 6 7 8 9 0; do
-        nextpart ns2/named.run | grep "all zones loaded" > /dev/null && a=1
-        nextpart ns3/named.run | grep "all zones loaded" > /dev/null && b=1
-        [ $a -eq 1 -a $b -eq 1 ] && break
-        sleep 1
-done
+echo_i "wait for reload to complete"
+ret=0
+_check_reload() (
+  nextpartpeek ns2/named.run | grep "all zones loaded" > /dev/null && \
+  nextpartpeek ns3/named.run | grep "all zones loaded" > /dev/null && \
+  nextpartpeek ns3/named.run | grep "zone_dump: zone example/IN: enter" > /dev/null
+)
+retry_quiet 10 _check_reload || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
 
 echo_i "fetching a.example from ns2's 10.53.0.4, source address 10.53.0.4"
 $DIG $DIGOPTS -b 10.53.0.4 a.example. @10.53.0.4 any > dig.out.ns4.2 || status=1
@@ -86,7 +88,7 @@ ret=0
 one=`$DIG $SHORTOPTS -b 10.53.0.2 @10.53.0.2 b.clone a`
 two=`$DIG $SHORTOPTS -b 10.53.0.4 @10.53.0.2 b.clone a`
 if [ "$one" != "$two" ]; then
-        echo "'$one' does not match '$two'"
+        echo_i "'$one' does not match '$two'"
         ret=1
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -98,18 +100,18 @@ one=`$DIG $SHORTOPTS -b 10.53.0.2 @10.53.0.2 child.clone txt`
 two=`$DIG $SHORTOPTS -b 10.53.0.4 @10.53.0.2 child.clone txt`
 three=`$DIG $SHORTOPTS @10.53.0.3 child.clone txt`
 four=`$DIG $SHORTOPTS @10.53.0.5 child.clone txt`
-echo "$three" | grep NS3 > /dev/null || { ret=1; echo "expected response from NS3 got '$three'"; }
-echo "$four" | grep NS5 > /dev/null || { ret=1; echo "expected response from NS5 got '$four'"; }
+echo "$three" | grep NS3 > /dev/null || { ret=1; echo_i "expected response from NS3 got '$three'"; }
+echo "$four" | grep NS5 > /dev/null || { ret=1; echo_i "expected response from NS5 got '$four'"; }
 if [ "$one" = "$two" ]; then
-        echo "'$one' matches '$two'"
+        echo_i "'$one' matches '$two'"
         ret=1
 fi
 if [ "$one" != "$three" ]; then
-        echo "'$one' does not match '$three'"
+        echo_i "'$one' does not match '$three'"
         ret=1
 fi
 if [ "$two" != "$four" ]; then
-        echo "'$two' does not match '$four'"
+        echo_i "'$two' does not match '$four'"
         ret=1
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bind/bind9/bin/tests/system/wildcard/clean.sh b/bind/bind9/bin/tests/system/wildcard/clean.sh
index 8f993289..44048ddd 100644
--- a/bind/bind9/bin/tests/system/wildcard/clean.sh
+++ b/bind/bind9/bin/tests/system/wildcard/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns1/dlv.db.in b/bind/bind9/bin/tests/system/wildcard/ns1/dlv.db.in
index 413ca28f..81e297fe 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns1/dlv.db.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns1/dlv.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns1/named.conf.in b/bind/bind9/bin/tests/system/wildcard/ns1/named.conf.in
index e02ee67d..72da9dcc 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -30,8 +30,8 @@ zone "nsec" { type master; file "nsec.db.signed"; };
 zone "private.nsec" { type master; file "private.nsec.db.signed"; };
 
 /*
- * The contents of nsec3 and private.nsec3 are specially choosen to
- * have seperate NSEC3 records for the "no qname proof" and the
+ * The contents of nsec3 and private.nsec3 are specially chosen to
+ * have separate NSEC3 records for the "no qname proof" and the
  * "closest encloser proof".
  */
 zone "nsec3" { type master; file "nsec3.db.signed"; };
diff --git a/bind/bind9/bin/tests/system/wildcard/ns1/nsec.db.in b/bind/bind9/bin/tests/system/wildcard/ns1/nsec.db.in
index 940e8e1d..17e4632c 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns1/nsec.db.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns1/nsec.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns1/nsec3.db.in b/bind/bind9/bin/tests/system/wildcard/ns1/nsec3.db.in
index 940e8e1d..17e4632c 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns1/nsec3.db.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns1/nsec3.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns1/private.nsec.db.in b/bind/bind9/bin/tests/system/wildcard/ns1/private.nsec.db.in
index 5114ac4b..8ea456aa 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns1/private.nsec.db.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns1/private.nsec.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns1/private.nsec3.db.in b/bind/bind9/bin/tests/system/wildcard/ns1/private.nsec3.db.in
index 98b78758..03abf89c 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns1/private.nsec3.db.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns1/private.nsec3.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns1/root.db.in b/bind/bind9/bin/tests/system/wildcard/ns1/root.db.in
index 493140f2..3f43657f 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns1/root.db.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns1/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns1/sign.sh b/bind/bind9/bin/tests/system/wildcard/ns1/sign.sh
index 91650656..6c52cb9f 100755
--- a/bind/bind9/bin/tests/system/wildcard/ns1/sign.sh
+++ b/bind/bind9/bin/tests/system/wildcard/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns2/named.conf.in b/bind/bind9/bin/tests/system/wildcard/ns2/named.conf.in
index af0e57b3..a4a4312d 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns3/named.conf.in b/bind/bind9/bin/tests/system/wildcard/ns3/named.conf.in
index cb0d38fc..e6a6ffe0 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns4/named.conf.in b/bind/bind9/bin/tests/system/wildcard/ns4/named.conf.in
index 0b432c05..0ade7a77 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/ns5/named.conf.in b/bind/bind9/bin/tests/system/wildcard/ns5/named.conf.in
index 012a032a..e2ef2094 100644
--- a/bind/bind9/bin/tests/system/wildcard/ns5/named.conf.in
+++ b/bind/bind9/bin/tests/system/wildcard/ns5/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/prereq.sh b/bind/bind9/bin/tests/system/wildcard/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/wildcard/prereq.sh
+++ b/bind/bind9/bin/tests/system/wildcard/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/setup.sh b/bind/bind9/bin/tests/system/wildcard/setup.sh
index f988158e..9291fd04 100644
--- a/bind/bind9/bin/tests/system/wildcard/setup.sh
+++ b/bind/bind9/bin/tests/system/wildcard/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/wildcard/tests.sh b/bind/bind9/bin/tests/system/wildcard/tests.sh
index 5037a72b..fd88ec7b 100644
--- a/bind/bind9/bin/tests/system/wildcard/tests.sh
+++ b/bind/bind9/bin/tests/system/wildcard/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -20,7 +20,7 @@ rm -f dig.out.*
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
 
 n=`expr $n + 1`
-echo_i "checking that NSEC wildcard non-existance proof is returned auth ($n)"
+echo_i "checking that NSEC wildcard non-existence proof is returned auth ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns1.test$n > /dev/null || ret=1
@@ -28,7 +28,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC wildcard non-existance proof is returned non-validating ($n)"
+echo_i "checking that NSEC wildcard non-existence proof is returned non-validating ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns2.test$n > /dev/null || ret=1
@@ -37,7 +37,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC wildcard non-existance proof is returned validating ($n)"
+echo_i "checking that NSEC wildcard non-existence proof is returned validating ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1
 grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns3.test$n > /dev/null || ret=1
@@ -46,7 +46,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC wildcard non-existance proof is returned validating + CD ($n)"
+echo_i "checking that NSEC wildcard non-existence proof is returned validating + CD ($n)"
 ret=0
 $DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1
 grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns5.test$n > /dev/null || ret=1
@@ -55,7 +55,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
 
-echo_i "checking that returned NSEC wildcard non-existance proof validates ($n)"
+echo_i "checking that returned NSEC wildcard non-existence proof validates ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1
 grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns4.test$n > /dev/null || ret=1
@@ -64,7 +64,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC wildcard non-existance proof is returned private, validating ($n)"
+echo_i "checking that NSEC wildcard non-existence proof is returned private, validating ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1
 grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC'  dig.out.ns3.test$n > /dev/null || ret=1
@@ -73,7 +73,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that returned NSEC wildcard non-existance proof for private zone validates ($n)"
+echo_i "checking that returned NSEC wildcard non-existence proof for private zone validates ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1
 grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC'  dig.out.ns4.test$n > /dev/null || ret=1
@@ -82,7 +82,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC3 wildcard non-existance proof is returned auth ($n)"
+echo_i "checking that NSEC3 wildcard non-existence proof is returned auth ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns1.test$n > /dev/null || ret=1
@@ -90,7 +90,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC3 wildcard non-existance proof is returned non-validating ($n)"
+echo_i "checking that NSEC3 wildcard non-existence proof is returned non-validating ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns2.test$n > /dev/null || ret=1
@@ -99,7 +99,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC3 wildcard non-existance proof is returned validating ($n)"
+echo_i "checking that NSEC3 wildcard non-existence proof is returned validating ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
 grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns3.test$n > /dev/null || ret=1
@@ -108,7 +108,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC3 wildcard non-existance proof is returned validating + CD ($n)"
+echo_i "checking that NSEC3 wildcard non-existence proof is returned validating + CD ($n)"
 ret=0
 $DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1
 grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns5.test$n > /dev/null || ret=1
@@ -117,7 +117,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that returned NSEC3 wildcard non-existance proof validates ($n)"
+echo_i "checking that returned NSEC3 wildcard non-existence proof validates ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1
 grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns4.test$n > /dev/null || ret=1
@@ -126,7 +126,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that NSEC3 wildcard non-existance proof is returned private, validating ($n)"
+echo_i "checking that NSEC3 wildcard non-existence proof is returned private, validating ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
 grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n > /dev/null || ret=1
@@ -135,7 +135,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that returned NSEC3 wildcard non-existance proof for private zone validates ($n)"
+echo_i "checking that returned NSEC3 wildcard non-existence proof for private zone validates ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1
 grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n > /dev/null || ret=1
diff --git a/bind/bind9/bin/tests/system/win32/bigkey.vcxproj.in b/bind/bind9/bin/tests/system/win32/bigkey.vcxproj.in
index 0ad231ac..26685c45 100644
--- a/bind/bind9/bin/tests/system/win32/bigkey.vcxproj.in
+++ b/bind/bind9/bin/tests/system/win32/bigkey.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/system/win32/feature-test.vcxproj.in b/bind/bind9/bin/tests/system/win32/feature-test.vcxproj.in
index 7e6fe379..1b8a5806 100644
--- a/bind/bind9/bin/tests/system/win32/feature-test.vcxproj.in
+++ b/bind/bind9/bin/tests/system/win32/feature-test.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/system/win32/gencheck.vcxproj.in b/bind/bind9/bin/tests/system/win32/gencheck.vcxproj.in
index 33e1bd77..653af387 100644
--- a/bind/bind9/bin/tests/system/win32/gencheck.vcxproj.in
+++ b/bind/bind9/bin/tests/system/win32/gencheck.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/system/win32/keycreate.vcxproj.in b/bind/bind9/bin/tests/system/win32/keycreate.vcxproj.in
index b1982d60..2474f183 100644
--- a/bind/bind9/bin/tests/system/win32/keycreate.vcxproj.in
+++ b/bind/bind9/bin/tests/system/win32/keycreate.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/system/win32/keydelete.vcxproj.in b/bind/bind9/bin/tests/system/win32/keydelete.vcxproj.in
index 9eabef32..9e944d15 100644
--- a/bind/bind9/bin/tests/system/win32/keydelete.vcxproj.in
+++ b/bind/bind9/bin/tests/system/win32/keydelete.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/system/win32/lwtest.vcxproj.in b/bind/bind9/bin/tests/system/win32/lwtest.vcxproj.in
index d0621c0d..53bf3723 100644
--- a/bind/bind9/bin/tests/system/win32/lwtest.vcxproj.in
+++ b/bind/bind9/bin/tests/system/win32/lwtest.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/system/win32/pipequeries.vcxproj.in b/bind/bind9/bin/tests/system/win32/pipequeries.vcxproj.in
index b2601212..b9f66d31 100644
--- a/bind/bind9/bin/tests/system/win32/pipequeries.vcxproj.in
+++ b/bind/bind9/bin/tests/system/win32/pipequeries.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/system/xfer/ans5/badmessageid b/bind/bind9/bin/tests/system/xfer/ans5/badmessageid
new file mode 100644
index 00000000..e0dc0416
--- /dev/null
+++ b/bind/bind9/bin/tests/system/xfer/ans5/badmessageid
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR bad-id tsig_key LSAnCU+Z/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"bad message id"
+a.nil.		60	A	10.0.0.61
+/AXFR bad-id tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
diff --git a/bind/bind9/bin/tests/system/xfer/clean.sh b/bind/bind9/bin/tests/system/xfer/clean.sh
index 0a7440d3..0f0355b9 100644
--- a/bind/bind9/bin/tests/system/xfer/clean.sh
+++ b/bind/bind9/bin/tests/system/xfer/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -13,23 +13,26 @@
 # Clean up after zone transfer tests.
 #
 
-rm -f dig.out.*
+rm -f */ans.run
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.run.prev
 rm -f axfr.out
-rm -f ns1/slave.db ns2/slave.db
+rm -f dig.out.*
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock
 rm -f ns1/edns-expire.db
+rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl
+rm -f ns1/slave.db ns2/slave.db
 rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl
+rm -f ns2/mapped.db
 rm -f ns3/example.bk ns3/tsigzone.bk ns3/example.bk.jnl
+rm -f ns3/example.bk ns3/xfer-stats.bk ns3/tsigzone.bk ns3/example.bk.jnl
+rm -f ns3/mapped.bk
 rm -f ns3/master.bk ns3/master.bk.jnl
 rm -f ns4/*.db ns4/*.jnl
 rm -f ns6/*.db ns6/*.bk ns6/*.jnl
 rm -f ns7/*.db ns7/*.bk ns7/*.jnl
 rm -f ns8/large.db ns8/small.db
-rm -f */named.conf
-rm -f */named.run
-rm -f */named.memstats
-rm -f */named.run
-rm -f */ans.run
-rm -f ns*/named.lock
-rm -f ns2/mapped.db
-rm -f ns3/mapped.bk
-rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl
+rm -f stats.*
diff --git a/bind/bind9/bin/tests/system/xfer/dig1.good b/bind/bind9/bin/tests/system/xfer/dig1.good
index dde3a55e..0f8fad0f 100644
--- a/bind/bind9/bin/tests/system/xfer/dig1.good
+++ b/bind/bind9/bin/tests/system/xfer/dig1.good
@@ -57,7 +57,7 @@ gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
 gpos02.example.		3600	IN	GPOS	"" "" ""
 hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
 hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
-hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D 
+hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
 hip2.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
 ipseckey01.example.	3600	IN	IPSECKEY  10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
 ipseckey02.example.	3600	IN	IPSECKEY  10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
@@ -166,7 +166,8 @@ wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
 wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
 wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
 x2501.example.		3600	IN	X25	"123456789"
-zonemd01.example.	3600    IN	ZONEMD	2019020700 1 0 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB
+zonemd01.example.	3600    IN	ZONEMD	2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB
+zonemd02.example.	3600	IN	ZONEMD	2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27
 8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
 kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
 mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
diff --git a/bind/bind9/bin/tests/system/xfer/dig2.good b/bind/bind9/bin/tests/system/xfer/dig2.good
index 106d03a0..fed89268 100644
--- a/bind/bind9/bin/tests/system/xfer/dig2.good
+++ b/bind/bind9/bin/tests/system/xfer/dig2.good
@@ -66,7 +66,7 @@ isdn01.example.		3600	IN	ISDN	"isdn-address"
 isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
 isdn03.example.		3600	IN	ISDN	"isdn-address"
 isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
-hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D 
+hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
 hip2.example.		3600	IN 	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
 dnskey01.example.	3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
 keydata.example.	3600	IN	TYPE65533 \# 0
@@ -166,7 +166,8 @@ wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
 wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
 wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
 x2501.example.		3600	IN	X25	"123456789"
-zonemd01.example.	3600    IN	ZONEMD	2019020700 1 0 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB
+zonemd01.example.	3600    IN	ZONEMD	2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB
+zonemd02.example.	3600	IN	ZONEMD	2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27
 8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
 kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
 mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
diff --git a/bind/bind9/bin/tests/system/xfer/ns1/axfr-too-big.db b/bind/bind9/bin/tests/system/xfer/ns1/axfr-too-big.db
index ff6e4b96..8bd89e3d 100644
--- a/bind/bind9/bin/tests/system/xfer/ns1/axfr-too-big.db
+++ b/bind/bind9/bin/tests/system/xfer/ns1/axfr-too-big.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bind/bind9/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
index 7372793e..e912a4ab 100644
--- a/bind/bind9/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
+++ b/bind/bind9/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns1/named.conf.in b/bind/bind9/bin/tests/system/xfer/ns1/named.conf.in
index c0e8112e..82cf3fa3 100644
--- a/bind/bind9/bin/tests/system/xfer/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/xfer/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns1/root.db b/bind/bind9/bin/tests/system/xfer/ns1/root.db
index 8aaa4ea9..0bd2ebde 100644
--- a/bind/bind9/bin/tests/system/xfer/ns1/root.db
+++ b/bind/bind9/bin/tests/system/xfer/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns2/mapped.db.in b/bind/bind9/bin/tests/system/xfer/ns2/mapped.db.in
index fc791180..22b5ed05 100644
--- a/bind/bind9/bin/tests/system/xfer/ns2/mapped.db.in
+++ b/bind/bind9/bin/tests/system/xfer/ns2/mapped.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns2/named.conf.in b/bind/bind9/bin/tests/system/xfer/ns2/named.conf.in
index 547a9b0d..5dea3866 100644
--- a/bind/bind9/bin/tests/system/xfer/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/xfer/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns2/slave.db.in b/bind/bind9/bin/tests/system/xfer/ns2/slave.db.in
index 4ee2094a..9569ac97 100644
--- a/bind/bind9/bin/tests/system/xfer/ns2/slave.db.in
+++ b/bind/bind9/bin/tests/system/xfer/ns2/slave.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns3/named.conf.in b/bind/bind9/bin/tests/system/xfer/ns3/named.conf.in
index 11436139..f3856ddf 100644
--- a/bind/bind9/bin/tests/system/xfer/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/xfer/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns4/named.conf.base b/bind/bind9/bin/tests/system/xfer/ns4/named.conf.base
index 14a5e057..b588cdf1 100644
--- a/bind/bind9/bin/tests/system/xfer/ns4/named.conf.base
+++ b/bind/bind9/bin/tests/system/xfer/ns4/named.conf.base
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns4/root.db.in b/bind/bind9/bin/tests/system/xfer/ns4/root.db.in
index c675b902..d384767e 100644
--- a/bind/bind9/bin/tests/system/xfer/ns4/root.db.in
+++ b/bind/bind9/bin/tests/system/xfer/ns4/root.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns6/named.conf.in b/bind/bind9/bin/tests/system/xfer/ns6/named.conf.in
index 5983f982..e4986eda 100644
--- a/bind/bind9/bin/tests/system/xfer/ns6/named.conf.in
+++ b/bind/bind9/bin/tests/system/xfer/ns6/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns7/named.conf.in b/bind/bind9/bin/tests/system/xfer/ns7/named.conf.in
index 04f1e4ef..3bf71cdb 100644
--- a/bind/bind9/bin/tests/system/xfer/ns7/named.conf.in
+++ b/bind/bind9/bin/tests/system/xfer/ns7/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns8/example.db b/bind/bind9/bin/tests/system/xfer/ns8/example.db
index d9a664ba..f872853e 100644
--- a/bind/bind9/bin/tests/system/xfer/ns8/example.db
+++ b/bind/bind9/bin/tests/system/xfer/ns8/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/ns8/named.conf.in b/bind/bind9/bin/tests/system/xfer/ns8/named.conf.in
index ab6e0c98..479e1ec6 100644
--- a/bind/bind9/bin/tests/system/xfer/ns8/named.conf.in
+++ b/bind/bind9/bin/tests/system/xfer/ns8/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/prereq.sh b/bind/bind9/bin/tests/system/xfer/prereq.sh
index 75cd53ad..e2f81228 100644
--- a/bind/bind9/bin/tests/system/xfer/prereq.sh
+++ b/bind/bind9/bin/tests/system/xfer/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/setup.sh b/bind/bind9/bin/tests/system/xfer/setup.sh
index ca690373..a1a59d82 100644
--- a/bind/bind9/bin/tests/system/xfer/setup.sh
+++ b/bind/bind9/bin/tests/system/xfer/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xfer/tests.sh b/bind/bind9/bin/tests/system/xfer/tests.sh
index ab851781..ba510b0f 100755
--- a/bind/bind9/bin/tests/system/xfer/tests.sh
+++ b/bind/bind9/bin/tests/system/xfer/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -21,29 +21,24 @@ n=0
 n=`expr $n + 1`
 echo_i "testing basic zone transfer functionality (from primary) ($n)"
 tmp=0
-$DIG $DIGOPTS example. \
-	@10.53.0.2 axfr > dig.out.ns2.test$n || tmp=1
+$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2.test$n || tmp=1
 grep "^;" dig.out.ns2.test$n | cat_i
-
 digcomp dig1.good dig.out.ns2.test$n || tmp=1
-
 if test $tmp != 0 ; then echo_i "failed"; fi
 status=`expr $status + $tmp`
 
 n=`expr $n + 1`
 echo_i "testing basic zone transfer functionality (from secondary) ($n)"
+tmp=0
 #
-# Spin to allow the zone to tranfer.
+# Spin to allow the zone to transfer.
 #
-for i in 1 2 3 4 5
-do
-    tmp=0
-    $DIG $DIGOPTS example. \
-	@10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1
-    grep "^;" dig.out.ns3.test$n > /dev/null || break
-    echo_i "plain zone re-transfer"
-    sleep 5
-done
+wait_for_xfer () {
+	$DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3.test$n || return 1
+	grep "^;" dig.out.ns3.test$n > /dev/null && return 1
+	return 0
+}
+retry_quiet 25 wait_for_xfer || tmp=1
 grep "^;" dig.out.ns3.test$n | cat_i
 digcomp dig1.good dig.out.ns3.test$n || tmp=1
 if test $tmp != 0 ; then echo_i "failed"; fi
@@ -51,25 +46,23 @@ status=`expr $status + $tmp`
 
 n=`expr $n + 1`
 echo_i "testing TSIG signed zone transfers ($n)"
-$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || status=1
+tmp=0
+$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1
 grep "^;" dig.out.ns2.test$n | cat_i
 
 #
-# Spin to allow the zone to tranfer.
+# Spin to allow the zone to transfer.
 #
-for i in 1 2 3 4 5
-do
-tmp=0
-	$DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || tmp=1
-	grep "^;" dig.out.ns3.test$n > /dev/null
-	if test $? -ne 0 ; then break; fi
-	echo_i "plain zone re-transfer"
-	sleep 5
-done
-if test $tmp -eq 1 ; then status=1; fi
+wait_for_xfer_tsig () {
+	$DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1
+	grep "^;" dig.out.ns3.test$n > /dev/null && return 1
+	return 0
+}
+retry_quiet 25 wait_for_xfer_tsig || tmp=1
 grep "^;" dig.out.ns3.test$n | cat_i
-
-digcomp dig.out.ns2.test$n dig.out.ns3.test$n || status=1
+digcomp dig.out.ns2.test$n dig.out.ns3.test$n || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
 
 echo_i "reload servers for in preparation for ixfr-from-differences tests"
 
@@ -115,6 +108,7 @@ sleep 3
 
 n=`expr $n + 1`
 echo_i "testing zone is dumped after successful transfer ($n)"
+tmp=0
 $DIG $DIGOPTS +noall +answer +multi @10.53.0.2 \
 	slave. soa > dig.out.ns2.test$n || tmp=1
 grep "1397051952 ; serial" dig.out.ns2.test$n > /dev/null 2>&1 || tmp=1
@@ -126,38 +120,36 @@ n=`expr $n + 1`
 echo_i "testing ixfr-from-differences yes; ($n)"
 tmp=0
 
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	a=0 b=0 c=0 d=0
-	echo_i "wait for reloads..."
+echo_i "wait for reloads..."
+wait_for_reloads() (
 	$DIG $DIGOPTS @10.53.0.6 +noall +answer soa master > dig.out.soa1.ns6.test$n
-	grep "1397051953" dig.out.soa1.ns6.test$n > /dev/null && a=1
+	grep "1397051953" dig.out.soa1.ns6.test$n > /dev/null || return 1
 	$DIG $DIGOPTS @10.53.0.1 +noall +answer soa slave  > dig.out.soa2.ns1.test$n
-	grep "1397051953" dig.out.soa2.ns1.test$n > /dev/null && b=1
+	grep "1397051953" dig.out.soa2.ns1.test$n > /dev/null || return 1
 	$DIG $DIGOPTS @10.53.0.2 +noall +answer soa example > dig.out.soa3.ns2.test$n
-	grep "1397051953" dig.out.soa3.ns2.test$n > /dev/null && c=1
-	[ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && break
-	sleep 2
-done
+	grep "1397051953" dig.out.soa3.ns2.test$n > /dev/null || return 1
+	return 0
+)
+retry_quiet 20 wait_for_reloads || tmp=1
 
-for i in 0 1 2 3 4 5 6 7 8 9
-do
+echo_i "wait for transfers..."
+wait_for_transfers() (
 	a=0 b=0 c=0 d=0
-	echo_i "wait for transfers..."
 	$DIG $DIGOPTS @10.53.0.3 +noall +answer soa example > dig.out.soa1.ns3.test$n
 	grep "1397051953" dig.out.soa1.ns3.test$n > /dev/null && a=1
 	$DIG $DIGOPTS @10.53.0.3 +noall +answer soa master > dig.out.soa2.ns3.test$n
 	grep "1397051953" dig.out.soa2.ns3.test$n > /dev/null && b=1
 	$DIG $DIGOPTS @10.53.0.6 +noall +answer soa slave  > dig.out.soa3.ns6.test$n
 	grep "1397051953" dig.out.soa3.ns6.test$n > /dev/null && c=1
-	[ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && break
+	[ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0
 
 	# re-notify if necessary
 	$RNDCCMD 10.53.0.6 notify master 2>&1 | sed 's/^/ns6 /' | cat_i
 	$RNDCCMD 10.53.0.1 notify slave 2>&1 | sed 's/^/ns1 /' | cat_i
 	$RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i
-	sleep 2
-done
+	return 1
+)
+retry_quiet 20 wait_for_transfers || tmp=1
 
 $DIG $DIGOPTS example. \
 	@10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1
@@ -260,10 +252,10 @@ DIGCMD="$DIG $DIGOPTS @10.53.0.4"
 SENDCMD="$PERL ../send.pl 10.53.0.5 $EXTRAPORT1"
 
 echo_i "testing that incorrectly signed transfers will fail..."
-echo_i "initial correctly-signed transfer should succeed"
+n=$((n+1))
+echo_i "initial correctly-signed transfer should succeed ($n)"
 
 $SENDCMD < ans5/goodaxfr
-sleep 1
 
 # Initially, ns4 is not authoritative for anything.
 # Now that ans is up and running with the right data, we make ns4
@@ -277,122 +269,115 @@ zone "nil" {
 };
 EOF
 
-cur=`awk 'END {print NR}' ns4/named.run`
+nextpart ns4/named.run >/dev/null
 
 $RNDCCMD 10.53.0.4 reload | sed 's/^/ns4 /' | cat_i
 
-for i in 0 1 2 3 4 5 6 7 8 9
-do
+wait_for_soa() (
 	$DIGCMD nil. SOA > dig.out.ns4.test$n
-	grep SOA dig.out.ns4.test$n > /dev/null && break
-	sleep 1
-done
+	grep SOA dig.out.ns4.test$n > /dev/null
+)
+retry_quiet 10 wait_for_soa
 
-sed -n "$cur,\$p" < ns4/named.run | grep "Transfer status: success" > /dev/null || {
+nextpart ns4/named.run | grep "Transfer status: success" > /dev/null || {
     echo_i "failed: expected status was not logged"
     status=`expr $status + 1`
 }
-cur=`awk 'END {print NR}' ns4/named.run`
 
 $DIGCMD nil. TXT | grep 'initial AXFR' >/dev/null || {
     echo_i "failed"
     status=`expr $status + 1`
 }
 
-echo_i "unsigned transfer"
+n=$((n+1))
+echo_i "unsigned transfer ($n)"
 
 $SENDCMD < ans5/unsigned
-sleep 1
 
 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
 
 sleep 2
 
-sed -n "$cur,\$p" < ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || {
+nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || {
     echo_i "failed: expected status was not logged"
     status=`expr $status + 1`
 }
-cur=`awk 'END {print NR}' ns4/named.run`
 
 $DIGCMD nil. TXT | grep 'unsigned AXFR' >/dev/null && {
     echo_i "failed"
     status=`expr $status + 1`
 }
 
-echo_i "bad keydata"
+n=$((n+1))
+echo_i "bad keydata ($n)"
 
 $SENDCMD < ans5/badkeydata
-sleep 1
 
 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
 
 sleep 2
 
-sed -n "$cur,\$p" < ns4/named.run | grep "Transfer status: tsig verify failure" > /dev/null || {
+nextpart ns4/named.run | grep "Transfer status: tsig verify failure" > /dev/null || {
     echo_i "failed: expected status was not logged"
     status=`expr $status + 1`
 }
-cur=`awk 'END {print NR}' ns4/named.run`
 
 $DIGCMD nil. TXT | grep 'bad keydata AXFR' >/dev/null && {
     echo_i "failed"
     status=`expr $status + 1`
 }
 
-echo_i "partially-signed transfer"
+n=$((n+1))
+echo_i "partially-signed transfer ($n)"
 
 $SENDCMD < ans5/partial
-sleep 1
 
 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
 
 sleep 2
 
-sed -n "$cur,\$p" < ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || {
+nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || {
     echo_i "failed: expected status was not logged"
     status=`expr $status + 1`
 }
-cur=`awk 'END {print NR}' ns4/named.run`
 
 $DIGCMD nil. TXT | grep 'partially signed AXFR' >/dev/null && {
     echo_i "failed"
     status=`expr $status + 1`
 }
 
-echo_i "unknown key"
+n=$((n+1))
+echo_i "unknown key ($n)"
 
 $SENDCMD < ans5/unknownkey
-sleep 1
 
 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
 
 sleep 2
 
-sed -n "$cur,\$p" < ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || {
+nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || {
     echo_i "failed: expected status was not logged"
     status=`expr $status + 1`
 }
-cur=`awk 'END {print NR}' ns4/named.run`
 
 $DIGCMD nil. TXT | grep 'unknown key AXFR' >/dev/null && {
     echo_i "failed"
     status=`expr $status + 1`
 }
 
-echo_i "incorrect key"
+n=$((n+1))
+echo_i "incorrect key ($n)"
 
 $SENDCMD < ans5/wrongkey
-sleep 1
 
 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
 
 sleep 2
 
-sed -n "$cur,\$p" < ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || {
+nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || {
     echo_i "failed: expected status was not logged"
     status=`expr $status + 1`
 }
-cur=`awk 'END {print NR}' ns4/named.run`
 
 $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && {
     echo_i "failed"
@@ -400,6 +385,29 @@ $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && {
 }
 
 n=`expr $n + 1`
+echo_i "bad message id ($n)"
+
+$SENDCMD < ans5/badmessageid
+
+# Uncomment to see AXFR stream with mismatching IDs.
+# $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all
+
+$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
+
+sleep 2
+
+msg="detected message ID mismatch on incoming AXFR stream, transfer will fail in BIND 9.17.2 and later if AXFR source is not fixed"
+nextpart ns4/named.run | grep "$msg" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=`expr $status + 1`
+}
+
+$DIGCMD nil. TXT | grep 'bad message id' >/dev/null || {
+    echo_i "failed"
+    status=`expr $status + 1`
+}
+
+n=`expr $n + 1`
 echo_i "check that we ask for and get a EDNS EXPIRE response ($n)"
 # force a refresh query
 $RNDCCMD 10.53.0.7 refresh edns-expire 2>&1 | sed 's/^/ns7 /' | cat_i
@@ -438,14 +446,15 @@ $DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.1.test$n
 grep "status: NOERROR," dig.out.1.test$n > /dev/null || tmp=1
 $PERL $SYSTEMTESTTOP/stop.pl xfer ns3
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} xfer ns3
-$DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.2.test$n
-grep "status: NOERROR," dig.out.2.test$n > /dev/null || tmp=1
-if [ "$tmp" -eq 0 ]
-then
+check_mapped () {
+	$DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.2.test$n
+	grep "status: NOERROR," dig.out.2.test$n > /dev/null || return 1
 	$DIG -p ${PORT} axfr mapped @10.53.0.3 > dig.out.3.test$n
-	digcomp knowngood.mapped dig.out.3.test$n || tmp=1
-fi
-if test $tmp != 0 ; then echo_i "failed"; fi
+	digcomp knowngood.mapped dig.out.3.test$n || return 1
+	return 0
+}
+retry_quiet 10 check_mapped || tmp=1
+[ "$tmp" -ne 0 ] && echo_i "failed"
 status=`expr $status + $tmp`
 
 n=`expr $n + 1`
@@ -458,19 +467,15 @@ status=`expr $status + $tmp`
 n=`expr $n + 1`
 echo_i "test that a zone with too many records is rejected (IXFR) ($n)"
 tmp=0
-grep "'ixfr-too-big./IN.*: too many records" ns6/named.run >/dev/null && tmp=1
+nextpart ns6/named.run > /dev/null
 $NSUPDATE << EOF
 zone ixfr-too-big
 server 10.53.0.1 ${PORT}
 update add the-31st-record.ixfr-too-big 0 TXT this is it
 send
 EOF
-for i in 1 2 3 4 5 6 7 8
-do
-    grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null && break
-    sleep 1
-done
-grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
+msg="'ixfr-too-big/IN' from 10.53.0.1#${PORT}: Transfer status: too many records"
+wait_for_log 10 "$msg" ns6/named.run || tmp=1
 if test $tmp != 0 ; then echo_i "failed"; fi
 status=`expr $status + $tmp`
 
diff --git a/bind/bind9/bin/tests/system/xferquota/clean.sh b/bind/bind9/bin/tests/system/xferquota/clean.sh
index e823c917..32ef9868 100644
--- a/bind/bind9/bin/tests/system/xferquota/clean.sh
+++ b/bind/bind9/bin/tests/system/xferquota/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/ns1/changing1.db b/bind/bind9/bin/tests/system/xferquota/ns1/changing1.db
index f103492d..28553c70 100644
--- a/bind/bind9/bin/tests/system/xferquota/ns1/changing1.db
+++ b/bind/bind9/bin/tests/system/xferquota/ns1/changing1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/ns1/changing2.db b/bind/bind9/bin/tests/system/xferquota/ns1/changing2.db
index 9afaf71b..b63b3f74 100644
--- a/bind/bind9/bin/tests/system/xferquota/ns1/changing2.db
+++ b/bind/bind9/bin/tests/system/xferquota/ns1/changing2.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/ns1/named.conf.in b/bind/bind9/bin/tests/system/xferquota/ns1/named.conf.in
index 290778e0..a885d152 100644
--- a/bind/bind9/bin/tests/system/xferquota/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/xferquota/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/ns1/root.db b/bind/bind9/bin/tests/system/xferquota/ns1/root.db
index 91692f79..e689c7ce 100644
--- a/bind/bind9/bin/tests/system/xferquota/ns1/root.db
+++ b/bind/bind9/bin/tests/system/xferquota/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/ns2/example.db b/bind/bind9/bin/tests/system/xferquota/ns2/example.db
index e47efcb4..801d186f 100644
--- a/bind/bind9/bin/tests/system/xferquota/ns2/example.db
+++ b/bind/bind9/bin/tests/system/xferquota/ns2/example.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/ns2/named.conf.in b/bind/bind9/bin/tests/system/xferquota/ns2/named.conf.in
index 8b68164e..aba1c88f 100644
--- a/bind/bind9/bin/tests/system/xferquota/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/xferquota/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/setup.pl b/bind/bind9/bin/tests/system/xferquota/setup.pl
index 6acbb736..baa5f44b 100644
--- a/bind/bind9/bin/tests/system/xferquota/setup.pl
+++ b/bind/bind9/bin/tests/system/xferquota/setup.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/setup.sh b/bind/bind9/bin/tests/system/xferquota/setup.sh
index 6b653493..c25aa3dc 100644
--- a/bind/bind9/bin/tests/system/xferquota/setup.sh
+++ b/bind/bind9/bin/tests/system/xferquota/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/xferquota/tests.sh b/bind/bind9/bin/tests/system/xferquota/tests.sh
index 0fbc1149..e24ecc72 100755
--- a/bind/bind9/bin/tests/system/xferquota/tests.sh
+++ b/bind/bind9/bin/tests/system/xferquota/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ans5/ans.pl b/bind/bind9/bin/tests/system/zero/ans5/ans.pl
index 6f81e7c5..5671f9c9 100644
--- a/bind/bind9/bin/tests/system/zero/ans5/ans.pl
+++ b/bind/bind9/bin/tests/system/zero/ans5/ans.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/clean.sh b/bind/bind9/bin/tests/system/zero/clean.sh
index 00fc10a0..21ceff4a 100644
--- a/bind/bind9/bin/tests/system/zero/clean.sh
+++ b/bind/bind9/bin/tests/system/zero/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ns1/named.conf.in b/bind/bind9/bin/tests/system/zero/ns1/named.conf.in
index 9731fdff..5168e877 100644
--- a/bind/bind9/bin/tests/system/zero/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/zero/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ns1/root.db b/bind/bind9/bin/tests/system/zero/ns1/root.db
index c20b5fc4..966db309 100644
--- a/bind/bind9/bin/tests/system/zero/ns1/root.db
+++ b/bind/bind9/bin/tests/system/zero/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ns2/named.conf.in b/bind/bind9/bin/tests/system/zero/ns2/named.conf.in
index b764a96c..023f8fda 100644
--- a/bind/bind9/bin/tests/system/zero/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/zero/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ns2/tld.db b/bind/bind9/bin/tests/system/zero/ns2/tld.db
index 11b5b137..e6484911 100644
--- a/bind/bind9/bin/tests/system/zero/ns2/tld.db
+++ b/bind/bind9/bin/tests/system/zero/ns2/tld.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ns3/named.conf.in b/bind/bind9/bin/tests/system/zero/ns3/named.conf.in
index 613af5d9..1573c18d 100644
--- a/bind/bind9/bin/tests/system/zero/ns3/named.conf.in
+++ b/bind/bind9/bin/tests/system/zero/ns3/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ns3/root.hint b/bind/bind9/bin/tests/system/zero/ns3/root.hint
index c1784c7e..c808d202 100644
--- a/bind/bind9/bin/tests/system/zero/ns3/root.hint
+++ b/bind/bind9/bin/tests/system/zero/ns3/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ns4/named.conf.in b/bind/bind9/bin/tests/system/zero/ns4/named.conf.in
index c88881ea..ef910eed 100644
--- a/bind/bind9/bin/tests/system/zero/ns4/named.conf.in
+++ b/bind/bind9/bin/tests/system/zero/ns4/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/ns4/one.tld.db b/bind/bind9/bin/tests/system/zero/ns4/one.tld.db
index 7706e443..923569a3 100644
--- a/bind/bind9/bin/tests/system/zero/ns4/one.tld.db
+++ b/bind/bind9/bin/tests/system/zero/ns4/one.tld.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/prereq.sh b/bind/bind9/bin/tests/system/zero/prereq.sh
index de147a4c..d2ca8fc2 100644
--- a/bind/bind9/bin/tests/system/zero/prereq.sh
+++ b/bind/bind9/bin/tests/system/zero/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,6 +16,6 @@ if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     :
 else
-    echo "I:This test requires the Net::DNS library." >&2
+    echo_i "This test requires the Net::DNS library." >&2
     exit 1
 fi
diff --git a/bind/bind9/bin/tests/system/zero/setup.sh b/bind/bind9/bin/tests/system/zero/setup.sh
index 83c35ea6..2e24c6be 100644
--- a/bind/bind9/bin/tests/system/zero/setup.sh
+++ b/bind/bind9/bin/tests/system/zero/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zero/tests.sh b/bind/bind9/bin/tests/system/zero/tests.sh
index 99998d42..6e682281 100644
--- a/bind/bind9/bin/tests/system/zero/tests.sh
+++ b/bind/bind9/bin/tests/system/zero/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/a.db b/bind/bind9/bin/tests/system/zonechecks/a.db
index 637d5eda..3f1fe9f7 100644
--- a/bind/bind9/bin/tests/system/zonechecks/a.db
+++ b/bind/bind9/bin/tests/system/zonechecks/a.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/aaaa.db b/bind/bind9/bin/tests/system/zonechecks/aaaa.db
index 9c833a75..7f8df86b 100644
--- a/bind/bind9/bin/tests/system/zonechecks/aaaa.db
+++ b/bind/bind9/bin/tests/system/zonechecks/aaaa.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/bigserial.db b/bind/bind9/bin/tests/system/zonechecks/bigserial.db
index 8925fc1e..52c5ca46 100644
--- a/bind/bind9/bin/tests/system/zonechecks/bigserial.db
+++ b/bind/bind9/bin/tests/system/zonechecks/bigserial.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/clean.sh b/bind/bind9/bin/tests/system/zonechecks/clean.sh
index 16cad7a8..6a2302fc 100644
--- a/bind/bind9/bin/tests/system/zonechecks/clean.sh
+++ b/bind/bind9/bin/tests/system/zonechecks/clean.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/cname.db b/bind/bind9/bin/tests/system/zonechecks/cname.db
index 0bd91060..2d6c768b 100644
--- a/bind/bind9/bin/tests/system/zonechecks/cname.db
+++ b/bind/bind9/bin/tests/system/zonechecks/cname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/dname.db b/bind/bind9/bin/tests/system/zonechecks/dname.db
index a5b4f078..2f28d59f 100644
--- a/bind/bind9/bin/tests/system/zonechecks/dname.db
+++ b/bind/bind9/bin/tests/system/zonechecks/dname.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/noaddress.db b/bind/bind9/bin/tests/system/zonechecks/noaddress.db
index 4227bd5f..f9e5bc2b 100644
--- a/bind/bind9/bin/tests/system/zonechecks/noaddress.db
+++ b/bind/bind9/bin/tests/system/zonechecks/noaddress.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/ns1/named.conf.in b/bind/bind9/bin/tests/system/zonechecks/ns1/named.conf.in
index eacbd5b9..59209fbd 100644
--- a/bind/bind9/bin/tests/system/zonechecks/ns1/named.conf.in
+++ b/bind/bind9/bin/tests/system/zonechecks/ns1/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/ns2/named.conf.in b/bind/bind9/bin/tests/system/zonechecks/ns2/named.conf.in
index 936d4a4a..9f126762 100644
--- a/bind/bind9/bin/tests/system/zonechecks/ns2/named.conf.in
+++ b/bind/bind9/bin/tests/system/zonechecks/ns2/named.conf.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/nxdomain.db b/bind/bind9/bin/tests/system/zonechecks/nxdomain.db
index 7512e98c..a539e7c3 100644
--- a/bind/bind9/bin/tests/system/zonechecks/nxdomain.db
+++ b/bind/bind9/bin/tests/system/zonechecks/nxdomain.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/prereq.sh b/bind/bind9/bin/tests/system/zonechecks/prereq.sh
index a0d4e9ce..f3e74853 100644
--- a/bind/bind9/bin/tests/system/zonechecks/prereq.sh
+++ b/bind/bind9/bin/tests/system/zonechecks/prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/setup.sh b/bind/bind9/bin/tests/system/zonechecks/setup.sh
index 37d897d4..1eb72903 100644
--- a/bind/bind9/bin/tests/system/zonechecks/setup.sh
+++ b/bind/bind9/bin/tests/system/zonechecks/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/system/zonechecks/tests.sh b/bind/bind9/bin/tests/system/zonechecks/tests.sh
index fb3b4660..46defd16 100644
--- a/bind/bind9/bin/tests/system/zonechecks/tests.sh
+++ b/bind/bind9/bin/tests/system/zonechecks/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/Makefile.in b/bind/bind9/bin/tests/virtual-time/Makefile.in
index bd51ce98..e0fa0b33 100644
--- a/bind/bind9/bin/tests/virtual-time/Makefile.in
+++ b/bind/bind9/bin/tests/virtual-time/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/README b/bind/bind9/bin/tests/virtual-time/README
index a58940fb..dcf4d28a 100644
--- a/bind/bind9/bin/tests/virtual-time/README
+++ b/bind/bind9/bin/tests/virtual-time/README
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This is copied from ../system.
 
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-ksk/clean.sh b/bind/bind9/bin/tests/virtual-time/autosign-ksk/clean.sh
index 5fd766ee..c0200e04 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-ksk/clean.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-ksk/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/example.db.in b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/example.db.in
index c61ebd38..78076e6a 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/example.db.in
+++ b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/named.conf b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/named.conf
index 141ce62a..a8fa72ba 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/named.conf
+++ b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/root.db b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/root.db
index d2c6cd48..2f3772e9 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/root.db
+++ b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
index acccdf06..72bcf0ff 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh
index 9bc15bb2..0967d3de 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-ksk/setup.sh b/bind/bind9/bin/tests/virtual-time/autosign-ksk/setup.sh
index 85a723a3..3acfcdb9 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-ksk/setup.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-ksk/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-ksk/tests.sh b/bind/bind9/bin/tests/virtual-time/autosign-ksk/tests.sh
index 8588b0f5..abeaebde 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-ksk/tests.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-ksk/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-zsk/clean.sh b/bind/bind9/bin/tests/virtual-time/autosign-zsk/clean.sh
index 5fd766ee..c0200e04 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-zsk/clean.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-zsk/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/example.db.in b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/example.db.in
index c61ebd38..78076e6a 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/example.db.in
+++ b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/named.conf b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/named.conf
index 94e91267..44d2d652 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/named.conf
+++ b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/root.db b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/root.db
index d2c6cd48..2f3772e9 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/root.db
+++ b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
index d0723db1..1be5c7b0 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh
index 9bc15bb2..0967d3de 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-zsk/setup.sh b/bind/bind9/bin/tests/virtual-time/autosign-zsk/setup.sh
index 85a723a3..3acfcdb9 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-zsk/setup.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-zsk/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/autosign-zsk/tests.sh b/bind/bind9/bin/tests/virtual-time/autosign-zsk/tests.sh
index e71af8fc..9647fc32 100644
--- a/bind/bind9/bin/tests/virtual-time/autosign-zsk/tests.sh
+++ b/bind/bind9/bin/tests/virtual-time/autosign-zsk/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/cleanall.sh b/bind/bind9/bin/tests/virtual-time/cleanall.sh
index ad1f105b..73595b9e 100644
--- a/bind/bind9/bin/tests/virtual-time/cleanall.sh
+++ b/bind/bind9/bin/tests/virtual-time/cleanall.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/common/controls.conf b/bind/bind9/bin/tests/virtual-time/common/controls.conf
index 021bf861..c4d66e05 100644
--- a/bind/bind9/bin/tests/virtual-time/common/controls.conf
+++ b/bind/bind9/bin/tests/virtual-time/common/controls.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/common/rndc.conf b/bind/bind9/bin/tests/virtual-time/common/rndc.conf
index b47ca45e..d9e906d6 100644
--- a/bind/bind9/bin/tests/virtual-time/common/rndc.conf
+++ b/bind/bind9/bin/tests/virtual-time/common/rndc.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/common/root.hint b/bind/bind9/bin/tests/virtual-time/common/root.hint
index 418ea963..9883426b 100644
--- a/bind/bind9/bin/tests/virtual-time/common/root.hint
+++ b/bind/bind9/bin/tests/virtual-time/common/root.hint
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/conf.sh.in b/bind/bind9/bin/tests/virtual-time/conf.sh.in
index 79cf4e05..1b9e0fc2 100644
--- a/bind/bind9/bin/tests/virtual-time/conf.sh.in
+++ b/bind/bind9/bin/tests/virtual-time/conf.sh.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/run.sh b/bind/bind9/bin/tests/virtual-time/run.sh
index c29d2ed5..26738608 100644
--- a/bind/bind9/bin/tests/virtual-time/run.sh
+++ b/bind/bind9/bin/tests/virtual-time/run.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/runall.sh b/bind/bind9/bin/tests/virtual-time/runall.sh
index 82b26bd4..af6473ed 100644
--- a/bind/bind9/bin/tests/virtual-time/runall.sh
+++ b/bind/bind9/bin/tests/virtual-time/runall.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/setup.sh b/bind/bind9/bin/tests/virtual-time/setup.sh
index e2db2e55..dd797505 100644
--- a/bind/bind9/bin/tests/virtual-time/setup.sh
+++ b/bind/bind9/bin/tests/virtual-time/setup.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/slave/clean.sh b/bind/bind9/bin/tests/virtual-time/slave/clean.sh
index 780e8b29..f135528c 100644
--- a/bind/bind9/bin/tests/virtual-time/slave/clean.sh
+++ b/bind/bind9/bin/tests/virtual-time/slave/clean.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/slave/ns1/example.db.in b/bind/bind9/bin/tests/virtual-time/slave/ns1/example.db.in
index 9b54373d..611c8cbc 100644
--- a/bind/bind9/bin/tests/virtual-time/slave/ns1/example.db.in
+++ b/bind/bind9/bin/tests/virtual-time/slave/ns1/example.db.in
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/slave/ns1/named.conf b/bind/bind9/bin/tests/virtual-time/slave/ns1/named.conf
index 5cd39313..d5b04826 100644
--- a/bind/bind9/bin/tests/virtual-time/slave/ns1/named.conf
+++ b/bind/bind9/bin/tests/virtual-time/slave/ns1/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/slave/ns1/root.db b/bind/bind9/bin/tests/virtual-time/slave/ns1/root.db
index d2c6cd48..2f3772e9 100644
--- a/bind/bind9/bin/tests/virtual-time/slave/ns1/root.db
+++ b/bind/bind9/bin/tests/virtual-time/slave/ns1/root.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/slave/ns1/wrap.sh b/bind/bind9/bin/tests/virtual-time/slave/ns1/wrap.sh
index 9bc15bb2..0967d3de 100644
--- a/bind/bind9/bin/tests/virtual-time/slave/ns1/wrap.sh
+++ b/bind/bind9/bin/tests/virtual-time/slave/ns1/wrap.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/slave/setup.sh b/bind/bind9/bin/tests/virtual-time/slave/setup.sh
index 4b385e8e..5a6bf5f5 100644
--- a/bind/bind9/bin/tests/virtual-time/slave/setup.sh
+++ b/bind/bind9/bin/tests/virtual-time/slave/setup.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/slave/tests.sh b/bind/bind9/bin/tests/virtual-time/slave/tests.sh
index 37689109..cc7ae380 100644
--- a/bind/bind9/bin/tests/virtual-time/slave/tests.sh
+++ b/bind/bind9/bin/tests/virtual-time/slave/tests.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/start.pl b/bind/bind9/bin/tests/virtual-time/start.pl
index 8e290335..9d06e259 100644
--- a/bind/bind9/bin/tests/virtual-time/start.pl
+++ b/bind/bind9/bin/tests/virtual-time/start.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/start.sh b/bind/bind9/bin/tests/virtual-time/start.sh
index 78fb0443..24033b2f 100644
--- a/bind/bind9/bin/tests/virtual-time/start.sh
+++ b/bind/bind9/bin/tests/virtual-time/start.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/stop.pl b/bind/bind9/bin/tests/virtual-time/stop.pl
index b46aa600..12aaa735 100644
--- a/bind/bind9/bin/tests/virtual-time/stop.pl
+++ b/bind/bind9/bin/tests/virtual-time/stop.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/stop.sh b/bind/bind9/bin/tests/virtual-time/stop.sh
index a2ae614d..3d55e821 100644
--- a/bind/bind9/bin/tests/virtual-time/stop.sh
+++ b/bind/bind9/bin/tests/virtual-time/stop.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/testsock.pl b/bind/bind9/bin/tests/virtual-time/testsock.pl
index b793baef..c96579dc 100644
--- a/bind/bind9/bin/tests/virtual-time/testsock.pl
+++ b/bind/bind9/bin/tests/virtual-time/testsock.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/virtual-time/vtwrapper.c b/bind/bind9/bin/tests/virtual-time/vtwrapper.c
index 36471f2e..df26ec72 100644
--- a/bind/bind9/bin/tests/virtual-time/vtwrapper.c
+++ b/bind/bind9/bin/tests/virtual-time/vtwrapper.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tests/win32/backtrace_test.vcxproj.in b/bind/bind9/bin/tests/win32/backtrace_test.vcxproj.in
index 9cb684f3..3a468857 100644
--- a/bind/bind9/bin/tests/win32/backtrace_test.vcxproj.in
+++ b/bind/bind9/bin/tests/win32/backtrace_test.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/win32/inter_test.vcxproj.in b/bind/bind9/bin/tests/win32/inter_test.vcxproj.in
index 749c0447..7a6828ae 100644
--- a/bind/bind9/bin/tests/win32/inter_test.vcxproj.in
+++ b/bind/bind9/bin/tests/win32/inter_test.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/win32/makejournal.vcxproj.in b/bind/bind9/bin/tests/win32/makejournal.vcxproj.in
index 55c836ae..fa96a5d4 100644
--- a/bind/bind9/bin/tests/win32/makejournal.vcxproj.in
+++ b/bind/bind9/bin/tests/win32/makejournal.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/win32/rwlock_test.vcxproj.in b/bind/bind9/bin/tests/win32/rwlock_test.vcxproj.in
index df89ed3d..49baa237 100644
--- a/bind/bind9/bin/tests/win32/rwlock_test.vcxproj.in
+++ b/bind/bind9/bin/tests/win32/rwlock_test.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/win32/shutdown_test.vcxproj.in b/bind/bind9/bin/tests/win32/shutdown_test.vcxproj.in
index 4c670ba9..c670f4b7 100644
--- a/bind/bind9/bin/tests/win32/shutdown_test.vcxproj.in
+++ b/bind/bind9/bin/tests/win32/shutdown_test.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/win32/sock_test.vcxproj.in b/bind/bind9/bin/tests/win32/sock_test.vcxproj.in
index 786c07f8..4cb620cd 100644
--- a/bind/bind9/bin/tests/win32/sock_test.vcxproj.in
+++ b/bind/bind9/bin/tests/win32/sock_test.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/win32/task_test.vcxproj.in b/bind/bind9/bin/tests/win32/task_test.vcxproj.in
index 87adb819..264fd3b4 100644
--- a/bind/bind9/bin/tests/win32/task_test.vcxproj.in
+++ b/bind/bind9/bin/tests/win32/task_test.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/win32/timer_test.vcxproj.in b/bind/bind9/bin/tests/win32/timer_test.vcxproj.in
index 0ea6b343..3c9624ea 100644
--- a/bind/bind9/bin/tests/win32/timer_test.vcxproj.in
+++ b/bind/bind9/bin/tests/win32/timer_test.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tests/wire_test.c b/bind/bind9/bin/tests/wire_test.c
index f95d2ccb..7fb84463 100644
--- a/bind/bind9/bin/tests/wire_test.c
+++ b/bind/bind9/bin/tests/wire_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -328,7 +328,7 @@ process_message(isc_buffer_t *source) {
 		dns_compress_invalidate(&cctx);
 
 		message->from_to_wire = DNS_MESSAGE_INTENTPARSE;
-		dns_message_destroy(&message);
+		dns_message_detach(&message);
 
 		printf("Message rendered.\n");
 		if (printmemstats)
@@ -344,5 +344,5 @@ process_message(isc_buffer_t *source) {
 		result = printmessage(message);
 		CHECKRESULT(result, "printmessage() failed");
 	}
-	dns_message_destroy(&message);
+	dns_message_detach(&message);
 }
diff --git a/bind/bind9/bin/tools/Makefile.in b/bind/bind9/bin/tools/Makefile.in
index 9352155d..d34bac11 100644
--- a/bind/bind9/bin/tools/Makefile.in
+++ b/bind/bind9/bin/tools/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -87,16 +87,16 @@ nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 
 isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS}
 	export BASEOBJS="isc-hmac-fixup.@O@"; \
-	export LIBS0="${ISCLIBS}"; \
+	export LIBS0=""; \
 	${FINALBUILDCMD}
 
 genrandom@EXEEXT@: genrandom.@O@
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
 		-o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
 
-mdig@EXEEXT@: mdig.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS}
+mdig@EXEEXT@: mdig.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCCFGDEPLIBS}
 	export BASEOBJS="mdig.@O@"; \
-	export LIBS0="${DNSLIBS} ${BIND9LIBS}"; \
+	export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
 	${FINALBUILDCMD}
 
 dnstap-read@EXEEXT@: dnstap-read.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
@@ -104,9 +104,9 @@ dnstap-read@EXEEXT@: dnstap-read.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	export LIBS0="${DNSLIBS}"; \
 	${FINALBUILDCMD}
 
-named-nzd2nzf@EXEEXT@: named-nzd2nzf.@O@ ${NZDDEPLIBS}
+named-nzd2nzf@EXEEXT@: named-nzd2nzf.@O@ ${ISCDEPLIBS}
 	export BASEOBJS="named-nzd2nzf.@O@"; \
-	export LIBS0="${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS}"; \
+	export LIBS0=""; \
 	${FINALBUILDCMD}
 
 doc man:: ${MANOBJS}
diff --git a/bind/bind9/bin/tools/arpaname.1 b/bind/bind9/bin/tools/arpaname.1
index 96425f0f..6fb54cad 100644
--- a/bind/bind9/bin/tools/arpaname.1
+++ b/bind/bind9/bin/tools/arpaname.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: arpaname
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2009-03-03
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -52,5 +52,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/arpaname.c b/bind/bind9/bin/tools/arpaname.c
index c154ee52..d8a3fbaa 100644
--- a/bind/bind9/bin/tools/arpaname.c
+++ b/bind/bind9/bin/tools/arpaname.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tools/arpaname.docbook b/bind/bind9/bin/tools/arpaname.docbook
index cdef494f..5d90183b 100644
--- a/bind/bind9/bin/tools/arpaname.docbook
+++ b/bind/bind9/bin/tools/arpaname.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.arpaname">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.arpaname">
   <info>
     <date>2009-03-03</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/tools/arpaname.html b/bind/bind9/bin/tools/arpaname.html
index 769a31f4..6d9420a4 100644
--- a/bind/bind9/bin/tools/arpaname.html
+++ b/bind/bind9/bin/tools/arpaname.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,48 +10,30 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>arpaname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.arpaname"></a><div class="titlepage"></div>
-  
-  
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">arpaname</span>
-     &#8212; translate IP addresses to the corresponding ARPA names
-  </p>
+<p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">arpaname</code> 
-       {<em class="replaceable"><code>ipaddress </code></em>...}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>arpaname</strong></span> translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>SEE ALSO</h2>
-
-    <p>
+<p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/dnstap-read.1 b/bind/bind9/bin/tools/dnstap-read.1
index 06ff6009..b820a0c2 100644
--- a/bind/bind9/bin/tools/dnstap-read.1
+++ b/bind/bind9/bin/tools/dnstap-read.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2015, 2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2015, 2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnstap-read
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2015-09-13
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -82,5 +82,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2015, 2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2015, 2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/dnstap-read.c b/bind/bind9/bin/tools/dnstap-read.c
index 70ae7ebe..cf0c884c 100644
--- a/bind/bind9/bin/tools/dnstap-read.c
+++ b/bind/bind9/bin/tools/dnstap-read.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -362,7 +362,7 @@ main(int argc, char *argv[]) {
 	if (handle != NULL)
 		dns_dt_close(&handle);
 	if (message != NULL)
-		dns_message_destroy(&message);
+		dns_message_detach(&message);
 	if (b != NULL)
 		isc_buffer_free(&b);
 	isc_mem_destroy(&mctx);
diff --git a/bind/bind9/bin/tools/dnstap-read.docbook b/bind/bind9/bin/tools/dnstap-read.docbook
index a70811dd..90f79ff5 100644
--- a/bind/bind9/bin/tools/dnstap-read.docbook
+++ b/bind/bind9/bin/tools/dnstap-read.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnstap-read">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnstap-read">
   <info>
     <date>2015-09-13</date>
   </info>
@@ -37,6 +37,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/tools/dnstap-read.html b/bind/bind9/bin/tools/dnstap-read.html
index 9a63ed55..172ef3b6 100644
--- a/bind/bind9/bin/tools/dnstap-read.html
+++ b/bind/bind9/bin/tools/dnstap-read.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2015, 2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2015, 2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,40 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnstap-read</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.dnstap-read"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnstap-read</span>
-     &#8212; print dnstap data in human-readable form
-  </p>
+<p><span class="application">dnstap-read</span> &#8212; print dnstap data in human-readable form</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnstap-read</code> 
-       [<code class="option">-m</code>]
-       [<code class="option">-p</code>]
-       [<code class="option">-y</code>]
-       {<em class="replaceable"><code>file</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">dnstap-read</code>  [<code class="option">-m</code>] [<code class="option">-p</code>] [<code class="option">-y</code>] {<em class="replaceable"><code>file</code></em>}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>dnstap-read</strong></span>
       reads <span class="command"><strong>dnstap</strong></span> data from a specified file
       and prints it in a human-readable format.  By default,
@@ -51,50 +32,34 @@
       format, but if the <code class="option">-y</code> option is specified,
       then a longer and more detailed YAML format is used instead.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-m</span></dt>
-<dd>
-          <p>
+<dd><p>
             Trace memory allocations; used for debugging memory leaks.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p</span></dt>
-<dd>
-          <p>
+<dd><p>
             After printing the <span class="command"><strong>dnstap</strong></span> data, print
             the text form of the DNS message that was encapsulated in the
             <span class="command"><strong>dnstap</strong></span> frame.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-y</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print <span class="command"><strong>dnstap</strong></span> data in a detailed YAML
             format.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc</span>(8)
-      </span>,
+<p>
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/genrandom.8 b/bind/bind9/bin/tools/genrandom.8
index ef7d5c41..c622f026 100644
--- a/bind/bind9/bin/tools/genrandom.8
+++ b/bind/bind9/bin/tools/genrandom.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009-2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: genrandom
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2011-08-08
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -73,5 +73,5 @@ The file name into which random data should be written\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009-2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009-2011, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/genrandom.c b/bind/bind9/bin/tools/genrandom.c
index cedd13df..4684d5f7 100644
--- a/bind/bind9/bin/tools/genrandom.c
+++ b/bind/bind9/bin/tools/genrandom.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tools/genrandom.docbook b/bind/bind9/bin/tools/genrandom.docbook
index 7ad86233..94d9dcf2 100644
--- a/bind/bind9/bin/tools/genrandom.docbook
+++ b/bind/bind9/bin/tools/genrandom.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.genrandom">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.genrandom">
   <info>
     <date>2011-08-08</date>
   </info>
@@ -41,6 +41,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/tools/genrandom.html b/bind/bind9/bin/tools/genrandom.html
index 94e9f953..f5b6d748 100644
--- a/bind/bind9/bin/tools/genrandom.html
+++ b/bind/bind9/bin/tools/genrandom.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009-2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,84 +10,51 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>genrandom</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.genrandom"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">genrandom</span>
-     &#8212; generate a file containing random data
-  </p>
+<p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">genrandom</code> 
-       [<code class="option">-n <em class="replaceable"><code>number</code></em></code>]
-       {<em class="replaceable"><code>size</code></em>}
-       {<em class="replaceable"><code>filename</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">genrandom</code>  [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>genrandom</strong></span>
       generates a file or a set of files containing a specified quantity
       of pseudo-random data, which can be used as a source of entropy for
       other commands on systems with no random device.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             In place of generating one file, generates <code class="option">number</code>
             (from 2 to 9) files, appending <code class="option">number</code> to the name.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">size</span></dt>
-<dd>
-          <p>
+<dd><p>
             The size of the file, in kilobytes, to generate.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">filename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The file name into which random data should be written.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">rand</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">arc4random</span>(3)
-      </span>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/isc-hmac-fixup.8 b/bind/bind9/bin/tools/isc-hmac-fixup.8
index 38de91e4..ebccb411 100644
--- a/bind/bind9/bin/tools/isc-hmac-fixup.8
+++ b/bind/bind9/bin/tools/isc-hmac-fixup.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2010, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: isc-hmac-fixup
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2013-04-28
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -65,5 +65,5 @@ RFC 2104\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2010, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/isc-hmac-fixup.c b/bind/bind9/bin/tools/isc-hmac-fixup.c
index 27e9fbb7..fab5d5a5 100644
--- a/bind/bind9/bin/tools/isc-hmac-fixup.c
+++ b/bind/bind9/bin/tools/isc-hmac-fixup.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: isc-hmac-fixup.c,v 1.4 2010/03/10 02:17:52 marka Exp $ */
-
 #include <config.h>
 
 #include <isc/base64.h>
diff --git a/bind/bind9/bin/tools/isc-hmac-fixup.docbook b/bind/bind9/bin/tools/isc-hmac-fixup.docbook
index cb103ed2..6827ff8f 100644
--- a/bind/bind9/bin/tools/isc-hmac-fixup.docbook
+++ b/bind/bind9/bin/tools/isc-hmac-fixup.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
   <info>
     <date>2013-04-28</date>
   </info>
@@ -41,6 +41,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/tools/isc-hmac-fixup.html b/bind/bind9/bin/tools/isc-hmac-fixup.html
index f821ef9f..ec5aee6f 100644
--- a/bind/bind9/bin/tools/isc-hmac-fixup.html
+++ b/bind/bind9/bin/tools/isc-hmac-fixup.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2010, 2013-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,38 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>isc-hmac-fixup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">isc-hmac-fixup</span>
-     &#8212; fixes HMAC keys generated by older versions of BIND
-  </p>
+<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">isc-hmac-fixup</code> 
-       {<em class="replaceable"><code>algorithm</code></em>}
-       {<em class="replaceable"><code>secret</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
       hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
@@ -49,13 +32,13 @@
       message authentication code that was incompatible with other DNS
       implementations.
     </p>
-    <p>
+<p>
       This bug was fixed in BIND 9.7.  However, the fix may
       cause incompatibility between older and newer versions of
       BIND, when using long keys.  <span class="command"><strong>isc-hmac-fixup</strong></span>
       modifies those keys to restore compatibility.
     </p>
-    <p>
+<p>
       To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
       specify the key's algorithm and secret on the command line.  If the
       secret is longer than the digest length of the algorithm (64 bytes
@@ -64,12 +47,10 @@
       secret.  (If the secret did not require conversion, then it will be
       printed without modification.)
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>SECURITY CONSIDERATIONS</h2>
-
-    <p>
+<p>
       Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
       are shortened, but as this is how the HMAC protocol works in
       operation anyway, it does not affect security.  RFC 2104 notes,
@@ -77,16 +58,13 @@
       extra length would not significantly increase the function
       strength."
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
+<p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2104</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/mdig.1 b/bind/bind9/bin/tools/mdig.1
index 8b8e1876..c688a4be 100644
--- a/bind/bind9/bin/tools/mdig.1
+++ b/bind/bind9/bin/tools/mdig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2015-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2015-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: mdig
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2015-01-05
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -152,6 +152,11 @@ Display [do not display] the authority section of a reply\&. The default is to d
 Attempt to display the contents of messages which are malformed\&. The default is to not display malformed answers\&.
 .RE
 .PP
+\fB+burst\fR
+.RS 4
+This option delays queries until the start of the next second\&.
+.RE
+.PP
 \fB+[no]cl\fR
 .RS 4
 Display [do not display] the CLASS when printing the record\&.
@@ -404,5 +409,5 @@ RFC1035\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2015-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2015-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/mdig.c b/bind/bind9/bin/tools/mdig.c
index bf6dbb6c..26fa609c 100644
--- a/bind/bind9/bin/tools/mdig.c
+++ b/bind/bind9/bin/tools/mdig.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -82,10 +82,15 @@
 #define UDPTIMEOUT 5
 #define MAXTRIES 0xffffffff
 
+#define NS_PER_US  1000	   /*%< Nanoseconds per microsecond. */
+#define US_PER_SEC 1000000 /*%< Microseconds per second. */
+#define US_PER_MS  1000	   /*%< Microseconds per millisecond. */
+
 static isc_mem_t *mctx;
 static dns_requestmgr_t *requestmgr;
 static const char *batchname;
 static FILE *batchfp;
+static bool burst = false;
 static bool have_ipv4 = false;
 static bool have_ipv6 = false;
 static bool have_src = false;
@@ -478,9 +483,9 @@ cleanup:
 	if (style != NULL)
 		dns_master_styledestroy(&style, mctx);
 	if (query != NULL)
-		dns_message_destroy(&query);
+		dns_message_detach(&query);
 	if (response != NULL)
-		dns_message_destroy(&response);
+		dns_message_detach(&response);
 	dns_request_destroy(&reqev->request);
 	isc_event_free(&event);
 
@@ -1151,16 +1156,29 @@ plus_option(char *option, struct query *query, bool global)
 			GLOBAL();
 			besteffort = state;
 			break;
-		case 'u':/* bufsize */
-			FULLCHECK("bufsize");
-			if (value == NULL)
-				goto need_value;
-			if (!state)
+		case 'u':
+			switch (cmd[2]) {
+			case 'f': /* bufsize */
+				FULLCHECK("bufsize");
+				if (value == NULL) {
+					goto need_value;
+				}
+				if (!state) {
+					goto invalid_option;
+				}
+				result = parse_uint(&num, value, COMMSIZE,
+						    "buffer size");
+				CHECK("parse_uint(buffer size)", result);
+				query->udpsize = num;
+				break;
+			case 'r': /* burst */
+				FULLCHECK("burst");
+				GLOBAL();
+				burst = state;
+				break;
+			default:
 				goto invalid_option;
-			result = parse_uint(&num, value, COMMSIZE,
-					    "buffer size");
-			CHECK("parse_uint(buffer size)", result);
-			query->udpsize = num;
+			}
 			break;
 		default:
 			goto invalid_option;
@@ -1930,6 +1948,21 @@ parse_args(bool is_batchfile, int argc, char **argv)
 	}
 }
 
+#ifdef WIN32
+static void
+usleep(unsigned int usec) {
+	HANDLE timer;
+	LARGE_INTEGER ft;
+
+	ft.QuadPart = -(10 * (__int64)usec);
+
+	timer = CreateWaitableTimer(NULL, TRUE, NULL);
+	SetWaitableTimer(timer, &ft, 0, NULL, NULL, 0);
+	WaitForSingleObject(timer, INFINITE);
+	CloseHandle(timer);
+}
+#endif
+
 /*% Main processing routine for mdig */
 int
 main(int argc, char *argv[]) {
@@ -2043,6 +2076,32 @@ main(int argc, char *argv[]) {
 	query = ISC_LIST_HEAD(queries);
 	RUNCHECK(isc_app_onrun(mctx, task, sendqueries, query));
 
+	/*
+	 * Stall to the start of a new second.
+	 */
+	if (burst) {
+		isc_time_t start, now;
+		RUNCHECK(isc_time_now(&start));
+		/*
+		 * Sleep to 1ms of the end of the second then run a busy loop
+		 * until the second changes.
+		 */
+		do {
+			RUNCHECK(isc_time_now(&now));
+			if (isc_time_seconds(&start) == isc_time_seconds(&now))
+			{
+				int us = US_PER_SEC -
+					 (isc_time_nanoseconds(&now) /
+					  NS_PER_US);
+				if (us > US_PER_MS) {
+					usleep(us - US_PER_MS);
+				}
+			} else {
+				break;
+			}
+		} while (1);
+	}
+
 	(void)isc_app_run();
 
 	query = ISC_LIST_HEAD(queries);
diff --git a/bind/bind9/bin/tools/mdig.docbook b/bind/bind9/bin/tools/mdig.docbook
index 90599564..b49798b7 100644
--- a/bind/bind9/bin/tools/mdig.docbook
+++ b/bind/bind9/bin/tools/mdig.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.mdig">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.mdig">
   <info>
     <date>2015-01-05</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -241,6 +242,15 @@
         </varlistentry>
 
         <varlistentry>
+          <term><option>+burst</option></term>
+          <listitem>
+            <para>
+              This option delays queries until the start of the next second.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
           <term><option>+[no]cl</option></term>
           <listitem>
             <para>
diff --git a/bind/bind9/bin/tools/mdig.html b/bind/bind9/bin/tools/mdig.html
index a3834bc8..d00115ea 100644
--- a/bind/bind9/bin/tools/mdig.html
+++ b/bind/bind9/bin/tools/mdig.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2015-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2015-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,73 +10,33 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>mdig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.mdig"></a><div class="titlepage"></div>
-  
-  
-  
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">mdig</span>
-     &#8212; DNS pipelined lookup utility
-  </p>
+<p><span class="application">mdig</span> &#8212; DNS pipelined lookup utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">mdig</code> 
-       {@server}
-       [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-v</code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-m</code>]
-       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-i</code>]
-       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
-       [plusopt...]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">mdig</code> 
-       {-h}
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">mdig</code> 
-       [@server]
-       {global-opt...}
-       {
+<div class="cmdsynopsis"><p><code class="command">mdig</code>  {@server} [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v</code>] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [<code class="option">-m</code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-i</code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [plusopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">mdig</code>  {-h}</p></div>
+<div class="cmdsynopsis"><p><code class="command">mdig</code>  [@server] {global-opt...} {
          {local-opt...}
           {query}
-      ...}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+      ...}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>mdig</strong></span>
+<p><span class="command"><strong>mdig</strong></span>
       is a multiple/pipelined query version of <span class="command"><strong>dig</strong></span>:
       instead of waiting for a response after sending each query,
       it begins by sending all queries. Responses are displayed in
       the order in which they are received, not in the order the
       corresponding queries were sent.
     </p>
-
-    <p>
+<p>
       <span class="command"><strong>mdig</strong></span> options are a subset of the
       <span class="command"><strong>dig</strong></span> options, and are divided into "anywhere
       options" which can occur anywhere, "global options" which must
@@ -84,8 +44,7 @@
       and "local options" which apply to the next query on the command
       line.
     </p>
-
-    <p>
+<p>
       The {@server} option is a mandatory global
       option.  It is the name or IP address of the name server to query.
       (Unlike <span class="command"><strong>dig</strong></span>, this value is not retrieved from
@@ -96,16 +55,14 @@
       <span class="command"><strong>mdig</strong></span> resolves that name before querying
       the name server.
     </p>
-
-    <p><span class="command"><strong>mdig</strong></span>
+<p><span class="command"><strong>mdig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
       these set or reset flag bits in the query header, some determine which
       sections of the answer get printed, and others determine the timeout
       and retry strategies.
     </p>
-
-    <p>
+<p>
       Each query option is identified by a keyword preceded by a plus
       sign (<code class="literal">+</code>).  Some keywords set or reset an
       option.  These may be preceded by the string <code class="literal">no</code>
@@ -113,13 +70,10 @@
       values to options like the timeout interval.  They have the
       form <code class="option">+keyword=value</code>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ANYWHERE OPTIONS</h2>
-
-
-    <p>
+<p>
       The <code class="option">-f</code> option makes <span class="command"><strong>mdig</strong></span>
       operate in batch mode by reading a list of lookup requests to
       process from the file <em class="parameter"><code>filename</code></em>.  The file
@@ -127,45 +81,36 @@
       file should be organized in the same way they would be presented
       as queries to <span class="command"><strong>mdig</strong></span> using the command-line interface.
     </p>
-
-    <p>
+<p>
       The <code class="option">-h</code> causes <span class="command"><strong>mdig</strong></span> to
       print the detailed help with the full list of options and exit.
     </p>
-
-    <p>
+<p>
       The <code class="option">-v</code> causes <span class="command"><strong>mdig</strong></span> to
       print the version number and exit.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>GLOBAL OPTIONS</h2>
-
-
-    <p>
+<p>
       The <code class="option">-4</code> option forces <span class="command"><strong>mdig</strong></span> to
       only use IPv4 query transport.
     </p>
-
-    <p>
+<p>
       The <code class="option">-6</code> option forces <span class="command"><strong>mdig</strong></span> to
       only use IPv6 query transport.
     </p>
-
-    <p>
+<p>
       The <code class="option">-b</code> option sets the source IP address of the
       query to <em class="parameter"><code>address</code></em>.  This must be a valid
       address on one of the host's network interfaces or "0.0.0.0" or
       "::".  An optional port may be specified by appending
       "#&lt;port&gt;"
     </p>
-
-    <p>
+<p>
       The <code class="option">-m</code> option enables memory usage debugging.
     </p>
-
-    <p>
+<p>
       The <code class="option">-p</code> option is used when a non-standard port
       number is to be queried.
       <em class="parameter"><code>port#</code></em> is the port number
@@ -174,69 +119,55 @@
       test a name server that has been configured to listen for
       queries on a non-standard port number.
     </p>
-
-    <p>
+<p>
       The global query options are:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the additional section of a
               reply.  The default is to display it.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set or clear all display flags.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the answer section of a
               reply.  The default is to display it.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the authority section of a
               reply.  The default is to display it.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Attempt to display the contents of messages which are
               malformed.  The default is to not display malformed
               answers.
-            </p>
-          </dd>
+            </p></dd>
+<dt><span class="term"><code class="option">+burst</code></span></dt>
+<dd><p>
+              This option delays queries until the start of the next second.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cl</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the CLASS when printing the
               record.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Toggle the display of comment lines in the output.
               The default is to print comments.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]continue</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Continue on errors (e.g. timeouts).
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Toggle the display of cryptographic fields in DNSSEC
               records.  The contents of these field are unnecessary
               to debug most DNSSEC validation failures and removing
@@ -245,53 +176,41 @@
               are replaced by the string "[omitted]" or in the
               DNSKEY case the key id is displayed as the replacement,
               e.g. "[ key id = value ]".
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+dscp[=value]</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set the DSCP code point to be used when sending the
               query.  Valid DSCP code points are in the range
               [0..63].  By default no code point is explicitly set.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Print records like the SOA records in a verbose
               multi-line format with human-readable comments.  The
               default is to print each record on a single line, to
               facilitate machine parsing of the <span class="command"><strong>mdig</strong></span>
               output.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Print [do not print] the question section of a query
               when an answer is returned.  The default is to print
               the question section as a comment.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Toggle the display of per-record comments in the
               output (for example, human-readable key information
               about DNSKEY records).  The default is not to print
               record comments unless multiline mode is active.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Provide a terse answer.  The default is to print the
               answer in a verbose form.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+split=W</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Split long hex- or base64-formatted fields in resource
               records into chunks of <em class="parameter"><code>W</code></em>
               characters (where <em class="parameter"><code>W</code></em> is rounded
@@ -300,69 +219,54 @@
               <em class="parameter"><code>+split=0</code></em> causes fields not to
               be split at all.  The default is 56 characters, or
               44 characters when multiline mode is active.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Use [do not use] TCP when querying name servers. The
               default behavior is to use UDP.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the TTL when printing the
               record.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ttlunits</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the TTL in friendly human-readable
               time units of "s", "m", "h", "d", and "w", representing
               seconds, minutes, hours, days and weeks.  Implies +ttlid.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Use [do not use] TCP when querying name servers.  This
               alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
               is provided for backwards compatibility.  The "vc"
               stands for "virtual circuit".
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>LOCAL OPTIONS</h2>
-
-
-    <p>
+<p>
       The <code class="option">-c</code> option sets the query class to
       <em class="parameter"><code>class</code></em>.  It can be any valid query class
       which is supported in BIND 9.  The default query class is "IN".
     </p>
-
-    <p>
+<p>
       The <code class="option">-t</code> option sets the query type to
       <em class="parameter"><code>type</code></em>.  It can be any valid query type
       which is supported in BIND 9.  The default query type is "A",
       unless the <code class="option">-x</code> option is supplied to indicate
       a reverse lookup with the "PTR" query type.
     </p>
-
-    <p>
+<p>
       The <code class="option">-i</code> option sets the reverse domain for
       IPv6 addresses to IP6.INT.
     </p>
-
-    <p>
+<p>
       Reverse lookups &#8212; mapping addresses to names &#8212; are
       simplified by the <code class="option">-x</code> option.
       <em class="parameter"><code>addr</code></em> is an IPv4
@@ -374,26 +278,20 @@
       under the IP6.ARPA domain.  To use the older RFC1886 method
       using the IP6.INT domain specify the <code class="option">-i</code> option.
     </p>
-
-    <p>
+<p>
       The local query options are:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the "aa" flag in the query.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set [do not set] the AD (authentic data) bit in the
               query.  This requests the server to return whether
               all of the answer and authority sections have all
@@ -403,110 +301,87 @@
               from a OPT-OUT range.  AD=0 indicate that some part
               of the answer was insecure or not validated.  This
               bit is set by default.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set the UDP message buffer size advertised using EDNS0
               to <em class="parameter"><code>B</code></em> bytes.  The maximum and
               minimum sizes of this buffer are 65535 and 0 respectively.
               Values outside this range are rounded up or down
               appropriately.  Values other than zero will cause a
               EDNS query to be sent.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set [do not set] the CD (checking disabled) bit in
               the query.  This requests the server to not perform
               DNSSEC validation of responses.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Send a COOKIE EDNS option, with optional value.
 	      Replaying a COOKIE from a previous response will allow
 	      the server to identify a previous client.  The default
 	      is <code class="option">+nocookie</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Requests DNSSEC records be sent by setting the DNSSEC
               OK bit (DO) in the OPT record in the additional section
               of the query.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
-<dd>
-            <p>
+<dd><p>
                Specify the EDNS version to query with.  Valid values
                are 0 to 255.  Setting the EDNS version will cause
                a EDNS query to be sent.  <code class="option">+noedns</code>
                clears the remembered EDNS version.  EDNS is set to
                0 by default.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set the must-be-zero EDNS flags bits (Z bits) to the
               specified value. Decimal, hex and octal encodings are
               accepted. Setting a named flag (e.g. DO) will silently be
               ignored. By default, no Z bits are set.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Specify EDNS option with code point <code class="option">code</code>
               and optionally payload of <code class="option">value</code> as a
               hexadecimal string.  <code class="option">+noednsopt</code>
               clears the EDNS options to be sent.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]expire</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Send an EDNS Expire option.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Include an EDNS name server ID request when sending
               a query.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Toggle the setting of the RD (recursion desired) bit
               in the query.  This bit is set by default, which means
               <span class="command"><strong>mdig</strong></span> normally sends recursive
               queries.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the number of times to retry UDP queries to
               server to <em class="parameter"><code>T</code></em> instead of the
               default, 2.  Unlike <em class="parameter"><code>+tries</code></em>,
               this does not include the initial query.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Send (don't send) an EDNS Client Subnet option with the
               specified IP address or network prefix.
 	    </p>
-	    <p>
+<p>
               <span class="command"><strong>mdig +subnet=0.0.0.0/0</strong></span>, or simply
               <span class="command"><strong>mdig +subnet=0</strong></span> for short, sends an EDNS
               client-subnet option with an empty address and a source
@@ -515,63 +390,49 @@
               <span class="emphasis"><em>not</em></span> be used when resolving
               this query.
 	    </p>
-          </dd>
+</dd>
 <dt><span class="term"><code class="option">+timeout=T</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the timeout for a query to
               <em class="parameter"><code>T</code></em> seconds.  The default
               timeout is 5 seconds for UDP transport and 10 for TCP.
               An attempt to set <em class="parameter"><code>T</code></em> to less
               than 1 will result
               in a query timeout of 1 second being applied.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the number of times to try UDP queries to server
               to <em class="parameter"><code>T</code></em> instead of the default,
               3.  If <em class="parameter"><code>T</code></em> is less than or equal
               to zero, the number of tries is silently rounded up
               to 1.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+udptimeout=T</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the timeout between UDP query retries.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print all RDATA in unknown RR type presentation format
 	      (RFC 3597). The default is to print RDATA for known types
 	      in the type's presentation format.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set [do not set] the last unassigned DNS header flag in a
               DNS query.  This flag is off by default.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
       <em class="citetitle">RFC1035</em>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/named-journalprint.8 b/bind/bind9/bin/tools/named-journalprint.8
index a53132d1..81061ba9 100644
--- a/bind/bind9/bin/tools/named-journalprint.8
+++ b/bind/bind9/bin/tools/named-journalprint.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named-journalprint
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2009-12-04
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -64,5 +64,5 @@ BIND 9 Administrator Reference Manual\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/named-journalprint.c b/bind/bind9/bin/tools/named-journalprint.c
index 1bca1b2a..b19d3bbf 100644
--- a/bind/bind9/bin/tools/named-journalprint.c
+++ b/bind/bind9/bin/tools/named-journalprint.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tools/named-journalprint.docbook b/bind/bind9/bin/tools/named-journalprint.docbook
index 89c70b57..27257a05 100644
--- a/bind/bind9/bin/tools/named-journalprint.docbook
+++ b/bind/bind9/bin/tools/named-journalprint.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-journalprint">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-journalprint">
   <info>
     <date>2009-12-04</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/tools/named-journalprint.html b/bind/bind9/bin/tools/named-journalprint.html
index 843b6407..87721cab 100644
--- a/bind/bind9/bin/tools/named-journalprint.html
+++ b/bind/bind9/bin/tools/named-journalprint.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,42 +10,26 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-journalprint</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named-journalprint"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-journalprint</span>
-     &#8212; print zone journal in human-readable form
-  </p>
+<p><span class="application">named-journalprint</span> &#8212; print zone journal in human-readable form</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-journalprint</code> 
-       {<em class="replaceable"><code>journal</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">named-journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>named-journalprint</strong></span>
       prints the contents of a zone journal file in a human-readable
       form.
     </p>
-    <p>
+<p>
       Journal files are automatically created by <span class="command"><strong>named</strong></span>
       when changes are made to dynamic zones (e.g., by
       <span class="command"><strong>nsupdate</strong></span>).  They record each addition
@@ -56,28 +40,21 @@
       <code class="filename">.jnl</code> to the name of the corresponding
       zone file.
     </p>
-    <p>
+<p>
       <span class="command"><strong>named-journalprint</strong></span> converts the contents of a given
       journal file into a human-readable text format.  Each line begins
       with "add" or "del", to indicate whether the record was added or
       deleted, and continues with the resource record in master-file
       format.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">nsupdate</span>(1)
-      </span>,
+<p>
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/named-nzd2nzf.8 b/bind/bind9/bin/tools/named-nzd2nzf.8
index ae801720..99dc3d06 100644
--- a/bind/bind9/bin/tools/named-nzd2nzf.8
+++ b/bind/bind9/bin/tools/named-nzd2nzf.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named-nzd2nzf
 .\"    Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: May 5, 2016
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -63,5 +63,5 @@ BIND 9 Administrator Reference Manual
 Internet Systems Consortium
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/named-nzd2nzf.c b/bind/bind9/bin/tools/named-nzd2nzf.c
index d1b64277..7db9f18b 100644
--- a/bind/bind9/bin/tools/named-nzd2nzf.c
+++ b/bind/bind9/bin/tools/named-nzd2nzf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tools/named-nzd2nzf.docbook b/bind/bind9/bin/tools/named-nzd2nzf.docbook
index 6c60be8f..9c2b167a 100644
--- a/bind/bind9/bin/tools/named-nzd2nzf.docbook
+++ b/bind/bind9/bin/tools/named-nzd2nzf.docbook
@@ -6,13 +6,13 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
-<refentry id="man.named-nzd2nzf">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" id="man.named-nzd2nzf">
   <refentryinfo>
     <date>May 5, 2016</date>
   </refentryinfo>
@@ -36,6 +36,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/tools/named-nzd2nzf.html b/bind/bind9/bin/tools/named-nzd2nzf.html
index 132bd40e..f005b009 100644
--- a/bind/bind9/bin/tools/named-nzd2nzf.html
+++ b/bind/bind9/bin/tools/named-nzd2nzf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,38 +10,23 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-nzd2nzf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named-nzd2nzf"></a><div class="titlepage"></div>
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-nzd2nzf</span>
-     &#8212; 
+<p><span class="application">named-nzd2nzf</span> &#8212; 
       Convert an NZD database to NZF text format
-    
-  </p>
+    </p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-nzd2nzf</code> 
-       {filename}
-    </p></div>
-  </div>
-
-  <div class="refsect1">
+<div class="cmdsynopsis"><p><code class="command">named-nzd2nzf</code>  {filename}</p></div>
+</div>
+<div class="refsect1">
 <a name="id-1.6"></a><h2>DESCRIPTION</h2>
-    
-    <p>
+<p>
       <span class="command"><strong>named-nzd2nzf</strong></span> converts an NZD database to NZF
       format and prints it to standard output.  This can be used to
       review the configuration of zones that were added to
@@ -50,36 +35,27 @@
       when rolling back from a newer version
       of BIND to an older version.
     </p>
-  </div>
-
-  <div class="refsect1">
+</div>
+<div class="refsect1">
 <a name="id-1.7"></a><h2>ARGUMENTS</h2>
-    
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">filename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The name of the <code class="filename">.nzd</code> file whose contents
             should be printed.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsect1">
+</div>
+<div class="refsect1">
 <a name="id-1.8"></a><h2>SEE ALSO</h2>
-    
-    <p>
+<p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>
     </p>
-  </div>
-
-  <div class="refsect1">
+</div>
+<div class="refsect1">
 <a name="id-1.9"></a><h2>AUTHOR</h2>
-    
-    <p><span class="corpauthor">Internet Systems Consortium</span>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/named-rrchecker.1 b/bind/bind9/bin/tools/named-rrchecker.1
index 0054b171..d5970ee8 100644
--- a/bind/bind9/bin/tools/named-rrchecker.1
+++ b/bind/bind9/bin/tools/named-rrchecker.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named-rrchecker
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2013-11-12
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -77,5 +77,5 @@ RFC 1035,
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/named-rrchecker.c b/bind/bind9/bin/tools/named-rrchecker.c
index 5c1d36d6..31ff88fe 100644
--- a/bind/bind9/bin/tools/named-rrchecker.c
+++ b/bind/bind9/bin/tools/named-rrchecker.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -42,7 +42,7 @@ usage(void) {
 	fprintf(stderr, "usage: named-rrchecker [-o origin] [-hpCPTu]\n");
 	fprintf(stderr, "\t-h: print this help message\n");
 	fprintf(stderr, "\t-o origin: set origin to be used when "
-			"interpeting the record\n");
+			"interpreting the record\n");
 	fprintf(stderr, "\t-p: print the record in canonical format\n");
 	fprintf(stderr, "\t-C: list the supported class names\n");
 	fprintf(stderr, "\t-P: list the supported private type names\n");
diff --git a/bind/bind9/bin/tools/named-rrchecker.docbook b/bind/bind9/bin/tools/named-rrchecker.docbook
index 7293cf26..92e62aba 100644
--- a/bind/bind9/bin/tools/named-rrchecker.docbook
+++ b/bind/bind9/bin/tools/named-rrchecker.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-rrchecker">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-rrchecker">
   <info>
     <date>2013-11-12</date>
   </info>
@@ -37,6 +37,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/tools/named-rrchecker.html b/bind/bind9/bin/tools/named-rrchecker.html
index 64cb5f66..f7058ac3 100644
--- a/bind/bind9/bin/tools/named-rrchecker.html
+++ b/bind/bind9/bin/tools/named-rrchecker.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2013-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,78 +10,53 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-rrchecker</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named-rrchecker"></a><div class="titlepage"></div>
-  
-  
-  
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-rrchecker</span>
-     &#8212; syntax checker for individual DNS resource records
-  </p>
+<p><span class="application">named-rrchecker</span> &#8212; syntax checker for individual DNS resource records</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-rrchecker</code> 
-       [<code class="option">-h</code>]
-       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
-       [<code class="option">-p</code>]
-       [<code class="option">-u</code>]
-       [<code class="option">-C</code>]
-       [<code class="option">-T</code>]
-       [<code class="option">-P</code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">named-rrchecker</code>  [<code class="option">-h</code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-u</code>] [<code class="option">-C</code>] [<code class="option">-T</code>] [<code class="option">-P</code>]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named-rrchecker</strong></span>
+<p><span class="command"><strong>named-rrchecker</strong></span>
      read a individual DNS resource record from standard input and checks if it
      is syntactically correct.
     </p>
-    <p>
+<p>
       The <code class="option">-h</code> prints out the help menu.
     </p>
-    <p>
+<p>
       The <code class="option">-o <em class="replaceable"><code>origin</code></em></code>
       option specifies a origin to be used when interpreting the record.
     </p>
-    <p>
+<p>
       The <code class="option">-p</code> prints out the resulting record in canonical
       form.  If there is no canonical form defined then the record will be
       printed in unknown record format.
     </p>
-    <p>
+<p>
       The <code class="option">-u</code> prints out the resulting record in unknown record
       form.
     </p>
-    <p>
+<p>
       The <code class="option">-C</code>, <code class="option">-T</code> and <code class="option">-P</code>
       print out the known class, standard type and private type mnemonics
       respectively.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>SEE ALSO</h2>
-
-    <p>
+<p>
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/nsec3hash.8 b/bind/bind9/bin/tools/nsec3hash.8
index 767289d7..64ba1cd2 100644
--- a/bind/bind9/bin/tools/nsec3hash.8
+++ b/bind/bind9/bin/tools/nsec3hash.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: nsec3hash
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2009-03-02
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -74,5 +74,5 @@ RFC 5155\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/bin/tools/nsec3hash.c b/bind/bind9/bin/tools/nsec3hash.c
index 1e109214..527f181c 100644
--- a/bind/bind9/bin/tools/nsec3hash.c
+++ b/bind/bind9/bin/tools/nsec3hash.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/tools/nsec3hash.docbook b/bind/bind9/bin/tools/nsec3hash.docbook
index 08e6cbc5..81c1bb99 100644
--- a/bind/bind9/bin/tools/nsec3hash.docbook
+++ b/bind/bind9/bin/tools/nsec3hash.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsec3hash">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsec3hash">
   <info>
     <date>2009-03-02</date>
   </info>
@@ -39,6 +39,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/bin/tools/nsec3hash.html b/bind/bind9/bin/tools/nsec3hash.html
index 4e3a5963..7780be19 100644
--- a/bind/bind9/bin/tools/nsec3hash.html
+++ b/bind/bind9/bin/tools/nsec3hash.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,88 +10,56 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nsec3hash</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.nsec3hash"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">nsec3hash</span>
-     &#8212; generate NSEC3 hash
-  </p>
+<p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">nsec3hash</code> 
-       {<em class="replaceable"><code>salt</code></em>}
-       {<em class="replaceable"><code>algorithm</code></em>}
-       {<em class="replaceable"><code>iterations</code></em>}
-       {<em class="replaceable"><code>domain</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       <span class="command"><strong>nsec3hash</strong></span> generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
       of NSEC3 records in a signed zone.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">salt</span></dt>
-<dd>
-          <p>
+<dd><p>
             The salt provided to the hash algorithm.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">algorithm</span></dt>
-<dd>
-          <p>
+<dd><p>
             A number indicating the hash algorithm.  Currently the
             only supported hash algorithm for NSEC3 is SHA-1, which is
             indicated by the number 1; consequently "1" is the only
             useful value for this argument.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">iterations</span></dt>
-<dd>
-          <p>
+<dd><p>
             The number of additional times the hash should be performed.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">domain</span></dt>
-<dd>
-          <p>
+<dd><p>
             The domain name to be hashed.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
+<p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5155</em>.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/bin/tools/win32/arpaname.vcxproj.in b/bind/bind9/bin/tools/win32/arpaname.vcxproj.in
index 38af238f..eebbad32 100644
--- a/bind/bind9/bin/tools/win32/arpaname.vcxproj.in
+++ b/bind/bind9/bin/tools/win32/arpaname.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tools/win32/genrandom.vcxproj.in b/bind/bind9/bin/tools/win32/genrandom.vcxproj.in
index dd93728c..a4b3909a 100644
--- a/bind/bind9/bin/tools/win32/genrandom.vcxproj.in
+++ b/bind/bind9/bin/tools/win32/genrandom.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tools/win32/ischmacfixup.vcxproj.in b/bind/bind9/bin/tools/win32/ischmacfixup.vcxproj.in
index 5e4e61b6..7b105baa 100644
--- a/bind/bind9/bin/tools/win32/ischmacfixup.vcxproj.in
+++ b/bind/bind9/bin/tools/win32/ischmacfixup.vcxproj.in
@@ -44,19 +44,21 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>isc-hmac-fixup</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
-    <TargetName>isc-hmac-fixup</TargetName>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +80,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tools/win32/journalprint.vcxproj.in b/bind/bind9/bin/tools/win32/journalprint.vcxproj.in
index 1de3a827..b6b88b4a 100644
--- a/bind/bind9/bin/tools/win32/journalprint.vcxproj.in
+++ b/bind/bind9/bin/tools/win32/journalprint.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tools/win32/mdig.vcxproj.in b/bind/bind9/bin/tools/win32/mdig.vcxproj.in
index 60add35f..67cfb308 100644
--- a/bind/bind9/bin/tools/win32/mdig.vcxproj.in
+++ b/bind/bind9/bin/tools/win32/mdig.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tools/win32/nsec3hash.vcxproj.in b/bind/bind9/bin/tools/win32/nsec3hash.vcxproj.in
index 763b356a..092e463f 100644
--- a/bind/bind9/bin/tools/win32/nsec3hash.vcxproj.in
+++ b/bind/bind9/bin/tools/win32/nsec3hash.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/tools/win32/rrchecker.vcxproj.in b/bind/bind9/bin/tools/win32/rrchecker.vcxproj.in
index 2060d01a..c7181904 100644
--- a/bind/bind9/bin/tools/win32/rrchecker.vcxproj.in
+++ b/bind/bind9/bin/tools/win32/rrchecker.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <TargetName>named-$(ProjectName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/bin/win32/BINDInstall/AccountInfo.cpp b/bind/bind9/bin/win32/BINDInstall/AccountInfo.cpp
index 99d9afa7..bbf01c0a 100644
--- a/bind/bind9/bin/win32/BINDInstall/AccountInfo.cpp
+++ b/bind/bind9/bin/win32/BINDInstall/AccountInfo.cpp
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/win32/BINDInstall/AccountInfo.h b/bind/bind9/bin/win32/BINDInstall/AccountInfo.h
index 1eb684d3..e9633e56 100644
--- a/bind/bind9/bin/win32/BINDInstall/AccountInfo.h
+++ b/bind/bind9/bin/win32/BINDInstall/AccountInfo.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/win32/BINDInstall/BINDInstall.cpp b/bind/bind9/bin/win32/BINDInstall/BINDInstall.cpp
index 5ee09817..2046546b 100644
--- a/bind/bind9/bin/win32/BINDInstall/BINDInstall.cpp
+++ b/bind/bind9/bin/win32/BINDInstall/BINDInstall.cpp
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/win32/BINDInstall/BINDInstall.h b/bind/bind9/bin/win32/BINDInstall/BINDInstall.h
index 1d12d5ed..86742f05 100644
--- a/bind/bind9/bin/win32/BINDInstall/BINDInstall.h
+++ b/bind/bind9/bin/win32/BINDInstall/BINDInstall.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/win32/BINDInstall/BINDInstall.rc b/bind/bind9/bin/win32/BINDInstall/BINDInstall.rc
index 96fe44fd..5c7dd80d 100644
--- a/bind/bind9/bin/win32/BINDInstall/BINDInstall.rc
+++ b/bind/bind9/bin/win32/BINDInstall/BINDInstall.rc
@@ -277,12 +277,12 @@ BEGIN
     IDS_BAD_PRIVILEGES      "This user cannot acquire the privileges necessary to install BIND.  Please ensure you are logged on as a member of the Administrators group."
     IDS_ERR_CREATE_DIR      "An error occurred while creating directory %s\n(%s)"
     IDS_VERSION             "Version %s"
-    IDS_ERR_CREATE_KEY      "An error occured while creating registry keys\n(%s)"
+    IDS_ERR_CREATE_KEY      "An error occurred while creating registry keys\n(%s)"
 END
 
 STRINGTABLE 
 BEGIN
-    IDS_ERR_SET_VALUE       "An error occured while setting registry key values\n(%s)"
+    IDS_ERR_SET_VALUE       "An error occurred while setting registry key values\n(%s)"
     IDS_NO_VERSION          "Version Unknown"
     IDS_EXISTING_NEWER      "%s\nThe existing version of this file is newer than the version being installed.\nDo you wish to overwrite the existing file?"
     IDS_FILE_BAD            "Could not retrieve version info for file %s.  Do you wish to continue?\n(Continuing may overwrite a newer version of the file) "
diff --git a/bind/bind9/bin/win32/BINDInstall/BINDInstall.vcxproj.in b/bind/bind9/bin/win32/BINDInstall/BINDInstall.vcxproj.in
index 7bc608fa..faf2c290 100644
--- a/bind/bind9/bin/win32/BINDInstall/BINDInstall.vcxproj.in
+++ b/bind/bind9/bin/win32/BINDInstall/BINDInstall.vcxproj.in
@@ -46,17 +46,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
       <PrecompiledHeader>Use</PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>..\..\..;..\include;..\..\..\include;..\..\named\win32\include;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -83,7 +86,8 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>Use</PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
diff --git a/bind/bind9/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bind/bind9/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 0d35977c..77ccb463 100644
--- a/bind/bind9/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bind/bind9/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -648,7 +648,7 @@ void CBINDInstallDlg::OnInstall() {
 	}
 	catch(DWORD dw)	{
 		CString msg;
-		msg.Format("A fatal error occured\n(%s)", GetErrMessage(dw));
+		msg.Format("A fatal error occurred\n(%s)", GetErrMessage(dw));
 		MessageBox(msg);
 		SetCurrent(IDS_CLEANUP);
 		FailedInstall();
diff --git a/bind/bind9/bin/win32/BINDInstall/BINDInstallDlg.h b/bind/bind9/bin/win32/BINDInstall/BINDInstallDlg.h
index cdc3a432..b67ea5d9 100644
--- a/bind/bind9/bin/win32/BINDInstall/BINDInstallDlg.h
+++ b/bind/bind9/bin/win32/BINDInstall/BINDInstallDlg.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/win32/BINDInstall/DirBrowse.cpp b/bind/bind9/bin/win32/BINDInstall/DirBrowse.cpp
index 9692b5b0..e165107f 100644
--- a/bind/bind9/bin/win32/BINDInstall/DirBrowse.cpp
+++ b/bind/bind9/bin/win32/BINDInstall/DirBrowse.cpp
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/bin/win32/BINDInstall/DirBrowse.h b/bind/bind9/bin/win32/BINDInstall/DirBrowse.h
index 080cacfa..e182edad 100644
--- a/bind/bind9/bin/win32/BINDInstall/DirBrowse.h
+++ b/bind/bind9/bin/win32/BINDInstall/DirBrowse.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/config.h.win32 b/bind/bind9/config.h.win32
index 66aaacdf..a317ec43 100644
--- a/bind/bind9/config.h.win32
+++ b/bind/bind9/config.h.win32
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/configure.ac b/bind/bind9/configure.ac
index 4ab10a05..030c4d79 100644
--- a/bind/bind9/configure.ac
+++ b/bind/bind9/configure.ac
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -60,6 +60,8 @@ AC_SUBST(BACKTRACECFLAGS)
 PKG_PROG_PKG_CONFIG
 
 # Warn if the user specified libbind, which is now deprecated
+#
+# [pairwise: skip]
 AC_ARG_ENABLE(libbind, AS_HELP_STRING([--enable-libbind], [deprecated]))
 
 case "$enable_libbind" in
@@ -71,6 +73,7 @@ It is available from http://www.isc.org as a separate download.])
 		;;
 esac
 
+# [pairwise: --enable-buffer-useinline, --disable-buffer-useinline]
 AC_ARG_ENABLE(buffer_useinline, AS_HELP_STRING([--enable-buffer-useinline],
 	      [define ISC_BUFFER_USEINLINE when compiling [[default=yes]]]),
 	      if test yes = "${enable}"
@@ -80,14 +83,17 @@ AC_ARG_ENABLE(buffer_useinline, AS_HELP_STRING([--enable-buffer-useinline],
 	      fi,
 	      AC_DEFINE([ISC_BUFFER_USEINLINE], [1]))
 
+# [pairwise: --enable-warn-shadow, --disable-warn-shadow]
 AC_ARG_ENABLE(warn_shadow,
 	      AS_HELP_STRING([--enable-warn-shadow],
 			     [turn on -Wshadow when compiling]))
 
+# [pairwise: --enable-warn-error, --disable-warn-error]
 AC_ARG_ENABLE(warn_error,
 	      AS_HELP_STRING([--enable-warn-error],
 			    [turn on -Werror when compiling]))
 
+# [pairwise: --enable-developer, --disable-developer]
 AC_ARG_ENABLE(developer,
 	      AS_HELP_STRING([--enable-developer],
 			     [enable developer build settings]))
@@ -109,7 +115,10 @@ yes)
 esac
 AC_SUBST(XTARGETS)
 
-# American Fuzzy Lop
+# American Fuzzy Lop is not included in pairwise testing as fuzzing
+# tools are not present in the relevant Docker image.
+#
+# [pairwise: skip]
 AC_ARG_ENABLE(afl,
 	      AS_HELP_STRING([--enable-afl],
 			     [enable American Fuzzy Lop test harness
@@ -123,8 +132,11 @@ yes)
 esac
 
 
-#libseccomp sandboxing
 AC_CHECK_FUNCS(getrandom)
+
+# libseccomp sandboxing
+#
+# [pairwise: --enable-seccomp, --disable-seccomp]
 AC_ARG_ENABLE(seccomp,
 	      AS_HELP_STRING([--enable-seccomp],
 			     [enable support for libseccomp system call
@@ -260,14 +272,17 @@ except: exit(1)'
 testsetup='try: from distutils.core import setup
 except: exit(1)'
 
-default_with_python="python python3 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
+default_with_python="python python3 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
 
 AC_ARG_VAR([PYTHON], [path to python executable])
 
+# [pairwise: --with-python, --without-python]
 AC_ARG_WITH([python],
 	    AS_HELP_STRING([--with-python=PATH],
 			   [specify path to Python interpreter]),
 	    [], [with_python=$default_with_python])
+
+# [pairwise: skip]
 AC_ARG_WITH([python-install-dir],
 	    AS_HELP_STRING([--with-python-install-dir=PATH],
 			   [installation directory for Python modules]),
@@ -609,6 +624,7 @@ AC_SUBST(ISC_PLATFORM_HAVELIFCONF)
 #
 # check if we have kqueue
 #
+# [pairwise: --enable-kqueue, --disable-kqueue]
 AC_ARG_ENABLE(kqueue,
 	      AS_HELP_STRING([--enable-kqueue],
 			     [use BSD kqueue when available [default=yes]]),
@@ -635,6 +651,7 @@ AC_SUBST(ISC_PLATFORM_HAVEKQUEUE)
 # check if we have epoll.  Linux kernel 2.4 has epoll_create() which fails,
 # so we need to try running the code, not just test its existence.
 #
+# [pairwise: --enable-epoll, --disable-epoll]
 AC_ARG_ENABLE(epoll,
 	      AS_HELP_STRING([--enable-epoll],
 			     [use Linux epoll when available [default=auto]]),
@@ -669,6 +686,7 @@ AC_SUBST(ISC_PLATFORM_HAVEEPOLL)
 #
 # check if we support /dev/poll
 #
+# [pairwise: --enable-devpoll, --disable-devpoll]
 AC_ARG_ENABLE(devpoll,
 	      AS_HELP_STRING([--enable-devpoll],
 			     [use /dev/poll when available [default=yes]]),
@@ -736,6 +754,8 @@ AC_C_BIGENDIAN
 # GeoIP support?
 #
 geoip2_default="no"
+
+# [pairwise: --with-geoip --without-geoip2, --without-geoip --with-geoip2=auto, --without-geoip --with-geoip2=yes, --without-geoip --without-geoip2]
 AC_ARG_WITH(geoip,
 	    AS_HELP_STRING([--with-geoip=PATH],
 			   [Build with legacy GeoIP support (yes|no|path)]),
@@ -744,6 +764,8 @@ AC_ARG_WITH(geoip,
                             geoip2_default="no"
                            ],
                            [use_geoip="no"])
+
+# [pairwise: skip]
 AC_ARG_WITH([geoip2],
 	    [AS_HELP_STRING([--with-geoip2=PATH],
 			    [Build with MaxMind GeoIP2 support (auto|yes|no|path) [default=no]])],
@@ -779,7 +801,7 @@ AS_CASE([$with_geoip2],
 			   [AC_DEFINE([HAVE_GEOIP2], [1], [Build with GeoIP2 support])
 			    GEOIP2LINKSRCS='${GEOIP2LINKSRCS}'
 			    GEOIP2LINKOBJS='${GEOIP2LINKOBJS}'
-			    MAXMINDDB_LIBS="$MAXMINDDB_LIBS $ac_cv_search_mmdb_open"
+			    MAXMINDDB_LIBS="$MAXMINDDB_LIBS $ac_cv_search_MMDB_open"
 			    AC_MSG_NOTICE([GeoIP2 default database path set to $with_geoip2/share/GeoIP])
 			    AS_VAR_COPY([MAXMINDDB_PREFIX], [$with_geoip2])
 			   ],
@@ -880,6 +902,8 @@ AC_SUBST(GEOIPLINKSRCS)
 AC_SUBST(GEOIPLINKOBJS)
 
 AC_MSG_CHECKING(for GSSAPI library)
+
+# [pairwise: --with-gssapi=yes, --with-gssapi=auto, --without-gssapi]
 AC_ARG_WITH(gssapi,
 	    AS_HELP_STRING([--with-gssapi=[PATH|[/path/]krb5-config]],
 			   [Specify path for system-supplied GSSAPI
@@ -899,8 +923,10 @@ case "$use_gssapi" in
     fi
     gssapi_cflags=`$KRB5_CONFIG --cflags gssapi`
     gssapi_libs=`$KRB5_CONFIG --libs gssapi`
+    krb5_cflags=`$KRB5_CONFIG --cflags krb5`
+    krb5_libs=`$KRB5_CONFIG --libs krb5`
     saved_cppflags="$CPPFLAGS"
-    CPPFLAGS="$gssapi_cflags $CPPFLAGS"
+    CPPFLAGS="$gssapi_cflags $krb5_cflags $CPPFLAGS"
     AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
 	[ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
     if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
@@ -917,7 +943,7 @@ case "$use_gssapi" in
 	else
 	    CPPFLAGS="$saved_cppflags"
 	    saved_libs="$LIBS"
-	    LIBS=$gssapi_libs
+	    LIBS="$gssapi_libs $krb5_libs $LIBS"
 	    AC_MSG_CHECKING([krb5-config linking as $LIBS])
 	    AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
 		gssapi_linked=yes, gssapi_linked=no)
@@ -993,8 +1019,8 @@ case "$use_gssapi" in
 		;;
 	*/krb5-config|krb5-config)
 		USE_GSSAPI='-DGSSAPI'
-		DST_GSSAPI_INC="$gssapi_cflags"
-		DNS_GSSAPI_LIBS="$gssapi_libs"
+		DST_GSSAPI_INC="$gssapi_cflags $krb5_cflags"
+		DNS_GSSAPI_LIBS="$gssapi_libs $krb5_libs"
 		;;
 	framework)
 		USE_GSSAPI='-DGSSAPI'
@@ -1163,6 +1189,8 @@ AC_SUBST(DNS_CRYPTO_LIBS)
 # was --with-randomdev specified?
 #
 AC_MSG_CHECKING(for random device)
+
+# [pairwise: skip]
 AC_ARG_WITH(randomdev,
 	    AS_HELP_STRING([--with-randomdev=PATH],
 			   [Specify path for random device]),
@@ -1256,7 +1284,7 @@ then
 			CCNOOPT="$CCNOOPT -pthread"
 			;;
 		*-solaris*)
-			CC="$CC -mt"
+			CC="$CC"
 			CCOPT="$CCOPT -mt"
 			CCNOOPT="$CCNOOPT -mt"
 			;;
@@ -1298,6 +1326,7 @@ then
 	AC_CHECK_FUNC(pthread_attr_setstacksize,
 		      AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
 
+	# [pairwise: --with-locktype=adaptive, --with-locktype=standard]
 	AC_ARG_WITH(locktype,
 		    AS_HELP_STRING([--with-locktype=ARG],
 				   [Specify mutex lock type
@@ -1415,6 +1444,8 @@ ISC_THREAD_DIR=$thread_dir
 AC_SUBST(ISC_THREAD_DIR)
 
 AC_MSG_CHECKING(for libtool)
+
+# [pairwise: --with-libtool, --without-libtool]
 AC_ARG_WITH(libtool, AS_HELP_STRING([--with-libtool], [use GNU libtool]),
 	    use_libtool="$withval", use_libtool="no")
 
@@ -1460,6 +1491,7 @@ AC_SUBST(INSTALL_LIBRARY)
 # was --enable-native-pkcs11 specified?
 #  (note it implies both --without-openssl and --with-pkcs11)
 #
+# [pairwise: --enable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --without-dlopen]
 AC_ARG_ENABLE(native-pkcs11,
 	      AS_HELP_STRING([--enable-native-pkcs11],
 			     [use native PKCS11 for all crypto [default=no]]),
@@ -1468,6 +1500,7 @@ AC_ARG_ENABLE(native-pkcs11,
 #
 # was --with-openssl specified?
 #
+# [pairwise: --with-openssl --enable-openssl-hash, --with-openssl --disable-openssl-hash, --without-openssl]
 AC_ARG_WITH(openssl,
 	    AS_HELP_STRING([--with-openssl[=PATH]],
 			   [Build with OpenSSL [yes|no|path].
@@ -1477,6 +1510,7 @@ AC_ARG_WITH(openssl,
 #
 # was --with-pkcs11 specified?
 #
+# [pairwise: skip]
 AC_ARG_WITH(pkcs11,
 	    AS_HELP_STRING([--with-pkcs11[=PATH]],
 			   [Build with PKCS11 support [yes|no|path]
@@ -1486,19 +1520,34 @@ AC_ARG_WITH(pkcs11,
 #
 # were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
 #
+
+# [pairwise: --with-ecdsa, --without-ecdsa]
 AC_ARG_WITH(ecdsa, AS_HELP_STRING([--with-ecdsa], [Crypto ECDSA]),
 	    with_ecdsa="$withval", with_ecdsa="auto")
+
+# GOST is not included in pairwise testing as it is not supported by the
+# OpenSSL version present in the relevant Docker image.
+#
+# [pairwise: skip]
 AC_ARG_WITH(gost,
 	    AS_HELP_STRING([--with-gost], [Crypto GOST [yes|no|raw|asn1].]),
 	    with_gost="$withval", with_gost="auto")
+
+# EdDSA is not included in pairwise testing as it is not supported by
+# the SoftHSM version present in the relevant Docker image.
+#
+# [pairwise: skip]
 AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]),
 	    with_eddsa="$withval", with_eddsa="auto")
+
+# [pairwise: --with-aes, --without-aes]
 AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]),
 	    with_aes="$withval", with_aes="yes")
 
 #
 # was --enable-openssl-hash specified?
 #
+# [pairwise: skip]
 AC_ARG_ENABLE(openssl-hash,
 	      AS_HELP_STRING([--enable-openssl-hash],
 			     [use OpenSSL for hash functions [default=no]]),
@@ -1510,6 +1559,7 @@ openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
 if test "yes" = "$want_native_pkcs11"
 then
 	use_openssl="native_pkcs11"
+	want_openssl_hash="no"
 	AC_MSG_RESULT(use of native PKCS11 instead)
 fi
 
@@ -1758,6 +1808,10 @@ int main() {
 	ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
 	if (ec256 == NULL || ec384 == NULL)
 		return (2);
+	if (ec256 != NULL)
+		EC_KEY_free(ec256);
+	if (ec384 != NULL)
+		EC_KEY_free(ec384);
 	return (0);
 }
 ],
@@ -1870,8 +1924,10 @@ int main() {
 	EVP_PKEY_CTX *ctx;
 
 	ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
-	if (ctx == NULL)
+	if (ctx == NULL) {
 		return (2);
+	}
+	EVP_PKEY_CTX_free(ctx);
 	return (0);
 }
 ],
@@ -1911,8 +1967,10 @@ int main() {
 	EVP_PKEY_CTX *ctx;
 
 	ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
-	if (ctx == NULL)
+	if (ctx == NULL) {
 		return (2);
+	}
+	EVP_PKEY_CTX_free(ctx);
 	return (0);
 }
 ],
@@ -2033,6 +2091,7 @@ AC_SUBST(ISC_PLATFORM_WANTAES)
 #
 # Choose Client Cookie algorithm
 #
+# [pairwise: skip]
 AC_ARG_WITH([cc-alg],
 	    [AS_HELP_STRING([--with-cc-alg=ALG], [deprecated])],
 	    [:], [with_cc_alg="siphash24"])
@@ -2326,6 +2385,8 @@ fi
 # was --with-lmdb specified?
 #
 AC_MSG_CHECKING(for lmdb library)
+
+# [pairwise: --with-lmdb=auto, --with-lmdb=yes, --without-lmdb]
 AC_ARG_WITH(lmdb,
 	    AS_HELP_STRING([--with-lmdb[=PATH]],
 			   [build with LMDB library [yes|no|path]]),
@@ -2393,63 +2454,46 @@ AC_SUBST(NZDTARGETS)
 #
 # was --with-libxml2 specified?
 #
-AC_MSG_CHECKING(for libxml2 library)
-AC_ARG_WITH(libxml2,
-	    AS_HELP_STRING([--with-libxml2[=PATH]],
-			   [build with libxml2 library [yes|no|path]]),
-	    use_libxml2="$withval", use_libxml2="auto")
-
-case "$use_libxml2" in
-	no)
-		DST_LIBXML2_INC=""
-		;;
-	auto|yes)
-		case X`(xml2-config --version) 2>/dev/null` in
-		X2.[[6789]].*)
-			libxml2_libs=`xml2-config --libs`
-			libxml2_cflags=`xml2-config --cflags`
-			;;
-		*)
-			if test "yes" = "$use_libxml2" ; then
-				AC_MSG_RESULT(no)
-				AC_MSG_ERROR(required libxml2 version not available)
-			else
-				libxml2_libs=
-				libxml2_cflags=
-			fi
-			;;
-		esac
-		;;
-	*)
-		if test -f "$use_libxml2/bin/xml2-config" ; then
-			libxml2_libs=`$use_libxml2/bin/xml2-config --libs`
-			libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags`
-		fi
-		;;
-esac
+# [pairwise: --with-libxml2=auto, --with-libxml2=yes, --without-libxml2]
+AC_ARG_WITH([libxml2],
+	    [AS_HELP_STRING([--with-libxml2[=PATH]],
+			   [build with libxml2 library (auto|yes|no|path) [default=auto]])],
+	    [:], [with_libxml2="auto"])
 
-if test "X$libxml2_libs" != "X"
-then
-	CFLAGS="$CFLAGS $libxml2_cflags"
-	LIBS="$LIBS $libxml2_libs"
-	#
-	# Sanity check xml2-config output.
-	#
-	AC_TRY_LINK([#include <libxml/xmlwriter.h>],
-		    [return(xmlTextWriterStartElement(NULL, NULL));],
-		    AC_MSG_RESULT(yes),
-		    AC_MSG_ERROR(xml2-config returns badness))
-	AC_DEFINE(HAVE_LIBXML2, 1, [Define if libxml2 was found])
-	XMLSTATS=1
-else
-	AC_MSG_RESULT(no)
-fi
-AC_SUBST(XMLSTATS)
+LIBXML2_CFLAGS=
+LIBXML2_LIBS=
+AS_CASE([$with_libxml2],
+	[no],[:],
+	[auto],[PKG_CHECK_MODULES([LIBXML2], [libxml-2.0 >= 2.6.0], [:], [:])],
+	[yes],[PKG_CHECK_MODULES([LIBXML2], [libxml-2.0 >= 2.6.0])],
+	[AC_MSG_CHECKING([for libxml2 library in $with_libxml2])
+	 AS_IF([test -x "$with_libxml2/bin/xml2-config"],
+	       [AC_MSG_RESULT([yes])
+		LIBXML2_LIBS=`$with_libxml2/bin/xml2-config --libs`
+		LIBXML2_CFLAGS=`$with_libxml2/bin/xml2-config --cflags`],
+	       [AC_MSG_ERROR([not found])])])
+
+AS_IF([test -n "$LIBXML2_LIBS"],
+      [AC_MSG_CHECKING([whether linking with libxml2 works])
+       CFLAGS="$CFLAGS $LIBXML2_CFLAGS"
+       LIBS="$LIBS $LIBXML2_LIBS"
+       #
+       # Sanity check xml2-config output.
+       #
+       AC_TRY_LINK([#include <libxml/xmlwriter.h>],
+		   [return(xmlTextWriterStartElement(NULL, NULL));],
+		   [AC_MSG_RESULT([yes])],
+		   [AC_MSG_ERROR([no])])
+       AC_DEFINE([HAVE_LIBXML2], [1], [Define if libxml2 was found])
+       XMLSTATS=1])
+AC_SUBST([XMLSTATS])
 
 #
 # was --with-libjson specified?
 #
 AC_MSG_CHECKING(for json library)
+
+# [pairwise: --with-libjson=auto, --with-libjson=yes, --without-libjson]
 AC_ARG_WITH(libjson,
 	    AS_HELP_STRING([--with-libjson[=PATH]],
 			   [build with libjson0 library [yes|no|path]]),
@@ -2531,6 +2575,8 @@ AC_SUBST(JSONSTATS)
 # was --with-zlib specified?
 #
 AC_MSG_CHECKING(for zlib library)
+
+# [pairwise: --with-zlib=auto, --with-zlib=yes, --without-zlib]
 AC_ARG_WITH(zlib,
 	    AS_HELP_STRING([--with-zlib[=PATH]],
 			   [build with zlib for HTTP compression
@@ -2621,6 +2667,7 @@ fi
 #
 # Large File
 #
+# [pairwise: --enable-largefile, --disable-largefile]
 AC_ARG_ENABLE(largefile,
 	      AS_HELP_STRING([--enable-largefile], [64-bit file support]),
 	      want_largefile="yes", want_largefile="no")
@@ -2773,6 +2820,11 @@ esac
 # Purify support
 #
 AC_MSG_CHECKING(whether to use purify)
+
+# Purify is not included in pairwise testing as that tool is not present
+# in the relevant Docker image.
+#
+# [pairwise: skip]
 AC_ARG_WITH(purify,
 	    AS_HELP_STRING([--with-purify[=PATH]], [use Rational purify]),
 	    use_purify="$withval", use_purify="no")
@@ -2815,6 +2867,12 @@ AC_SUBST(PURIFY)
 # Google/Great Performance Tools CPU Profiler
 #
 AC_MSG_CHECKING(whether to use gperftools profiler)
+
+# Google/Great Performance Tools CPU Profiler is not included in
+# pairwise testing as that tool is not present in the relevant Docker
+# image.
+#
+# [pairwise: skip]
 AC_ARG_WITH(gperftools-profiler,
 	    AS_HELP_STRING([--with-gperftools-profiler],
 			   [use gperftools CPU profiler]),
@@ -2836,6 +2894,7 @@ esac
 # enable/disable dumping stack backtrace.  Also check if the system supports
 # glibc-compatible backtrace() function.
 #
+# [pairwise: --enable-backtrace, --disable-backtrace]
 AC_ARG_ENABLE(backtrace,
 	      AS_HELP_STRING([--enable-backtrace],
 			     [log stack backtrace on abort [default=yes]]),
@@ -2845,7 +2904,10 @@ yes)
 	ISC_PLATFORM_USEBACKTRACE="#define ISC_PLATFORM_USEBACKTRACE 1"
 	AC_TRY_LINK([#include <execinfo.h>],
 	[return (backtrace((void **)0, 0));],
-	[AC_DEFINE([HAVE_LIBCTRACE], [], [if system have backtrace function])],)
+	[AC_DEFINE([HAVE_LIBCTRACE], [], [if system have backtrace function])],
+	[AC_TRY_LINK([#include <stddef.h>],
+		     [return _Unwind_Backtrace(NULL, NULL);],
+		     [AC_DEFINE([HAVE_UNWIND_BACKTRACE], [1], [define if the compiler supports _Unwind_Backtrace()])])])
 	;;
 *)
 	ISC_PLATFORM_USEBACKTRACE="#undef ISC_PLATFORM_USEBACKTRACE"
@@ -2853,6 +2915,7 @@ yes)
 esac
 AC_SUBST(ISC_PLATFORM_USEBACKTRACE)
 
+# [pairwise: --enable-symtable, --disable-symtable]
 AC_ARG_ENABLE(symtable,
 	      AS_HELP_STRING([--enable-symtable],
 			     [use internal symbol table for backtrace
@@ -2921,6 +2984,7 @@ AC_SUBST(BIND9_CO_RULE)
 #
 # IPv6
 #
+# [pairwise: --enable-ipv6, --disable-ipv6]
 AC_ARG_ENABLE(ipv6,
 	      AS_HELP_STRING([--enable-ipv6], [use IPv6 [default=autodetect]]))
 
@@ -2952,6 +3016,11 @@ AC_TRY_COMPILE([
 # This is done before other IPv6 linking tests to LIBS is properly set.
 #
 AC_MSG_CHECKING(for Kame IPv6 support)
+
+# Kame is not included in pairwise testing as it is not present in the
+# relevant Docker image.
+#
+# [pairwise: skip]
 AC_ARG_WITH(kame,
 	    AS_HELP_STRING([--with-kame[=PATH]],
 			   [use Kame IPv6 [default path /usr/local/v6]]),
@@ -3302,7 +3371,7 @@ AC_SUBST(ISC_PLATFORM_NEEDPORTT)
 # confusing results on some systems (e.g. FreeBSD; see set_tcp_fastopen()
 # comment in lib/isc/unix/socket.c).
 #
-
+# [pairwise: --enable-tcp-fastopen, --disable-tcp-fastopen]
 AC_ARG_ENABLE(tcp_fastopen,
 	      AS_HELP_STRING([--disable-tcp-fastopen],
 		     [disable TCP Fast Open support [default=autodetect]]))
@@ -3511,6 +3580,7 @@ AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
 AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
 AC_SUBST(ISC_IRS_GETNAMEINFOSOCKLEN)
 
+# [pairwise: --enable-getifaddrs, --disable-getifaddrs]
 AC_ARG_ENABLE(getifaddrs,
 	      AS_HELP_STRING([--enable-getifaddrs],
 			     [enable the use of getifaddrs() [yes|no].]),
@@ -3604,6 +3674,8 @@ AC_CHECK_FUNC(strcasestr,
 AC_SUBST(ISC_PLATFORM_NEEDSTRCASESTR)
 
 AC_SUBST(READLINE_LIB)
+
+# [pairwise: --with-readline=auto, --with-readline=yes, --without-readline]
 AC_ARG_WITH(readline,
 	    AS_HELP_STRING([--with-readline[=LIBSPEC]],
 			   [specify readline library [default auto]]),
@@ -3727,29 +3799,6 @@ AC_SUBST(ISC_EXTRA_OBJS)
 AC_SUBST(ISC_EXTRA_SRCS)
 
 AC_CHECK_FUNC(strerror, AC_DEFINE(HAVE_STRERROR))
-#
-# Use our own SPNEGO implementation?
-#
-AC_ARG_ENABLE(isc-spnego,
-	      AS_HELP_STRING([--disable-isc-spnego],
-			     [use SPNEGO from GSSAPI library]))
-
-if test -n "$USE_GSSAPI"
-then
-	case "$enable_isc_spnego" in
-		yes|'')
-			USE_ISC_SPNEGO='-DUSE_ISC_SPNEGO'
-			DST_EXTRA_OBJS="$DST_EXTRA_OBJS spnego.$O"
-			DST_EXTRA_SRCS="$DST_EXTRA_SRCS spnego.c"
-			AC_MSG_RESULT(using SPNEGO from lib/dns)
-			;;
-		no)
-			AC_MSG_RESULT(using SPNEGO from GSSAPI library)
-			;;
-	esac
-fi
-
-AC_SUBST(USE_ISC_SPNEGO)
 
 AC_SUBST(DST_EXTRA_OBJS)
 AC_SUBST(DST_EXTRA_SRCS)
@@ -3759,6 +3808,8 @@ AC_SUBST(DST_EXTRA_SRCS)
 #
 # Note it is very recommended to *not* disable chroot(),
 # this is only because chroot() was made obsolete by Posix.
+#
+# [pairwise: --enable-chroot, --disable-chroot]
 AC_ARG_ENABLE(chroot, AS_HELP_STRING([--disable-chroot], [disable chroot]))
 case "$enable_chroot" in
 	yes|'')
@@ -3767,6 +3818,8 @@ case "$enable_chroot" in
 	no)
 		;;
 esac
+
+# [pairwise: --enable-linux-caps, --disable-linux-caps]
 AC_ARG_ENABLE(linux-caps,
 	      AS_HELP_STRING([--disable-linux-caps],
 			     [disable linux capabilities]))
@@ -3871,6 +3924,8 @@ ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"],
 ],[AC_MSG_ERROR(this cannot happen)])
 ],[AC_MSG_ERROR(this cannot happen)])
 ],[
+
+# [pairwise: skip]
 AC_ARG_WITH(rlimtype, , rlimtype="$withval", rlimtype="long long int")
 ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE $rlimtype"
 AC_MSG_RESULT(cannot determine type of rlim_cur when cross compiling - assuming $rlimtype)])
@@ -4049,6 +4104,7 @@ AC_TRY_COMPILE([
 	 have_stdatomic=no
 	 ISC_PLATFORM_HAVESTDATOMIC="#undef ISC_PLATFORM_HAVESTDATOMIC"])
 
+# [pairwise: --enable-atomic, --disable-atomic]
 AC_ARG_ENABLE(atomic,
 	      AS_HELP_STRING([--enable-atomic],
 			     [enable machine specific atomic operations [default=autodetect]]),
@@ -4143,7 +4199,7 @@ if test "yes" = "$use_atomic"; then
 	alpha*-*)
 		arch=alpha
 	;;
-	powerpc-*|powerpc64-*)
+	powerpc-*|powerpc64*-*|powerpc64el-*)
 		arch=powerpc
 	;;
 	mips-*|mipsel-*|mips64-*|mips64el-*)
@@ -4370,6 +4426,7 @@ AC_SUBST(ISC_PLATFORM_BUSYWAITNOP)
 #
 # Activate "rrset-order fixed" or not?
 #
+# [pairwise: --enable-fixed-rrset, --disable-fixed-rrset]
 AC_ARG_ENABLE(fixed-rrset,
 	      AS_HELP_STRING([--enable-fixed-rrset],
 			     [enable fixed rrset ordering [default=no]]),
@@ -4388,6 +4445,7 @@ esac
 #
 # Enable response policy rewriting using NS IP addresses
 #
+# [pairwise: --enable-rpz-nsip, --disable-rpz-nsip]
 AC_ARG_ENABLE(rpz-nsip,
 	      AS_HELP_STRING([--disable-rpz-nsip],
 			     [disable rpz nsip rules [default=enabled]]),
@@ -4406,6 +4464,7 @@ esac
 #
 # Enable response policy rewriting using NS name
 #
+# [pairwise: --enable-rpz-nsdname, --disable-rpz-nsdname]
 AC_ARG_ENABLE(rpz-nsdname,
 	      AS_HELP_STRING([--disable-rpz-nsdname],
 			     [disable rpz nsdname rules [default=enabled]]),
@@ -4424,6 +4483,7 @@ esac
 #
 # Activate "filter-aaaa-on-v4/v6" or not?
 #
+# [pairwise: --enable-filter-aaaa, --disable-filter-aaaa]
 AC_ARG_ENABLE(filter-aaaa,
 	[  --enable-filter-aaaa    enable filtering of AAAA records [[default=no]]],
 			enable_filter="$enableval",
@@ -4442,6 +4502,7 @@ esac
 #
 # Activate dnstap?
 #
+# [pairwise: --enable-dnstap, --disable-dnstap]
 AC_ARG_ENABLE(dnstap,
 	      AS_HELP_STRING([--enable-dnstap],
 			     [enable dnstap support
@@ -4456,6 +4517,8 @@ if test "x$use_dnstap" != "xno"; then
 	if ! $use_threads; then
 		AC_MSG_ERROR([Dnstap requires threads.])
 	fi
+
+	# [pairwise: skip]
 	AC_ARG_WITH([protobuf-c],
 		    AS_HELP_STRING([--with-protobuf-c=path],
 				   [Path where protobuf-c is installed,
@@ -4489,6 +4552,8 @@ if test "x$use_dnstap" != "xno"; then
 	if test -z "$PROTOC_C"; then
 		AC_MSG_ERROR([The protoc-c program was not found.])
 	fi
+
+	# [pairwise: skip]
 	AC_ARG_WITH([libfstrm], AS_HELP_STRING([--with-libfstrm=path],
 		    [Path where libfstrm is installed, for dnstap]), [
 	    CFLAGS="$CFLAGS -I$withval/include"
@@ -4642,6 +4707,8 @@ AC_SUBST($1)
 # of at the moment).
 #
 AC_MSG_CHECKING(for Docbook-XSL path)
+
+# [pairwise: skip]
 AC_ARG_WITH(docbook-xsl,
 	    AS_HELP_STRING([--with-docbook-xsl[=PATH]],
 			   [specify path for Docbook-XSL stylesheets]),
@@ -4674,6 +4741,10 @@ NOM_PATH_FILE(XSLT_DOCBOOK_MAKETOC_XHTML, xhtml/maketoc.xsl, $docbook_xsl_trees)
 #
 # IDN support using idnkit
 #
+# idnkit is not included in pairwise testing as it is not present in the
+# relevant Docker image.
+#
+# [pairwise: skip]
 AC_ARG_WITH(idnkit,
 	    AS_HELP_STRING([--with-idnkit[=PATH]],
 			   [enable IDN support using idnkit [yes|no|path]]),
@@ -4695,6 +4766,8 @@ esac
 
 iconvinc=
 iconvlib=
+
+# [pairwise: --with-libiconv, --without-libiconv]
 AC_ARG_WITH(libiconv,
 	    AS_HELP_STRING([--with-libiconv[=IPREFIX]],
 			   [GNU libiconv are in IPREFIX [default PREFIX]]),
@@ -4715,6 +4788,7 @@ no)
 	;;
 esac
 
+# [pairwise: --with-iconv, --without-iconv]
 AC_ARG_WITH(iconv,
 	    AS_HELP_STRING([--with-iconv[=LIBSPEC]],
 			   [specify iconv library [default -liconv]]),
@@ -4728,6 +4802,7 @@ yes)
 	;;
 esac
 
+# [pairwise: skip]
 AC_ARG_WITH(idnlib,
 	    AS_HELP_STRING([--with-idnlib=ARG], [specify libidnkit]),
 	    idnlib="$withval", idnlib="no")
@@ -4754,6 +4829,8 @@ AC_SUBST(IDNKIT_LIBS)
 LIBIDN2_CFLAGS=
 LIBIDN2_LDFLAGS=
 LIBIDN2_LIBS=
+
+# [pairwise: --with-libidn2=yes, --without-libidn2]
 AC_ARG_WITH(libidn2,
 	AS_HELP_STRING([--with-libidn2[=PATH]], [enable IDN support using GNU libidn2 [yes|no|path]]),
 	use_libidn2="$withval", use_libidn2="no")
@@ -4807,7 +4884,7 @@ fi
 #
 # Check whether to build with cmocka unit testing framework
 #
-
+# [pairwise: --with-cmocka, --without-cmocka]
 AC_ARG_WITH([cmocka],
 	    [AS_HELP_STRING([--with-cmocka=no],[enable cmocka based tests (default is no)])],
 	    [:],[with_cmocka=no])
@@ -4817,7 +4894,6 @@ AS_CASE([$with_cmocka],
 	[yes],[
             PKG_CHECK_MODULES([CMOCKA], [cmocka >= 1.0.0],
 			      [AC_DEFINE([HAVE_CMOCKA], [1], [Use cmocka])])
-            UNITTESTS=tests
             ],
 	[*],[
 	    save_CFLAGS="$CFLAGS"
@@ -4836,14 +4912,12 @@ AS_CASE([$with_cmocka],
 			   [
 			       CMOCKA_CFLAGS="-Iwith_cmocka/include"
 			       CMOCKA_LIBS="-L$with_cmocka/lib -lcmocka"
-                               UNITTESTS=tests
 			       AC_DEFINE([HAVE_CMOCKA], [1], [Use cmocka])
 			   ],
 			   [AC_MSG_ERROR([cmocka unit testing framework not found in $with_cmocka path])])
 	    ])
 AC_SUBST([CMOCKA_CFLAGS])
 AC_SUBST([CMOCKA_LIBS])
-AC_SUBST(UNITTESTS)
 
 #
 # Check for kyua execution engine if CMocka was requested
@@ -4853,9 +4927,10 @@ AC_ARG_VAR([KYUA], [path to kyua execution engine])
 AS_IF([test "$with_cmocka" != "no"],
       [AC_PATH_PROGS([KYUA], [kyua], [])
        AS_IF([test -z "$KYUA"],
-            [AC_MSG_WARN([kyua test execution engine not found])])])
-
+             [AC_MSG_WARN([kyua test execution engine not found])],
+             [UNITTESTS=tests])])
 AC_SUBST([KYUA])
+AC_SUBST([UNITTESTS])
 
 #
 # Check for -Wl,--wrap= support
@@ -4888,6 +4963,7 @@ AC_CHECK_FUNCS(setlocale)
 #
 # was --with-tuning specified?
 #
+# [pairwise: --with-tuning=large, --without-tuning]
 AC_ARG_WITH(tuning,
 	    AS_HELP_STRING([--with-tuning=ARG],
 			   [Specify server tuning (large or default)]),
@@ -4912,6 +4988,7 @@ esac
 #
 # was --enable-querytrace specified?
 #
+# [pairwise: --enable-querytrace, --disable-querytrace]
 AC_ARG_ENABLE(querytrace,
 	      AS_HELP_STRING([--enable-querytrace],
 			     [enable very verbose query trace logging
@@ -5064,6 +5141,7 @@ SO_LD=""
 SO_TARGETS=""
 SO_STRIP="cat"
 
+# [pairwise: skip]
 AC_ARG_WITH([dlopen],
 	    AS_HELP_STRING([--with-dlopen=ARG],
 			   [support dynamically loadable DLZ drivers]),
@@ -5084,7 +5162,8 @@ AS_IF([test "$pic_mode" = "no"],
 
 AS_CASE([$with_dlopen],
 	[auto|yes],[
-	  AC_SEARCH_LIBS([dlopen],[dl])
+	  # -fsanitize=thread hijacks dlopen and dlclose so use dlsym.
+	  AC_SEARCH_LIBS([dlsym],[dl])
 	  AC_CHECK_FUNCS([dlopen dlclose dlsym],
 			 [with_dlopen="yes"],
 			 [with_dlopen="no"])
@@ -5157,6 +5236,9 @@ AS_IF([test "$with_dlopen" = "yes"],
 	     ])
       ])
 
+AS_IF([test "$with_dlopen" = "no" -a "$want_native_pkcs11" = "yes"],
+      [AC_MSG_ERROR([PKCS11 requires dlopen() support])])
+
 CFLAGS="$CFLAGS $SO_CFLAGS"
 
 AC_SUBST(SO)
@@ -5345,8 +5427,6 @@ AC_CONFIG_COMMANDS(
 #
 
 AC_CONFIG_FILES([
-  make/Makefile
-  make/mkdep
 	Makefile
 	bin/Makefile
 	bin/check/Makefile
@@ -5360,12 +5440,10 @@ AC_CONFIG_FILES([
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/python/Makefile
-	bin/python/isc/Makefile
-	bin/python/isc/utils.py
-	bin/python/isc/tests/Makefile
 	bin/python/dnssec-checkds.py
 	bin/python/dnssec-coverage.py
 	bin/python/dnssec-keymgr.py
+	bin/python/isc/Makefile
 	bin/python/isc/__init__.py
 	bin/python/isc/checkds.py
 	bin/python/isc/coverage.py
@@ -5378,8 +5456,10 @@ AC_CONFIG_FILES([
 	bin/python/isc/keyzone.py
 	bin/python/isc/policy.py
 	bin/python/isc/rndc.py
+	bin/python/isc/tests/Makefile
 	bin/python/isc/tests/dnskey_test.py
 	bin/python/isc/tests/policy_test.py
+	bin/python/isc/utils.py
 	bin/rndc/Makefile
 	bin/tests/Makefile
 	bin/tests/headerdep_test.sh
@@ -5447,8 +5527,8 @@ AC_CONFIG_FILES([
 	lib/isc/include/isc/platform.h
 	lib/isc/include/pk11/Makefile
 	lib/isc/include/pkcs11/Makefile
-	lib/isc/tests/Makefile
 	lib/isc/nls/Makefile
+	lib/isc/tests/Makefile
 	lib/isc/unix/Makefile
 	lib/isc/unix/include/Makefile
 	lib/isc/unix/include/isc/Makefile
@@ -5473,7 +5553,10 @@ AC_CONFIG_FILES([
 	lib/lwres/unix/include/lwres/Makefile
 	lib/samples/Makefile
 	lib/samples/Makefile-postinstall
+	make/Makefile
+	make/mkdep
 	unit/unittest.sh
+	util/check-make-install
 ])
 
 #
@@ -5485,6 +5568,7 @@ AC_OUTPUT
 #
 # Now that the Makefiles exist we can ensure that everything is rebuilt.
 #
+# [pairwise: --with-make-clean, --without-make-clean]
 AC_ARG_WITH(make-clean,
 	    AS_HELP_STRING([--with-make-clean],
 			   [run "make clean" at end of configure [yes|no]]),
@@ -5503,6 +5587,7 @@ yes)
 	;;
 esac
 
+# [pairwise: --enable-full-report, --disable-full-report]
 AC_ARG_ENABLE(full-report,
 	      AS_HELP_STRING([--enable-full-report],
 			     [report values of all configure options]))
@@ -5643,8 +5728,17 @@ report() {
     echo "    localstatedir: $localstatedir"
     echo "-------------------------------------------------------------------------------"
     echo "Compiler: $CC"
-    $CC --version 2>&1 | sed 's/^/    /'
-
+    if test "yes" = "$GCC"; then
+	$CC --version 2>&1 | sed 's/^/    /'
+    else
+	case "$host_os" in
+	    solaris*)
+		$CC -V 2>&1 | sed 's/^/    /'
+		;;
+	    *)
+		$CC --version 2>&1 | sed 's/^/    /'
+	esac
+    fi
     if test "X$ac_unrecognized_opts" != "X"; then
 	echo "Unrecognized options:"
 	echo "    $ac_unrecognized_opts"
diff --git a/bind/bind9/conftools/perllib/dnsconf/DNSConf-macros.h b/bind/bind9/conftools/perllib/dnsconf/DNSConf-macros.h
index 730dcb01..7fcca57b 100644
--- a/bind/bind9/conftools/perllib/dnsconf/DNSConf-macros.h
+++ b/bind/bind9/conftools/perllib/dnsconf/DNSConf-macros.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/conftools/perllib/dnsconf/DNSConf.i b/bind/bind9/conftools/perllib/dnsconf/DNSConf.i
index 3238acb8..43dd4ea5 100644
--- a/bind/bind9/conftools/perllib/dnsconf/DNSConf.i
+++ b/bind/bind9/conftools/perllib/dnsconf/DNSConf.i
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/conftools/perllib/dnsconf/Makefile.PL b/bind/bind9/conftools/perllib/dnsconf/Makefile.PL
index d600d48d..350a69ac 100644
--- a/bind/bind9/conftools/perllib/dnsconf/Makefile.PL
+++ b/bind/bind9/conftools/perllib/dnsconf/Makefile.PL
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/conftools/perllib/dnsconf/named1.conf b/bind/bind9/conftools/perllib/dnsconf/named1.conf
index b28640a9..ed9eb2e5 100644
--- a/bind/bind9/conftools/perllib/dnsconf/named1.conf
+++ b/bind/bind9/conftools/perllib/dnsconf/named1.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/conftools/perllib/dnsconf/test.pl b/bind/bind9/conftools/perllib/dnsconf/test.pl
index 5ff1b81e..32fb0cc6 100644
--- a/bind/bind9/conftools/perllib/dnsconf/test.pl
+++ b/bind/bind9/conftools/perllib/dnsconf/test.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/dlz/bin/dlzbdb/dlzbdb.c b/bind/bind9/contrib/dlz/bin/dlzbdb/dlzbdb.c
index 634d0f9e..6881ccc1 100644
--- a/bind/bind9/contrib/dlz/bin/dlzbdb/dlzbdb.c
+++ b/bind/bind9/contrib/dlz/bin/dlzbdb/dlzbdb.c
@@ -165,7 +165,7 @@ typedef struct bdb_instance {
 
 
 /*%
- * quit macro is used instead of exit.  quit always trys to close the lexer
+ * quit macro is used instead of exit.  quit always tries to close the lexer
  * and the BDB database before exiting.
  */
 
@@ -191,7 +191,7 @@ typedef struct bdb_instance {
 					 "be specified once\n", y); quit(2);}
 
 /*%
- * checkInvalidParam is used to only allow paramters which make sense for
+ * checkInvalidParam is used to only allow parameters which make sense for
  * the operation selected.  I.E. passing the key parameter makes no sense
  * for the add operation, and thus it isn't allowed.
  */
@@ -200,7 +200,7 @@ typedef struct bdb_instance {
 						"may not be specified %s\n", y, z); quit(2);}
 
 /*%
- * checkInvalidOption is used to only allow paramters which make sense for
+ * checkInvalidOption is used to only allow parameters which make sense for
  * the operation selected - but checks boolean options.
  * I.E. passing the "b" bare_list parameter makes no sense for the add
  * operation, and thus it isn't allowed.
@@ -768,7 +768,7 @@ operation_add(void) {
 	checkInvalidOption(list_everything, true, "e",
 			   "for add operation");
 
-	/* if open lexer fails it alread prints error messages. */
+	/* if open lexer fails it already prints error messages. */
 	if (open_lexer() != ISC_R_SUCCESS) {
 		quit(4);
 	}
diff --git a/bind/bind9/contrib/dlz/config.dlz.in b/bind/bind9/contrib/dlz/config.dlz.in
index 5ddde180..f769cf1f 100644
--- a/bind/bind9/contrib/dlz/config.dlz.in
+++ b/bind/bind9/contrib/dlz/config.dlz.in
@@ -251,7 +251,7 @@ case "$use_dlz_bdb" in
                 AC_MSG_RESULT( )
 		for dd in $bdbdirs
 		do
-			# Skip nonexistant directories
+			# Skip nonexistent directories
 			if test ! -d "$dd"
 			then
 				continue
diff --git a/bind/bind9/contrib/dlz/drivers/dlz_bdb_driver.c b/bind/bind9/contrib/dlz/drivers/dlz_bdb_driver.c
index f68bd9e0..d88d8b32 100644
--- a/bind/bind9/contrib/dlz/drivers/dlz_bdb_driver.c
+++ b/bind/bind9/contrib/dlz/drivers/dlz_bdb_driver.c
@@ -124,7 +124,7 @@ bdb_parse_data(char *in, parsed_data_t *pd) {
 	char *lastchar = (char *) &tmp[strlen(tmp) + 1];
 
 	/*%
-	 * String should be formated as:
+	 * String should be formatted as:
 	 * zone(a space)host(a space)ttl(a space)type(a space)remaining data
 	 * examples:
 	 * example.com www 10 A 127.0.0.1
@@ -196,7 +196,7 @@ bdb_parse_data(char *in, parsed_data_t *pd) {
 	if (*endp != '\0' || pd->ttl < 0) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
-			      "BDB driver ttl must be a postive number");
+			      "BDB driver ttl must be a positive number");
 		return ISC_R_FAILURE;
 	}
 
diff --git a/bind/bind9/contrib/dlz/drivers/dlz_bdbhpt_driver.c b/bind/bind9/contrib/dlz/drivers/dlz_bdbhpt_driver.c
index 8fbdf7fe..d0b6fd31 100644
--- a/bind/bind9/contrib/dlz/drivers/dlz_bdbhpt_driver.c
+++ b/bind/bind9/contrib/dlz/drivers/dlz_bdbhpt_driver.c
@@ -141,7 +141,7 @@ bdbhpt_parse_data(char *in, bdbhpt_parsed_data_t *pd) {
 	char *lastchar = (char *) &tmp[strlen(tmp)];
 
 	/*%
-	 * String should be formated as:
+	 * String should be formatted as:
 	 *   replication_id
 	 *   (a space)
 	 *   host_name
@@ -223,7 +223,7 @@ bdbhpt_parse_data(char *in, bdbhpt_parsed_data_t *pd) {
 	if (*endp != '\0' || pd->ttl < 0) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
-			      "bdbhpt driver ttl must be a postive number");
+			      "bdbhpt driver ttl must be a positive number");
 		return ISC_R_FAILURE;
 	}
 
@@ -498,7 +498,7 @@ bdbhpt_findzone(void *driverarg, void *dbdata, const char *name,
 
 	/*
 	 * reverse string to take advantage of BDB locality of reference
-	 * if we need futher lookups because the zone doesn't match the
+	 * if we need further lookups because the zone doesn't match the
 	 * first time.
 	 */
 	key.data = bdbhpt_strrev(key.data);
@@ -693,7 +693,7 @@ bdbhpt_create(const char *dlzname, unsigned int argc, char *argv[],
 		break;
 		/*
 		 * Private mode. No inter-process communication & no locking.
-		 * Lowest saftey - highest speed.
+		 * Lowest safety - highest speed.
 		 */
 	case 'P':
 	case 'p':
diff --git a/bind/bind9/contrib/dlz/drivers/dlz_filesystem_driver.c b/bind/bind9/contrib/dlz/drivers/dlz_filesystem_driver.c
index 7228fc74..1f543fa7 100644
--- a/bind/bind9/contrib/dlz/drivers/dlz_filesystem_driver.c
+++ b/bind/bind9/contrib/dlz/drivers/dlz_filesystem_driver.c
@@ -560,7 +560,7 @@ process_dir(isc_dir_t *dir, void *passback, config_data_t *cd,
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
 				      "Filesystem driver "
-				      "ttl must be a postive number");
+				      "ttl must be a positive number");
 		}
 
 		/* pass data back to Bind */
@@ -938,7 +938,7 @@ fs_create(const char *dlzname, unsigned int argc, char *argv[],
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
 			      "Directory split count must be zero (0) "
-			      "or a postive number");
+			      "or a positive number");
 	}
 
 	/* get and store our separator character */
diff --git a/bind/bind9/contrib/dlz/drivers/dlz_ldap_driver.c b/bind/bind9/contrib/dlz/drivers/dlz_ldap_driver.c
index cf153a97..6953a83f 100644
--- a/bind/bind9/contrib/dlz/drivers/dlz_ldap_driver.c
+++ b/bind/bind9/contrib/dlz/drivers/dlz_ldap_driver.c
@@ -87,7 +87,7 @@ static dns_sdlzimplementation_t *dlz_ldap = NULL;
 #define LOOKUP 5
 
 /*%
- * Structure to hold everthing needed by this "instance" of the LDAP
+ * Structure to hold everything needed by this "instance" of the LDAP
  * driver remember, the driver code is only loaded once, but may have
  * many separate instances.
  */
@@ -397,7 +397,7 @@ ldap_process_results(LDAP *dbc, LDAPMessage *msg, char ** attrs,
 
 			/* skip empty attributes. */
 			if (vals == NULL || vals[0] == NULL) {
-				/* increment attibute pointer */
+				/* increment attribute pointer */
 				attribute = attrs[++i];
 				/* start loop over */
 				continue;
@@ -422,7 +422,7 @@ ldap_process_results(LDAP *dbc, LDAPMessage *msg, char ** attrs,
 						      DNS_LOGMODULE_DLZ,
 						      ISC_LOG_ERROR,
 						      "LDAP driver ttl must "
-						      "be a postive number");
+						      "be a positive number");
 					goto cleanup;
 				}
 				break;
@@ -457,7 +457,7 @@ ldap_process_results(LDAP *dbc, LDAPMessage *msg, char ** attrs,
 			ldap_value_free(vals);
 			vals = NULL;
 
-			/* increment attibute pointer */
+			/* increment attribute pointer */
 			attribute = attrs[++i];
 		}	/* end while (attribute != NULL) */
 
@@ -734,7 +734,7 @@ ldap_get_results(const char *zone, const char *record,
 			}
 		}
 
-		/* perform ldap search syncronously */
+		/* perform ldap search synchronously */
 		ldap_result = ldap_search_s((LDAP *) dbi->dbconn,
 					    ldap_url->lud_dn,
 					    ldap_url->lud_scope,
diff --git a/bind/bind9/contrib/dlz/drivers/dlz_mysql_driver.c b/bind/bind9/contrib/dlz/drivers/dlz_mysql_driver.c
index e7ac52b2..5bcce202 100644
--- a/bind/bind9/contrib/dlz/drivers/dlz_mysql_driver.c
+++ b/bind/bind9/contrib/dlz/drivers/dlz_mysql_driver.c
@@ -66,6 +66,10 @@
 
 #include <mysql.h>
 
+#if !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000
+typedef bool my_bool;
+#endif /* !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 */
+
 static dns_sdlzimplementation_t *dlz_mysql = NULL;
 
 #define dbc_search_limit 30
@@ -409,7 +413,7 @@ mysql_process_rs(dns_sdlzlookup_t *lookup, MYSQL_RES *rs)
 					      DNS_LOGCATEGORY_DATABASE,
 					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
 					      "mysql driver ttl must be "
-					      "a postive number");
+					      "a positive number");
 			}
 			result = dns_sdlz_putrr(lookup, safeGet(row[1]), ttl,
 						safeGet(row[2]));
@@ -458,7 +462,7 @@ mysql_process_rs(dns_sdlzlookup_t *lookup, MYSQL_RES *rs)
 					      DNS_LOGCATEGORY_DATABASE,
 					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
 					      "mysql driver ttl must be "
-					      "a postive number");
+					      "a positive number");
 			}
 			/* ok, now tell Bind about it. */
 			result = dns_sdlz_putrr(lookup, safeGet(row[1]),
@@ -638,7 +642,7 @@ mysql_allnodes(const char *zone, void *driverarg, void *dbdata,
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
 				      "mysql driver ttl must be "
-				      "a postive number");
+				      "a positive number");
 		}
 		if (fields == 4) {
 			/* tell Bind about it. */
@@ -668,7 +672,7 @@ mysql_allnodes(const char *zone, void *driverarg, void *dbdata,
 			}
 			/* copy this field to tmpString */
 			strcpy(tmpString, safeGet(row[3]));
-			/* concatonate the rest, with spaces between */
+			/* concatenate the rest, with spaces between */
 			for (j=4; j < fields; j++) {
 				strcat(tmpString, " ");
 				strcat(tmpString, safeGet(row[j]));
@@ -814,7 +818,7 @@ mysql_create(const char *dlzname, unsigned int argc, char *argv[],
 		return (ISC_R_FAILURE);
 	}
 
-	/* parse connection string and get paramters. */
+	/* parse connection string and get parameters. */
 
 	/* get db name - required */
 	dbname = getParameterValue(argv[1], "dbname=");
diff --git a/bind/bind9/contrib/dlz/drivers/dlz_odbc_driver.c b/bind/bind9/contrib/dlz/drivers/dlz_odbc_driver.c
index 27a85261..c50a595a 100644
--- a/bind/bind9/contrib/dlz/drivers/dlz_odbc_driver.c
+++ b/bind/bind9/contrib/dlz/drivers/dlz_odbc_driver.c
@@ -93,7 +93,7 @@ typedef struct{
 } odbc_db_t;
 
 /*
- * Structure to hold everthing needed by this "instance" of the odbc driver
+ * Structure to hold everything needed by this "instance" of the odbc driver
  * remember, the driver code is only loaded once, but may have many separate
  * instances
  */
@@ -132,7 +132,7 @@ safeLen(void *a) {
 	return strlen((char *) a);
 }
 
-/*% propertly cleans up an odbc_instance_t */
+/*% properly cleans up an odbc_instance_t */
 
 static void
 destroy_odbc_instance(odbc_instance_t *odbc_inst) {
@@ -461,9 +461,9 @@ odbc_makesafe(char *to, const char *from, size_t length)
  * database instance (DBI).  It will then run the query and hopefully
  * obtain a result set.  The data base instance that is used is returned
  * to the caller so they can get the data from the result set from it.
- * If successfull, it will be the responsibility of the caller to close
+ * If successful, it will be the responsibility of the caller to close
  * the cursor, and unlock the mutex of the DBI when they are done with it.
- * If not successfull, this function will perform all the cleanup.
+ * If not successful, this function will perform all the cleanup.
  */
 
 
@@ -718,7 +718,7 @@ odbc_get_resultset(const char *zone, const char *record,
 /*%
  * Gets a single field from the ODBC statement.  The memory for the
  * returned data is dynamically allocated.  If this method is successful
- * it is the reponsibility of the caller to free the memory using
+ * it is the responsibility of the caller to free the memory using
  * isc_mem_free(ns_g_mctx, *ptr);
  */
 
@@ -745,7 +745,7 @@ odbc_getField(SQLHSTMT *stmnt, SQLSMALLINT field, char **data) {
 /*%
  * Gets multiple fields from the ODBC statement.  The memory for the
  * returned data is dynamically allocated.  If this method is successful
- * it is the reponsibility of the caller to free the memory using
+ * it is the responsibility of the caller to free the memory using
  * isc_mem_free(ns_g_mctx, *ptr);
  */
 
@@ -899,7 +899,7 @@ odbc_process_rs(dns_sdlzlookup_t *lookup, dbinstance_t *dbi)
 						      DNS_LOGMODULE_DLZ,
 						      ISC_LOG_ERROR,
 						      "Odbc driver ttl must "
-						      "be a postive number");
+						      "be a positive number");
 					result = ISC_R_FAILURE;
 				} else {
 					/*
@@ -1131,7 +1131,7 @@ odbc_allnodes(const char *zone, void *driverarg, void *dbdata,
 					      DNS_LOGCATEGORY_DATABASE,
 					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
 					      "Odbc driver ttl must be "
-					      "a postive number");
+					      "a positive number");
 				result = ISC_R_FAILURE;
 			} else {
 				/* successful converting TTL, tell Bind  */
@@ -1315,7 +1315,7 @@ odbc_create(const char *dlzname, unsigned int argc, char *argv[],
 		return (ISC_R_NOMEMORY);
 	memset(odbc_inst, 0, sizeof(odbc_instance_t));
 
-	/* parse connection string and get paramters. */
+	/* parse connection string and get parameters. */
 
 	/* get odbc database dsn - required */
 	odbc_inst->dsn = (SQLCHAR *) getParameterValue(argv[2],
diff --git a/bind/bind9/contrib/dlz/drivers/dlz_postgres_driver.c b/bind/bind9/contrib/dlz/drivers/dlz_postgres_driver.c
index 7fc9ee37..26ffad70 100644
--- a/bind/bind9/contrib/dlz/drivers/dlz_postgres_driver.c
+++ b/bind/bind9/contrib/dlz/drivers/dlz_postgres_driver.c
@@ -549,7 +549,7 @@ postgres_get_resultset(const char *zone, const char *record,
 			if (PQstatus((PGconn *) dbi->dbconn) == CONNECTION_OK)
 				break;
 		}
-		/* result set ok, break outter loop */
+		/* result set ok, break outer loop */
 		if (PQresultStatus(*rs) == PGRES_TUPLES_OK) {
 #if 0
 			/* temporary logging message */
@@ -725,7 +725,7 @@ postgres_process_rs(dns_sdlzlookup_t *lookup, PGresult *rs)
 					      DNS_LOGCATEGORY_DATABASE,
 					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
 					      "Postgres driver ttl must be "
-					      "a postive number");
+					      "a positive number");
 			}
 			/* ok, now tell Bind about it. */
 			result = dns_sdlz_putrr(lookup, PQgetvalue(rs, i, 1),
@@ -907,7 +907,7 @@ postgres_allnodes(const char *zone, void *driverarg, void *dbdata,
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
 				      "Postgres driver ttl must be "
-				      "a postive number");
+				      "a positive number");
 		}
 		if (fields == 4) {
 			/* tell Bind about it. */
@@ -939,7 +939,7 @@ postgres_allnodes(const char *zone, void *driverarg, void *dbdata,
 			}
 			/* copy this field to tmpString */
 			strcpy(tmpString, PQgetvalue(rs, i, 3));
-			/* concatonate the rest, with spaces between */
+			/* concatenate the rest, with spaces between */
 			for (j=4; j < fields; j++) {
 				strcat(tmpString, " ");
 				strcat(tmpString, PQgetvalue(rs, i, j));
diff --git a/bind/bind9/contrib/dlz/drivers/include/dlz/sdlz_helper.h b/bind/bind9/contrib/dlz/drivers/include/dlz/sdlz_helper.h
index 66ed1183..f8850b44 100644
--- a/bind/bind9/contrib/dlz/drivers/include/dlz/sdlz_helper.h
+++ b/bind/bind9/contrib/dlz/drivers/include/dlz/sdlz_helper.h
@@ -106,7 +106,7 @@ sdlzh_destroy_sqldbinstance(dbinstance_t *dbi);
 char *
 sdlzh_get_parameter_value(isc_mem_t *mctx, const char *input, const char* key);
 
-/* Compatability with existing DLZ drivers */
+/* Compatibility with existing DLZ drivers */
 
 #define	build_querystring	sdlzh_build_querystring
 #define	build_sqldbinstance	sdlzh_build_sqldbinstance
diff --git a/bind/bind9/contrib/dlz/example/README b/bind/bind9/contrib/dlz/example/README
index 3c6ba8cf..f8667ac5 100644
--- a/bind/bind9/contrib/dlz/example/README
+++ b/bind/bind9/contrib/dlz/example/README
@@ -1,6 +1,6 @@
 OVERVIEW:
 
-DLZ (Dynamically Loadable Zones) is an extention to BIND 9 that
+DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that
 allows zone data to be retrieved directly from an external database.
 There is no required format or schema.  DLZ drivers exist for several
 different database backends including PostgreSQL, MySQL, and LDAP and
@@ -136,7 +136,7 @@ The DLZ dlopen driver provides a set of callback functions:
 
   - isc_result_t writeable_zone(dns_view_t *view, const char *zone_name);
 
-    Allows the DLZ module to inform named that a given zone can recieve
+    Allows the DLZ module to inform named that a given zone can receive
     DDNS updates.  (Note: This is not currently supported for DLZ
     databases that are configured as 'search no;')
 
diff --git a/bind/bind9/contrib/dlz/example/named.conf b/bind/bind9/contrib/dlz/example/named.conf
index bc68beeb..c10fb57f 100644
--- a/bind/bind9/contrib/dlz/example/named.conf
+++ b/bind/bind9/contrib/dlz/example/named.conf
@@ -29,7 +29,7 @@
  *
  * Additionally, a query for 'source-addr.example.nil/TXT' is always
  * answered with the source address of the query.  This is used to
- * demonstrate the code that retreives client information from the
+ * demonstrate the code that retrieves client information from the
  * caller.
  *
  * To use this driver, "dlz_external.so" must be moved into the working
diff --git a/bind/bind9/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c b/bind/bind9/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c
index 39112a47..4d3116c7 100644
--- a/bind/bind9/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c
+++ b/bind/bind9/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c
@@ -492,7 +492,7 @@ dlz_findzonedb(void *dbdata, const char *name,
 
 	/*
 	 * reverse string to take advantage of BDB locality of reference
-	 * if we need futher lookups because the zone doesn't match the
+	 * if we need further lookups because the zone doesn't match the
 	 * first time.
 	 */
 	key.data = bdbhpt_strrev(key.data);
@@ -708,7 +708,7 @@ dlz_create(const char *dlzname, unsigned int argc, char *argv[],
 
 		/*
 		 * Private mode. No inter-process communication & no locking.
-		 * Lowest saftey - highest speed.
+		 * Lowest safety - highest speed.
 		 */
 	case 'P':
 	case 'p':
diff --git a/bind/bind9/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl b/bind/bind9/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl
index 909976a2..ec210c31 100755
--- a/bind/bind9/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl
+++ b/bind/bind9/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl
@@ -28,7 +28,7 @@ if (!defined $input_file || $input_file eq '') {
 
 my $zone_list = $opt->{zones};
 if (!defined $zone_list || $zone_list eq '') {
-    usage('Please specify a space seperated list of zones');
+    usage('Please specify a space separated list of zones');
     exit 1;
 }
 
@@ -128,7 +128,7 @@ sub usage {
     print STDERR "usage: $0 --bdb=<bdb-file> --input=<input-file> --zones=<zone-list>\n\n";
     print STDERR "\tbdb-file: The output BerkeleyDB file you wish to create and use with bdbhpt-dynamic\n\n";
     print STDERR "\tinput-file: The input text-file containing records to populate within your zones\n\n";
-    print STDERR "\tzone-list: The space-seperated list of zones you wish to create\n\n";
+    print STDERR "\tzone-list: The space-separated list of zones you wish to create\n\n";
 }
 
 sub populate_records {
diff --git a/bind/bind9/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c b/bind/bind9/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c
index a147a21c..be15dd98 100644
--- a/bind/bind9/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c
+++ b/bind/bind9/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c
@@ -528,7 +528,7 @@ process_dir(dir_t *dir, void *passback, config_data_t *cd,
 		if (*endp != '\0' || ttl < 0)
 			cd->log(ISC_LOG_ERROR,
 				"Filesystem driver "
-				"ttl must be a postive number");
+				"ttl must be a positive number");
 
 		/* pass data back to Bind */
 		if (dir_list == NULL)
@@ -898,7 +898,7 @@ dlz_create(const char *dlzname, unsigned int argc, char *argv[],
 	if (*endp != '\0' || cd->splitcnt < 0)
 		cd->log(ISC_LOG_ERROR,
 			"Directory split count must be zero (0) "
-			"or a postive number");
+			"or a positive number");
 
 	/* get and store our separator character */
 	cd->separator = *argv[5];
diff --git a/bind/bind9/contrib/dlz/modules/ldap/dlz_ldap_dynamic.c b/bind/bind9/contrib/dlz/modules/ldap/dlz_ldap_dynamic.c
index a2299bf9..2531312f 100644
--- a/bind/bind9/contrib/dlz/modules/ldap/dlz_ldap_dynamic.c
+++ b/bind/bind9/contrib/dlz/modules/ldap/dlz_ldap_dynamic.c
@@ -77,7 +77,7 @@
 #define LOOKUP 5
 
 /*%
- * Structure to hold everthing needed by this "instance" of the LDAP
+ * Structure to hold everything needed by this "instance" of the LDAP
  * driver remember, the driver code is only loaded once, but may have
  * many separate instances.
  */
@@ -381,7 +381,7 @@ ldap_process_results(ldap_instance_t *db, LDAP *dbc, LDAPMessage *msg,
 
 			/* skip empty attributes. */
 			if (vals == NULL || vals[0] == NULL) {
-				/* increment attibute pointer */
+				/* increment attribute pointer */
 				attribute = attrs[++i];
 				/* start loop over */
 				continue;
@@ -403,7 +403,7 @@ ldap_process_results(ldap_instance_t *db, LDAP *dbc, LDAPMessage *msg,
 				if (*endp != '\0' || ttl < 0) {
 					db->log(ISC_LOG_ERROR,
 						"LDAP driver ttl must "
-						"be a postive number");
+						"be a positive number");
 					goto cleanup;
 				}
 				break;
@@ -437,7 +437,7 @@ ldap_process_results(ldap_instance_t *db, LDAP *dbc, LDAPMessage *msg,
 			ldap_value_free(vals);
 			vals = NULL;
 
-			/* increment attibute pointer */
+			/* increment attribute pointer */
 			attribute = attrs[++i];
 		}
 
@@ -686,7 +686,7 @@ ldap_get_results(const char *zone, const char *record,
 			}
 		}
 
-		/* perform ldap search syncronously */
+		/* perform ldap search synchronously */
 		ldap_result = ldap_search_s((LDAP *) dbi->dbconn,
 					    ldap_url->lud_dn,
 					    ldap_url->lud_scope,
diff --git a/bind/bind9/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c b/bind/bind9/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c
index a325fc5d..67069ac1 100644
--- a/bind/bind9/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c
+++ b/bind/bind9/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c
@@ -57,6 +57,9 @@
 #include <dlz_pthread.h>
 
 #include <mysql/mysql.h>
+#if !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000
+typedef bool my_bool;
+#endif /* !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 */
 
 #define dbc_search_limit 30
 #define ALLNODES 1
@@ -69,7 +72,7 @@
 #define safeGet(in) in == NULL ? "" : in
 
 /*%
- * Structure to hold everthing needed by this "instance" of the MySQL
+ * Structure to hold everything needed by this "instance" of the MySQL
  * module remember, the module code is only loaded once, but may have
  * many separate instances.
  */
@@ -475,7 +478,7 @@ mysql_process_rs(mysql_instance_t *db, dns_sdlzlookup_t *lookup,
 			if (*endp != '\0' || ttl < 0) {
 				db->log(ISC_LOG_ERROR,
 					"MySQL module ttl must be "
-					"a postive number");
+					"a positive number");
 				return (ISC_R_FAILURE);
 			}
 
@@ -514,7 +517,7 @@ mysql_process_rs(mysql_instance_t *db, dns_sdlzlookup_t *lookup,
 			if (*endp != '\0' || ttl < 0) {
 				db->log(ISC_LOG_ERROR,
 					"MySQL module ttl must be "
-					"a postive number");
+					"a positive number");
 				free(tmpString);
 				return (ISC_R_FAILURE);
 			}
@@ -672,7 +675,7 @@ dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
 		if (*endp != '\0' || ttl < 0) {
 			db->log(ISC_LOG_ERROR,
 				"MySQL module ttl must be "
-				"a postive number");
+				"a positive number");
 			result = ISC_R_FAILURE;
 			goto cleanup;
 		}
diff --git a/bind/bind9/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c b/bind/bind9/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c
index 9b126fda..44a5d909 100644
--- a/bind/bind9/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c
+++ b/bind/bind9/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c
@@ -60,6 +60,10 @@
 #include <dlz_list.h>
 #include <dlz_pthread.h>
 
+#if !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000
+typedef bool my_bool;
+#endif /* !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 */
+
 /*
  * The SQL queries that will be used for lookups and updates are defined
  * here.  They will be processed into queries by the build_query()
diff --git a/bind/bind9/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c b/bind/bind9/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c
index 2d7d0b06..48ab9e09 100644
--- a/bind/bind9/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c
+++ b/bind/bind9/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c
@@ -69,7 +69,7 @@
 #define safeGet(in) in == NULL ? "" : in
 
 /*%
- * Structure to hold everthing needed by this "instance" of the SQLite3
+ * Structure to hold everything needed by this "instance" of the SQLite3
  * module remember, the module code is only loaded once, but may have
  * many separate instances.
  */
@@ -550,7 +550,7 @@ sqlite3_process_rs(sqlite3_instance_t *db, dns_sdlzlookup_t *lookup,
 			if (*endp != '\0' || ttl < 0) {
 				db->log(ISC_LOG_ERROR,
 					"SQLite3 module: TTL must be "
-					"a postive number");
+					"a positive number");
 				return (ISC_R_FAILURE);
 			}
 
@@ -589,7 +589,7 @@ sqlite3_process_rs(sqlite3_instance_t *db, dns_sdlzlookup_t *lookup,
 			if (*endp != '\0' || ttl < 0) {
 				db->log(ISC_LOG_ERROR,
 					"SQLite3 module: TTL must be "
-					"a postive number");
+					"a positive number");
 				free(tmpString);
 				return (ISC_R_FAILURE);
 			}
@@ -748,7 +748,7 @@ dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
 		if (*endp != '\0' || ttl < 0) {
 			db->log(ISC_LOG_ERROR,
 				"SQLite3 module: TTL must be "
-				"a postive number");
+				"a positive number");
 			result = ISC_R_FAILURE;
 			goto cleanup;
 		}
@@ -883,9 +883,6 @@ dlz_create(const char *dlzname, unsigned int argc, char *argv[],
 	char *tmp = NULL;
 	char *endp;
 	const char *helper_name;
-#if SQLITE3_VERSION_ID >= 50000
-        my_bool auto_reconnect = 1;
-#endif
 #if PTHREADS
 	int dbcount;
 	int i, ret;
diff --git a/bind/bind9/contrib/dlz/modules/wildcard/README b/bind/bind9/contrib/dlz/modules/wildcard/README
index b19009be..ffc2e684 100644
--- a/bind/bind9/contrib/dlz/modules/wildcard/README
+++ b/bind/bind9/contrib/dlz/modules/wildcard/README
@@ -20,7 +20,7 @@ as "thisexample.com", "exampleofthat.com", or "anexampleoftheotherthing.com".
         *      86400   A      192.0.0.100";
     };
 
-For any zone name matchin the wildcard, it would return the data from
+For any zone name matching the wildcard, it would return the data from
 the template.  "$zone$" is replaced with zone name: i.e., the shortest
 possible string of labels in the query name that matches the wildcard.
 "$record$" is replaced with the remainder of the query name.  In the
diff --git a/bind/bind9/contrib/dnspriv/README.md b/bind/bind9/contrib/dnspriv/README.md
index 8fa67952..0c8b2bae 100644
--- a/bind/bind9/contrib/dnspriv/README.md
+++ b/bind/bind9/contrib/dnspriv/README.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/contrib/dnspriv/named.conf b/bind/bind9/contrib/dnspriv/named.conf
index 12d07a38..637225ba 100644
--- a/bind/bind9/contrib/dnspriv/named.conf
+++ b/bind/bind9/contrib/dnspriv/named.conf
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/dnspriv/nginx.conf b/bind/bind9/contrib/dnspriv/nginx.conf
index 65e38683..763ff35f 100644
--- a/bind/bind9/contrib/dnspriv/nginx.conf
+++ b/bind/bind9/contrib/dnspriv/nginx.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/idn/idnkit-1.0-src/ChangeLog b/bind/bind9/contrib/idn/idnkit-1.0-src/ChangeLog
index 085e3bda..da39c57b 100644
--- a/bind/bind9/contrib/idn/idnkit-1.0-src/ChangeLog
+++ b/bind/bind9/contrib/idn/idnkit-1.0-src/ChangeLog
@@ -653,7 +653,7 @@
 	include/idn/utf8.h, include/idn/version.h: include export.h. mark
 	exportable functions with IDN_EXPORT macro.
 	* lib/make.wnt: modify to create DLLs.
-	* configure.in: add existance check for pwd.h.
+	* configure.in: add existence check for pwd.h.
 	* configure, include/config.h.in: rebuilt.
 	* lib/resconf.c, lib/localencoding.c: port to Win32.
 	* include/mdn/version.h: include <idn/version.h> for the declaration
diff --git a/bind/bind9/contrib/idn/idnkit-1.0-src/include/idn/filechecker.h b/bind/bind9/contrib/idn/idnkit-1.0-src/include/idn/filechecker.h
index c69c2b1e..f226ce57 100644
--- a/bind/bind9/contrib/idn/idnkit-1.0-src/include/idn/filechecker.h
+++ b/bind/bind9/contrib/idn/idnkit-1.0-src/include/idn/filechecker.h
@@ -105,7 +105,7 @@ idn__filechecker_destroy(idn__filechecker_t ctx);
  *
  * Check if there is any characters pecified by the context 'ctx' in
  * the UCS4 string 'str'.  If there are none, NULL is stored in '*found'.
- * Otherwise, the pointer to the first occurence of such character is
+ * Otherwise, the pointer to the first occurrence of such character is
  * stored in '*found'.
  *
  * Returns:
diff --git a/bind/bind9/contrib/idn/idnkit-1.0-src/lib/converter.c b/bind/bind9/contrib/idn/idnkit-1.0-src/lib/converter.c
index b08984c3..8fc92c6f 100644
--- a/bind/bind9/contrib/idn/idnkit-1.0-src/lib/converter.c
+++ b/bind/bind9/contrib/idn/idnkit-1.0-src/lib/converter.c
@@ -697,7 +697,7 @@ static idn_result_t
 roundtrip_check(idn_converter_t ctx, const unsigned long *from, const char *to)
 {
 	/*
-	 * One problem with iconv() convertion is that
+	 * One problem with iconv() conversion is that
 	 * iconv() doesn't signal an error if the input
 	 * string contains characters which are valid but
 	 * do not have mapping to the output codeset.
diff --git a/bind/bind9/contrib/idn/idnkit-1.0-src/lib/punycode.c b/bind/bind9/contrib/idn/idnkit-1.0-src/lib/punycode.c
index 292763d5..353b0569 100644
--- a/bind/bind9/contrib/idn/idnkit-1.0-src/lib/punycode.c
+++ b/bind/bind9/contrib/idn/idnkit-1.0-src/lib/punycode.c
@@ -293,7 +293,7 @@ idn__punycode_encode(idn_converter_t ctx, void *privdata,
 		/*
 		 * Find the smallest code point equal to or greater
 		 * than 'cur_code'.  Also remember the index of the
-		 * last occurence of the code point.
+		 * last occurrence of the code point.
 		 */
 		for (next_code = MAX_UCS, uidx = fromlen - 1;
 		     uidx >= 0; uidx--) {
diff --git a/bind/bind9/contrib/idn/idnkit-1.0-src/tools/runidn/resolver.c b/bind/bind9/contrib/idn/idnkit-1.0-src/tools/runidn/resolver.c
index eaa93288..305dd293 100644
--- a/bind/bind9/contrib/idn/idnkit-1.0-src/tools/runidn/resolver.c
+++ b/bind/bind9/contrib/idn/idnkit-1.0-src/tools/runidn/resolver.c
@@ -111,7 +111,7 @@ typedef struct obj_lock {
 static obj_lock_t *obj_lock_hash[OBJLOCKHASH_SIZE];
 
 /*
- * This variable is to prevent IDN processing occuring more than once for
+ * This variable is to prevent IDN processing occurring more than once for
  * a single name resolution.  This will happen if some resolver function
  * is implemented using another function (e.g. gethostbyname() implemented
  * using gethostbyname2()).
diff --git a/bind/bind9/contrib/idn/idnkit-1.0-src/win/README.WIN b/bind/bind9/contrib/idn/idnkit-1.0-src/win/README.WIN
index 425200bd..2466ec59 100644
--- a/bind/bind9/contrib/idn/idnkit-1.0-src/win/README.WIN
+++ b/bind/bind9/contrib/idn/idnkit-1.0-src/win/README.WIN
@@ -1,12 +1,12 @@
 To build idnkit for Windows, follow the instruction below.
 
 To build Windows version, you need `iconv' library.  A LGPL
-implemenation is available from the following place.
+implementation is available from the following place.
 
     http://www.gnu.org/software/libiconv/
 
 Follow the instructions described in README.woe32 file which can be
-found in the distribution, and you'll get a DLL vesion of `libiconv'.
+found in the distribution, and you'll get a DLL version of `libiconv'.
 Copy the DLL (iconv.dll), the header (iconv.h) and the import library
 (iconv.lib) here.
 
diff --git a/bind/bind9/contrib/idn/idnkit-1.0-src/wsock/README.txt b/bind/bind9/contrib/idn/idnkit-1.0-src/wsock/README.txt
index e7723b44..653d7e62 100644
--- a/bind/bind9/contrib/idn/idnkit-1.0-src/wsock/README.txt
+++ b/bind/bind9/contrib/idn/idnkit-1.0-src/wsock/README.txt
@@ -507,7 +507,7 @@
     |                                           +--------+ +--------+ |
     +-----------------------------------------------------------------+
 
-    Logging level can be selected from the followings.
+    Logging level can be selected from the following.
 	None	no logging at all
 	Fatal   only records fatal errors
 	Error	also records non-fatal errors
diff --git a/bind/bind9/contrib/kasp/kasp2policy.py b/bind/bind9/contrib/kasp/kasp2policy.py
index b78a968f..360b062f 100644
--- a/bind/bind9/contrib/kasp/kasp2policy.py
+++ b/bind/bind9/contrib/kasp/kasp2policy.py
@@ -21,17 +21,21 @@
 
 from xml.etree import cElementTree as ET
 from collections import defaultdict
-from isc import dnskey
-import ply.yacc as yacc
-import ply.lex as lex
 import re
+from ply import yacc
+from ply import lex
+from isc import dnskey
+
 
 ############################################################################
 # Translate KASP duration values into seconds
 ############################################################################
-class kasptime:
-    class ktlex:
-        tokens = ( 'P', 'T', 'Y', 'M', 'D', 'H', 'S', 'NUM' )
+class KaspTime:
+    # pylint: disable=invalid-name
+    class KTLex:
+        # pylint: disable=invalid-name
+
+        tokens = ('P', 'T', 'Y', 'M', 'D', 'H', 'S', 'NUM')
 
         t_P = r'(?i)P'
         t_T = r'(?i)T'
@@ -41,12 +45,14 @@ class kasptime:
         t_H = r'(?i)H'
         t_S = r'(?i)S'
 
-        def t_NUM(self, t):
+        @staticmethod
+        def t_NUM(t):
             r'\d+'
             t.value = int(t.value)
             return t
 
-        def t_error(self, t):
+        @staticmethod
+        def t_error(t):
             print("Illegal character '%s'" % t.value[0])
             t.lexer.skip(1)
 
@@ -54,7 +60,7 @@ class kasptime:
             self.lexer = lex.lex(object=self)
 
     def __init__(self):
-        self.lexer = self.ktlex()
+        self.lexer = self.KTLex()
         self.tokens = self.lexer.tokens
         self.parser = yacc.yacc(debug=False, write_tables=False, module=self)
 
@@ -62,35 +68,43 @@ class kasptime:
         self.lexer.lexer.lineno = 0
         return self.parser.parse(text)
 
-    def p_ktime_4(self, p):
+    @staticmethod
+    def p_ktime_4(p):
         "ktime : P periods T times"
         p[0] = p[2] + p[4]
 
-    def p_ktime_3(self, p):
+    @staticmethod
+    def p_ktime_3(p):
         "ktime : P T times"
         p[0] = p[3]
 
-    def p_ktime_2(self, p):
+    @staticmethod
+    def p_ktime_2(p):
         "ktime : P periods"
         p[0] = p[2]
 
-    def p_periods_1(self, p):
+    @staticmethod
+    def p_periods_1(p):
         "periods : period"
         p[0] = p[1]
 
-    def p_periods_2(self, p):
+    @staticmethod
+    def p_periods_2(p):
         "periods : periods period"
         p[0] = p[1] + p[2]
 
-    def p_times_1(self, p):
+    @staticmethod
+    def p_times_1(p):
         "times : time"
         p[0] = p[1]
 
-    def p_times_2(self, p):
+    @staticmethod
+    def p_times_2(p):
         "times : times time"
         p[0] = p[1] + p[2]
 
-    def p_period(self, p):
+    @staticmethod
+    def p_period(p):
         '''period : NUM Y
                   | NUM M
                   | NUM D'''
@@ -101,7 +115,8 @@ class kasptime:
         elif p[2].lower() == 'd':
             p[0] += int(p[1]) * 86400
 
-    def p_time(self, p):
+    @staticmethod
+    def p_time(p):
         '''time : NUM H
                 | NUM M
                 | NUM S'''
@@ -112,24 +127,28 @@ class kasptime:
         elif p[2].lower() == 's':
             p[0] = int(p[1])
 
-    def p_error(self, p):
+    @staticmethod
+    def p_error():
         print("Syntax error")
 
+
 ############################################################################
 # Load the contents of a KASP XML file as a python dictionary
 ############################################################################
-class kasp():
+class Kasp():
+    # pylint: disable=invalid-name
+
     @staticmethod
     def _todict(t):
         d = {t.tag: {} if t.attrib else None}
         children = list(t)
         if children:
             dd = defaultdict(list)
-            for dc in map(kasp._todict, children):
+            for dc in map(Kasp._todict, children):
                 for k, v in dc.iteritems():
                     dd[k].append(v)
-            d = {t.tag:
-                    {k:v[0] if len(v) == 1 else v for k, v in dd.iteritems()}}
+            k = {k: v[0] if len(v) == 1 else v for k, v in dd.items()}
+            d = {t.tag: k}
         if t.attrib:
             d[t.tag].update(('@' + k, v) for k, v in t.attrib.iteritems())
         if t.text:
@@ -142,7 +161,7 @@ class kasp():
         return d
 
     def __init__(self, filename):
-        self._dict = kasp._todict(ET.parse(filename).getroot())
+        self._dict = Kasp._todict(ET.parse(filename).getroot())
 
     def __getitem__(self, key):
         return self._dict[key]
@@ -156,52 +175,54 @@ class kasp():
     def __repr__(self):
         return repr(self._dict)
 
+
 ############################################################################
 # Load the contents of a KASP XML file as a python dictionary
 ############################################################################
 if __name__ == "__main__":
-    from pprint import *
     import sys
 
     if len(sys.argv) < 2:
         print("Usage: kasp2policy <filename>")
-        exit(1)
+        sys.exit(1)
 
+    KINFO = Kasp(sys.argv[1])
     try:
-        kinfo = kasp(sys.argv[1])
-    except:
+        KINFO = Kasp(sys.argv[1])
+    except FileNotFoundError:
         print("%s: unable to load KASP file '%s'" % (sys.argv[0], sys.argv[1]))
-        exit(1)
+        sys.exit(1)
 
-    kt = kasptime()
-    first = True
+    KT = KaspTime()
+    FIRST = True
 
-    for p in kinfo['KASP']['Policy']:
-        if not p['@name'] or not p['Keys']: continue
-        if not first:
+    for policy in KINFO['KASP']['Policy']:
+        if not policy['@name'] or not policy['Keys']:
+            continue
+        if not FIRST:
             print("")
-        first = False
-        if p['Description']:
-            d = p['Description'].strip()
-            print("# %s" % re.sub(r"\n\s*", "\n# ", d))
-        print("policy %s {" % p['@name'])
-        ksk = p['Keys']['KSK']
-        zsk = p['Keys']['ZSK']
+        FIRST = False
+        if policy['Description']:
+            desc = policy['Description'].strip()
+            print("# %s" % re.sub(r"\n\s*", "\n# ", desc))
+        print("policy %s {" % policy['@name'])
+        ksk = policy['Keys']['KSK']
+        zsk = policy['Keys']['ZSK']
         kalg = ksk['Algorithm']
         zalg = zsk['Algorithm']
         algnum = kalg['#text'] or zalg['#text']
         if algnum:
             print("\talgorithm %s;" % dnskey.algstr(int(algnum)))
-        if p['Keys']['TTL']:
-            print("\tkeyttl %d;" % kt.parse(p['Keys']['TTL']))
+        if policy['Keys']['TTL']:
+            print("\tkeyttl %d;" % KT.parse(policy['Keys']['TTL']))
         if kalg['@length']:
             print("\tkey-size ksk %d;" % int(kalg['@length']))
         if zalg['@length']:
             print("\tkey-size zsk %d;" % int(zalg['@length']))
         if ksk['Lifetime']:
-            print("\troll-period ksk %d;" % kt.parse(ksk['Lifetime']))
+            print("\troll-period ksk %d;" % KT.parse(ksk['Lifetime']))
         if zsk['Lifetime']:
-            print("\troll-period zsk %d;" % kt.parse(zsk['Lifetime']))
+            print("\troll-period zsk %d;" % KT.parse(zsk['Lifetime']))
         if ksk['Standby']:
             print("\tstandby ksk %d;" % int(ksk['Standby']))
         if zsk['Standby']:
diff --git a/bind/bind9/contrib/perftcpdns/Makefile.in b/bind/bind9/contrib/perftcpdns/Makefile.in
index bff2db00..df8892b8 100644
--- a/bind/bind9/contrib/perftcpdns/Makefile.in
+++ b/bind/bind9/contrib/perftcpdns/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/perftcpdns/configure.in b/bind/bind9/contrib/perftcpdns/configure.in
index 35dc8208..9f7c98b8 100644
--- a/bind/bind9/contrib/perftcpdns/configure.in
+++ b/bind/bind9/contrib/perftcpdns/configure.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/perftcpdns/perftcpdns.c b/bind/bind9/contrib/perftcpdns/perftcpdns.c
index 55486e46..0507ccfc 100644
--- a/bind/bind9/contrib/perftcpdns/perftcpdns.c
+++ b/bind/bind9/contrib/perftcpdns/perftcpdns.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -204,7 +204,7 @@ uint64_t xscount;				/* sent counters */
 uint64_t xrcount;				/* received counters */
 
 /*
- * statictics counters and accumulators
+ * statistics counters and accumulators
  */
 
 uint64_t recverr, tooshort, locallimit;		/* error counters */
@@ -2356,7 +2356,7 @@ main(const int argc, char * const argv[])
 	(void) pthread_cancel(sender);
 	(void) pthread_cancel(receiver);
 
-	/* main statictics */
+	/* main statistics */
 	printf("connect: %llu, sent: %llu, received: %llu\n",
 	       (unsigned long long) xccount,
 	       (unsigned long long) xscount,
diff --git a/bind/bind9/contrib/queryperf/queryperf.c b/bind/bind9/contrib/queryperf/queryperf.c
index ba898fac..27de753e 100644
--- a/bind/bind9/contrib/queryperf/queryperf.c
+++ b/bind/bind9/contrib/queryperf/queryperf.c
@@ -1152,7 +1152,7 @@ next_input_line(char *line, int n) {
 
 /*
  * identify_directive:
- *   Gives us a numerical value equivelant for a directive string
+ *   Gives us a numerical value equivalent for a directive string
  *
  *   Returns the value for the directive
  *   Returns -1 if not a valid directive
@@ -1654,7 +1654,7 @@ register_response(unsigned short int id, unsigned int rcode, char *qname,
 
 /*
  * process_single_response:
- *   Receive from the given socket & process an invididual response packet.
+ *   Receive from the given socket & process an individual response packet.
  *   Remove it from the list of open queries (status[]) and decrement the
  *   number of outstanding queries if it matches an open query.
  */
diff --git a/bind/bind9/contrib/scripts/catzhash.py b/bind/bind9/contrib/scripts/catzhash.py
new file mode 100644
index 00000000..8ad61c39
--- /dev/null
+++ b/bind/bind9/contrib/scripts/catzhash.py
@@ -0,0 +1,32 @@
+#!/usr/bin/python
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# catzhash.py: generate the SHA-1 hash of a domain name in wire format.
+#
+# This can be used to determine the label to use in a catalog zone to
+# represent the specified zone. For example, the zone
+# "domain.example" can be represented in a catalog zone called
+# "catalog.example" by adding the following record:
+#
+# 5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. \
+#    IN PTR domain.example.
+#
+# The label "5960775ba382e7a4e09263fc06e7c00569b6a05c" is the output of
+# this script when run with the argument "domain.example".
+
+import sys
+import hashlib
+import dns.name
+
+if len(sys.argv) < 2:
+    print("Usage: %s name" % sys.argv[0])
+
+NAME = dns.name.from_text(sys.argv[1]).to_wire()
+print(hashlib.sha1(NAME).hexdigest())
diff --git a/bind/bind9/contrib/scripts/check-secure-delegation.pl.in b/bind/bind9/contrib/scripts/check-secure-delegation.pl.in
index 528900ad..8a792435 100644
--- a/bind/bind9/contrib/scripts/check-secure-delegation.pl.in
+++ b/bind/bind9/contrib/scripts/check-secure-delegation.pl.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/scripts/named-bootconf.sh b/bind/bind9/contrib/scripts/named-bootconf.sh
index 29e41059..cef5f8af 100644
--- a/bind/bind9/contrib/scripts/named-bootconf.sh
+++ b/bind/bind9/contrib/scripts/named-bootconf.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/scripts/nanny.pl b/bind/bind9/contrib/scripts/nanny.pl
index cb93441a..380b8711 100644
--- a/bind/bind9/contrib/scripts/nanny.pl
+++ b/bind/bind9/contrib/scripts/nanny.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/scripts/zone-edit.sh.in b/bind/bind9/contrib/scripts/zone-edit.sh.in
index 18132f9f..e40f173c 100644
--- a/bind/bind9/contrib/scripts/zone-edit.sh.in
+++ b/bind/bind9/contrib/scripts/zone-edit.sh.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/bdb/zone2bdb.c b/bind/bind9/contrib/sdb/bdb/zone2bdb.c
index 6599db19..a6688f6b 100644
--- a/bind/bind9/contrib/sdb/bdb/zone2bdb.c
+++ b/bind/bind9/contrib/sdb/bdb/zone2bdb.c
@@ -42,7 +42,7 @@
  * Returns a valid 'DB' handle.
  *
  * Requires:
- *	'file' is a valid non-existant path.
+ *	'file' is a valid non-existent path.
  */
 DB *
 bdb_init(const char *file)
diff --git a/bind/bind9/contrib/sdb/dir/dirdb.c b/bind/bind9/contrib/sdb/dir/dirdb.c
index a83c4f31..9a23e09c 100644
--- a/bind/bind9/contrib/sdb/dir/dirdb.c
+++ b/bind/bind9/contrib/sdb/dir/dirdb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/dir/dirdb.h b/bind/bind9/contrib/sdb/dir/dirdb.h
index e72dd69d..3f0421fe 100644
--- a/bind/bind9/contrib/sdb/dir/dirdb.h
+++ b/bind/bind9/contrib/sdb/dir/dirdb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/ldap/zone2ldap.1 b/bind/bind9/contrib/sdb/ldap/zone2ldap.1
index 781114bc..5b1fb244 100644
--- a/bind/bind9/contrib/sdb/ldap/zone2ldap.1
+++ b/bind/bind9/contrib/sdb/ldap/zone2ldap.1
@@ -7,7 +7,7 @@ zone2ldap  [-D Bind DN] [-w Bind Password] [-b Base DN] [-z Zone] [-f Zone File
 zone2ldap will parse a complete BIND 9 format DNS zone file, and load
 the contents into an LDAP directory, for use with the LDAP sdb back-end.
 
-If the zone already exists, zone2ldap will exit succesfully. If the zone does not exists, or 
+If the zone already exists, zone2ldap will exit successfully. If the zone does not exists, or
 partially exists, zone2ldap will attempt to add all/missing zone data.
 
 .SS Options
@@ -18,7 +18,7 @@ If the zone you are loading is different from the base, then you will need to te
 base is. 
 .TP
 -v 
-Print version information, and immediatly exit.
+Print version information, and immediately exit.
 .TP
 -f 
 Zone file.  Bind 9.1 compatible zone file, from which zone information will be read.
@@ -31,7 +31,7 @@ LDAP Bind password, corresponding the the value of "-b".
 .TP
 -h 
 LDAP Directory host. This is the hostname of the LDAP system you wish to store zone information on.
-An LDAP server should be listening on port 389 of the target system. This may be ommited, and will default
+An LDAP server should be listening on port 389 of the target system. This may be omitted, and will default
 to "localhost".
 .TP
 -c 
diff --git a/bind/bind9/contrib/sdb/ldap/zone2ldap.c b/bind/bind9/contrib/sdb/ldap/zone2ldap.c
index 113d8814..23c99e94 100644
--- a/bind/bind9/contrib/sdb/ldap/zone2ldap.c
+++ b/bind/bind9/contrib/sdb/ldap/zone2ldap.c
@@ -322,7 +322,7 @@ main (int argc, char **argv)
 		    sprintf (fullbasedn, "%s", ctmp);
 		}
 	      result = ldap_add_s (conn, fullbasedn, base_attrs);
-	      ldap_result_check ("intial ldap_add_s", fullbasedn, result);
+	      ldap_result_check ("initial ldap_add_s", fullbasedn, result);
 	    }
 
 	}
@@ -432,7 +432,7 @@ locate_by_dn (char *dn)
  * If locate_by_dn does not return, alloc a new ldap_info structure, and then
  * calloc a LDAPMod array, fill in the default "everyone needs this" information,
  * including object classes and dc's. If it locate_by_dn does return, then we'll
- * realloc for more LDAPMod structs, and appened the new data.  If an LDAPMod exists
+ * realloc for more LDAPMod structs, and append the new data.  If an LDAPMod exists
  * for the parameter we're adding, then we'll realloc the mod_values array, and
  * add the new value to the existing LDAPMod. Finnaly, it assures linkage exists
  * within the Run queue linked ilst*/
diff --git a/bind/bind9/contrib/sdb/pgsql/pgsqldb.c b/bind/bind9/contrib/sdb/pgsql/pgsqldb.c
index 25510993..9730f1cf 100644
--- a/bind/bind9/contrib/sdb/pgsql/pgsqldb.c
+++ b/bind/bind9/contrib/sdb/pgsql/pgsqldb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/pgsql/pgsqldb.h b/bind/bind9/contrib/sdb/pgsql/pgsqldb.h
index cd60f144..19167233 100644
--- a/bind/bind9/contrib/sdb/pgsql/pgsqldb.h
+++ b/bind/bind9/contrib/sdb/pgsql/pgsqldb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/pgsql/zonetodb.c b/bind/bind9/contrib/sdb/pgsql/zonetodb.c
index df7e9392..e46b808c 100644
--- a/bind/bind9/contrib/sdb/pgsql/zonetodb.c
+++ b/bind/bind9/contrib/sdb/pgsql/zonetodb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/tcl/lookup.tcl b/bind/bind9/contrib/sdb/tcl/lookup.tcl
index 7672ed1a..b23503d7 100644
--- a/bind/bind9/contrib/sdb/tcl/lookup.tcl
+++ b/bind/bind9/contrib/sdb/tcl/lookup.tcl
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/tcl/tcldb.c b/bind/bind9/contrib/sdb/tcl/tcldb.c
index 61be7df8..2d2ab480 100644
--- a/bind/bind9/contrib/sdb/tcl/tcldb.c
+++ b/bind/bind9/contrib/sdb/tcl/tcldb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/tcl/tcldb.h b/bind/bind9/contrib/sdb/tcl/tcldb.h
index 1d4d16c2..da0c25c6 100644
--- a/bind/bind9/contrib/sdb/tcl/tcldb.h
+++ b/bind/bind9/contrib/sdb/tcl/tcldb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/time/timedb.c b/bind/bind9/contrib/sdb/time/timedb.c
index 98d3f418..b8d8a81e 100644
--- a/bind/bind9/contrib/sdb/time/timedb.c
+++ b/bind/bind9/contrib/sdb/time/timedb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/contrib/sdb/time/timedb.h b/bind/bind9/contrib/sdb/time/timedb.h
index 30899880..b2c639eb 100644
--- a/bind/bind9/contrib/sdb/time/timedb.h
+++ b/bind/bind9/contrib/sdb/time/timedb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/dangerfile.py b/bind/bind9/dangerfile.py
new file mode 100644
index 00000000..f9db5bd7
--- /dev/null
+++ b/bind/bind9/dangerfile.py
@@ -0,0 +1,272 @@
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import re
+
+# Helper functions and variables
+
+def added_lines(target_branch, paths):
+    import subprocess
+    subprocess.check_output(['/usr/bin/git', 'fetch', '--depth', '1', 'origin',
+                             target_branch])
+    diff = subprocess.check_output(['/usr/bin/git', 'diff', 'FETCH_HEAD..',
+                                    '--'] + paths)
+    added_lines = []
+    for line in diff.splitlines():
+        if line.startswith(b'+') and not line.startswith(b'+++'):
+            added_lines.append(line)
+    return added_lines
+
+def lines_containing(lines, string):
+    return [l for l in lines if bytes(string, 'utf-8') in l]
+
+issue_or_mr_id_regex = re.compile(br'\[(GL [#!]|RT #)[0-9]+\]')
+release_notes_regex = re.compile(r'doc/(arm|notes)/notes-.*\.(rst|xml)')
+
+modified_files = danger.git.modified_files
+mr_labels = danger.gitlab.mr.labels
+target_branch = danger.gitlab.mr.target_branch
+
+###############################################################################
+# COMMIT MESSAGES
+###############################################################################
+#
+# - FAIL if any of the following is true for any commit on the MR branch:
+#
+#     * The subject line starts with "fixup!" or "Apply suggestion".
+#
+#     * The subject line contains a trailing dot.
+#
+#     * There is no empty line between the subject line and the log message.
+#
+# - WARN if any of the following is true for any commit on the MR branch:
+#
+#     * The length of the subject line for a non-merge commit exceeds 72
+#       characters.
+#
+#     * There is no log message present (i.e. commit only has a subject) and
+#       the subject line does not contain any of the following strings:
+#       "fixup!", " CHANGES ", " release note".
+#
+#     * Any line of the log message is longer than 72 characters.  This rule is
+#       not evaluated for:
+#
+#         - lines starting with four spaces, which allows long lines to be
+#           included in the commit log message by prefixing them with four
+#           spaces (useful for pasting compiler warnings, static analyzer
+#           messages, log lines, etc.),
+#
+#         - lines which contain references (i.e. those starting with "[1]",
+#           "[2]", etc.) which allows e.g. long URLs to be included in the
+#           commit log message.
+
+fixup_error_logged = False
+for commit in danger.git.commits:
+    message_lines = commit.message.splitlines()
+    subject = message_lines[0]
+    if (not fixup_error_logged and
+            (subject.startswith('fixup!') or
+             subject.startswith('Apply suggestion'))):
+        fail('Fixup commits are still present in this merge request. '
+             'Please squash them before merging.')
+        fixup_error_logged = True
+    if len(subject) > 72 and not subject.startswith('Merge branch '):
+        warn(
+            f'Subject line for commit {commit.sha} is too long: '
+            f'```{subject}``` ({len(subject)} > 72 characters).'
+        )
+    if subject[-1] == '.':
+        fail(f'Trailing dot found in the subject of commit {commit.sha}.')
+    if len(message_lines) > 1 and message_lines[1]:
+        fail(f'No empty line after subject for commit {commit.sha}.')
+    if (len(message_lines) < 3 and
+            'fixup! ' not in subject and
+            ' CHANGES ' not in subject and
+            ' release note' not in subject):
+        warn(f'Please write a log message for commit {commit.sha}.')
+    for line in message_lines[2:]:
+        if (len(line) > 72 and
+                not line.startswith('    ') and
+                not re.match(r'\[[0-9]+\]', line)):
+            warn(
+                f'Line too long in log message for commit {commit.sha}: '
+                f'```{line}``` ({len(line)} > 72 characters).'
+            )
+
+###############################################################################
+# MILESTONE
+###############################################################################
+#
+# FAIL if the merge request is not assigned to any milestone.
+
+if not danger.gitlab.mr.milestone:
+    fail('Please assign this merge request to a milestone.')
+
+###############################################################################
+# VERSION LABELS
+###############################################################################
+#
+# FAIL if any of the following is true for the merge request:
+#
+# * The "Backport" label is set and the number of version labels set is
+#   different than 1.  (For backports, the version label is used for indicating
+#   its target branch.  This is a rather ugly attempt to address a UI
+#   deficiency - the target branch for each MR is not visible on milestone
+#   dashboards.)
+#
+# * Neither the "Backport" label nor any version label is set.  (If the merge
+#   request is not a backport, version labels are used for indicating
+#   backporting preferences.)
+
+backport_label_set = 'Backport' in mr_labels
+version_labels = [l for l in mr_labels if l.startswith('v9.')]
+if backport_label_set and len(version_labels) != 1:
+    fail('The *Backport* label is set for this merge request. '
+         'Please also set exactly one version label (*v9.x*).')
+if not backport_label_set and not version_labels:
+    fail('If this merge request is a backport, set the *Backport* label and '
+         'a single version label (*v9.x*) indicating the target branch. '
+         'If not, set version labels for all targeted backport branches.')
+
+###############################################################################
+# OTHER LABELS
+###############################################################################
+#
+# WARN if any of the following is true for the merge request:
+#
+# * The "Review" label is not set.  (It may be intentional, but rarely is.)
+#
+# * The "Review" label is set, but the "LGTM" label is not set.  (This aims to
+#   remind developers about the need to set the latter on merge requests which
+#   passed review.)
+
+if 'Review' not in mr_labels:
+    warn('This merge request does not have the *Review* label set. '
+         'Please set it if you would like the merge request to be reviewed.')
+elif 'LGTM (Merge OK)' not in mr_labels:
+    warn('This merge request is currently in review. '
+         'It should not be merged until it is marked with the *LGTM* label.')
+
+###############################################################################
+# 'CHANGES' FILE
+###############################################################################
+#
+# FAIL if any of the following is true:
+#
+# * The merge request does not update the CHANGES file, but it does not have
+#   the "No CHANGES" label set.  (This attempts to ensure that the author of
+#   the MR did not forget about adding a CHANGES entry.)
+#
+# * The merge request updates the CHANGES file, but it has the "No CHANGES"
+#   label set.  (This attempts to ensure that the "No CHANGES" label is used in
+#   a sane way.)
+#
+# * The merge request adds any placeholder entries to the CHANGES file, but it
+#   does not target the "main" branch.
+#
+# * The merge request adds a new CHANGES entry that is not a placeholder and
+#   does not contain any GitLab/RT issue/MR identifiers.
+
+changes_modified = 'CHANGES' in modified_files
+no_changes_label_set = 'No CHANGES' in mr_labels
+if not changes_modified and not no_changes_label_set:
+    fail('This merge request does not modify `CHANGES`. '
+         'Add a `CHANGES` entry or set the *No CHANGES* label.')
+if changes_modified and no_changes_label_set:
+    fail('This merge request modifies `CHANGES`. '
+         'Revert `CHANGES` modifications or unset the *No Changes* label.')
+
+changes_added_lines = added_lines(target_branch, ['CHANGES'])
+placeholders_added = lines_containing(changes_added_lines, '[placeholder]')
+identifiers_found = filter(issue_or_mr_id_regex.search, changes_added_lines)
+if changes_added_lines:
+    if placeholders_added:
+        if target_branch != 'main':
+            fail('This MR adds at least one placeholder entry to `CHANGES`. '
+                 'It should be targeting the `main` branch.')
+    elif not any(identifiers_found):
+        fail('No valid issue/MR identifiers found in added `CHANGES` entries.')
+
+###############################################################################
+# RELEASE NOTES
+###############################################################################
+#
+# - FAIL if any of the following is true:
+#
+#     * The merge request does not update release notes and has the "Release
+#       Notes" label set.  (This attempts to point out missing release notes.)
+#
+#     * The merge request updates release notes but does not have the "Release
+#       Notes" label set.  (This ensures that merge requests updating release
+#       notes can be easily found using the "Release Notes" label.)
+#
+# - WARN if any of the following is true:
+#
+#     * This merge request does not update release notes and has the "Customer"
+#       label set.  (Except for trivial changes, all merge requests which may
+#       be of interest to customers should include a release note.)
+#
+#     * This merge request updates release notes, but no GitLab/RT issue/MR
+#       identifiers are found in the lines added to the release notes by this
+#       MR.
+
+release_notes_regex = re.compile(r'doc/(arm|notes)/notes-.*\.(rst|xml)')
+release_notes_changed = list(filter(release_notes_regex.match, modified_files))
+release_notes_label_set = 'Release Notes' in mr_labels
+if not release_notes_changed:
+    if release_notes_label_set:
+        fail('This merge request has the *Release Notes* label set. '
+             'Add a release note or unset the *Release Notes* label.')
+    elif 'Customer' in mr_labels:
+        warn('This merge request has the *Customer* label set. '
+             'Add a release note unless the changes introduced are trivial.')
+if release_notes_changed and not release_notes_label_set:
+    fail('This merge request modifies release notes. '
+         'Revert release note modifications or set the *Release Notes* label.')
+
+if release_notes_changed:
+    notes_added_lines = added_lines(target_branch, release_notes_changed)
+    identifiers_found = filter(issue_or_mr_id_regex.search, notes_added_lines)
+    if notes_added_lines and not any(identifiers_found):
+        warn('No valid issue/MR identifiers found in added release notes.')
+else:
+    notes_added_lines = []
+
+###############################################################################
+# CVE IDENTIFIERS
+###############################################################################
+#
+# FAIL if the merge request adds a CHANGES entry of type [security] and a CVE
+# identifier is missing from either the added CHANGES entry or the added
+# release note.
+
+if lines_containing(changes_added_lines, '[security]'):
+    if not lines_containing(changes_added_lines, '(CVE-20'):
+        fail('This merge request fixes a security issue. '
+             'Please add a CHANGES entry which includes a CVE identifier.')
+    if not lines_containing(notes_added_lines, 'CVE-20'):
+        fail('This merge request fixes a security issue. '
+             'Please add a release note which includes a CVE identifier.')
+
+###############################################################################
+# PAIRWISE TESTING
+###############################################################################
+#
+# FAIL if the merge request adds any new ./configure switch without an
+# associated annotation used for pairwise testing.
+
+configure_added_lines = added_lines(target_branch, ['configure.ac'])
+switches_added = (lines_containing(configure_added_lines, 'AC_ARG_ENABLE') +
+                  lines_containing(configure_added_lines, 'AC_ARG_WITH'))
+annotations_added = lines_containing(configure_added_lines, '# [pairwise: ')
+if len(switches_added) > len(annotations_added):
+    fail('This merge request adds at least one new `./configure` switch that '
+         'is not annotated for pairwise testing purposes.')
diff --git a/bind/bind9/doc/Makefile.in b/bind/bind9/doc/Makefile.in
index 760dde41..cc32b3fa 100644
--- a/bind/bind9/doc/Makefile.in
+++ b/bind/bind9/doc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/Bv9ARM-book.xml b/bind/bind9/doc/arm/Bv9ARM-book.xml
index 705c7b85..29d8aa59 100644
--- a/bind/bind9/doc/arm/Bv9ARM-book.xml
+++ b/bind/bind9/doc/arm/Bv9ARM-book.xml
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<book xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<book xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <title>BIND 9 Administrator Reference Manual</title>
     <!-- insert copyright start -->
@@ -36,6 +36,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <!-- insert copyright end -->
@@ -226,9 +227,9 @@
     <section xml:id="dns_overview"><info><title>The Domain Name System (<acronym>DNS</acronym>)</title></info>
 
       <para>
-	The purpose of this document is to explain the installation
+	This document explains the installation
 	and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
-	Name Domain) software package, and we
+	Name Domain) software package. We
 	begin by reviewing the fundamentals of the Domain Name System
 	(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
       </para>
@@ -283,7 +284,7 @@
 	<para>
 	  For administrative purposes, the name space is partitioned into
 	  areas called <emphasis>zones</emphasis>, each starting at a node and
-	  extending down to the leaf nodes or to nodes where other zones
+	  extending down to the "leaf" nodes or to nodes where other zones
 	  start.
 	  The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
 	  <emphasis>DNS protocol</emphasis>.
@@ -341,7 +342,7 @@
 	  <emphasis>terminal</emphasis>, that is, has no
 	  <emphasis>subdomains</emphasis>.  Every subdomain is a domain and
 	  every domain except the root is also a subdomain. The terminology is
-	  not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
+	  not intuitive and we suggest reading RFCs 1033, 1034, and 1035
 	  to
 	  gain a complete understanding of this difficult and subtle
 	  topic.
@@ -350,12 +351,12 @@
 	<para>
 	  Though <acronym>BIND</acronym> is called a "domain name
 	  server",
-	  it deals primarily in terms of zones. The master and slave
+	  it deals primarily in terms of zones. The "primary" and "secondary"
 	  declarations in the <filename>named.conf</filename> file
 	  specify
-	  zones, not domains. When you ask some other site if it is willing to
-	  be a slave server for your <emphasis>domain</emphasis>, you are
-	  actually asking for slave service for some collection of zones.
+	  zones, not domains. When BIND asks some other site if it is willing to
+	  be a secondary server for a <emphasis>domain</emphasis>, it is
+	  actually asking for secondary service for some collection of <emphasis>zones</emphasis>.
 	</para>
       </section>
 
@@ -377,12 +378,13 @@
 	  <command>dig</command> (<xref linkend="diagnostic_tools"/>).
 	</para>
 
-	<section xml:id="primary_master"><info><title>The Primary Master</title></info>
+	<section xml:id="primary_master"><info><title>The Primary Server</title></info>
 
 	  <para>
-	    The authoritative server where the master copy of the zone
+	    The authoritative server where the main copy of the zone
 	    data is maintained is called the
-	    <emphasis>primary master</emphasis> server, or simply the
+	    <emphasis>primary</emphasis> (or
+	    <command>master</command>) server, or simply the
 	    <emphasis>primary</emphasis>.  Typically it loads the zone
 	    contents from some local file edited by humans or perhaps
 	    generated mechanically from some other local file which is
@@ -392,32 +394,33 @@
 	  </para>
 
 	  <para>
-	    In some cases, however, the master file may not be edited
+	    In some cases, however, the zone file may not be edited
 	    by humans at all, but may instead be the result of
 	    <emphasis>dynamic update</emphasis> operations.
 	  </para>
 	</section>
 
-	<section xml:id="slave_server"><info><title>Slave Servers</title></info>
+	<section xml:id="slave_server"><info><title>Secondary Servers</title></info>
 
 	  <para>
-	    The other authoritative servers, the <emphasis>slave</emphasis>
-	    servers (also known as <emphasis>secondary</emphasis> servers)
-	    load the zone contents from another server using a replication
+	    The other authoritative servers, called the
+	    <emphasis>secondary</emphasis>
+	    (or <command>slave</command>) servers, load the zone
+	    contents from another server using a replication
 	    process known as a <emphasis>zone transfer</emphasis>.
-	    Typically the data are transferred directly from the primary
+	    Typically the data is transferred directly from the primary
 	    master, but it is also possible to transfer it from another
-	    slave.  In other words, a slave server may itself act as a
-	    master to a subordinate slave server.
+	    secondary.  In other words, a secondary server may itself act as a
+	    primary to a subordinate secondary server.
 	  </para>
 	  <para>
-	    Periodically, the slave server must send a refresh query to
+	    Periodically, the secondary server must send a refresh query to
 	    determine whether the zone contents have been updated. This
-	    is done by sending a query for the zone's SOA record and
+	    is done by sending a query for the zone's Start of Authority (SOA) record and
 	    checking whether the SERIAL field has been updated; if so,
 	    a new transfer request is initiated. The timing of these
 	    refresh queries is controlled by the SOA REFRESH and RETRY
-	    fields, but can be overrridden with the
+	    fields, but can be overridden with the
 	    <command>max-refresh-time</command>,
 	    <command>min-refresh-time</command>,
 	    <command>max-retry-time</command>, and
@@ -426,23 +429,22 @@
 	  <para>
 	    If the zone data cannot be updated within the time specified
 	    by the SOA EXPIRE option (up to a hard-coded maximum of
-	    24 weeks) then the slave zone expires and will no longer
-	    respond to queries.
+	    24 weeks), the secondary zone expires and no longer
+	    responds to queries.
 	  </para>
 	</section>
 
 	<section xml:id="stealth_server"><info><title>Stealth Servers</title></info>
 
 	  <para>
-	    Usually all of the zone's authoritative servers are listed in
+	    Usually, all of the zone's authoritative servers are listed in
 	    NS records in the parent zone.  These NS records constitute
 	    a <emphasis>delegation</emphasis> of the zone from the parent.
 	    The authoritative servers are also listed in the zone file itself,
 	    at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
-	    of the zone.  You can list servers in the zone's top-level NS
-	    records that are not in the parent's NS delegation, but you cannot
-	    list servers in the parent's delegation that are not present at
-	    the zone's top level.
+	    of the zone.  Servers that are not in the parent's NS delegation can be listed in the zone's top-level NS
+	    records, but servers that are not present at
+	    the zone's top level cannot be listed in the parent's delegation.
 	  </para>
 
 	  <para>
@@ -450,7 +452,7 @@
 	    authoritative for a zone but is not listed in that zone's NS
 	    records.  Stealth servers can be used for keeping a local copy of
 	    a
-	    zone to speed up access to the zone's records or to make sure that
+	    zone, to speed up access to the zone's records, or to make sure that
 	    the
 	    zone is available even if all the "official" servers for the zone
 	    are
@@ -458,11 +460,10 @@
 	  </para>
 
 	  <para>
-	    A configuration where the primary master server itself is a
+	    A configuration where the primary server itself is a
 	    stealth server is often referred to as a "hidden primary"
 	    configuration.  One use for this configuration is when the primary
-	    master
-	    is behind a firewall and therefore unable to communicate directly
+	    is behind a firewall and is therefore unable to communicate directly
 	    with the outside world.
 	  </para>
 
@@ -501,7 +502,7 @@
 	<para>
 	  The length of time for which a record may be retained in
 	  the cache of a caching name server is controlled by the
-	  Time To Live (TTL) field associated with each resource record.
+	  Time-To-Live (TTL) field associated with each resource record.
 	</para>
 
 	<section xml:id="forwarder"><info><title>Forwarding</title></info>
@@ -516,18 +517,35 @@
 	  </para>
 
 	  <para>
-	    There may be one or more forwarders,
-	    and they are queried in turn until the list is exhausted or an
-	    answer
-	    is found. Forwarders are typically used when you do not
-	    wish all the servers at a given site to interact directly with the
-	    rest of
-	    the Internet servers. A typical scenario would involve a number
-	    of internal <acronym>DNS</acronym> servers and an
-	    Internet firewall. Servers unable
-	    to pass packets through the firewall would forward to the server
-	    that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
-	    on the internal server's behalf.
+	    Forwarders are typically used when an administrator does not
+	    wish for all the servers at a given site to interact
+	    directly with the rest of the Internet. For example, a
+	    common scenario is when multiple internal DNS servers are
+	    behind an Internet firewall. Servers behind the firewall
+	    forward their requests to the server with external access,
+	    which queries Internet DNS servers on the internal servers'
+	    behalf.
+	  </para>
+
+	  <para>
+	    Another scenario (largely now superseded by Response Policy
+	    Zones) is to send queries first to a custom server for RBL
+	    processing before forwarding them to the wider Internet.
+	  </para>
+
+	  <para>
+	    There may be one or more forwarders in a given setup. The
+	    order in which the forwarders are listed in
+	    <filename>named.conf</filename> does not determine the
+	    sequence in which they are queried; rather,
+	    <command>named</command> uses the response times from
+	    previous queries to select the server that is likely to
+	    respond the most quickly. A server that has not yet been
+	    queried is given an initial small random response time to
+	    ensure that it is tried at least once. Dynamic adjustment of
+	    the recorded response times ensures that all forwarders are
+	    queried, even those with slower response times.  This
+	    permits changes in behavior based on server responsiveness.
 	  </para>
 	</section>
 
@@ -538,7 +556,7 @@
 	<para>
 	  The <acronym>BIND</acronym> name server can
 	  simultaneously act as
-	  a master for some zones, a slave for other zones, and as a caching
+	  a primary for some zones, a secondary for other zones, and a caching
 	  (recursive) server for a set of local clients.
 	</para>
 
@@ -569,13 +587,13 @@
       <para>
 	<acronym>DNS</acronym> hardware requirements have
 	traditionally been quite modest.
-	For many installations, servers that have been pensioned off from
+	For many installations, servers that have been retired from
 	active duty have performed admirably as <acronym>DNS</acronym> servers.
       </para>
       <para>
-	The DNSSEC features of <acronym>BIND</acronym> 9
-	may prove to be quite
-	CPU intensive however, so organizations that make heavy use of these
+	However, the DNSSEC features of <acronym>BIND</acronym> 9
+	may be quite
+	CPU-intensive, so organizations that make heavy use of these
 	features may wish to consider larger systems for these applications.
 	<acronym>BIND</acronym> 9 is fully multithreaded, allowing
 	full utilization of
@@ -585,29 +603,29 @@
     <section xml:id="cpu_req"><info><title>CPU Requirements</title></info>
       <para>
 	CPU requirements for <acronym>BIND</acronym> 9 range from
-	i486-class machines
-	for serving of static zones without caching, to enterprise-class
-	machines if you intend to process many dynamic updates and DNSSEC
-	signed zones, serving many thousands of queries per second.
+	i386-class machines,
+	for serving static zones without caching, to enterprise-class
+	machines to process many dynamic updates and DNSSEC-signed zones,
+	serving many thousands of queries per second.
       </para>
     </section>
     <section xml:id="mem_req"><info><title>Memory Requirements</title></info>
       <para>
-	The memory of the server has to be large enough to fit the
-	cache and zones loaded off disk.  The <command>max-cache-size</command>
-	option can be used to limit the amount of memory used by the cache,
+	Server memory must be sufficient to hold both the
+	cache and the zones loaded from disk.  The <command>max-cache-size</command>
+	option can limit the amount of memory used by the cache,
 	at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
 	traffic.
-	Additionally, if additional section caching
+	If additional section caching
 	(<xref linkend="acache"/>) is enabled,
 	the <command>max-acache-size</command> option can be used to
 	limit the amount
 	of memory used by the mechanism.
 	It is still good practice to have enough memory to load
-	all zone and cache data into memory — unfortunately, the best
+	all zone and cache data into memory; unfortunately, the best
 	way
 	to determine this for a given installation is to watch the name server
-	in operation. After a few weeks the server process should reach
+	in operation. After a few weeks, the server process should reach
 	a relatively stable size where entries are expiring from the cache as
 	fast as they are being inserted.
       </para>
@@ -617,17 +635,17 @@
 	-->
     </section>
 
-    <section xml:id="intensive_env"><info><title>Name Server Intensive Environment Issues</title></info>
+    <section xml:id="intensive_env"><info><title>Name Server-Intensive Environment Issues</title></info>
 
       <para>
-	For name server intensive environments, there are two alternative
-	configurations that may be used. The first is where clients and
+	For name server-intensive environments, there are two
+	configurations that may be used. The first is one where clients and
 	any second-level internal name servers query a main name server, which
-	has enough memory to build a large cache. This approach minimizes
+	has enough memory to build a large cache; this approach minimizes
 	the bandwidth used by external name lookups. The second alternative
 	is to set up second-level internal name servers to make queries
 	independently.
-	In this configuration, none of the individual machines needs to
+	In this configuration, none of the individual machines need to
 	have as much memory or CPU power as in the first alternative, but
 	this has the disadvantage of making many more external queries,
 	as none of the name servers share their cached data.
@@ -637,12 +655,11 @@
     <section xml:id="supported_os"><info><title>Supported Operating Systems</title></info>
 
       <para>
-	ISC <acronym>BIND</acronym> 9 compiles and runs on a large
-	number
-	of Unix-like operating systems and on
-	Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
+	ISC <acronym>BIND</acronym> 9 compiles and runs on many
+	Unix-like operating systems and on
+	Microsoft Windows Server 2012 R2, 2016 and Windows 10.
 	For an up-to-date
-	list of supported systems, see the README file in the top level
+	list of supported systems, see the PLATFORMS.md file in the top-level
 	directory
 	of the BIND 9 source distribution.
       </para>
@@ -652,7 +669,7 @@
   <chapter xml:id="Bv9ARM.ch03"><info><title>Name Server Configuration</title></info>
 
     <para>
-      In this chapter we provide some suggested configurations along
+      In this chapter we provide some suggested configurations, along
       with guidelines for their use.  We suggest reasonable values for
       certain option settings.
     </para>
@@ -666,7 +683,7 @@
 	  name server for use by clients internal to a corporation.  All
 	  queries
 	  from outside clients are refused using the <command>allow-query</command>
-	  option.  Alternatively, the same effect could be achieved using
+	  option.  The same effect can be achieved using
 	  suitable
 	  firewall rules.
 	</para>
@@ -695,8 +712,8 @@ zone "0.0.127.in-addr.arpa" {
 
 	<para>
 	  This sample configuration is for an authoritative-only server
-	  that is the master server for "<filename>example.com</filename>"
-	  and a slave for the subdomain "<filename>eng.example.com</filename>".
+	  that is the primary server for "<filename>example.com</filename>"
+	  and a secondary server for the subdomain "<filename>eng.example.com</filename>".
 	</para>
 
 <programlisting>
@@ -718,22 +735,22 @@ zone "0.0.127.in-addr.arpa" {
      file "localhost.rev";
      notify no;
 };
-// We are the master server for example.com
+// We are the primary server for example.com
 zone "example.com" {
      type master;
      file "example.com.db";
-     // IP addresses of slave servers allowed to
+     // IP addresses of secondary servers allowed to
      // transfer example.com
      allow-transfer {
 	  192.168.4.14;
 	  192.168.5.53;
      };
 };
-// We are a slave server for eng.example.com
+// We are a secondary server for eng.example.com
 zone "eng.example.com" {
      type slave;
      file "eng.example.com.bk";
-     // IP address of eng.example.com master server
+     // IP address of eng.example.com primary server
      masters { 192.168.4.12; };
 };
 </programlisting>
@@ -755,9 +772,9 @@ zone "eng.example.com" {
       </para>
 
       <para>
-	For example, if you have three WWW servers with network addresses
-	of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-	following means that clients will connect to each machine one third
+	For example, assuming three HTTP servers with network addresses
+	of 10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the
+	following means that clients will connect to each machine one-third
 	of the time:
       </para>
 
@@ -877,11 +894,11 @@ zone "eng.example.com" {
 	</tgroup>
       </informaltable>
       <para>
-	When a resolver queries for these records, <acronym>BIND</acronym> will rotate
-	them and respond to the query with the records in a different
-	order.  In the example above, clients will randomly receive
+	When a resolver queries for these records, <acronym>BIND</acronym> rotates
+	them and responds to the query with the records in a different
+	order.  In the example above, clients randomly receive
 	records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
-	will use the first record returned and discard the rest.
+	use the first record returned and discard the rest.
       </para>
       <para>
 	For more detail on ordering responses, check the
@@ -897,15 +914,14 @@ zone "eng.example.com" {
       <section xml:id="tools"><info><title>Tools for Use With the Name Server Daemon</title></info>
 	<para>
 	  This section describes several indispensable diagnostic,
-	  administrative and monitoring tools available to the system
+	  administrative, and monitoring tools available to the system
 	  administrator for controlling and debugging the name server
 	  daemon.
 	</para>
 	<section xml:id="diagnostic_tools"><info><title>Diagnostic Tools</title></info>
 	  <para>
 	    The <command>dig</command>, <command>host</command>, and
-	    <command>nslookup</command> programs are all command
-	    line tools
+	    <command>nslookup</command> programs are all command-line tools
 	    for manually querying name servers.  They differ in style and
 	    output format.
 	  </para>
@@ -918,7 +934,7 @@ zone "eng.example.com" {
 		  <command>dig</command>
 		  is the most versatile and complete of these lookup tools.
 		  It has two modes: simple interactive
-		  mode for a single query, and batch mode which executes a
+		  mode for a single query, and batch mode, which executes a
 		  query for
 		  each in a list of several query lines. All query options are
 		  accessible
@@ -935,7 +951,7 @@ zone "eng.example.com" {
 		  <arg choice="opt" rep="norepeat">%<replaceable>comment</replaceable></arg>
 		</cmdsynopsis>
 		<para>
-		  The usual simple use of <command>dig</command> will take the form
+		  The usual simple use of <command>dig</command> takes the form
 		</para>
 		<simpara>
 		  <command>dig @server domain query-type query-class</command>
@@ -988,7 +1004,7 @@ zone "eng.example.com" {
 		  has two modes: interactive and
 		  non-interactive. Interactive mode allows the user to
 		  query name servers for information about various
-		  hosts and domains or to print a list of hosts in a
+		  hosts and domains, or to print a list of hosts in a
 		  domain. Non-interactive mode is used to print just
 		  the name and requested information for a host or
 		  domain.
@@ -1003,9 +1019,9 @@ zone "eng.example.com" {
 		</cmdsynopsis>
 		<para>
 		  Interactive mode is entered when no arguments are given (the
-		  default name server will be used) or when the first argument
+		  default name server is used) or when the first argument
 		  is a
-		  hyphen (`-') and the second argument is the host name or
+		  hyphen ("-") and the second argument is the host name or
 		  Internet address
 		  of a name server.
 		</para>
@@ -1056,7 +1072,7 @@ zone "eng.example.com" {
 	      <listitem>
 		<para>
 		  The <command>named-checkzone</command> program
-		  checks a master file for
+		  checks a zone file for
 		  syntax and consistency.
 		</para>
 		<cmdsynopsis label="Usage" sepchar=" ">
@@ -1078,7 +1094,7 @@ zone "eng.example.com" {
 	      <term><command>named-compilezone</command></term>
 	      <listitem>
 		<para>
-		  Similar to <command>named-checkzone,</command> but
+		  This tool is similar to <command>named-checkzone,</command> but
 		  it always dumps the zone content to a specified file
 		  (typically in a different format).
 		</para>
@@ -1093,15 +1109,9 @@ zone "eng.example.com" {
 		  (<command>rndc</command>) program allows the
 		  system
 		  administrator to control the operation of a name server.
-		  Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
-		  supports all the commands of the BIND 8 <command>ndc</command>
-		  utility except <command>ndc start</command> and
-		  <command>ndc restart</command>, which were also
-		  not supported in <command>ndc</command>'s
-		  channel mode.
-		  If you run <command>rndc</command> without any
-		  options
-		  it will display a usage message as follows:
+		  If <command>rndc</command> is run without any
+		  options,
+		  it displays a usage message as follows:
 		</para>
 		<cmdsynopsis label="Usage" sepchar=" ">
 		  <command>rndc</command>
@@ -1129,7 +1139,7 @@ zone "eng.example.com" {
 		  alternate
 		  location can be specified with the <option>-c</option>
 		  option.  If the configuration file is not found,
-		  <command>rndc</command> will also look in
+		  <command>rndc</command> also looks in
 		  <filename>/etc/rndc.key</filename> (or whatever
 		  <varname>sysconfdir</varname> was defined when
 		  the <acronym>BIND</acronym> build was
@@ -1143,10 +1153,10 @@ zone "eng.example.com" {
 
 		<para>
 		  The format of the configuration file is similar to
-		  that of <filename>named.conf</filename>, but
+		  that of <filename>named.conf</filename>, but is
 		  limited to
-		  only four statements, the <command>options</command>,
-		  <command>key</command>, <command>server</command> and
+		  only four statements: the <command>options</command>,
+		  <command>key</command>, <command>server</command>, and
 		  <command>include</command>
 		  statements.  These statements are what associate the
 		  secret keys to the servers with which they are meant to
@@ -1160,9 +1170,9 @@ zone "eng.example.com" {
 		  <command>default-server</command>, <command>default-key</command>,
 		  and <command>default-port</command>.
 		  <command>default-server</command> takes a
-		  host name or address argument  and represents the server
-		  that will
-		  be contacted if no <option>-s</option>
+		  host name or address argument and represents the server
+		  that
+		  is contacted if no <option>-s</option>
 		  option is provided on the command line.
 		  <command>default-key</command> takes
 		  the name of a key as its argument, as defined by a <command>key</command> statement.
@@ -1190,16 +1200,16 @@ zone "eng.example.com" {
 		  The <command>key</command> statement has two
 		  clauses:
 		  <command>algorithm</command> and <command>secret</command>.
-		  While the configuration parser will accept any string as the
+		  While the configuration parser accepts any string as the
 		  argument
-		  to algorithm, currently only the strings
+		  to <command>algorithm</command>, currently only the strings
 		  "<userinput>hmac-md5</userinput>",
 		  "<userinput>hmac-sha1</userinput>",
 		  "<userinput>hmac-sha224</userinput>",
 		  "<userinput>hmac-sha256</userinput>",
-		  "<userinput>hmac-sha384</userinput>"
+		  "<userinput>hmac-sha384</userinput>",
 		  and "<userinput>hmac-sha512</userinput>"
-		  have any meaning.  The secret is a Base64 encoded string
+		  have any meaning.  The secret is a Base64-encoded string
 		  as specified in RFC 3548.
 		</para>
 
@@ -1238,7 +1248,7 @@ options {
 
 		<para>
 		  This file, if installed as <filename>/etc/rndc.conf</filename>,
-		  would allow the command:
+		  allows the command:
 		</para>
 
 		<para>
@@ -1246,8 +1256,8 @@ options {
 		</para>
 
 		<para>
-		  to connect to 127.0.0.1 port 953 and cause the name server
-		  to reload, if a name server on the local machine were
+		  to connect to 127.0.0.1 port 953 and causes the name server
+		  to reload, if a name server on the local machine is
 		  running with
 		  following controls statements:
 		</para>
@@ -1260,22 +1270,22 @@ controls {
 </programlisting>
 
 		<para>
-		  and it had an identical key statement for
+		  and it has an identical key statement for
 		  <literal>rndc_key</literal>.
 		</para>
 
 		<para>
 		  Running the <command>rndc-confgen</command>
-		  program will
-		  conveniently create a <filename>rndc.conf</filename>
-		  file for you, and also display the
+		  program
+		  conveniently creates an <filename>rndc.conf</filename>
+		  file, and also displays the
 		  corresponding <command>controls</command>
-		  statement that you need to
+		  statement needed to
 		  add to <filename>named.conf</filename>.
 		  Alternatively,
-		  you can run <command>rndc-confgen -a</command>
+		  it is possible to run <command>rndc-confgen -a</command>
 		  to set up
-		  a <filename>rndc.key</filename> file and not
+		  an <filename>rndc.key</filename> file and not
 		  modify
 		  <filename>named.conf</filename> at all.
 		</para>
@@ -1289,7 +1299,7 @@ controls {
 
       <section xml:id="signals"><info><title>Signals</title></info>
 	<para>
-	  Certain UNIX signals cause the name server to take specific
+	  Certain Unix signals cause the name server to take specific
 	  actions, as described in the following table.  These signals can
 	  be sent using the <command>kill</command> command.
 	</para>
@@ -1340,11 +1350,11 @@ controls {
 
     <section xml:id="notify"><info><title>Notify</title></info>
       <para>
-	<acronym>DNS</acronym> NOTIFY is a mechanism that allows master
-	servers to notify their slave servers of changes to a zone's data. In
-	response to a <command>NOTIFY</command> from a master server, the
-	slave will check to see that its version of the zone is the
-	current version and, if not, initiate a zone transfer.
+	<acronym>DNS</acronym> NOTIFY is a mechanism that allows primary
+	servers to notify their secondary servers of changes to a zone's data. In
+	response to a <command>NOTIFY</command> from a primary server, the
+	secondary checks to see that its version of the zone is the
+	current version and, if not, initiates a zone transfer.
       </para>
 
       <para>
@@ -1357,10 +1367,10 @@ controls {
       </para>
 
       <note><simpara>
-	As a slave zone can also be a master to other slaves, <command>named</command>,
+	As a secondary zone can also be a primary to other secondaries, <command>named</command>,
 	by default, sends <command>NOTIFY</command> messages for every zone
-	it loads.  Specifying <command>notify master-only;</command> will
-	cause <command>named</command> to only send <command>NOTIFY</command> for master
+	it loads.  Specifying <command>notify primary-only;</command>
+	causes <command>named</command> to only send <command>NOTIFY</command> for primary
 	zones that it loads.
       </simpara></note>
 
@@ -1369,8 +1379,8 @@ controls {
     <section xml:id="dynamic_update"><info><title>Dynamic Update</title></info>
 
       <para>
-	Dynamic Update is a method for adding, replacing or deleting
-	records in a master server by sending it a special form of DNS
+	Dynamic Update is a method for adding, replacing, or deleting
+	records in a primary server by sending it a special form of DNS
 	messages.  The format and meaning of these messages is specified
 	in RFC 2136.
       </para>
@@ -1384,31 +1394,31 @@ controls {
       <para>
 	If the zone's <command>update-policy</command> is set to
 	<userinput>local</userinput>, updates to the zone
-	will be permitted for the key <varname>local-ddns</varname>,
-	which will be generated by <command>named</command> at startup.
+	are permitted for the key <varname>local-ddns</varname>,
+	which is generated by <command>named</command> at startup.
 	See <xref linkend="dynamic_update_policies"/> for more details.
       </para>
 
       <para>
-	Dynamic updates using Kerberos signed requests can be made
-	using the TKEY/GSS protocol by setting either the
-	<command>tkey-gssapi-keytab</command> option, or alternatively
+	Dynamic updates using Kerberos-signed requests can be made
+	using the TKEY/GSS protocol, either by setting the
+	<command>tkey-gssapi-keytab</command> option, or
 	by setting both the <command>tkey-gssapi-credential</command>
 	and <command>tkey-domain</command> options. Once enabled,
-	Kerberos signed requests will be matched against the update
+	Kerberos-signed requests are matched against the update
 	policies for the zone, using the Kerberos principal as the
 	signer for the request.
       </para>
 
       <para>
 	Updating of secure zones (zones using DNSSEC) follows RFC
-	3007: RRSIG, NSEC and NSEC3 records affected by updates are
+	3007: RRSIG, NSEC, and NSEC3 records affected by updates are
 	automatically regenerated by the server using an online
 	zone key.  Update authorization is based on transaction
 	signatures and an explicit server policy.
       </para>
 
-      <section xml:id="journal"><info><title>The journal file</title></info>
+      <section xml:id="journal"><info><title>The Journal File</title></info>
 
 	<para>
 	  All changes made to a zone using dynamic update are stored
@@ -1417,27 +1427,27 @@ controls {
 	  The name of the journal file is formed by appending the extension
 	  <filename>.jnl</filename> to the name of the
 	  corresponding zone
-	  file unless specifically overridden.  The journal file is in a
+	  file, unless specifically overridden.  The journal file is in a
 	  binary format and should not be edited manually.
 	</para>
 
 	<para>
-	  The server will also occasionally write ("dump")
+	  The server also occasionally writes ("dumps")
 	  the complete contents of the updated zone to its zone file.
 	  This is not done immediately after
 	  each dynamic update, because that would be too slow when a large
 	  zone is updated frequently.  Instead, the dump is delayed by
 	  up to 15 minutes, allowing additional updates to take place.
-	  During the dump process, transient files will be created
+	  During the dump process, transient files are created
 	  with the extensions <filename>.jnw</filename> and
 	  <filename>.jbk</filename>; under ordinary circumstances, these
-	  will be removed when the dump is complete, and can be safely
+	  are removed when the dump is complete, and can be safely
 	  ignored.
 	</para>
 
 	<para>
-	  When a server is restarted after a shutdown or crash, it will replay
-	      the journal file to incorporate into the zone any updates that
+	  When a server is restarted after a shutdown or crash, it replays
+	  the journal file to incorporate into the zone any updates that
 	  took
 	  place after the last zone dump.
 	</para>
@@ -1445,32 +1455,32 @@ controls {
 	<para>
 	  Changes that result from incoming incremental zone transfers are
 	  also
-	  journalled in a similar way.
+	  journaled in a similar way.
 	</para>
 
 	<para>
 	  The zone files of dynamic zones cannot normally be edited by
 	  hand because they are not guaranteed to contain the most recent
-	  dynamic changes — those are only in the journal file.
+	  dynamic changes; those are only in the journal file.
 	  The only way to ensure that the zone file of a dynamic zone
-	  is up to date is to run <command>rndc stop</command>.
+	  is up-to-date is to run <command>rndc stop</command>.
 	</para>
 
 	<para>
-	  If you have to make changes to a dynamic zone
-	  manually, the following procedure will work:
-	  Disable dynamic updates to the zone using
+	  To make changes to a dynamic zone
+	  manually, follow these steps:
+	  first, disable dynamic updates to the zone using
 	  <command>rndc freeze <replaceable>zone</replaceable></command>.
-	  This will update the zone's master file with the changes
+	  This updates the zone file with the changes
 	  stored in its <filename>.jnl</filename> file.
-	  Edit the zone file.  Run
+	  Then, edit the zone file.  Finally, run
 	  <command>rndc thaw <replaceable>zone</replaceable></command>
 	  to reload the changed zone and re-enable dynamic updates.
 	</para>
 
 	<para>
 	  <command>rndc sync <replaceable>zone</replaceable></command>
-	  will update the zone file with changes from the journal file
+	  updates the zone file with changes from the journal file
 	  without stopping dynamic updates; this may be useful for viewing
 	  the current zone state.  To remove the <filename>.jnl</filename>
 	  file after updating the zone file, use
@@ -1485,26 +1495,26 @@ controls {
 
       <para>
 	The incremental zone transfer (IXFR) protocol is a way for
-	slave servers to transfer only changed data, instead of having to
-	transfer the entire zone. The IXFR protocol is specified in RFC
+	secondary servers to transfer only changed data, instead of having to
+	transfer an entire zone. The IXFR protocol is specified in RFC
 	1995. See <xref linkend="proposed_standards"/>.
       </para>
 
       <para>
-	When acting as a master, <acronym>BIND</acronym> 9
+	When acting as a primary server, <acronym>BIND</acronym> 9
 	supports IXFR for those zones
 	where the necessary change history information is available. These
-	include master zones maintained by dynamic update and slave zones
-	whose data was obtained by IXFR.  For manually maintained master
-	zones, and for slave zones obtained by performing a full zone
+	include primary zones maintained by dynamic update and secondary zones
+	whose data was obtained by IXFR.  For manually maintained primary
+	zones, and for secondary zones obtained by performing a full zone
 	transfer (AXFR), IXFR is supported only if the option
 	<command>ixfr-from-differences</command> is set
 	to <userinput>yes</userinput>.
       </para>
 
       <para>
-	When acting as a slave, <acronym>BIND</acronym> 9 will
-	attempt to use IXFR unless
+	When acting as a secondary server, <acronym>BIND</acronym> 9
+	attempts to use IXFR unless
 	it is explicitly disabled. For more information about disabling
 	IXFR, see the description of the <command>request-ixfr</command> clause
 	of the <command>server</command> statement.
@@ -1514,15 +1524,15 @@ controls {
     <section xml:id="split_dns"><info><title>Split DNS</title></info>
 
       <para>
-	Setting up different views, or visibility, of the DNS space to
+	Setting up different views of the DNS space to
 	internal and external resolvers is usually referred to as a
-	<emphasis>Split DNS</emphasis> setup. There are several
-	reasons an organization would want to set up its DNS this way.
+	<emphasis>split DNS</emphasis> setup. There are several
+	reasons an organization might want to set up its DNS this way.
       </para>
       <para>
-	One common reason for setting up a DNS system this way is
+	One common reason to use split DNS is
 	to hide "internal" DNS information from "external" clients on the
-	Internet. There is some debate as to whether or not this is actually
+	Internet. There is some debate as to whether this is actually
 	useful.
 	Internal DNS information leaks out in many ways (via email headers,
 	for example) and most savvy "attackers" can find the information
@@ -1530,17 +1540,17 @@ controls {
 	However, since listing addresses of internal servers that
 	external clients cannot possibly reach can result in
 	connection delays and other annoyances, an organization may
-	choose to use a Split DNS to present a consistent view of itself
+	choose to use split DNS to present a consistent view of itself
 	to the outside world.
       </para>
       <para>
-	Another common reason for setting up a Split DNS system is
+	Another common reason for setting up a split DNS system is
 	to allow internal networks that are behind filters or in RFC 1918
 	space (reserved IP space, as documented in RFC 1918) to resolve DNS
 	on the Internet. Split DNS can also be used to allow mail from outside
-	back in to the internal network.
+	back into the internal network.
       </para>
-      <section xml:id="split_dns_sample"><info><title>Example split DNS setup</title></info>
+      <section xml:id="split_dns_sample"><info><title>Example Split DNS Setup</title></info>
 	<para>
 	  Let's say a company named <emphasis>Example, Inc.</emphasis>
 	  (<literal>example.com</literal>)
@@ -1557,15 +1567,15 @@ controls {
 	  at all outside of the internal network.
 	</para>
 	<para>
-	  In order to accomplish this, the company will set up two sets
-	  of name servers. One set will be on the inside network (in the
+	  In order to accomplish this, the company sets up two sets
+	  of name servers. One set is on the inside network (in the
 	  reserved
-	  IP space) and the other set will be on bastion hosts, which are
+	  IP space) and the other set is on bastion hosts, which are
 	  "proxy"
-	  hosts that can talk to both sides of its network, in the DMZ.
+	  hosts in the DMZ that can talk to both sides of its network.
 	</para>
 	<para>
-	  The internal servers will be configured to forward all queries,
+	  The internal servers are configured to forward all queries,
 	  except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
 	  and <filename>site2.example.com</filename>, to the servers
 	  in the
@@ -1580,19 +1590,19 @@ controls {
 	  hosts.
 	</para>
 	<para>
-	  The external servers, which are on the bastion hosts, will
-	  be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
+	  The external servers, which are on the bastion hosts, are
+	  configured to serve the "public" version of the <filename>site1.example.com</filename> and <filename>site2.example.com</filename> zones.
 	  This could include things such as the host records for public servers
-	  (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
-	  and mail exchange (MX)  records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
+	  (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>)
+	  and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
 	</para>
 	<para>
-	  In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
-	  should have special MX records that contain wildcard (`*') records
+	  In addition, the public <filename>site1.example.com</filename> and <filename>site2.example.com</filename> zones
+	  should have special MX records that contain wildcard ("*") records
 	  pointing to the bastion hosts. This is needed because external mail
 	  servers do not have any other way of looking up how to deliver mail
-	  to those internal hosts. With the wildcard records, the mail will
-	  be delivered to the bastion host, which can then forward it on to
+	  to those internal hosts. With the wildcard records, the mail is
+	  delivered to the bastion host, which can then forward it on to
 	  internal hosts.
 	</para>
 	<para>
@@ -1601,19 +1611,19 @@ controls {
 	<programlisting>*   IN MX 10 external1.example.com.</programlisting>
 	<para>
 	  Now that they accept mail on behalf of anything in the internal
-	  network, the bastion hosts will need to know how to deliver mail
-	  to internal hosts. In order for this to work properly, the resolvers
+	  network, the bastion hosts need to know how to deliver mail
+	  to internal hosts. The resolvers
 	  on
-	  the bastion hosts will need to be configured to point to the internal
+	  the bastion hosts need to be configured to point to the internal
 	  name servers for DNS resolution.
 	</para>
 	<para>
-	  Queries for internal hostnames will be answered by the internal
-	  servers, and queries for external hostnames will be forwarded back
+	  Queries for internal hostnames are answered by the internal
+	  servers, and queries for external hostnames are forwarded back
 	  out to the DNS servers on the bastion hosts.
 	</para>
 	<para>
-	  In order for all this to work properly, internal clients will
+	  For all of this to work properly, internal clients
 	  need to be configured to query <emphasis>only</emphasis> the internal
 	  name servers for DNS queries. This could also be enforced via
 	  selective
@@ -1621,12 +1631,12 @@ controls {
 	</para>
 	<para>
 	  If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
-	  internal clients will now be able to:
+	  internal clients are now able to:
 	</para>
 	<itemizedlist>
 	  <listitem>
 	    <simpara>
-	      Look up any hostnames in the <literal>site1</literal>
+	      Look up any hostnames in the <literal>site1.example.com</literal>
 	      and
 	      <literal>site2.example.com</literal> zones.
 	    </simpara>
@@ -1641,32 +1651,32 @@ controls {
 	    <simpara>Look up any hostnames on the Internet.</simpara>
 	  </listitem>
 	  <listitem>
-	    <simpara>Exchange mail with both internal and external people.</simpara>
+	    <simpara>Exchange mail with both internal and external users.</simpara>
 	  </listitem>
 	</itemizedlist>
 	<para>
-	  Hosts on the Internet will be able to:
+	  Hosts on the Internet are able to:
 	</para>
 	<itemizedlist>
 	  <listitem>
 	    <simpara>
-	      Look up any hostnames in the <literal>site1</literal>
+	      Look up any hostnames in the <literal>site1.example.com</literal>
 	      and
 	      <literal>site2.example.com</literal> zones.
 	    </simpara>
 	  </listitem>
 	  <listitem>
 	    <simpara>
-	      Exchange mail with anyone in the <literal>site1</literal> and
+	      Exchange mail with anyone in the <literal>site1.example.com</literal> and
 	      <literal>site2.example.com</literal> zones.
 	    </simpara>
 	  </listitem>
 	</itemizedlist>
 
 	<para>
-	  Here is an example configuration for the setup we just
+	  Here is an example configuration for the setup just
 	  described above. Note that this is only configuration information;
-	  for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
+	  for information on how to configure the zone files, see <xref linkend="sample_configuration"/>.
 	</para>
 
 	<para>
@@ -1697,7 +1707,7 @@ options {
     ...
 };
 
-// sample master zone
+// sample primary zone
 zone "site1.example.com" {
   type master;
   file "m/site1.example.com";
@@ -1707,7 +1717,7 @@ zone "site1.example.com" {
   allow-transfer { internals; };
 };
 
-// sample slave zone
+// sample secondary zone
 zone "site2.example.com" {
   type slave;
   file "s/site2.example.com";
@@ -1759,7 +1769,7 @@ options {
   ...
 };
 
-// sample slave zone
+// sample secondary zone
 zone "site1.example.com" {
   type master;
   file "m/site1.foo.com";
@@ -1799,10 +1809,10 @@ nameserver 172.16.72.4
 	clients when IP-based access control is insufficient or needs to
 	be overridden, or as a way to ensure message authenticity when it
 	is critical to the integrity of the server, such as with dynamic
-	UPDATE messages or zone transfers from a master to a slave server.
+	UPDATE messages or zone transfers from a primary to a secondary server.
       </para>
       <para>
-	This is a guide to setting up TSIG in <acronym>BIND</acronym>.
+	This section is a guide to setting up TSIG in <acronym>BIND</acronym>.
 	It describes the configuration syntax and the process of creating
 	TSIG keys.
       </para>
@@ -1814,15 +1824,15 @@ nameserver 172.16.72.4
 	<itemizedlist>
 	  <listitem>
 	    <xref linkend="man.nsupdate"/> supports TSIG via the
-	    <option>-k</option>, <option>-l</option> and
-	    <option>-y</option> command line options, or via
+	    <option>-k</option>, <option>-l</option>, and
+	    <option>-y</option> command-line options, or via
 	    the <command>key</command> command when running
 	    interactively.
 	  </listitem>
 	  <listitem>
 	    <xref linkend="man.dig"/> supports TSIG via the
-	    <option>-k</option> and <option>-y</option> command
-	    line options.
+	    <option>-k</option> and <option>-y</option>
+		command-line options.
 	  </listitem>
 	</itemizedlist>
       </para>
@@ -1832,14 +1842,14 @@ nameserver 172.16.72.4
 	  TSIG keys can be generated using the <command>tsig-keygen</command>
 	  command; the output of the command is a <command>key</command> directive
 	  suitable for inclusion in <filename>named.conf</filename>.  The
-	  key name, algorithm and size can be specified by command line parameters;
+	  key name, algorithm, and size can be specified by command-line parameters;
 	  the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
 	</para>
 	<para>
 	  Any string which is a valid DNS name can be used as a key name.
 	  For example, a key to be shared between servers called
 	  <emphasis>host1</emphasis> and <emphasis>host2</emphasis> could
-	  be called "host1-host2.", and this key could be generated using:
+	  be called "host1-host2.", and this key can be generated using:
 	</para>
 <programlisting>
   $ tsig-keygen host1-host2. > host1-host2.key
@@ -1860,7 +1870,7 @@ nameserver 172.16.72.4
 	</para>
       </section>
 
-      <section><info><title>Loading A New Key</title></info>
+      <section><info><title>Loading a New Key</title></info>
 	<para>
 	  For a key shared between servers called
 	  <emphasis>host1</emphasis> and <emphasis>host2</emphasis>,
@@ -1881,7 +1891,7 @@ key "host1-host2." {
 	  Since this text contains a secret, it
 	  is recommended that either <filename>named.conf</filename> not be
 	  world-readable, or that the <command>key</command> directive
-	  be stored in a file which is not world-readable, and which is
+	  be stored in a file which is not world-readable and which is
 	  included in <filename>named.conf</filename> via the
 	  <command>include</command> directive.
 	</para>
@@ -1889,8 +1899,8 @@ key "host1-host2." {
 	  Once a key has been added to <filename>named.conf</filename> and the
 	  server has been restarted or reconfigured, the server can recognize
 	  the key.  If the server receives a message signed by the
-	  key, it will be able to verify the signature.  If the signature
-	  is valid, the response will be signed using the same key.
+	  key, it is able to verify the signature.  If the signature
+	  is valid, the response is signed using the same key.
 	</para>
 	<para>
 	  TSIG keys that are known to a server can be listed using the
@@ -1906,11 +1916,11 @@ key "host1-host2." {
 	<para>
 	  For example, a key may be specified for each server in the
 	  <command>masters</command> statement in the definition of a
-	  slave zone; in this case, all SOA QUERY messages, NOTIFY
-	  messages, and zone transfer requests (AXFR or IXFR) will be
+	  secondary zone; in this case, all SOA QUERY messages, NOTIFY
+	  messages, and zone transfer requests (AXFR or IXFR) are
 	  signed using the specified key.  Keys may also be specified
-	  in the <command>also-notify</command> statement of a master
-	  or slave zone, causing NOTIFY messages to be signed using
+	  in the <command>also-notify</command> statement of a primary
+	  or secondary zone, causing NOTIFY messages to be signed using
 	  the specified key.
 	</para>
 	<para>
@@ -1938,9 +1948,9 @@ server 10.1.2.3 {
 	  configuration file.
 	</para>
 	<para>
-	  Whenever any server sends a TSIG-signed DNS request, it will expect
+	  Whenever any server sends a TSIG-signed DNS request, it expects
 	  the response to be signed with the same key. If a response is not
-	  signed, or if the signature is not valid, the response will be
+	  signed, or if the signature is not valid, the response is
 	  rejected.
 	</para>
       </section>
@@ -1948,13 +1958,13 @@ server 10.1.2.3 {
       <section><info><title>TSIG-Based Access Control</title></info>
 	<para>
 	  TSIG keys may be specified in ACL definitions and ACL directives
-	  such as <command>allow-query</command>, <command>allow-transfer</command>
+	  such as <command>allow-query</command>, <command>allow-transfer</command>,
 	  and <command>allow-update</command>.
 	  The above key would be denoted in an ACL element as
 	  <command>key host1-host2.</command>
 	</para>
 	<para>
-	  An example of an <command>allow-update</command> directive using
+	  Here is an example of an <command>allow-update</command> directive using
 	  a TSIG key:
 	</para>
 <programlisting>
@@ -1988,13 +1998,13 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	    </listitem>
 	    <listitem>
 	      If a TSIG-aware server receives a message with a time
-	      outside of the allowed range, the response will be signed, with
+	      outside of the allowed range, the response will be signed but
 	      the TSIG extended error code set to BADTIME, and the time values
 	      will be adjusted so that the response can be successfully
 	      verified.
 	    </listitem>
 	  </itemizedlist>
-	  In all of the above cases, the server will return a response code
+	  In all of the above cases, the server returns a response code
 	  of NOTAUTH (not authenticated).
 	</para>
       </section>
@@ -2018,9 +2028,9 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	a query of type TKEY to a TKEY-aware server.  The query must include
 	an appropriate KEY record in the additional section, and
 	must be signed using either TSIG or SIG(0) with a previously
-	established key.  The server's response, if successful, will
-	contain a TKEY record in its answer section.  After this transaction,
-	both participants will have enough information to calculate a
+	established key.  The server's response, if successful,
+	contains a TKEY record in its answer section.  After this transaction,
+	both participants have enough information to calculate a
 	shared secret using Diffie-Hellman key exchange.  The shared secret
 	can then be used by to sign subsequent transactions between the
 	two servers.
@@ -2043,13 +2053,13 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	<acronym>BIND</acronym> partially supports DNSSEC SIG(0)
 	transaction signatures as specified in RFC 2535 and RFC 2931.
 	SIG(0) uses public/private keys to authenticate messages.  Access control
-	is performed in the same manner as TSIG keys; privileges can be
+	is performed in the same manner as with TSIG keys; privileges can be
 	granted or denied in ACL directives based on the key name.
       </para>
       <para>
-	When a SIG(0) signed message is received, it will only be
+	When a SIG(0) signed message is received, it is only
 	verified if the key is known and trusted by the server. The
-	server will not attempt to recursively fetch or validate the
+	server does not attempt to recursively fetch or validate the
 	key.
       </para>
       <para>
@@ -2078,15 +2088,13 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	below.  In all cases, the <option>-h</option> option prints a
 	full list of parameters.  Note that the DNSSEC tools require the
 	keyset files to be in the working directory or the
-	directory specified by the <option>-d</option> option, and
-	that the tools shipped with BIND 9.2.x and earlier are not compatible
-	with the current ones.
+	directory specified by the <option>-d</option> option.
       </para>
 
       <para>
 	There must also be communication with the administrators of
 	the parent and/or child zone to transmit keys.  A zone's security
-	status must be indicated by the parent zone for a DNSSEC capable
+	status must be indicated by the parent zone for a DNSSEC-capable
 	resolver to trust its data.  This is done through the presence
 	or absence of a <literal>DS</literal> record at the
 	delegation
@@ -2095,7 +2103,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 
       <para>
 	For other servers to trust data in this zone, they must
-	either be statically configured with this zone's zone key or the
+	be statically configured with either this zone's zone key or the
 	zone key of another zone above this one in the DNS tree.
       </para>
 
@@ -2110,8 +2118,8 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	  A secure zone must contain one or more zone keys.  The
 	  zone keys will sign all other records in the zone, as well as
 	  the zone keys of any secure delegated zones.  Zone keys must
-	  have the same name as the zone, a name type of
-	  <command>ZONE</command>, and must be usable for
+	  have the same name as the zone, have a name type of
+	  <command>ZONE</command>, and be usable for
 	  authentication.
 	  It is recommended that zone keys use a cryptographic algorithm
 	  designated as "mandatory to implement" by the IETF; currently
@@ -2119,7 +2127,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para>
-	  The following command will generate a 768-bit RSASHA1 key for
+	  The following command generates a 768-bit RSASHA1 key for
 	  the <filename>child.example</filename> zone:
 	</para>
 
@@ -2128,12 +2136,12 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para>
-	  Two output files will be produced:
+	  Two output files are produced:
 	  <filename>Kchild.example.+005+12345.key</filename> and
 	  <filename>Kchild.example.+005+12345.private</filename>
 	  (where
 	  12345 is an example of a key tag).  The key filenames contain
-	  the key name (<filename>child.example.</filename>),
+	  the key name (<filename>child.example.</filename>), the
 	  algorithm (3
 	  is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
 	  this case).
@@ -2145,13 +2153,13 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para>
-	  To generate another key with the same properties (but with
-	  a different key tag), repeat the above command.
+	  To generate another key with the same properties but with
+	  a different key tag, repeat the above command.
 	</para>
 
 	<para>
 	  The <command>dnssec-keyfromlabel</command> program is used
-	  to get a key pair from a crypto hardware and build the key
+	  to get a key pair from a crypto hardware device and build the key
 	  files. Its usage is similar to <command>dnssec-keygen</command>.
 	</para>
 
@@ -2171,20 +2179,19 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 
 	<para>
 	  Any <filename>keyset</filename> files corresponding to
-	  secure subzones should be present.  The zone signer will
-	  generate <literal>NSEC</literal>, <literal>NSEC3</literal>
+	  secure sub-zones should be present.  The zone signer
+	  generates <literal>NSEC</literal>, <literal>NSEC3</literal>,
 	  and <literal>RRSIG</literal> records for the zone, as
 	  well as <literal>DS</literal> for the child zones if
-	  <literal>'-g'</literal> is specified.  If <literal>'-g'</literal>
+	  <literal>-g</literal> is specified.  If <literal>-g</literal>
 	  is not specified, then DS RRsets for the secure child
 	  zones need to be added manually.
 	</para>
 
 	<para>
-	  The following command signs the zone, assuming it is in a
-	  file called <filename>zone.child.example</filename>.  By
-		default, all zone keys which have an available private key are
-		used to generate signatures.
+	  By default, all zone keys which have an available private key are
+	  used to generate signatures. The following command signs the zone, assuming it is in a
+	  file called <filename>zone.child.example</filename>:
 	</para>
 
 	<para>
@@ -2201,8 +2208,8 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para><command>dnssec-signzone</command>
-	  will also produce a keyset and dsset files and optionally a
-	  dlvset file.  These are used to provide the parent zone
+	  also produces keyset and dsset files.
+	  These are used to provide the parent zone
 	  administrators with the <literal>DNSKEYs</literal> (or their
 	  corresponding <literal>DS</literal> records) that are the
 	  secure entry point to the zone.
@@ -2210,11 +2217,11 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 
       </section>
 
-      <section xml:id="dnssec_config"><info><title>Configuring Servers</title></info>
+      <section xml:id="dnssec_config"><info><title>Configuring Servers for DNSSEC</title></info>
 
 	<para>
 	  To enable <command>named</command> to respond appropriately
-	  to DNS requests from DNSSEC aware clients,
+	  to DNS requests from DNSSEC-aware clients,
 	  <command>dnssec-enable</command> must be set to yes.
 	  (This is the default setting.)
 	</para>
@@ -2223,14 +2230,14 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	  To enable <command>named</command> to validate answers from
 	  other servers, the <command>dnssec-enable</command> option
 	  must be set to <userinput>yes</userinput>, and the
-	  <command>dnssec-validation</command> options must be set to
+	  <command>dnssec-validation</command> option must be set to
 	  <userinput>yes</userinput> or <userinput>auto</userinput>.
 	</para>
 
 	<para>
 	  If <command>dnssec-validation</command> is set to
 	  <userinput>auto</userinput>, then a default
-	  trust anchor for the DNS root zone will be used.
+	  trust anchor for the DNS root zone is used.
 	  If it is set to <userinput>yes</userinput>, however,
 	  then at least one trust anchor must be configured
 	  with a <command>trusted-keys</command> or
@@ -2245,13 +2252,13 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	  for zones that are used to form the first link in the
 	  cryptographic chain of trust.  All keys listed in
 	  <command>trusted-keys</command> (and corresponding zones)
-	  are deemed to exist and only the listed keys will be used
-	  to validated the DNSKEY RRset that they are from.
+	  are deemed to exist and only the listed keys are used
+	  to validate the DNSKEY RRset that they are from.
 	</para>
 
 	<para>
 	  <command>managed-keys</command> are trusted keys which are
-	  automatically kept up to date via RFC 5011 trust anchor
+	  automatically kept up-to-date via RFC 5011 trust anchor
 	  maintenance.
 	</para>
 
@@ -2262,20 +2269,20 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para>
-	  Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
+	  <acronym>BIND</acronym>
 	  9 does not verify signatures on load, so zone keys for
 	  authoritative zones do not need to be specified in the
 	  configuration file.
 	</para>
 
 	<para>
-	  After DNSSEC gets established, a typical DNSSEC configuration
-	  will look something like the following.  It has one or
-	  more public keys for the root.  This allows answers from
-	  outside the organization to be validated.  It will also
-	  have several keys for parts of the namespace the organization
+	  After DNSSEC is established, a typical DNSSEC configuration
+	  looks something like the following.  It has one or
+	  more public keys for the root, which allows answers from
+	  outside the organization to be validated.  It also
+	  has several keys for parts of the namespace that the organization
 	  controls.  These are here to ensure that <command>named</command>
-	  is immune to compromises in the DNSSEC components of the security
+	  is immune to compromised security in the DNSSEC components
 	  of parent zones.
 	</para>
 
@@ -2339,8 +2346,8 @@ options {
 
 	<para>
 	  When DNSSEC validation is enabled and properly configured,
-	  the resolver will reject any answers from signed, secure zones
-	  which fail to validate, and will return SERVFAIL to the client.
+	  the resolver rejects any answers from signed, secure zones
+	  which fail to validate, and returns SERVFAIL to the client.
 	</para>
 
 	<para>
@@ -2362,7 +2369,7 @@ options {
 	  <para>
 	    If the validator <emphasis>can</emphasis> prove that the zone
 	    is insecure, then the response is accepted.  However, if it
-	    cannot, then it must assume an insecure response to be a
+	    cannot, the validator must assume an insecure response to be a
 	    forgery; it rejects the response and logs an error.
 	  </para>
 	  <para>
@@ -2388,9 +2395,9 @@ options {
     <section xml:id="ipv6"><info><title>IPv6 Support in <acronym>BIND</acronym> 9</title></info>
       <para>
 	<acronym>BIND</acronym> 9 fully supports all currently
-	defined forms of IPv6 name to address and address to name
-	lookups.  It will also use IPv6 addresses to make queries when
-	running on an IPv6 capable system.
+	defined forms of IPv6 name-to-address and address-to-name
+	lookups.  It also uses IPv6 addresses to make queries when
+	running on an IPv6-capable system.
       </para>
 
       <para>
@@ -2414,8 +2421,8 @@ options {
 	but support of binary labels has been completely removed per
 	RFC 3363.
 	Many applications in <acronym>BIND</acronym> 9 do not understand
-	the binary label format at all any more, and will return an
-	error if given.
+	the binary label format at all anymore, and return an
+	error if one is given.
 	In particular, an authoritative <acronym>BIND</acronym> 9
 	name server will not load a zone file containing binary labels.
       </para>
@@ -2430,7 +2437,7 @@ options {
 	<para>
 	  The IPv6 AAAA record is a parallel to the IPv4 A record,
 	  and, unlike the deprecated A6 record, specifies the entire
-	  IPv6 address in a single record.  For example,
+	  IPv6 address in a single record.  For example:
 	</para>
 
 <programlisting>
@@ -2445,7 +2452,7 @@ host            3600    IN      AAAA    2001:db8::1
 	  the address.
 	</para>
       </section>
-      <section><info><title>Address to Name Lookups Using Nibble Format</title></info>
+      <section><info><title>Address-to-Name Lookups Using Nibble Format</title></info>
 
 	<para>
 	  When looking up an address in nibble format, the address
@@ -2454,7 +2461,7 @@ host            3600    IN      AAAA    2001:db8::1
 	  resulting name.
 	  For example, the following would provide reverse name lookup for
 	  a host with address
-	  <literal>2001:db8::1</literal>.
+	  <literal>2001:db8::1</literal>:
 	</para>
 
 <programlisting>
@@ -2472,12 +2479,12 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
     <section xml:id="lightweight_resolver"><info><title>The Lightweight Resolver Library</title></info>
 
       <para>
-	Traditionally applications have been linked with a stub resolver
+	Traditionally, applications have been linked with a stub resolver
 	library that sends recursive DNS queries to a local caching name
 	server.
       </para>
       <para>
-	IPv6 once introduced new complexity into the resolution process,
+	At first, IPv6 introduced new complexity into the resolution process,
 	such as following A6 chains and DNAME records, and simultaneous
 	lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
 	then removed, these are hard or impossible
@@ -2488,7 +2495,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	services to local clients
 	using a combination of a lightweight resolver library and a resolver
 	daemon process running on the local host.  These communicate using
-	a simple UDP-based protocol, the "lightweight resolver protocol"
+	a simple UDP-based protocol, the "lightweight resolver protocol,"
 	that is distinct from and simpler than the full DNS protocol.
       </para>
     </section>
@@ -2503,7 +2510,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
       </para>
 
       <para>
-	By default, applications using the lightweight resolver library will
+	By default, applications using the lightweight resolver library
 	make
 	UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
 	The
@@ -2513,19 +2520,13 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
       </para>
 
       <para>
-	The daemon currently only looks in the DNS, but in the future
-	it may use other sources such as <filename>/etc/hosts</filename>,
-	NIS, etc.
-      </para>
-
-      <para>
 	The <command>lwresd</command> daemon is essentially a
 	caching-only name server that responds to requests using the
 	lightweight
 	resolver protocol rather than the DNS protocol.  Because it needs
 	to run on each host, it is designed to require no or minimal
 	configuration.
-	Unless configured otherwise, it uses the name servers listed on
+	Unless otherwise instructed, it uses the name servers listed on
 	<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
 	as forwarders, but is also capable of doing the resolution
 	autonomously if
@@ -2534,7 +2535,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
       <para>
 	The <command>lwresd</command> daemon may also be
 	configured with a
-	<filename>named.conf</filename> style configuration file,
+	<filename>named.conf</filename>-style configuration file,
 	in
 	<filename>/etc/lwresd.conf</filename> by default.  A name
 	server may also
@@ -2543,7 +2544,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
       </para>
       <para>
 	The number of client queries that the <command>lwresd</command>
-	daemon is able to serve can be set using the
+	daemon serves can be set using the
 	<option>lwres-tasks</option> and <option>lwres-clients</option>
 	statements in the configuration.
       </para>
@@ -2552,23 +2553,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
   <chapter xml:id="Bv9ARM.ch06"><info><title><acronym>BIND</acronym> 9 Configuration Reference</title></info>
 
-    <para>
-      <acronym>BIND</acronym> 9 configuration is broadly similar
-      to <acronym>BIND</acronym> 8; however, there are a few new
-      areas
-      of configuration, such as views. <acronym>BIND</acronym>
-      8 configuration files should work with few alterations in <acronym>BIND</acronym>
-      9, although more complex configurations should be reviewed to check
-      if they can be more efficiently implemented using the new features
-      found in <acronym>BIND</acronym> 9.
-    </para>
-
-    <para>
-      <acronym>BIND</acronym> 4 configuration files can be
-      converted to the new format
-      using the shell script
-      <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
-    </para>
     <section xml:id="configuration_file_elements"><info><title>Configuration File Elements</title></info>
 
       <para>
@@ -2604,7 +2588,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		  A list of one or more
 		  <varname>ip_addr</varname>,
 		  <varname>ip_prefix</varname>, <varname>key_id</varname>,
-		  or <varname>acl_name</varname> elements, see
+		  or <varname>acl_name</varname> elements; see
 		  <xref linkend="address_match_lists"/>.
 		</para>
 	      </entry>
@@ -2621,7 +2605,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		  with optional <varname>key_id</varname> and/or
 		  <varname>ip_port</varname>.
 		  A <varname>masters_list</varname> may include other
-		  <varname>masters_lists</varname>.
+		  <varname>masters_list</varname>s.
 		</para>
 	      </entry>
 	    </row>
@@ -2633,8 +2617,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  A quoted string which will be used as
-		  a DNS name, for example "<literal>my.test.domain</literal>".
+		  A quoted string which is used as
+		  a DNS name; for example, <literal>my.test.domain</literal>.
 		</para>
 	      </entry>
 	    </row>
@@ -2660,8 +2644,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      <entry colname="2">
 		<para>
 		  One to four integers valued 0 through
-		  255 separated by dots (`.'), such as <command>123</command>,
-		  <command>45.67</command> or <command>89.123.45.67</command>.
+		  255 separated by dots ("."), such as <command>123.45.67</command> or <command>89.123.45.67</command>.
 		</para>
 	      </entry>
 	    </row>
@@ -2687,22 +2670,22 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      <entry colname="2">
 		<para>
 		  An IPv6 address, such as <command>2001:db8::1234</command>.
-		  IPv6 scoped addresses that have ambiguity on their
+		  IPv6-scoped addresses that have ambiguity on their
 		  scope zones must be disambiguated by an appropriate
-		  zone ID with the percent character (`%') as
+		  zone ID with the percent character ("%") as a
 		  delimiter.  It is strongly recommended to use
 		  string zone names rather than numeric identifiers,
-		  in order to be robust against system configuration
+		  to be robust against system configuration
 		  changes.  However, since there is no standard
 		  mapping for such names and identifier values,
-		  currently only interface names as link identifiers
+		  only interface names as link identifiers
 		  are supported, assuming one-to-one mapping between
 		  interfaces and links.  For example, a link-local
 		  address <command>fe80::1</command> on the link
 		  attached to the interface <command>ne0</command>
 		  can be specified as <command>fe80::1%ne0</command>.
 		  Note that on most systems link-local addresses
-		  always have the ambiguity, and need to be
+		  always have ambiguity and need to be
 		  disambiguated.
 		</para>
 	      </entry>
@@ -2747,7 +2730,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		  through 65535, with values
 		  below 1024 typically restricted to use by processes running
 		  as root.
-		  In some cases, an asterisk (`*') character can be used as a
+		  In some cases, an asterisk ("*") character can be used as a
 		  placeholder to
 		  select a random high-numbered port.
 		</para>
@@ -2762,19 +2745,19 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      <entry colname="2">
 		<para>
 		  An IP network specified as an <varname>ip_addr</varname>,
-		  followed by a slash (`/') and then the number of bits in the
+		  followed by a slash ("/") and then the number of bits in the
 		  netmask.
-		  Trailing zeros in a <varname>ip_addr</varname>
-		  may omitted.
+		  Trailing zeros in an <varname>ip_addr</varname>
+		  may be omitted.
 		  For example, <command>127/8</command> is the
 		  network <command>127.0.0.0</command> with
 		  netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
 		  network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
 		</para>
 		<para>
-		  When specifying a prefix involving a IPv6 scoped address
-		  the scope may be omitted.  In that case the prefix will
-		  match packets from any scope.
+		  When specifying a prefix involving a IPv6-scoped address,
+		  the scope may be omitted.  In that case, the prefix
+		  matches packets from any scope.
 		</para>
 	      </entry>
 	    </row>
@@ -2830,11 +2813,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      <entry colname="2">
 		<para>
 		  A non-negative real number that can be specified to
-		  the nearest one hundredth.  Up to five digits can be
+		  the nearest one-hundredth.  Up to five digits can be
 		  specified before a decimal point, and up to two
 		  digits after, so the maximum value is 99999.99.
 		  Acceptable values might be further limited by the
-		  context in which it is used.
+		  contexts in which they are used.
 		</para>
 	      </entry>
 	    </row>
@@ -2846,7 +2829,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  A quoted string which will be used as
+		  A quoted string which is used as
 		  a pathname, such as <filename>zones/master/my.test.domain</filename>.
 		</para>
 	      </entry>
@@ -2873,7 +2856,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		  For example,
 		  <userinput>range 1024 65535</userinput> represents
 		  ports from 1024 through 65535.
-		  In either case an asterisk (`*') character is not
+		  In either case an asterisk ("*") character is not
 		  allowed as a valid <varname>ip_port</varname>.
 		</para>
 	      </entry>
@@ -2898,7 +2881,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		  use a more limited range within these extremes.
 		  In most cases, setting a value to 0 does not
 		  literally mean zero; it means "undefined" or
-		  "as big as possible", depending on the context.
+		  "as big as possible," depending on the context.
 		  See the explanations of particular parameters
 		  that use <varname>size_spec</varname>
 		  for details on how they interpret its use.
@@ -2916,7 +2899,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		</para>
 		<para>
 		  <varname>unlimited</varname> generally means
-		  "as big as possible", and is usually the best
+		  "as big as possible," and is usually the best
 		  way to safely set a very large number.
 		</para>
 		<para>
@@ -2933,15 +2916,15 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  <varname>size_spec</varname> or integer value
-		  followed by '%' to represent percents.
+		  A <varname>size_spec</varname> or integer value
+		  followed by "%" to represent percent.
 		</para>
 		<para>
 		  The behavior is exactly the same as
 		  <varname>size_spec</varname>, but
-		  <varname>size_or_percent</varname> allows also
-		  to specify a positive integer value followed by
-		  '%' sign to represent percents.
+		  <varname>size_or_percent</varname> also allows
+		  specifying a positive integer value followed by the
+		  "%"" sign to represent percent.
 		</para>
 	      </entry>
 	    </row>
@@ -2970,11 +2953,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		<para>
 		  One of <userinput>yes</userinput>,
 		  <userinput>no</userinput>, <userinput>notify</userinput>,
-		  <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
+		  <userinput>notify-passive</userinput>, <userinput>refresh</userinput>, or
 		  <userinput>passive</userinput>.
 		  When used in a zone, <userinput>notify-passive</userinput>,
 		  <userinput>refresh</userinput>, and <userinput>passive</userinput>
-		  are restricted to slave and stub zones.
+		  are restricted to secondary and stub zones.
 		</para>
 	      </entry>
 	    </row>
@@ -3006,7 +2989,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      <simpara>an IP address (IPv4 or IPv6)</simpara>
 	    </listitem>
 	    <listitem>
-	      <simpara>an IP prefix (in `/' notation)</simpara>
+	      <simpara>an IP prefix (in "/" notation)</simpara>
 	    </listitem>
 	    <listitem>
 	      <simpara>
@@ -3025,10 +3008,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  </itemizedlist>
 
 	  <para>
-	    Elements can be negated with a leading exclamation mark (`!'),
+	    Elements can be negated with a leading exclamation mark ("!"),
 	    and the match list names "any", "none", "localhost", and
 	    "localnets" are predefined. More information on those names
-	    can be found in the description of the acl statement.
+	    can be found in the description of the <command>acl</command>
+	    statement.
 	  </para>
 
 	  <para>
@@ -3069,7 +3053,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    <command>allow-update-forwarding</command>,
 	    <command>blackhole</command>, and
 	    <command>keep-response-order</command> all use address match
-	    lists.  Similarly, the <command>listen-on</command> option will cause the
+	    lists.  Similarly, the <command>listen-on</command> option causes the
 	    server to refuse queries on any of the machine's
 	    addresses which do not match the list.
 	  </para>
@@ -3077,7 +3061,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  <para>
 	    Order of insertion is significant.  If more than one element
 	    in an ACL is found to match a given IP address or prefix,
-	    preference will be given to the one that came
+	    preference is given to the one that came
 	    <emphasis>first</emphasis> in the ACL definition.
 	    Because of this first-match behavior, an element that
 	    defines a subset of another element in the list should
@@ -3085,10 +3069,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    either is negated. For example, in
 	    <command>1.2.3/24; ! 1.2.3.13;</command>
 	    the 1.2.3.13 element is completely useless because the
-	    algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
+	    algorithm matches any lookup for 1.2.3.13 to the 1.2.3/24
 	    element.  Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
-	    that problem by having 1.2.3.13 blocked by the negation, but
-	    all other 1.2.3.* hosts fall through.
+	    that problem by blocking 1.2.3.13 via the negation, but
+	    all other 1.2.3.* hosts pass through.
 	  </para>
 	</section>
       </section>
@@ -3096,7 +3080,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
       <section xml:id="comment_syntax"><info><title>Comment Syntax</title></info>
 
 	<para>
-	  The <acronym>BIND</acronym> 9 comment syntax allows for
+	  The <acronym>BIND</acronym> 9 comment syntax allows
 	  comments to appear
 	  anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
 	  file. To appeal to programmers of all kinds, they can be written
@@ -3108,7 +3092,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  <para>
 	    <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
 	    <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
-	    <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells
+	    <programlisting># This is a <acronym>BIND</acronym> comment as in common Unix shells
 # and perl</programlisting>
 	  </para>
 	</section>
@@ -3154,7 +3138,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 	  </para>
 	  <para>
-	    Shell-style (or perl-style, if you prefer) comments start
+	    Shell-style (or perl-style) comments start
 	    with the character <literal>#</literal> (number sign)
 	    and continue to the end of the
 	    physical line, as in C++ comments.
@@ -3172,8 +3156,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 	  <warning>
 	    <para>
-	      You cannot use the semicolon (`;') character
-	      to start a comment such as you would in a zone file. The
+	      The semicolon (";") character
+	      cannot start a comment, unlike in a zone file. The
 	      semicolon indicates the end of a configuration
 	      statement.
 	    </para>
@@ -3187,7 +3171,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
       <para>
 	A <acronym>BIND</acronym> 9 configuration consists of
 	statements and comments.
-	Statements end with a semicolon. Statements and comments are the
+	Statements end with a semicolon; statements and comments are the
 	only elements that can appear without enclosing braces. Many
 	statements contain a block of sub-statements, which are also
 	terminated with a semicolon.
@@ -3208,7 +3192,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  defines a named IP address
+		  Defines a named IP address
 		  matching list, for access control and other uses.
 		</para>
 	      </entry>
@@ -3219,7 +3203,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  declares control channels to be used
+		  Declares control channels to be used
 		  by the <command>rndc</command> utility.
 		</para>
 	      </entry>
@@ -3230,7 +3214,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  includes a file.
+		  Includes a file.
 		</para>
 	      </entry>
 	    </row>
@@ -3240,7 +3224,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  specifies key information for use in
+		  Specifies key information for use in
 		  authentication and authorization using TSIG.
 		</para>
 	      </entry>
@@ -3251,7 +3235,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  specifies what the server logs, and where
+		  Specifies what information the server logs and where
 		  the log messages are sent.
 		</para>
 	      </entry>
@@ -3262,8 +3246,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  configures <command>named</command> to
-		  also act as a light-weight resolver daemon (<command>lwresd</command>).
+		  Configures <command>named</command> to
+		  also act as a lightweight resolver daemon (<command>lwresd</command>).
 		</para>
 	      </entry>
 	    </row>
@@ -3273,8 +3257,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  defines a named masters list for
-		  inclusion in stub and slave zones'
+		  Defines a named list of primary servers for
+		  inclusion in stub and secondary zones'
 		  <command>masters</command> or
 		  <command>also-notify</command> lists.
 		</para>
@@ -3286,7 +3270,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  controls global server configuration
+		  Controls global server configuration
 		  options and sets defaults for other statements.
 		</para>
 	      </entry>
@@ -3297,7 +3281,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  sets certain configuration options on
+		  Sets certain configuration options on
 		  a per-server basis.
 		</para>
 	      </entry>
@@ -3308,7 +3292,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  declares communication channels to get access to
+		  Declares communication channels to get access to
 		  <command>named</command> statistics.
 		</para>
 	      </entry>
@@ -3319,7 +3303,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  defines trusted DNSSEC keys.
+		  Defines trusted DNSSEC keys.
 		</para>
 	      </entry>
 	    </row>
@@ -3329,7 +3313,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  lists DNSSEC keys to be kept up to date
+		  Lists DNSSEC keys to be kept up-to-date
 		  using RFC 5011 trust anchor maintenance.
 		</para>
 	      </entry>
@@ -3340,7 +3324,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  defines a view.
+		  Defines a view.
 		</para>
 	      </entry>
 	    </row>
@@ -3350,7 +3334,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  defines a zone.
+		  Defines a zone.
 		</para>
 	      </entry>
 	    </row>
@@ -3373,8 +3357,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 	<para>
 	  The <command>acl</command> statement assigns a symbolic
-	  name to an address match list. It gets its name from a primary
-	  use of address match lists: Access Control Lists (ACLs).
+	  name to an address match list. It gets its name from one of the primary
+	  uses of address match lists: Access Control Lists (ACLs).
 	</para>
 
 	<para>
@@ -3432,8 +3416,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		    ACL element is updated to reflect the changes.
 		    Some systems do not provide a way to determine the prefix
 		    lengths of
-		    local IPv6 addresses.
-		    In such a case, <command>localnets</command>
+		    local IPv6 addresses;
+		    in such cases, <command>localnets</command>
 		    only matches the local
 		    IPv6 addresses, just like <command>localhost</command>.
 		  </para>
@@ -3452,7 +3436,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 	<para>
 	  The <command>controls</command> statement declares control
-	  channels to be used by system administrators to control the
+	  channels to be used by system administrators to manage the
 	  operation of the name server. These control channels are
 	  used by the <command>rndc</command> utility to send
 	  commands to and retrieve non-DNS results from a name server.
@@ -3463,11 +3447,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  listening at the specified <command>ip_port</command> on the
 	  specified <command>ip_addr</command>, which can be an IPv4 or IPv6
 	  address.  An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
-	  interpreted as the IPv4 wildcard address; connections will be
+	  interpreted as the IPv4 wildcard address; connections are
 	  accepted on any of the system's IPv4 addresses.
 	  To listen on the IPv6 wildcard address,
 	  use an <command>ip_addr</command> of <literal>::</literal>.
-	  If you will only use <command>rndc</command> on the local host,
+	  If <command>rndc</command> is only used on the local host,
 	  using the loopback address (<literal>127.0.0.1</literal>
 	  or <literal>::1</literal>) is recommended for maximum security.
 	</para>
@@ -3483,17 +3467,17 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  <command>keys</command> clauses.
 	  Connections to the control channel are permitted based on the
 	  <command>address_match_list</command>.  This is for simple
-	  IP address based filtering only; any <command>key_id</command>
+	  IP address-based filtering only; any <command>key_id</command>
 	  elements of the <command>address_match_list</command>
 	  are ignored.
 	</para>
 
 	<para>
-	  A <command>unix</command> control channel is a UNIX domain
+	  A <command>unix</command> control channel is a Unix domain
 	  socket listening at the specified path in the file system.
 	  Access to the socket is specified by the <command>perm</command>,
-	  <command>owner</command> and <command>group</command> clauses.
-	  Note on some platforms (SunOS and Solaris) the permissions
+	  <command>owner</command>, and <command>group</command> clauses.
+	  Note on some platforms (SunOS and Solaris), the permissions
 	  (<command>perm</command>) are applied to the parent directory
 	  as the permissions on the socket itself are ignored.
 	</para>
@@ -3521,52 +3505,30 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 	<para>
 	  If no <command>controls</command> statement is present,
-	  <command>named</command> will set up a default
+	  <command>named</command> sets up a default
 	  control channel listening on the loopback address 127.0.0.1
 	  and its IPv6 counterpart ::1.
 	  In this case, and also when the <command>controls</command> statement
 	  is present but does not have a <command>keys</command> clause,
-	  <command>named</command> will attempt to load the command channel key
+	  <command>named</command> attempts to load the command channel key
 	  from the file <filename>rndc.key</filename> in
 	  <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
-	  was specified as when <acronym>BIND</acronym> was built).
-	  To create a <filename>rndc.key</filename> file, run
+	  was specified when <acronym>BIND</acronym> was built).
+	  To create an <filename>rndc.key</filename> file, run
 	  <userinput>rndc-confgen -a</userinput>.
 	</para>
 
 	<para>
-	  The <filename>rndc.key</filename> feature was created to
-	  ease the transition of systems from <acronym>BIND</acronym> 8,
-	  which did not have digital signatures on its command channel
-	  messages and thus did not have a <command>keys</command> clause.
-
-	  It makes it possible to use an existing <acronym>BIND</acronym> 8
-	  configuration file in <acronym>BIND</acronym> 9 unchanged,
-	  and still have <command>rndc</command> work the same way
-	  <command>ndc</command> worked in BIND 8, simply by executing the
-	  command <userinput>rndc-confgen -a</userinput> after BIND 9 is
-	  installed.
-	</para>
-
-	<para>
-	  Since the <filename>rndc.key</filename> feature
-	  is only intended to allow the backward-compatible usage of
-	  <acronym>BIND</acronym> 8 configuration files, this
-	  feature does not
-	  have a high degree of configurability.  You cannot easily change
-	  the key name or the size of the secret, so you should make a
-	  <filename>rndc.conf</filename> with your own key if you
-	  wish to change
-	  those things.  The <filename>rndc.key</filename> file
+	  The key name and the size of the secret cannot be easily changed; if it
+	  is desirable to change those things, make a
+	  <filename>rndc.conf</filename> with a custom key.  The <filename>rndc.key</filename> file
 	  also has its
 	  permissions set such that only the owner of the file (the user that
 	  <command>named</command> is running as) can access it.
-	  If you
-	  desire greater flexibility in allowing other users to access
-	  <command>rndc</command> commands, then you need to create
+	  For greater flexibility in allowing other users to access
+	  <command>rndc</command> commands, create
 	  a
-	  <filename>rndc.conf</filename> file and make it group
-	  readable by a group
+	  <filename>rndc.conf</filename> file and make it group-readable by a group
 	  that contains the users who should have access.
 	</para>
 
@@ -3621,7 +3583,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 	<para>
 	  The <replaceable>key_id</replaceable>, also known as the
-	  key name, is a domain name uniquely identifying the key. It can
+	  key name, is a domain name that uniquely identifies the key. It can
 	  be used in a <command>server</command>
 	  statement to cause requests sent to that
 	  server to be signed with this key, or in address match lists to
@@ -3634,14 +3596,13 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  that specifies a security/authentication algorithm.  The
 	  <command>named</command> server supports <literal>hmac-md5</literal>,
 	  <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
-	  <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
+	  <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>,
 	  and <literal>hmac-sha512</literal> TSIG authentication.
 	  Truncated hashes are supported by appending the minimum
-	  number of required bits preceded by a dash, e.g.
+	  number of required bits preceded by a dash, e.g.,
 	  <literal>hmac-sha1-80</literal>.  The
 	  <replaceable>secret_string</replaceable> is the secret
-	  to be used by the algorithm, and is treated as a Base64
-	  encoded string.
+	  to be used by the algorithm, and is treated as a Base64-encoded string.
 	</para>
 
       </section>
@@ -3655,15 +3616,15 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  The <command>logging</command> statement configures a
 	  wide
 	  variety of logging options for the name server. Its <command>channel</command> phrase
-	  associates output methods, format options and severity levels with
+	  associates output methods, format options, and severity levels with
 	  a name that can then be used with the <command>category</command> phrase
 	  to select how various classes of messages are logged.
 	</para>
 	<para>
 	  Only one <command>logging</command> statement is used to
 	  define
-	  as many channels and categories as are wanted. If there is no <command>logging</command> statement,
-	  the logging configuration will be:
+	  as many channels and categories as desired. If there is no <command>logging</command> statement,
+	  the logging configuration is:
 	</para>
 
 <programlisting>logging {
@@ -3676,7 +3637,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  If <command>named</command> is started with the
 	  <option>-L</option> option, it logs to the specified file
 	  at startup, instead of using syslog. In this case the logging
-	  configuration will be:
+	  configuration is:
 	</para>
 
 <programlisting>logging {
@@ -3686,12 +3647,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </programlisting>
 
 	<para>
-	  In <acronym>BIND</acronym> 9, the logging configuration
+	  The logging configuration
 	  is only established when
-	  the entire configuration file has been parsed.  In <acronym>BIND</acronym> 8, it was
-	  established as soon as the <command>logging</command>
-	  statement
-	  was parsed. When the server is starting up, all logging messages
+	  the entire configuration file has been parsed. When the server starts up, all logging messages
 	  regarding syntax errors in the configuration file go to the default
 	  channels, or to standard error if the <option>-g</option> option
 	  was specified.
@@ -3701,19 +3659,19 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 	  <para>
 	    All log output goes to one or more <emphasis>channels</emphasis>;
-	    you can make as many of them as you want.
+	    there is no limit to the number of channels that can be created.
 	  </para>
 
 	  <para>
 	    Every channel definition must include a destination clause that
-	    says whether messages selected for the channel go to a file, to a
-	    particular syslog facility, to the standard error stream, or are
-	    discarded. It can optionally also limit the message severity level
-	    that will be accepted by the channel (the default is
+	    says whether messages selected for the channel go to a file, go to a
+	    particular syslog facility, go to the standard error stream, or are
+	    discarded. The definition can optionally also limit the message severity level
+	    that is accepted by the channel (the default is
 	    <command>info</command>), and whether to include a
 	    <command>named</command>-generated time stamp, the
-	    category name
-	    and/or severity level (the default is not to include any).
+	    category name,
+	    and/or the severity level (the default is not to include any).
 	  </para>
 
 	  <para>
@@ -3726,25 +3684,25 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    The <command>file</command> destination clause directs
 	    the channel
 	    to a disk file.  It can include limitations
-	    both on how large the file is allowed to become, and how many
+	    both on how large the file is allowed to become, and on how many
 	    versions
-	    of the file will be saved each time the file is opened.
+	    of the file are saved each time the file is opened.
 	  </para>
 
 	  <para>
-	    If you use the <command>versions</command> log file
-	    option, then
-	    <command>named</command> will retain that many backup
+	    If the <command>versions</command> log file
+	    option is used, then
+	    <command>named</command> retains that many backup
 	    versions of the file by
-	    renaming them when opening.  For example, if you choose to keep
+	    renaming them when opening.  For example, to keep
 	    three old versions
-	    of the file <filename>lamers.log</filename>, then just
+	    of the file <filename>lamers.log</filename>, just
 	    before it is opened
 	    <filename>lamers.log.1</filename> is renamed to
 	    <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
 	    to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
 	    renamed to <filename>lamers.log.0</filename>.
-	    You can say <command>versions unlimited</command> to
+	    The <command>versions unlimited</command> option can be set to
 	    not limit
 	    the number of versions.
 	    If a <command>size</command> option is associated with
@@ -3758,13 +3716,13 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  <para>
 	    The <command>size</command> option for files is used
 	    to limit log
-	    growth. If the file ever exceeds the size, then <command>named</command> will
-	    stop writing to the file unless it has a <command>versions</command> option
+	    growth. If the file ever exceeds the size, then <command>named</command>
+	    stops writing to the file unless it also has a <command>versions</command> option
 	    associated with it.  If backup versions are kept, the files are
 	    rolled as
 	    described above and a new one begun.  If there is no
-	    <command>versions</command> option, no more data will
-	    be written to the log
+	    <command>versions</command> option, no more data is
+	    written to the log
 	    until some out-of-band mechanism removes or truncates the log to
 	    less than the
 	    maximum size.  The default behavior is not to limit the size of
@@ -3773,7 +3731,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  </para>
 
 	  <para>
-	    Example usage of the <command>size</command> and
+	    Here is an example using the <command>size</command> and
 	    <command>versions</command> options:
 	  </para>
 
@@ -3795,35 +3753,35 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
 	    <command>ftp</command>, <command>local0</command>, <command>local1</command>,
 	    <command>local2</command>, <command>local3</command>, <command>local4</command>,
-	    <command>local5</command>, <command>local6</command> and
-	    <command>local7</command>, however not all facilities
+	    <command>local5</command>, <command>local6</command>, and
+	    <command>local7</command>; however, not all facilities
 	    are supported on
 	    all operating systems.
-	    How <command>syslog</command> will handle messages
+	    How <command>syslog</command> handles messages
 	    sent to
 	    this facility is described in the <command>syslog.conf</command> man
-	    page. If you have a system which uses a very old version of <command>syslog</command> that
+	    page. On a system which uses a very old version of <command>syslog</command>, which
 	    only uses two arguments to the <command>openlog()</command> function,
 	    then this clause is silently ignored.
 	  </para>
 	  <para>
-	    On Windows machines syslog messages are directed to the EventViewer.
+	    On Windows machines, syslog messages are directed to the EventViewer.
 	  </para>
 	  <para>
 	    The <command>severity</command> clause works like <command>syslog</command>'s
-	    "priorities", except that they can also be used if you are writing
+	    "priorities," except that they can also be used when writing
 	    straight to a file rather than using <command>syslog</command>.
-	    Messages which are not at least of the severity level given will
-	    not be selected for the channel; messages of higher severity
+	    Messages which are not at least of the severity level given are
+	    not selected for the channel; messages of higher severity
 	    levels
-	    will be accepted.
+	    are accepted.
 	  </para>
 	  <para>
-	    If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
-	    will also determine what eventually passes through. For example,
-	    defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
-	    only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
-	    cause messages of severity <command>info</command> and
+	    When using <command>syslog</command>, the <command>syslog.conf</command> priorities
+	    also determine what eventually passes through. For example,
+	    defining a channel facility and severity as <command>daemon</command> and <command>debug</command>, but
+	    only logging <command>daemon.warning</command> via <command>syslog.conf</command>,
+	    causes messages of severity <command>info</command> and
 	    <command>notice</command> to
 	    be dropped. If the situation were reversed, with <command>named</command> writing
 	    messages of only <command>warning</command> or higher,
@@ -3836,23 +3794,22 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    directs the
 	    channel to the server's standard error stream.  This is intended
 	    for
-	    use when the server is running as a foreground process, for
-	    example
-	    when debugging a configuration.
+	    use when the server is running as a foreground process, as
+	    when debugging a configuration, for example.
 	  </para>
 
 	  <para>
 	    The server can supply extensive debugging information when
 	    it is in debugging mode. If the server's global debug level is
 	    greater
-	    than zero, then debugging mode will be active. The global debug
+	    than zero, debugging mode is active. The global debug
 	    level is set either by starting the <command>named</command> server
 	    with the <option>-d</option> flag followed by a positive integer,
 	    or by running <command>rndc trace</command>.
 	    The global debug level
 	    can be set to zero, and debugging mode turned off, by running <command>rndc
-notrace</command>. All debugging messages in the server have a debug
-	    level, and higher debug levels give more detailed output. Channels
+		notrace</command>. All debugging messages in the server have a debug
+	    level; higher debug levels give more detailed output. Channels
 	    that specify a specific debug severity, for example:
 	  </para>
 
@@ -3863,25 +3820,25 @@ notrace</command>. All debugging messages in the server have a debug
 </programlisting>
 
 	  <para>
-	    will get debugging output of level 3 or less any time the
+	    get debugging output of level 3 or less any time the
 	    server is in debugging mode, regardless of the global debugging
 	    level. Channels with <command>dynamic</command>
 	    severity use the
 	    server's global debug level to determine what messages to print.
 	  </para>
 	  <para>
-	    If <command>print-time</command> has been turned on,
-	    then
-	    the date and time will be logged. <command>print-time</command> may
-	    be specified for a <command>syslog</command> channel,
-	    but is usually
-	    pointless since <command>syslog</command> also logs
-	    the date and
-	    time. If <command>print-category</command> is
-	    requested, then the
-	    category of the message will be logged as well. Finally, if <command>print-severity</command> is
-	    on, then the severity level of the message will be logged. The <command>print-</command> options may
-	    be used in any combination, and will always be printed in the
+	    If <command>print-time</command> is set to
+	    <userinput>yes</userinput>, then the date and time are logged.
+	    <command>print-time</command> may be specified for a
+	    <command>syslog</command> channel, but is usually
+	    unnecessary since <command>syslog</command> also logs
+	    the date and time. If <command>print-category</command> is
+	    set to <userinput>yes</userinput>, then the
+	    category of the message is logged as well. Finally, if
+	    <command>print-severity</command> is set, then the severity
+	    level of the message is logged.
+	    The <command>print-</command> options may
+	    be used in any combination, and are always printed in the
 	    following
 	    order: time, category, severity. Here is an example where all
 	    three <command>print-</command> options
@@ -3893,17 +3850,17 @@ notrace</command>. All debugging messages in the server have a debug
 	  </para>
 
 	  <para>
-	    If <command>buffered</command> has been turned on the output
-	    to files will not be flushed after each log entry.  By default
+	    If <command>buffered</command> has been turned on, the output
+	    to files is not flushed after each log entry.  By default
 	    all log messages are flushed.
 	  </para>
 
 	  <para>
 	    There are four predefined channels that are used for
-	    <command>named</command>'s default logging as follows.
+	    <command>named</command>'s default logging, as follows.
 	    If <command>named</command> is started with the
-	    <option>-L</option> then a
-	    fifth channel <command>default_logfile</command> is added.
+	    <option>-L</option>, then a
+	    fifth channel, <command>default_logfile</command>, is added.
 	    How they are
 	    used is described in <xref linkend="the_category_phrase"/>.
 	  </para>
@@ -3951,39 +3908,38 @@ channel default_logfile {
 	    special
 	    property that it only produces output when the server's debug
 	    level is
-	    nonzero.  It normally writes to a file called <filename>named.run</filename>
+	    non-zero.  It normally writes to a file called <filename>named.run</filename>
 	    in the server's working directory.
 	  </para>
 
 	  <para>
 	    For security reasons, when the <option>-u</option>
-	    command line option is used, the <filename>named.run</filename> file
+	    command-line option is used, the <filename>named.run</filename> file
 	    is created only after <command>named</command> has
 	    changed to the
 	    new UID, and any debug output generated while <command>named</command> is
-	    starting up and still running as root is discarded.  If you need
-	    to capture this output, you must run the server with the <option>-L</option>
+	    starting - and still running as root - is discarded.
+	    To capture this output, run the server with the <option>-L</option>
 	    option to specify a default logfile, or the <option>-g</option>
-	    option to log to standard error which you can redirect to a file.
+	    option to log to standard error which can be redirected to a file.
 	  </para>
 
 	  <para>
-	    Once a channel is defined, it cannot be redefined. Thus you
-	    cannot alter the built-in channels directly, but you can modify
-	    the default logging by pointing categories at channels you have
-	    defined.
+	    Once a channel is defined, it cannot be redefined.
+	    The built-in channels cannot be altered directly, but
+	    the default logging can be modified by pointing categories at defined channels.
 	  </para>
 	</section>
 
 	<section xml:id="the_category_phrase"><info><title>The <command>category</command> Phrase</title></info>
 
 	  <para>
-	    There are many categories, so you can send the logs you want
-	    to see wherever you want, without seeing logs you don't want. If
-	    you don't specify a list of channels for a category, then log
+	    There are many categories, so desired logs
+	    can be sent anywhere while unwanted logs are ignored. If
+	    a list of channels is not specified for a category, log
 	    messages
-	    in that category will be sent to the <command>default</command> category
-	    instead. If you don't specify a default category, the following
+	    in that category are sent to the <command>default</command> category
+	    instead. If no default category is specified, the following
 	    "default default" is used:
 	  </para>
 
@@ -3991,16 +3947,16 @@ channel default_logfile {
 </programlisting>
 
 	  <para>
-	    If you start <command>named</command> with the
-	    <option>-L</option> option then the default category is:
+	    If <command>named</command> is started with the
+	    <option>-L</option> option, the default category is:
 	  </para>
 
 <programlisting>category default { default_logfile; default_debug; };
 </programlisting>
 
 	  <para>
-	    As an example, let's say you want to log security events to
-	    a file, but you also want keep the default logging behavior. You'd
+	    As an example, let's say a user wants to log security events to
+	    a file, but also wants to keep the default logging behavior. They would
 	    specify the following:
 	  </para>
 
@@ -4023,7 +3979,7 @@ category notify { null; };
 </programlisting>
 
 	  <para>
-	    Following are the available categories and brief descriptions
+	    The following are the available categories and brief descriptions
 	    of the types of log information they contain. More
 	    categories may be added in future <acronym>BIND</acronym> releases.
 	  </para>
@@ -4032,69 +3988,64 @@ category notify { null; };
 	<section xml:id="query_errors"><info><title>The <command>query-errors</command> Category</title></info>
 	  <para>
 	    The <command>query-errors</command> category is
-	    specifically intended for debugging purposes: To identify
-	    why and how specific queries result in responses which
-	    indicate an error.
-	    Messages of this category are therefore only logged
-	    with <command>debug</command> levels.
+	    used to indicate why and how specific queries resulted in
+	    responses which indicate an error.  Normally, these messages
+	    will be logged at <command>debug</command> logging levels;
+	    note, however, that if query logging is active, some are
+	    logged at <command>info</command>. The logging levels are
+	    described below:
 	  </para>
 
 	  <para>
-	    At the debug levels of 1 or higher, each response with the
-	    rcode of SERVFAIL is logged as follows:
+	    At <command>debug</command> level 1 or higher - or at
+	    <command>info</command>, when query logging is active - each
+	    response with response code SERVFAIL is logged as follows:
 	  </para>
 	  <para>
 	    <computeroutput>client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</computeroutput>
 	  </para>
 	  <para>
-	    This means an error resulting in SERVFAIL was
-	    detected at line 3880 of source file
-	    <filename>query.c</filename>.
-	    Log messages of this level will particularly
-	    help identify the cause of SERVFAIL for an
-	    authoritative server.
+	    This means an error resulting in SERVFAIL was detected at line
+	    3880 of source file <filename>query.c</filename>.  Log messages
+	    of this level are particularly helpful in identifying the cause of
+	    SERVFAIL for an authoritative server.
 	  </para>
 	  <para>
-	    At the debug levels of 2 or higher, detailed context
-	    information of recursive resolutions that resulted in
-	    SERVFAIL is logged.
-	    The log message will look like as follows:
+	    At <command>debug</command> level 2 or higher, detailed
+	    context information about recursive resolutions that resulted in
+	    SERVFAIL is logged.  The log message looks like this:
 	  </para>
 	  <para>
 <!-- NOTE: newlines and some spaces added so this would fit on page -->
 	    <programlisting>
 fetch completed at resolver.c:2970 for www.example.com/A
-in 30.000183: timed out/success [domain:example.com,
-referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+in 10.000183: timed out/success [domain:example.com,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,quota:0,neterr:0,
 badresp:1,adberr:0,findfail:0,valfail:0]
 	    </programlisting>
 	  </para>
 	  <para>
 	    The first part before the colon shows that a recursive
 	    resolution for AAAA records of www.example.com completed
-	    in 30.000183 seconds and the final result that led to the
+	    in 10.000183 seconds, and the final result that led to the
 	    SERVFAIL was determined at line 2970 of source file
 	    <filename>resolver.c</filename>.
 	  </para>
 	  <para>
-	    The following part shows the detected final result and the
-	    latest result of DNSSEC validation.
-	    The latter is always success when no validation attempt
-	    is made.
-	    In this example, this query resulted in SERVFAIL probably
-	    because all name servers are down or unreachable, leading
-	    to a timeout in 30 seconds.
-	    DNSSEC validation was probably not attempted.
+	    The next part shows the detected final result and the
+	    latest result of DNSSEC validation.  The latter is always
+	    "success" when no validation attempt was made.  In this example,
+	    this query probably resulted in SERVFAIL because all name
+	    servers are down or unreachable, leading to a timeout in 10
+	    seconds.  DNSSEC validation was probably not attempted.
 	  </para>
 	  <para>
-	    The last part enclosed in square brackets shows statistics
-	    information collected for this particular resolution
-	    attempt.
-	    The <varname>domain</varname> field shows the deepest zone
-	    that the resolver reached;
-	    it is the zone where the error was finally detected.
-	    The meaning of the other fields is summarized in the
-	    following table.
+	    The last part, enclosed in square brackets, shows statistics
+	    collected for this particular resolution attempt.
+	    The <varname>domain</varname> field shows the deepest zone that
+	    the resolver reached; it is the zone where the error was
+	    finally detected.  The meaning of the other fields is
+	    summarized in the following table.
 	  </para>
 
 	  <informaltable colsep="0" rowsep="0">
@@ -4110,7 +4061,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		    <para>
 		      The number of referrals the resolver received
 		      throughout the resolution process.
-		      In the above example this is 2, which are most
+		      In the above example there are two, which are most
 		      likely com and example.com.
 		    </para>
 		  </entry>
@@ -4124,7 +4075,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		      The number of cycles that the resolver tried
 		      remote servers at the <varname>domain</varname>
 		      zone.
-		      In each cycle the resolver sends one query
+		      In each cycle, the resolver sends one query
 		      (possibly resending it, depending on the response)
 		      to each known name server of
 		      the <varname>domain</varname> zone.
@@ -4163,13 +4114,25 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		      at the <varname>domain</varname> zone.
 		      A server is detected to be lame either by an
 		      invalid response or as a result of lookup in
-		      BIND9's address database (ADB), where lame
+		      BIND 9's address database (ADB), where lame
 		      servers are cached.
 		    </para>
 		  </entry>
 		</row>
 		<row rowsep="0">
 		  <entry colname="1">
+		    <para><varname>quota</varname></para>
+		  </entry>
+		  <entry colname="2">
+		    <para>
+		      The number of times the resolver was unable
+		      to send a query because it had exceeded the
+		      permissible fetch quota for a server.
+		    </para>
+		  </entry>
+		</row>
+		<row rowsep="0">
+		  <entry colname="1">
 		    <para><varname>neterr</varname></para>
 		  </entry>
 		  <entry colname="2">
@@ -4177,9 +4140,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		      The number of erroneous results that the
 		      resolver encountered in sending queries
 		      at the <varname>domain</varname> zone.
-		      One common case is the remote server is
-		      unreachable and the resolver receives an ICMP
-		      unreachable error message.
+		      One common case is when the remote server is
+		      unreachable and the resolver receives an "ICMP
+		      unreachable" error message.
 		    </para>
 		  </entry>
 		</row>
@@ -4214,7 +4177,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		  </entry>
 		  <entry colname="2">
 		    <para>
-		      Failures of resolving remote server addresses.
+		      Failures to resolve remote server addresses.
 		      This is a total number of failures throughout
 		      the resolution process.
 		    </para>
@@ -4238,20 +4201,17 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    </tgroup>
 	  </informaltable>
 	  <para>
-	    At the debug levels of 3 or higher, the same messages
-	    as those at the debug 1 level are logged for other errors
-	    than SERVFAIL.
-	    Note that negative responses such as NXDOMAIN are not
-	    regarded as errors here.
+	    At <command>debug</command> level 3 or higher, the same
+	    messages as those at <command>debug</command> level 1 are
+	    logged for errors other than SERVFAIL. Note that negative
+	    responses such as NXDOMAIN are not errors, and are not logged
+	    at this debug level.
 	  </para>
 	  <para>
-	    At the debug levels of 4 or higher, the same messages
-	    as those at the debug 2 level are logged for other errors
-	    than SERVFAIL.
-	    Unlike the above case of level 3, messages are logged for
-	    negative responses.
-	    This is because any unexpected results can be difficult to
-	    debug in the recursion case.
+	    At <command>debug</command> level 4 or higher, the
+	    detailed context information logged at <command>debug</command>
+	    level 2 is logged for errors other than SERVFAIL and
+	    for negative responses such as NXDOMAIN.
 	  </para>
 	</section>
       </section>
@@ -4295,7 +4255,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	  resolver daemon
 	  should accept requests on.  If no port is specified, port 921 is
 	  used.
-	  If this statement is omitted, requests will be accepted on
+	  If this statement is omitted, requests are accepted on
 	  127.0.0.1,
 	  port 921.
 	</para>
@@ -4305,11 +4265,11 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	  instance of a
 	  lightweight resolver daemon to a view in the DNS namespace, so that
 	  the
-	  response will be constructed in the same manner as a normal DNS
+	  response is constructed in the same manner as a normal DNS
 	  query
 	  matching this view.  If this statement is omitted, the default view
 	  is
-	  used, and if there is no default view, an error is triggered.
+	  used; if there is no default view, an error is triggered.
 	</para>
 
 	<para>
@@ -4328,25 +4288,25 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	  <filename>/etc/resolv.conf</filename>.  It indicates the
 	  minimum
 	  number of dots in a relative domain name that should result in an
-	  exact match lookup before search path elements are appended.
+	  exact-match lookup before search path elements are appended.
 	</para>
 	<para>
 	  The <option>lwres-tasks</option> statement specifies the number
-	  of worker threads the lightweight resolver will dedicate to serving
-	  clients.  By default the number is the same as the number of CPUs on
+	  of worker threads the lightweight resolver dedicates to serving
+	  clients.  By default, the number is the same as the number of CPUs on
 	  the system; this can be overridden using the <option>-n</option>
-	  command line option when starting the server.
+	  command-line option when starting the server.
 	</para>
 	<para>
-	  The <option>lwres-clients</option> specifies
+	  The <option>lwres-clients</option> statement specifies
 	  the number of client objects per thread the lightweight
 	  resolver should create to serve client queries.
 	  By default, if the lightweight resolver runs as a part
 	  of <command>named</command>, 256 client objects are
 	  created for each task; if it runs as <command>lwresd</command>,
 	  1024 client objects are created for each thread. The maximum
-	  value is 32768; higher values will be silently ignored and
-	  the maximum will be used instead.
+	  value is 32768; higher values are silently ignored and
+	  the maximum is used instead.
 	  Note that setting too high a value may overconsume
 	  system resources.
 	</para>
@@ -4364,8 +4324,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	  Usage</title></info>
 
 	<para><command>masters</command>
-	  lists allow for a common set of masters to be easily used by
-	  multiple stub and slave zones in their <command>masters</command>
+	  lists allow for a common set of primaries to be easily used by
+	  multiple stub and secondary zones in their <command>masters</command>
 	  or <command>also-notify</command> lists.
 	</para>
       </section>
@@ -4388,8 +4348,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	  to be used by <acronym>BIND</acronym>. This statement
 	  may appear only
 	  once in a configuration file. If there is no <command>options</command>
-	  statement, an options block with each option set to its default will
-	  be used.
+	  statement, an options block with each option set to its default is
+	  used.
 	</para>
 
 	<variablelist>
@@ -4398,13 +4358,13 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	      <term><command>attach-cache</command></term>
 	      <listitem>
 		<para>
-		  Allows multiple views to share a single cache
+		  This option allows multiple views to share a single cache
 		  database.
 		  Each view has its own cache database by default, but
 		  if multiple views have the same operational policy
 		  for name resolution and caching, those views can
-		  share a single cache to save memory and possibly
-		  improve resolution efficiency by using this option.
+		  share a single cache to save memory, and possibly
+		  improve resolution efficiency, by using this option.
 		</para>
 
 		<para>
@@ -4421,25 +4381,25 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		  views which are supposed to share a cache, it
 		  creates a cache with the specified name for the
 		  first view of these sharing views.
-		  The rest of the views will simply refer to the
-		  already created cache.
+		  The rest of the views simply refer to the
+		  already-created cache.
 		</para>
 
 		<para>
-		  One common configuration to share a cache would be to
+		  One common configuration to share a cache is to
 		  allow all views to share a single cache.
 		  This can be done by specifying
-		  the <command>attach-cache</command> as a global
+		  <command>attach-cache</command> as a global
 		  option with an arbitrary name.
 		</para>
 
 		<para>
 		  Another possible operation is to allow a subset of
-		  all views to share a cache while the others to
+		  all views to share a cache while the others
 		  retain their own caches.
 		  For example, if there are three views A, B, and C,
 		  and only A and B should share a cache, specify the
-		  <command>attach-cache</command> option as a view A (or
+		  <command>attach-cache</command> option as a view of A (or
 		  B)'s option, referring to the other view name:
 		</para>
 
@@ -4482,7 +4442,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		  forwarders that can return different answers for the
 		  same question, sharing the answer does not make
 		  sense or could even be harmful.
-		  It is administrator's responsibility to ensure
+		  It is administrator's responsibility to ensure that
 		  configuration differences in different views do
 		  not cause disruption with a shared cache.
 		</para>
@@ -4494,13 +4454,13 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>directory</command></term>
 	    <listitem>
 	      <para>
-		The working directory of the server.
-		Any non-absolute pathnames in the configuration file will
-		be taken as relative to this directory. The default
+		This sets the working directory of the server.
+		Any non-absolute pathnames in the configuration file are
+		taken as relative to this directory. The default
 		location for most server output files
-		(e.g. <filename>named.run</filename>) is this directory.
+		(e.g., <filename>named.run</filename>) is this directory.
 		If a directory is not specified, the working directory
-		defaults to `<filename>.</filename>', the directory from
+		defaults to "<filename>.</filename>", the directory from
 		which the server was started. The directory specified
 		should be an absolute path. It is
 		<emphasis>strongly recommended</emphasis>
@@ -4531,7 +4491,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	      <para>
 		To enable <command>dnstap</command> at compile time,
 		the <command>fstrm</command> and <command>protobuf-c</command>
-		libraries must be available, and BIND must be configured with
+		libraries must be available, and <acronym>BIND</acronym> must be configured with
 		<option>--enable-dnstap</option>.
 	      </para>
 	      <para>
@@ -4540,7 +4500,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		for each view. Supported types are <literal>client</literal>,
 		<literal>auth</literal>, <literal>resolver</literal>, and
 		<literal>forwarder</literal>.  Specifying type
-		<literal>all</literal> will cause all <command>dnstap</command>
+		<literal>all</literal> causes all <command>dnstap</command>
 		messages to be logged, regardless of type.
 	      </para>
 	      <para>
@@ -4603,7 +4563,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		<listitem>
 		  <simpara>
 		    <command>fstrm-set-output-queue-model</command>:
-		    Controls the queuing semantics to use for queue
+		    The queuing semantics to use for queue
 		    objects. The default is <literal>mpsc</literal>
 		    (multiple producer, single consumer); the other
 		    option is <literal>spsc</literal> (single producer,
@@ -4652,17 +4612,17 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>dnstap-output</command></term>
 	    <listitem>
 	      <para>
-		Configures the path to which the <command>dnstap</command>
-		frame stream will be sent if <command>dnstap</command>
+		This configures the path to which the <command>dnstap</command>
+		frame stream is sent if <command>dnstap</command>
 		is enabled at compile time and active.
 	      </para>
 	      <para>
 		The first argument is either <literal>file</literal> or
 		<literal>unix</literal>, indicating whether the destination
-		is a file or a UNIX domain socket.  The second argument
+		is a file or a Unix domain socket.  The second argument
 		is the path of the file or socket.  (Note: when using a
-		socket, <command>dnstap</command> messages will
-		only be sent if another process such as
+		socket, <command>dnstap</command> messages are
+		only sent if another process such as
 		<command>fstrm_capture</command>
 		(provided with <command>libfstrm</command>) is listening on
 		the socket.)
@@ -4682,11 +4642,11 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>dnstap-identity</command></term>
 	    <listitem>
 	      <para>
-		Specifies an <command>identity</command> string to send in
+		This specifies an <command>identity</command> string to send in
 		<command>dnstap</command> messages. If set to
 		<literal>hostname</literal>, which is the default, the
-		server's hostname will be sent. If set to
-		<literal>none</literal>, no identity string will be sent.
+		server's hostname is sent. If set to
+		<literal>none</literal>, no identity string is sent.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -4695,10 +4655,10 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>dnstap-version</command></term>
 	    <listitem>
 	      <para>
-		Specifies a <command>version</command> string to send in
+		This specifies a <command>version</command> string to send in
 		<command>dnstap</command> messages. The default is the
-		version number of the BIND release. If set to
-		<literal>none</literal>, no version string will be sent.
+		version number of the <acronym>BIND</acronym> release. If set to
+		<literal>none</literal>, no version string is sent.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -4712,9 +4672,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		this specifies the directory containing GeoIP
 		database files.  By default, the option is set based on
 		the prefix used to build the <command>libmaxminddb</command>
-		module: for example, if the library is installed in
+		module; for example, if the library is installed in
 		<filename>/usr/local/lib</filename>, then the default
-		<command>geoip-directory</command> will be
+		<command>geoip-directory</command> is
 		<filename>/usr/local/share/GeoIP</filename>. On Windows,
 		the default is the <command>named</command> working
 		directory.  See <xref linkend="acl"/> for details about
@@ -4727,13 +4687,13 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>key-directory</command></term>
 	    <listitem>
 	      <para>
-		When performing dynamic update of secure zones, the
+		This is the
 		directory where the public and private DNSSEC key files
-		should be found, if different than the current working
+		should be found when performing a dynamic update of secure zones, if different than the current working
 		directory.  (Note that this option has no effect on the
 		paths for files containing non-DNSSEC keys such as
 		<filename>bind.keys</filename>,
-		<filename>rndc.key</filename> or
+		<filename>rndc.key</filename>, or
 		<filename>session.key</filename>.)
 	      </para>
 	    </listitem>
@@ -4753,7 +4713,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	      </para>
 	      <para>
 		Because the database file is memory mapped, its size is
-		limited by the address space of the named process.  The
+		limited by the address space of the <command>named</command> process.  The
 		default of 32 megabytes was chosen to be usable with
 		32-bit <command>named</command> builds.  The largest
 		permitted value is 1 terabyte. Given typical zone
@@ -4768,7 +4728,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>managed-keys-directory</command></term>
 	    <listitem>
 	      <para>
-		Specifies the directory in which to store the files that
+		This specifies the directory in which to store the files that
 		track managed DNSSEC keys.  By default, this is the working
 		directory.  The directory <emphasis>must</emphasis>
 		be writable by the effective user ID of the
@@ -4776,20 +4736,20 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	      </para>
 	      <para>
 		If <command>named</command> is not configured to use views,
-		then managed keys for the server will be tracked in a single
+		managed keys for the server are tracked in a single
 		file called <filename>managed-keys.bind</filename>.
-		Otherwise, managed keys will be tracked in separate files,
-		one file per view; each file name will be the view name
+		Otherwise, managed keys are tracked in separate files,
+		one file per view; each file name is the view name
 		(or, if it contains characters that are incompatible with
 		use as a file name, the SHA256 hash of the view name),
 		followed by the extension
 		<filename>.mkeys</filename>.
 	      </para>
 	      <para>
-		(Note: in previous releases, file names for views
+		(Note: in earlier releases, file names for views
 		always used the SHA256 hash of the view name. To ensure
-		compatibility after upgrade, if a file using the old
-		name format is found to exist, it will be used instead
+		compatibility after upgrading, if a file using the old
+		name format is found to exist, it is used instead
 		of the new format.)
 	      </para>
 	    </listitem>
@@ -4799,10 +4759,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>named-xfer</command></term>
 	    <listitem>
 	      <para>
-		<emphasis>This option is obsolete.</emphasis> It
-		was used in <acronym>BIND</acronym> 8 to specify
-		the pathname to the <command>named-xfer</command>
-		program.  In <acronym>BIND</acronym> 9, no separate
+		<emphasis>This option is obsolete.</emphasis>
+		In <acronym>BIND</acronym> 9, no separate
 		<command>named-xfer</command> program is needed;
 		its functionality is built into the name server.
 	      </para>
@@ -4813,9 +4771,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>tkey-gssapi-keytab</command></term>
 	    <listitem>
 	      <para>
-		The KRB5 keytab file to use for GSS-TSIG updates. If
+		This is the KRB5 keytab file to use for GSS-TSIG updates. If
 		this option is set and tkey-gssapi-credential is not
-		set, then updates will be allowed with any key
+		set, updates are allowed with any key
 		matching a principal in the specified keytab.
 	      </para>
 	    </listitem>
@@ -4825,18 +4783,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>tkey-gssapi-credential</command></term>
 	    <listitem>
 	      <para>
-		The security credential with which the server should
+		This is the security credential with which the server should
 		authenticate keys requested by the GSS-TSIG protocol.
-		Currently only Kerberos 5 authentication is available
-		and the credential is a Kerberos principal which the
+		Currently only Kerberos 5 authentication is available;
+		the credential is a Kerberos principal which the
 		server can acquire through the default system key
 		file, normally <filename>/etc/krb5.keytab</filename>.
-		The location keytab file can be overridden using the
-		tkey-gssapi-keytab option. Normally this principal is
+		The location of the keytab file can be overridden using the
+		<command>tkey-gssapi-keytab</command> option. Normally this principal is
 		of the form "<userinput>DNS/</userinput><varname>server.domain</varname>".
 		To use GSS-TSIG, <command>tkey-domain</command> must
 		also be set if a specific keytab is not set with
-		tkey-gssapi-keytab.
+		<command>tkey-gssapi-keytab</command>.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -4845,21 +4803,21 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>tkey-domain</command></term>
 	    <listitem>
 	      <para>
-		The domain appended to the names of all shared keys
+		This domain is appended to the names of all shared keys
 		generated with <command>TKEY</command>.  When a
 		client requests a <command>TKEY</command> exchange,
 		it may or may not specify the desired name for the
-		key. If present, the name of the shared key will
-		be <varname>client specified part</varname> +
+		key. If present, the name of the shared key is
+		<varname>client-specified part</varname> +
 		<varname>tkey-domain</varname>.  Otherwise, the
-		name of the shared key will be <varname>random hex
+		name of the shared key is <varname>random hex
 		digits</varname> + <varname>tkey-domain</varname>.
 		In most cases, the <command>domainname</command>
 		should be the server's domain name, or an otherwise
-		non-existent subdomain like
-		"_tkey.<varname>domainname</varname>".  If you are
+		nonexistent subdomain like
+		"_tkey.<varname>domainname</varname>".  If
 		using GSS-TSIG, this variable must be defined, unless
-		you specify a specific keytab using tkey-gssapi-keytab.
+		a specific keytab is specified using <command>tkey-gssapi-keytab</command>.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -4868,7 +4826,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>tkey-dhkey</command></term>
 	    <listitem>
 	      <para>
-		The Diffie-Hellman key used by the server
+		This is the Diffie-Hellman key used by the server
 		to generate shared keys with clients using the Diffie-Hellman
 		mode
 		of <command>TKEY</command>. The server must be
@@ -4893,8 +4851,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>dump-file</command></term>
 	    <listitem>
 	      <para>
-		The pathname of the file the server dumps
-		the database to when instructed to do so with
+		This is the pathname of the file the server dumps
+		the database to, when instructed to do so with
 		<command>rndc dumpdb</command>.
 		If not specified, the default is <filename>named_dump.db</filename>.
 	      </para>
@@ -4905,7 +4863,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>memstatistics-file</command></term>
 	    <listitem>
 	      <para>
-		The pathname of the file the server writes memory
+		This is the pathname of the file the server writes memory
 		usage statistics to on exit. If not specified,
 		the default is <filename>named.memstats</filename>.
 	      </para>
@@ -4916,10 +4874,10 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>lock-file</command></term>
 	    <listitem>
 	      <para>
-		The pathname of a file on which <command>named</command> will
-		attempt to acquire a file lock when starting up for
-		the first time; if unsuccessful, the server will
-		will terminate, under the assumption that another
+		This is the pathname of a file on which <command>named</command>
+		attempts to acquire a file lock when starting for
+		the first time; if unsuccessful, the server
+		terminates, under the assumption that another
 		server is already running.  If not specified, the default is
 		<filename>none</filename>.
 	      </para>
@@ -4931,7 +4889,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		<command>lock-file</command> are ignored if
 		<command>named</command> is being reloaded or
 		reconfigured; it is only effective when the server is
-		first started up.
+		first started.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -4940,14 +4898,14 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>pid-file</command></term>
 	    <listitem>
 	      <para>
-		The pathname of the file the server writes its process ID
+		This is the pathname of the file the server writes its process ID
 		in. If not specified, the default is
 		<filename>/var/run/named/named.pid</filename>.
-		The PID file is used by programs that want to send signals to
+		The PID file is used by programs that send signals to
 		the running
 		name server. Specifying <command>pid-file none</command> disables the
-		use of a PID file — no file will be written and any
-		existing one will be removed.  Note that <command>none</command>
+		use of a PID file; no file is written and any
+		existing one is removed.  Note that <command>none</command>
 		is a keyword, not a filename, and therefore is not enclosed
 		in
 		double quotes.
@@ -4959,8 +4917,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>recursing-file</command></term>
 	    <listitem>
 	      <para>
-		The pathname of the file the server dumps
-		the queries that are currently recursing when instructed
+		This is the pathname of the file where the server dumps
+		the queries that are currently recursing, when instructed
 		to do so with <command>rndc recursing</command>.
 		If not specified, the default is <filename>named.recursing</filename>.
 	      </para>
@@ -4971,8 +4929,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>statistics-file</command></term>
 	    <listitem>
 	      <para>
-		The pathname of the file the server appends statistics
-		to when instructed to do so using <command>rndc stats</command>.
+		This is the pathname of the file the server appends statistics
+		to, when instructed to do so using <command>rndc stats</command>.
 		If not specified, the default is <filename>named.stats</filename> in the
 		server's current directory.  The format of the file is
 		described
@@ -4985,7 +4943,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>bindkeys-file</command></term>
 	    <listitem>
 	      <para>
-		The pathname of a file to override the built-in trusted
+		This is the pathname of a file to override the built-in trusted
 		keys provided by <command>named</command>.
 		See the discussion of <command>dnssec-validation</command>
 		for details.  If not specified, the default is
@@ -4998,8 +4956,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>secroots-file</command></term>
 	    <listitem>
 	      <para>
-		The pathname of the file the server dumps
-		security roots to when instructed to do so with
+		This is the pathname of the file the server dumps
+		security roots to, when instructed to do so with
 		<command>rndc secroots</command>.
 		If not specified, the default is
 		<filename>named.secroots</filename>.
@@ -5011,7 +4969,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>session-keyfile</command></term>
 	    <listitem>
 	      <para>
-		The pathname of the file into which to write a TSIG
+		This is the pathname of the file into which to write a TSIG
 		session key generated by <command>named</command> for use by
 		<command>nsupdate -l</command>.  If not specified, the
 		default is <filename>/var/run/named/session.key</filename>.
@@ -5028,8 +4986,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>session-keyname</command></term>
 	    <listitem>
 	      <para>
-		The key name to use for the TSIG session key.
-		If not specified, the default is "local-ddns".
+		This is the key name to use for the TSIG session key.
+		If not specified, the default is <varname>local-ddns</varname>.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -5038,9 +4996,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>session-keyalg</command></term>
 	    <listitem>
 	      <para>
-		The algorithm to use for the TSIG session key.
+		This is the algorithm to use for the TSIG session key.
 		Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
-		hmac-sha384, hmac-sha512 and hmac-md5.  If not
+		hmac-sha384, hmac-sha512, and hmac-md5.  If not
 		specified, the default is hmac-sha256.
 	      </para>
 	    </listitem>
@@ -5050,11 +5008,11 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>port</command></term>
 	    <listitem>
 	      <para>
-		The UDP/TCP port number the server uses for
-		receiving and sending DNS protocol traffic.
+		This is the UDP/TCP port number the server uses to
+		receive and send DNS protocol traffic.
 		The default is 53.  This option is mainly intended for server
 		testing;
-		a server using a port other than 53 will not be able to
+		a server using a port other than 53 is not able to
 		communicate with
 		the global DNS.
 	      </para>
@@ -5065,8 +5023,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>dscp</command></term>
 	    <listitem>
 	      <para>
-		The global Differentiated Services Code Point (DSCP)
-		value to classify outgoing DNS traffic on operating
+		This is the global Differentiated Services Code Point (DSCP)
+		value to classify outgoing DNS traffic, on operating
 		systems that support DSCP. Valid values are 0 through 63.
 		It is not configured by default.
 	      </para>
@@ -5077,15 +5035,15 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>random-device</command></term>
 	    <listitem>
 	      <para>
-		The source of entropy to be used by the server.  Entropy is
+		This specifies a source of entropy to be used by the server.  Entropy is
 		primarily needed
 		for DNSSEC operations, such as TKEY transactions and dynamic
 		update of signed
-		zones.  This options specifies the device (or file) from which
+		zones.  This option specifies the device (or file) from which
 		to read
-		entropy.  If this is a file, operations requiring entropy will
+		entropy.  If it is a file, operations requiring entropy will
 		fail when the
-		file has been exhausted.  If not specified, the default value
+		file has been exhausted.  If <command>random-device</command> is not specified, the default value
 		is
 		<filename>/dev/random</filename>
 		(or equivalent) when present, and none otherwise.  The
@@ -5101,7 +5059,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>preferred-glue</command></term>
 	    <listitem>
 	      <para>
-		If specified, the listed type (A or AAAA) will be emitted
+		If specified, the listed type (A or AAAA) is emitted
 		before other glue
 		in the additional section of a query response.
 		The default is to prefer A records when responding
@@ -5115,41 +5073,41 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>root-delegation-only</command></term>
 	    <listitem>
 	      <para>
-		Turn on enforcement of delegation-only in TLDs
-		(top level domains) and root zones with an optional
+		This turns on enforcement of delegation-only in TLDs
+		(top-level domains) and root zones with an optional
 		exclude list.
 	      </para>
 	      <para>
 		DS queries are expected to be made to and be answered by
-		delegation only zones.  Such queries and responses are
+		delegation-only zones.  Such queries and responses are
 		treated as an exception to delegation-only processing
-		and are not converted to NXDOMAIN responses provided
+		and are not converted to NXDOMAIN responses, provided
 		a CNAME is not discovered at the query name.
 	      </para>
 	      <para>
-		If a delegation only zone server also serves a child
-		zone it is not always possible to determine whether
-		an answer comes from the delegation only zone or the
-		child zone.  SOA NS and DNSKEY records are apex
-		only records and a matching response that contains
+		If a delegation-only zone server also serves a child
+		zone, it is not always possible to determine whether
+		an answer comes from the delegation-only zone or the
+		child zone.  SOA NS and DNSKEY records are apex-only
+		records and a matching response that contains
 		these records or DS is treated as coming from a
 		child zone.  RRSIG records are also examined to see
-		if they are signed by a child zone or not.  The
-		authority section is also examined to see if there
+		if they are signed by a child zone, and the
+		authority section is examined to see if there
 		is evidence that the answer is from the child zone.
 		Answers that are determined to be from a child zone
 		are not converted to NXDOMAIN responses.  Despite
-		all these checks there is still a possibility of
+		all these checks, there is still a possibility of
 		false negatives when a child zone is being served.
 	      </para>
 	      <para>
-		Similarly false positives can arise from empty nodes
-		(no records at the name) in the delegation only zone
-		when the query type is not ANY.
+		Similarly, false positives can arise from empty nodes
+		(no records at the name) in the delegation-only zone
+		when the query type is not <varname>ANY</varname>.
 	      </para>
 	      <para>
-		Note some TLDs are not delegation only (e.g. "DE", "LV",
-		"US" and "MUSEUM").  This list is not exhaustive.
+		Note that some TLDs are not delegation-only; e.g., "DE", "LV",
+		"US", and "MUSEUM".  This list is not exhaustive.
 	      </para>
 
 <programlisting>
@@ -5165,23 +5123,23 @@ options {
 	    <term><command>disable-algorithms</command></term>
 	    <listitem>
 	      <para>
-		Disable the specified DNSSEC algorithms at and below the
+		This disables the specified DNSSEC algorithms at and below the
 		specified name.
 		Multiple <command>disable-algorithms</command>
 		statements are allowed.
-		Only the best match <command>disable-algorithms</command>
-		clause will be used to determine which algorithms are used.
+		Only the best-match <command>disable-algorithms</command>
+		clause is used to determine the algorithms.
 	      </para>
 	      <para>
 		If all supported algorithms are disabled, the zones covered
-		by the <command>disable-algorithms</command> will be treated
+		by the <command>disable-algorithms</command> setting are treated
 		as insecure.
 	      </para>
 	      <para>
 		Configured trust anchors in <command>trusted-keys</command>
 		or <command>managed-keys</command> that match a disabled
-		algorithm will be ignored and treated as if they were not
-		configured at all.
+		algorithm are ignored and treated as if they were not
+		configured.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -5190,16 +5148,16 @@ options {
 	    <term><command>disable-ds-digests</command></term>
 	    <listitem>
 	      <para>
-		Disable the specified DS/DLV digest types at and below the
+		This disables the specified DS digest types at and below the
 		specified name.
 		Multiple <command>disable-ds-digests</command>
 		statements are allowed.
-		Only the best match <command>disable-ds-digests</command>
-		clause will be used to determine which digest types are used.
+		Only the best-match <command>disable-ds-digests</command>
+		clause is used to determine the digest types.
 	      </para>
 	      <para>
 		If all supported digest types are disabled, the zones covered
-		by the <command>disable-ds-digests</command> will be treated
+		by <command>disable-ds-digests</command> are treated
 		as insecure.
 	      </para>
 	    </listitem>
@@ -5215,22 +5173,22 @@ options {
 		below a domain specified by the deepest
 		<command>dnssec-lookaside</command>, and the normal DNSSEC
 		validation has left the key untrusted, the trust-anchor
-		will be appended to the key name and a DLV record will be
+		is appended to the key name and a DLV record is
 		looked up to see if it can validate the key.  If the DLV
 		record validates a DNSKEY (similarly to the way a DS
-		record does) the DNSKEY RRset is deemed to be trusted.
+		record does), the DNSKEY RRset is deemed to be trusted.
 	      </para>
 	      <para>
 		If <command>dnssec-lookaside</command> is set to
-		<userinput>no</userinput>, then dnssec-lookaside
+		<userinput>no</userinput>, then <command>dnssec-lookaside</command>
 		is not used.
 	      </para>
 	      <para>
-		NOTE: The ISC-provided DLV service at
-		<literal>dlv.isc.org</literal>, has been shut down.
+		Note: the ISC-provided DLV service at
+		<literal>dlv.isc.org</literal> has been shut down.
 		The <command>dnssec-lookaside auto;</command>
 		configuration option, which set <command>named</command>
-		up to use ISC DLV with minimal configuration, has
+		to use ISC DLV with minimal configuration, has
 		accordingly been removed.
 	      </para>
 	    </listitem>
@@ -5240,11 +5198,11 @@ options {
 	    <term><command>dnssec-must-be-secure</command></term>
 	    <listitem>
 	      <para>
-		Specify hierarchies which must be or may not be secure
+		This specifies hierarchies which must be or may not be secure
 		(signed and validated).  If <userinput>yes</userinput>,
-		then <command>named</command> will only accept answers if
+		then <command>named</command> only accepts answers if
 		they are secure.  If <userinput>no</userinput>, then normal
-		DNSSEC validation applies allowing for insecure answers to
+		DNSSEC validation applies, allowing insecure answers to
 		be accepted.  The specified domain must be under a
 		<command>trusted-keys</command> or
 		<command>managed-keys</command> statement, or
@@ -5266,19 +5224,19 @@ options {
 	      </para>
 	      <para>
 		Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
-		64 and 96 as per RFC 6052.  Bits 64..71 inclusive must
-		be zero with the most significate bit of the prefix in
+		64, and 96, per RFC 6052.  Bits 64..71 inclusive must
+		be zero, with the most significant bit of the prefix in
 		position 0.
 	      </para>
 	      <para>
-		Additionally a reverse IP6.ARPA zone will be created for
+		In addition, a reverse IP6.ARPA zone is created for
 		the prefix to provide a mapping from the IP6.ARPA names
 		to the corresponding IN-ADDR.ARPA names using synthesized
 		CNAMEs.  <command>dns64-server</command> and
 		<command>dns64-contact</command> can be used to specify
 		the name of the server and contact for the zones. These
-		are settable at the view / options level.  These are
-		not settable on a per-prefix basis.
+		can be set at the view/options level but not
+		on a per-prefix basis.
 	      </para>
 	      <para>
 		Each <command>dns64</command> supports an optional
@@ -5290,17 +5248,17 @@ options {
 		Each <command>dns64</command> supports an optional
 		<command>mapped</command> ACL that selects which
 		IPv4 addresses are to be mapped in the corresponding
-		A RRset.  If not defined it defaults to
+		A RRset.  If not defined, it defaults to
 		<userinput>any;</userinput>.
 	      </para>
 	      <para>
-		Normally, DNS64 won't apply to a domain name that
-		owns one or more AAAA records; these records will
-		simply be returned.  The optional
+		Normally, DNS64 does not apply to a domain name that
+		owns one or more AAAA records; these records are
+		simply returned.  The optional
 		<command>exclude</command> ACL allows specification
-		of a list of IPv6 addresses that will be ignored
-		if they appear in a domain name's AAAA records, and
-		DNS64 will be applied to any A records the domain
+		of a list of IPv6 addresses that are ignored
+		if they appear in a domain name's AAAA records;
+		DNS64 is applied to any A records the domain
 		name owns.  If not defined, <command>exclude</command>
 		defaults to ::ffff:0.0.0.0/96.
 	      </para>
@@ -5314,18 +5272,18 @@ options {
 	      </para>
 	      <para>
 		If <command>recursive-only</command> is set to
-		<command>yes</command> the DNS64 synthesis will
-		only happen for recursive queries.  The default
+		<command>yes</command>, the DNS64 synthesis
+		only happens for recursive queries.  The default
 		is <command>no</command>.
 	      </para>
 	      <para>
 		If <command>break-dnssec</command> is set to
-		<command>yes</command> the DNS64 synthesis will
-		happen even if the result, if validated, would
+		<command>yes</command>, the DNS64 synthesis
+		happens even if the result, if validated, would
 		cause a DNSSEC validation failure.  If this option
 		is set to <command>no</command> (the default), the DO
 		is set on the incoming query, and there are RRSIGs on
-		the applicable records, then synthesis will not happen.
+		the applicable records, then synthesis does not happen.
 	      </para>
 <programlisting>
 	acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
@@ -5345,7 +5303,7 @@ options {
 	    <listitem>
 		<para>
 		  When a zone is configured with <command>auto-dnssec
-		  maintain;</command> its key repository must be checked
+		  maintain;</command>, its key repository must be checked
 		  periodically to see if any new keys have been added
 		  or any existing keys' timing metadata has been updated
 		  (see <xref linkend="man.dnssec-keygen"/> and
@@ -5371,20 +5329,20 @@ options {
 		  <xref linkend="dynamic_update_policies"/>), and
 		  if <command>named</command> has access to the
 		  private signing key(s) for the zone, then
-		  <command>named</command> will automatically sign all new
-		  or changed records and maintain signatures for the zone
+		  <command>named</command> automatically signs all new
+		  or changed records and maintains signatures for the zone
 		  by regenerating RRSIG records whenever they approach
 		  their expiration date.
 		</para>
 		<para>
 		  If the option is changed to <literal>no-resign</literal>,
-		  then <command>named</command> will sign all new or
+		  then <command>named</command> signs all new or
 		  changed records, but scheduled maintenance of
 		  signatures is disabled.
 		</para>
 		<para>
 		  With either of these settings, <command>named</command>
-		  will reject updates to a DNSSEC-signed zone when the
+		  rejects updates to a DNSSEC-signed zone when the
 		  signing keys are inactive or unavailable to
 		  <command>named</command>.  (A planned third option,
 		  <literal>external</literal>, will disable all automatic
@@ -5398,27 +5356,27 @@ options {
 	    <term><command>nta-lifetime</command></term>
 	    <listitem>
 		<para>
-		  Species the default lifetime, in seconds,
-		  that will be used for negative trust anchors added
+		  This specifies the default lifetime, in seconds,
+		  for negative trust anchors added
 		  via <command>rndc nta</command>.
 		</para>
 		<para>
 		  A negative trust anchor selectively disables
 		  DNSSEC validation for zones that are known to be
-		  failing because of misconfiguration rather than
+		  failing because of misconfiguration, rather than
 		  an attack.  When data to be validated is
 		  at or below an active NTA (and above any other
-		  configured trust anchors), <command>named</command> will
-		  abort the DNSSEC validation process and treat the data as
+		  configured trust anchors), <command>named</command>
+		  aborts the DNSSEC validation process and treats the data as
 		  insecure rather than bogus.  This continues until the
 		  NTA's lifetime is elapsed. NTAs persist
 		  across <command>named</command> restarts.
 		</para>
 		<para>
-		  For convenience, TTL-style time unit suffixes can be
-		  used to specify the NTA lifetime in seconds, minutes
+		  For convenience, TTL-style time-unit suffixes can be
+		  used to specify the NTA lifetime in seconds, minutes,
 		  or hours.  <option>nta-lifetime</option> defaults to
-		  one hour.  It cannot exceed one week.
+		  one hour; it cannot exceed one week.
 		</para>
 	    </listitem>
 	  </varlistentry>
@@ -5427,7 +5385,7 @@ options {
 	    <term><command>nta-recheck</command></term>
 	    <listitem>
 		<para>
-		  Species how often to check whether negative
+		  This specifies how often to check whether negative
 		  trust anchors added via <command>rndc nta</command>
 		  are still necessary.
 		</para>
@@ -5437,7 +5395,7 @@ options {
 		  it temporarily disables DNSSEC validation for that
 		  domain. In the interest of ensuring that DNSSEC
 		  validation is turned back on as soon as possible,
-		  <command>named</command> will periodically send a
+		  <command>named</command> periodically sends a
 		  query to the domain, ignoring negative trust anchors,
 		  to find out whether it can now be validated.  If so,
 		  the negative trust anchor is allowed to expire early.
@@ -5449,11 +5407,11 @@ options {
 		  to zero.
 		</para>
 		<para>
-		  For convenience, TTL-style time unit suffixes can be
+		  For convenience, TTL-style time-unit suffixes can be
 		  used to specify the NTA recheck interval in seconds,
-		  minutes or hours.  The default is five minutes.  It
-		  cannot be longer than <option>nta-lifetime</option>
-		  (which cannot be longer than a week).
+		  minutes, or hours.  The default is five minutes.  It
+		  cannot be longer than <option>nta-lifetime</option>,
+		  which cannot be longer than a week.
 		</para>
 	    </listitem>
 	  </varlistentry>
@@ -5463,14 +5421,14 @@ options {
 	    <term><command>max-zone-ttl</command></term>
 	    <listitem>
 	      <para>
-		Specifies a maximum permissible TTL value in seconds.
-		For convenience, TTL-style time unit suffixes may be
+		This specifies a maximum permissible TTL value in seconds.
+		For convenience, TTL-style time-unit suffixes may be
 		used to specify the maximum value.
 		When loading a zone file using a
 		<option>masterfile-format</option> of
 		<constant>text</constant> or <constant>raw</constant>,
 		any record encountered with a TTL higher than
-		<option>max-zone-ttl</option> will cause the zone to
+		<option>max-zone-ttl</option> causes the zone to
 		be rejected.
 	      </para>
 	      <para>
@@ -5478,11 +5436,11 @@ options {
 		rolling to a new DNSKEY, the old key needs to remain
 		available until RRSIG records have expired from
 		caches.  The <option>max-zone-ttl</option> option guarantees
-		that the largest TTL in the zone will be no higher
+		that the largest TTL in the zone is no higher
 		than the set value.
 	      </para>
 	      <para>
-		(NOTE: Because <constant>map</constant>-format files
+		(Note: because <constant>map</constant>-format files
 		load directly into memory, this option cannot be
 		used with them.)
 	      </para>
@@ -5499,27 +5457,27 @@ options {
 	    <listitem>
 	      <para>
 		Zones configured for dynamic DNS may use this
-		option to set the update method that will be used for
+		option to set the update method to be used for
 		the zone serial number in the SOA record.
 	      </para>
 	      <para>
 		With the default setting of
 		<command>serial-update-method increment;</command>, the
-		SOA serial number will be incremented by one each time
+		SOA serial number is incremented by one each time
 		the zone is updated.
 	      </para>
 	      <para>
 		When set to
 		<command>serial-update-method unixtime;</command>, the
-		SOA serial number will be set to the number of seconds
-		since the UNIX epoch, unless the serial number is
+		SOA serial number is set to the number of seconds
+		since the Unix epoch, unless the serial number is
 		already greater than or equal to that value, in which
 		case it is simply incremented by one.
 	      </para>
 	      <para>
 		When set to
 		<command>serial-update-method date;</command>, the
-		new SOA serial number will be the current date
+		new SOA serial number is the current date
 		in the form "YYYYMMDD", followed by two zeroes,
 		unless the existing serial number is already greater
 		than or equal to that value, in which case it is
@@ -5532,12 +5490,12 @@ options {
 	    <term><command>zone-statistics</command></term>
 	    <listitem>
 	      <para>
-		If <userinput>full</userinput>, the server will collect
-		statistical data on all zones (unless specifically
+		If <userinput>full</userinput>, the server collects
+		statistical data on all zones, unless specifically
 		turned off on a per-zone basis by specifying
 		<command>zone-statistics terse</command> or
 		<command>zone-statistics none</command>
-		in the <command>zone</command> statement).
+		in the <command>zone</command> statement.
 		The default is <userinput>terse</userinput>, providing
 		minimal statistics on zones (including name and
 		current serial number, but not query type
@@ -5547,7 +5505,7 @@ options {
 		These statistics may be accessed via the
 		<command>statistics-channel</command> or
 		using <command>rndc stats</command>, which
-		will dump them to the file listed
+		dumps them to the file listed
 		in the <command>statistics-file</command>.  See
 		also <xref linkend="statsfile"/>.
 	      </para>
@@ -5575,19 +5533,19 @@ options {
 	      <listitem>
 		<para>
 		  If <userinput>yes</userinput> and supported by the operating
-		  system, automatically rescan network interfaces when the
+		  system, this automatically rescans network interfaces when the
 		  interface addresses are added or removed.  The default is
 		  <userinput>yes</userinput>.  This configuration option does
-		  not affect time based <command>interface-interval</command>
-		  option, and it is recommended to set the time based
+		  not affect the time-based <command>interface-interval</command>
+		  option; it is recommended to set the time-based
 		  <command>interface-interval</command> to 0 when the operator
 		  confirms that automatic interface scanning is supported by the
 		  operating system.
 		</para>
 		<para>
 		  The <command>automatic-interface-scan</command> implementation
-		  uses routing sockets for the network interface discovery,
-		  and therefore the operating system has to support the routing
+		  uses routing sockets for the network interface discovery;
+		  therefore, the operating system must support the routing
 		  sockets for this feature to work.
 		</para>
 	      </listitem>
@@ -5616,9 +5574,9 @@ options {
 		  cryptographic hash of the view name is used instead.
 		</para>
 		<para>
-		  Zones added at runtime will have their configuration
+		  Configurations for zones added at runtime are
 		  stored either in a new-zone file (NZF) or a new-zone
-		  database (NZD) depending on whether
+		  database (NZD), depending on whether
 		  <command>named</command> was linked with
 		  liblmdb at compile time.
 		  See <xref linkend="man.rndc"/> for further details
@@ -5634,11 +5592,7 @@ options {
 		  If <userinput>yes</userinput>, then the <command>AA</command> bit
 		  is always set on NXDOMAIN responses, even if the server is
 		  not actually
-		  authoritative. The default is <userinput>no</userinput>;
-		  this is
-		  a change from <acronym>BIND</acronym> 8. If you
-		  are using very old DNS software, you
-		  may need to set it to <userinput>yes</userinput>.
+		  authoritative. The default is <userinput>no</userinput>.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -5659,10 +5613,10 @@ options {
 	      <term><command>memstatistics</command></term>
 	      <listitem>
 		<para>
-		  Write memory statistics to the file specified by
+		  This writes memory statistics to the file specified by
 		  <command>memstatistics-file</command> at exit.
 		  The default is <userinput>no</userinput> unless
-		  '-m record' is specified on the command line in
+		  <userinput>-m record</userinput> is specified on the command line, in
 		  which case it is <userinput>yes</userinput>.
 		</para>
 	      </listitem>
@@ -5677,29 +5631,27 @@ options {
 		  across
 		  a dial-on-demand dialup link, which can be brought up by
 		  traffic
-		  originating from this server. This has different effects
+		  originating from this server. Although this setting has different effects
 		  according
-		  to zone type and concentrates the zone maintenance so that
-		  it all
-		  happens in a short interval, once every <command>heartbeat-interval</command> and
-		  hopefully during the one call. It also suppresses some of
-		  the normal
+		  to zone type, it concentrates the zone maintenance so that
+		  everything
+		  happens quickly, once every <command>heartbeat-interval</command>,
+		  ideally during a single call. It also suppresses some
+		  normal
 		  zone maintenance traffic. The default is <userinput>no</userinput>.
 		</para>
 		<para>
-		  The <command>dialup</command> option
-		  may also be specified in the <command>view</command> and
-		  <command>zone</command> statements,
-		  in which case it overrides the global <command>dialup</command>
-		  option.
+		  If specified in the <command>view</command> and
+		  <command>zone</command> statements, the <command>dialup</command> option
+		  overrides the global <command>dialup</command> option.
 		</para>
 		<para>
-		  If the zone is a master zone, then the server will send out a
+		  If the zone is a primary zone, the server sends out a
 		  NOTIFY
-		  request to all the slaves (default). This should trigger the
+		  request to all the secondaries (default). This should trigger the
 		  zone serial
-		  number check in the slave (providing it supports NOTIFY)
-		  allowing the slave
+		  number check in the secondary (providing it supports NOTIFY),
+		  allowing the secondary
 		  to verify the zone while the connection is active.
 		  The set of servers to which NOTIFY is sent can be controlled
 		  by
@@ -5707,26 +5659,26 @@ options {
 		</para>
 		<para>
 		  If the
-		  zone is a slave or stub zone, then the server will suppress
+		  zone is a secondary or stub zone, the server suppresses
 		  the regular
-		  "zone up to date" (refresh) queries and only perform them
+		  "zone up to date" (refresh) queries and only performs them
 		  when the
-		  <command>heartbeat-interval</command> expires in
+		  <command>heartbeat-interval</command> expires, in
 		  addition to sending
 		  NOTIFY requests.
 		</para>
 		<para>
 		  Finer control can be achieved by using
-		  <userinput>notify</userinput> which only sends NOTIFY
-		  messages,
-		  <userinput>notify-passive</userinput> which sends NOTIFY
+		  <userinput>notify</userinput>, which only sends NOTIFY
+		  messages;
+		  <userinput>notify-passive</userinput>, which sends NOTIFY
 		  messages and
-		  suppresses the normal refresh queries, <userinput>refresh</userinput>
+		  suppresses the normal refresh queries; <userinput>refresh</userinput>,
 		  which suppresses normal refresh processing and sends refresh
 		  queries
 		  when the <command>heartbeat-interval</command>
-		  expires, and
-		  <userinput>passive</userinput> which just disables normal
+		  expires; and
+		  <userinput>passive</userinput>, which disables normal
 		  refresh
 		  processing.
 		</para>
@@ -5912,7 +5864,7 @@ options {
 		  In BIND 8, <userinput>fetch-glue yes</userinput>
 		  caused the server to attempt to fetch glue resource records
 		  it
-		  didn't have when constructing the additional
+		  did not have when constructing the additional
 		  data section of a response.  This is now considered a bad
 		  idea
 		  and BIND 9 never does it.
@@ -5924,7 +5876,7 @@ options {
 	      <term><command>flush-zones-on-shutdown</command></term>
 	      <listitem>
 		<para>
-		  When the nameserver exits due receiving SIGTERM,
+		  When the nameserver exits upon receiving SIGTERM,
 		  flush or do not flush any pending zone writes.  The default
 		  is
 		  <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
@@ -5968,7 +5920,7 @@ options {
 		  In BIND 8, this enabled keeping of
 		  statistics for every host that the name server interacts
 		  with.
-		  Not implemented in BIND 9.
+		  It is not implemented in BIND 9.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -5977,7 +5929,7 @@ options {
 	      <term><command>root-key-sentinel</command></term>
 	      <listitem>
 		<para>
-		  Respond to root key sentinel probes as described in
+		  If <userinput>yes</userinput>, respond to root key sentinel probes as described in
 		  draft-ietf-dnsop-kskroll-sentinel-08. The default is
 		  <userinput>yes</userinput>.
 		</para>
@@ -5992,7 +5944,7 @@ options {
 		  It was used in <acronym>BIND</acronym> 8 to
 		  determine whether a transaction log was
 		  kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
-		  log whenever possible.  If you need to disable outgoing
+		  log whenever possible.  To disable outgoing
 		  incremental zone
 		  transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
 		</para>
@@ -6004,7 +5956,7 @@ options {
 		<para>
 		  If <userinput>yes</userinput>, DNS name compression is
 		  used in responses to regular queries (not including
-		  AXFR or IXFR, which always uses compression).  Setting
+		  AXFR or IXFR, which always use compression).  Setting
 		  this option to <userinput>no</userinput> reduces CPU
 		  usage on servers and may improve throughput.  However,
 		  it increases response size, which may cause more queries
@@ -6020,14 +5972,14 @@ options {
 	      <listitem>
 		<para>
 		  If set to <userinput>yes</userinput>, then when generating
-		  responses the server will only add records to the authority
+		  responses the server only adds records to the authority
 		  and additional data sections when they are required (e.g.
 		  delegations, negative responses).  This may improve the
 		  performance of the server.
 		</para>
 		<para>
 		  When set to <userinput>no-auth</userinput>, the
-		  server will omit records from the authority section
+		  server omits records from the authority section
 		  unless they are required, but it may still add
 		  records to the additional section.  When set to
 		  <userinput>no-auth-recursive</userinput>, this
@@ -6035,7 +5987,7 @@ options {
 		  settings are useful when answering stub clients,
 		  which usually ignore the authority section.
 		  <userinput>no-auth-recursive</userinput> is
-		  designed for mixed-mode servers which handle
+		  designed for mixed-mode servers that handle
 		  both authoritative and recursive queries.
 		</para>
 		<para>
@@ -6048,13 +6000,13 @@ options {
 	      <term><command>minimal-any</command></term>
 	      <listitem>
 		<para>
-		  If set to <userinput>yes</userinput>, then when
-		  generating a positive response to a query of type
-		  ANY over UDP, the server will reply with only one
+		  If set to <userinput>yes</userinput>, the server replies with only one
 		  of the RRsets for the query name, and its covering
-		  RRSIGs if any, instead of replying with all known
+		  RRSIGs if any, when
+		  generating a positive response to a query of type
+		  ANY over UDP, instead of replying with all known
 		  RRsets for the name.  Similarly, a query for type
-		  RRSIG will be answered with the RRSIG records covering
+		  RRSIG is answered with the RRSIG records covering
 		  only one type. This can reduce the impact of some kinds
 		  of attack traffic, without harming legitimate
 		  clients.  (Note, however, that the RRset returned is the
@@ -6062,7 +6014,7 @@ options {
 		  the smallest available RRset.)
 		  Additionally, <option>minimal-responses</option> is
 		  turned on for these queries, so no unnecessary records
-		  will be added to the authority or additional sections.
+		  are added to the authority or additional sections.
 		  The default is <userinput>no</userinput>.
 		</para>
 	    </listitem>
@@ -6073,9 +6025,9 @@ options {
 	      <listitem>
 		<para>
 		  This option was used in <acronym>BIND</acronym> 8 to allow
-		  a domain name to have multiple CNAME records in violation of
+		  a domain name to have multiple CNAME records, in violation of
 		  the DNS standards.  <acronym>BIND</acronym> 9.2 onwards
-		  always strictly enforces the CNAME rules both in master
+		  always strictly enforces the CNAME rules both in primary
 		  files and dynamic updates.
 		</para>
 	      </listitem>
@@ -6088,9 +6040,9 @@ options {
 		  If <userinput>yes</userinput> (the default),
 		  DNS NOTIFY messages are sent when a zone the server is
 		  authoritative for
-		  changes, see <xref linkend="notify"/>.  The messages are
+		  changes; see <xref linkend="notify"/>.  The messages are
 		  sent to the
-		  servers listed in the zone's NS records (except the master
+		  servers listed in the zone's NS records (except the primary
 		  server identified
 		  in the SOA MNAME field), and to any servers listed in the
 		  <command>also-notify</command> option.
@@ -6098,7 +6050,7 @@ options {
 		<para>
 		  If <userinput>master-only</userinput>, notifies are only
 		  sent
-		  for master zones.
+		  for primary zones.
 		  If <userinput>explicit</userinput>, notifies are sent only
 		  to
 		  servers explicitly listed using <command>also-notify</command>.
@@ -6110,7 +6062,7 @@ options {
 		  statement,
 		  in which case it overrides the <command>options notify</command> statement.
 		  It would only be necessary to turn off this option if it
-		  caused slaves
+		  caused secondary zones
 		  to crash.
 		</para>
 	      </listitem>
@@ -6120,14 +6072,14 @@ options {
 	      <term><command>notify-to-soa</command></term>
 	      <listitem>
 		<para>
-		  If <userinput>yes</userinput> do not check the nameservers
+		  If <userinput>yes</userinput>, do not check the name servers
 		  in the NS RRset against the SOA MNAME.  Normally a NOTIFY
-		  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
-		  supposed to contain the name of the ultimate master.
-		  Sometimes, however, a slave is listed as the SOA MNAME in
-		  hidden master configurations and in that case you would
-		  want the ultimate master to still send NOTIFY messages to
-		  all the nameservers listed in the NS RRset.
+		  message is not sent to the SOA MNAME (SOA ORIGIN), as it is
+		  supposed to contain the name of the ultimate primary server.
+		  Sometimes, however, a secondary server is listed as the SOA MNAME in
+		  hidden primary configurations; in that case,
+		  the ultimate primary should be set to still send NOTIFY messages to
+		  all the name servers listed in the NS RRset.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -6137,12 +6089,12 @@ options {
 	      <listitem>
 		<para>
 		  If <userinput>yes</userinput>, and a
-		  DNS query requests recursion, then the server will attempt
+		  DNS query requests recursion, then the server attempts
 		  to do
 		  all the work required to answer the query. If recursion is
 		  off
-		  and the server does not already know the answer, it will
-		  return a
+		  and the server does not already know the answer, it
+		  returns a
 		  referral response. The default is
 		  <userinput>yes</userinput>.
 		  Note that setting <command>recursion no</command> does not prevent
@@ -6184,19 +6136,19 @@ options {
 	      <term><command>require-server-cookie</command></term>
 	      <listitem>
 		<para>
-		  Require a valid server cookie before sending a full
-		  response to a UDP request from a cookie aware client.
-		  BADCOOKIE is sent if there is a bad or no existent
+		  If <userinput>yes</userinput>, require a valid server cookie before sending a full
+		  response to a UDP request from a cookie-aware client.
+		  BADCOOKIE is sent if there is a bad or nonexistent
 		  server cookie.
 		  The default is <userinput>no</userinput>.
 		</para>
 		<para>
-		  Set this to <userinput>yes</userinput> to test that DNS
-		  COOKIE clients correctly handle BADCOOKIE or if you are
+		  Users wishing to test that DNS COOKIE clients correctly handle BADCOOKIE, or who are
 		  getting a lot of forged DNS requests with DNS COOKIES
-		  present. Setting this to <userinput>yes</userinput> will
-		  result in reduced amplification effect in a reflection
-		  attack, as the BADCOOKIE response will be smaller than
+		  present, should set this to <userinput>yes</userinput>.
+		  Setting this to <userinput>yes</userinput>
+		  results in a reduced amplification effect in a reflection
+		  attack, as the BADCOOKIE response is smaller than
 		  a full response, while also requiring a legitimate client
 		  to follow up with a second query with the new, valid, cookie.
 		</para>
@@ -6208,10 +6160,10 @@ options {
 	      <listitem>
 		<para>
 		  When set to the default value of <userinput>yes</userinput>,
-		  COOKIE EDNS options will be sent when applicable in
+		  COOKIE EDNS options are sent when applicable in
 		  replies to client queries. If set to
-		  <userinput>no</userinput>, COOKIE EDNS options will not
-		  be sent in replies.  This can only be set at the global
+		  <userinput>no</userinput>, COOKIE EDNS options are not
+		  sent in replies.  This can only be set at the global
 		  options level, not per-view.
 		</para>
 		<para>
@@ -6235,7 +6187,7 @@ options {
 		<para>
 		  If <userinput>yes</userinput>, then a COOKIE EDNS
 		  option is sent along with the query.  If the
-		  resolver has previously talked to the server, the
+		  resolver has previously communicated with the server, the
 		  COOKIE returned in the previous transaction is sent.
 		  This is used by the server to determine whether
 		  the resolver has talked to it before. A resolver
@@ -6257,11 +6209,12 @@ options {
 	      <term><command>nocookie-udp-size</command></term>
 	      <listitem>
 		<para>
-		  Sets the maximum size of UDP responses that will be
+		  This sets the maximum size of UDP responses that are
 		  sent to queries without a valid server COOKIE. A value
-		  below 128 will be silently raised to 128. The default
+		  below 128 is silently raised to 128. The default
 		  value is 4096, but the <command>max-udp-size</command>
-		  option may further limit the response size.
+		  option may further limit the response size as the default
+		  for <command>max-udp-size</command> is 1232.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -6279,10 +6232,10 @@ options {
 	      <term><command>cookie-algorithm</command></term>
 	      <listitem>
 		<para>
-		  Set the algorithm to be used when generating the
-		  server cookie.  One of "aes", "sha1" or "sha256".
+		  This sets the algorithm to be used when generating the
+		  server cookie; the options are "aes", "sha1", or "sha256".
 		  The default is "aes" if supported by the cryptographic
-		  library or otherwise "sha256".
+		  library; otherwise, "sha256".
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -6294,16 +6247,16 @@ options {
 		  If set, this is a shared secret used for generating
 		  and verifying EDNS COOKIE options
 		  within an anycast cluster.  If not set, the system
-		  will generate a random secret at startup.  The
+		  generates a random secret at startup.  The
 		  shared secret is encoded as a hex string and needs
-		  to be 128 bits for AES128, 160 bits for SHA1 and
+		  to be 128 bits for AES128, 160 bits for SHA1, and
 		  256 bits for SHA256.
 		</para>
 		<para>
 		  If there are multiple secrets specified, the first
 		  one listed in <filename>named.conf</filename> is
 		  used to generate new server cookies.  The others
-		  will only be used to verify returned cookies.
+		  are only used to verify returned cookies.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -6312,14 +6265,14 @@ options {
 	      <term><command>rfc2308-type1</command></term>
 	      <listitem>
 		<para>
-		  Setting this to <userinput>yes</userinput> will
-		  cause the server to send NS records along with the SOA
+		  Setting this to <userinput>yes</userinput>
+		  causes the server to send NS records along with the SOA
 		  record for negative
 		  answers. The default is <userinput>no</userinput>.
 		</para>
 		<note>
 		  <simpara>
-		    Not yet implemented in <acronym>BIND</acronym>
+		    This is not yet implemented in <acronym>BIND</acronym>
 		    9.
 		  </simpara>
 		</note>
@@ -6330,7 +6283,7 @@ options {
 	      <term><command>trust-anchor-telemetry</command></term>
 	      <listitem>
 		<para>
-		  Causes <command>named</command> to send specially-formed
+		  This causes <command>named</command> to send specially formed
 		  queries once per day to domains for which trust anchors
 		  have been configured via <command>trusted-keys</command>,
 		  <command>managed-keys</command>, or
@@ -6345,8 +6298,8 @@ options {
 		  to largest prior to encoding. The query type is NULL.
 		</para>
 		<para>
-		  By monitoring these queries, zone operators will
-		  be able to see which resolvers have been updated to
+		  By monitoring these queries, zone operators are
+		  able to see which resolvers have been updated to
 		  trust a new key; this may help them decide when it
 		  is safe to remove an old one.
 		</para>
@@ -6372,7 +6325,7 @@ options {
 	      <listitem>
 		<para>
 		  <emphasis>This option is obsolete</emphasis>.
-		  If you need to disable IXFR to a particular server or
+		  To disable IXFR to a particular server or
 		  servers, see
 		  the information on the <command>provide-ixfr</command> option
 		  in <xref linkend="server_statement_definition_and_usage"/>.
@@ -6423,7 +6376,7 @@ options {
 		  8 to make
 		  the server treat carriage return ("<command>\r</command>") characters the same way
 		  as a space or tab character,
-		  to facilitate loading of zone files on a UNIX system that
+		  to facilitate loading of zone files on a Unix system that
 		  were generated
 		  on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
 		  and NT/DOS "<command>\r\n</command>" newlines
@@ -6452,15 +6405,15 @@ options {
 		  query is being answered from authoritative data (a zone
 		  configured into the server), the additional data section of
 		  the
-		  reply will be filled in using data from other authoritative
+		  reply is filled in using data from other authoritative
 		  zones
 		  and from the cache.  In some situations this is undesirable,
 		  such
 		  as when there is concern over the correctness of the cache,
 		  or
-		  in servers where slave zones may be added and modified by
+		  in servers where secondary zones may be added and modified by
 		  untrusted third parties.  Also, avoiding
-		  the search for this additional data will speed up server
+		  the search for this additional data speeds up server
 		  operations
 		  at the possible expense of additional queries to resolve
 		  what would
@@ -6470,7 +6423,7 @@ options {
 		<para>
 		  For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
 		  and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
-		  records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
+		  records (A and AAAA) for <literal>mail.example.net</literal> are provided as well,
 		  if known, even though they are not in the example.com zone.
 		  Setting these options to <command>no</command>
 		  disables this behavior and makes
@@ -6508,10 +6461,10 @@ options {
 		  some other
 		  known parent of the query name.  Since the data in an
 		  upwards referral
-		  comes from the cache, the server will not be able to provide
+		  comes from the cache, the server is not able to provide
 		  upwards
 		  referrals when <command>additional-from-cache no</command>
-		  has been specified.  Instead, it will respond to such
+		  has been specified.  Instead, it responds to such
 		  queries
 		  with REFUSED.  This should not cause any problems since
 		  upwards referrals are not required for the resolution
@@ -6526,15 +6479,15 @@ options {
 	      <listitem>
 		<para>
 		  If <userinput>yes</userinput>, then an
-		  IPv4-mapped IPv6 address will match any address match
+		  IPv4-mapped IPv6 address matches any address-match
 		  list entries that match the corresponding IPv4 address.
 		</para>
 		<para>
 		  This option was introduced to work around a kernel quirk
 		  in some operating systems that causes IPv4 TCP
 		  connections, such as zone transfers, to be accepted on an
-		  IPv6 socket using mapped addresses.  This caused address
-		  match lists designed for IPv4 to fail to match.  However,
+		  IPv6 socket using mapped addresses.  This caused address-match
+		  lists designed for IPv4 to fail to match.  However,
 		  <command>named</command> now solves this problem
 		  internally.  The use of this option is discouraged.
 		</para>
@@ -6569,15 +6522,15 @@ options {
 		<para>
 		  If <userinput>break-dnssec</userinput>,
 		  then AAAA records are deleted even when DNSSEC is enabled.
-		  As suggested by the name, this makes the response not verify,
-		  because the DNSSEC protocol is designed detect deletions.
+		  As suggested by the name, this causes the response to not verify,
+		  because the DNSSEC protocol is designed to detect deletions.
 		</para>
 		<para>
 		  This mechanism can erroneously cause other servers to
 		  not give AAAA records to their clients.
-		  A recursing server with both IPv6 and IPv4 network connections
+		  A recursing server with both IPv6 and IPv4 network connections,
 		  that queries an authoritative server using this mechanism
-		  via IPv4 will be denied AAAA records even if its client is
+		  via IPv4, is denied AAAA records even if its client is
 		  using IPv6.
 		</para>
 		<para>
@@ -6599,7 +6552,7 @@ options {
 	      <term><command>filter-aaaa-on-v6</command></term>
 	      <listitem>
 		<para>
-		  Identical to <command>filter-aaaa-on-v4</command>,
+		  This is identical to <command>filter-aaaa-on-v4</command>,
 		  except it filters AAAA responses to queries from IPv6
 		  clients instead of IPv4 clients.  To filter all
 		  responses, set both options to <userinput>yes</userinput>.
@@ -6612,33 +6565,32 @@ options {
 	      <listitem>
 		<para>
 		  When <userinput>yes</userinput> and the server loads a new
-		  version of a master zone from its zone file or receives a
-		  new version of a slave file via zone transfer, it will
-		  compare the new version to the previous one and calculate
+		  version of a primary zone from its zone file or receives a
+		  new version of a secondary file via zone transfer, it
+		  compares the new version to the previous one and calculates
 		  a set of differences.  The differences are then logged in
-		  the zone's journal file such that the changes can be
-		  transmitted to downstream slaves as an incremental zone
+		  the zone's journal file so that the changes can be
+		  transmitted to downstream secondaries as an incremental zone
 		  transfer.
 		</para>
 		<para>
 		  By allowing incremental zone transfers to be used for
 		  non-dynamic zones, this option saves bandwidth at the
 		  expense of increased CPU and memory consumption at the
-		  master.
+		  primary server.
 		  In particular, if the new version of a zone is completely
 		  different from the previous one, the set of differences
-		  will be of a size comparable to the combined size of the
-		  old and new zone version, and the server will need to
+		  is of a size comparable to the combined size of the
+		  old and new zone versions, and the server needs to
 		  temporarily allocate memory to hold this complete
 		  difference set.
 		</para>
 		<para><command>ixfr-from-differences</command>
 		  also accepts <command>master</command> and
 		  <command>slave</command> at the view and options
-		  levels which causes
+		  levels, which causes
 		  <command>ixfr-from-differences</command> to be enabled for
-		  all <command>master</command> or
-		  <command>slave</command> zones respectively.
+		  all primary or secondary zones, respectively.
 		  It is off by default.
 		</para>
 		<para>
@@ -6653,11 +6605,11 @@ options {
 	      <term><command>multi-master</command></term>
 	      <listitem>
 		<para>
-		  This should be set when you have multiple masters for a zone
+		  This should be set when there are multiple primary servers for a zone
 		  and the
-		  addresses refer to different machines.  If <userinput>yes</userinput>, <command>named</command> will
+		  addresses refer to different machines.  If <userinput>yes</userinput>, <command>named</command> does
 		  not log
-		  when the serial number on the master is less than what <command>named</command>
+		  when the serial number on the primary is less than what <command>named</command>
 		  currently
 		  has.  The default is <userinput>no</userinput>.
 		</para>
@@ -6681,7 +6633,7 @@ options {
 		<para>
 		  <command>auto-dnssec maintain;</command> includes the
 		  above, but also automatically adjusts the zone's DNSSEC
-		  keys on schedule, according to the keys' timing metadata
+		  keys on a schedule, according to the keys' timing metadata
 		  (see <xref linkend="man.dnssec-keygen"/> and
 		  <xref linkend="man.dnssec-settime"/>).  The command
 		  <command>rndc sign
@@ -6695,7 +6647,7 @@ options {
 		  repository and schedule key maintenance events to occur
 		  in the future, but it does not sign the full zone
 		  immediately.  Note: once keys have been loaded for a
-		  zone the first time, the repository will be searched
+		  zone the first time, the repository is searched
 		  for changes periodically, regardless of whether
 		  <command>rndc loadkeys</command> is used.  The recheck
 		  interval is defined by
@@ -6714,7 +6666,7 @@ options {
 		  This indicates whether DNSSEC-related resource
 		  records are to be returned by <command>named</command>.
 		  If set to <userinput>no</userinput>,
-		  <command>named</command> will not return DNSSEC-related
+		  <command>named</command> does not return DNSSEC-related
 		  resource records unless specifically queried for.
 		  The default is <userinput>yes</userinput>.
 		</para>
@@ -6725,15 +6677,15 @@ options {
 	      <term><command>dnssec-validation</command></term>
 	      <listitem>
 		<para>
-		  Enable DNSSEC validation in <command>named</command>.
-		  Note <command>dnssec-enable</command> also needs to be
+		  This option enables DNSSEC validation in <command>named</command>.
+		  Note that <command>dnssec-enable</command> also needs to be
 		  set to <userinput>yes</userinput> to be effective.
 		  If set to <userinput>no</userinput>, DNSSEC validation
 		  is disabled.
 		</para>
 	        <para>
 		  If set to <userinput>auto</userinput>, DNSSEC validation
-		  is enabled, and a default trust anchor for the DNS root
+		  is enabled and a default trust anchor for the DNS root
 		  zone is used.  If set to <userinput>yes</userinput>,
 		  DNSSEC validation is enabled, but a trust anchor must be
 		  manually configured using a <command>trusted-keys</command>
@@ -6743,7 +6695,7 @@ options {
 		<para>
 		  The default root trust anchor is stored in the file
 		  <filename>bind.keys</filename>.
-		  <command>named</command> will load that key at
+		  <command>named</command> loads that key at
 		  startup if <command>dnssec-validation</command> is
 		  set to <constant>auto</constant>.  A copy of the file is
 		  installed along with BIND 9, and is current as of the
@@ -6752,7 +6704,7 @@ options {
 		  from <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/bind-keys">https://www.isc.org/bind-keys</link>.
 		</para>
 		<para>
-		  To prevent problems if <filename>bind.keys</filename> is
+		  (To prevent problems if <filename>bind.keys</filename> is
 		  not found, the current trust anchor is also compiled in
 		  to <command>named</command>.  Relying on this is not
 		  recommended, however, as it requires <command>named</command>
@@ -6760,8 +6712,8 @@ options {
 		</para>
 		<note>
 		  <para>
-		    <command>named</command> <emphasis>only</emphasis>
-		    loads the root key from <filename>bind.keys</filename>.
+		    <command>named</command> loads <emphasis>only</emphasis>
+		    the root key from <filename>bind.keys</filename>.
 		    The file cannot be used to store keys for other zones.
 		    The root key in <filename>bind.keys</filename> is ignored
 		    if <command>dnssec-validation auto</command> is not in
@@ -6770,7 +6722,7 @@ options {
 		  <para>
 		    Whenever the resolver sends out queries to an
 		    EDNS-compliant server, it always sets the DO bit
-		    indicating it can support DNSSEC responses even if
+		    indicating it can support DNSSEC responses, even if
 		    <command>dnssec-validation</command> is off.
 		  </para>
 		</note>
@@ -6781,7 +6733,7 @@ options {
 	      <term><command>dnssec-accept-expired</command></term>
 	      <listitem>
 		<para>
-		  Accept expired signatures when verifying DNSSEC signatures.
+		  This accepts expired signatures when verifying DNSSEC signatures.
 		  The default is <userinput>no</userinput>.
 		  Setting this option to <userinput>yes</userinput>
 		  leaves <command>named</command> vulnerable to
@@ -6794,11 +6746,22 @@ options {
 	      <term><command>querylog</command></term>
 	      <listitem>
 		<para>
-		  Specify whether query logging should be started when <command>named</command>
-		  starts.
-		  If <command>querylog</command> is not specified,
-		  then the query logging
-		  is determined by the presence of the logging category <command>queries</command>.
+		  Query logging provides a complete log of all incoming
+		  queries and all query errors. This provides more insight
+		  into the server's activity, but with a cost to
+		  performance which may be significant on heavily loaded
+		  servers.
+		</para>
+		<para>
+		  The <command>querylog</command> option specifies
+		  whether query logging should be active when
+		  <command>named</command> first starts.
+		  If <command>querylog</command> is not specified, then
+		  query logging is determined by the presence of the
+		  logging category <command>queries</command>.
+		  Query logging can also be activated at runtime using the
+		  command <command>rndc querylog on</command>, or
+		  deactivated with <command>rndc querylog off</command>.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -6809,14 +6772,15 @@ options {
 		<para>
 		  This option is used to restrict the character set and syntax
 		  of
-		  certain domain names in master files and/or DNS responses
+		  certain domain names in zone files and/or DNS responses
 		  received
 		  from the network.  The default varies according to usage
-		  area.  For
-		  <command>master</command> zones the default is <command>fail</command>.
-		  For <command>slave</command> zones the default
-		  is <command>warn</command>.
-		  For answers received from the network (<command>response</command>)
+		  area.  For primary zones (i.e.,
+		  <command>type master</command>),
+		  the default is <command>fail</command>.
+		  For secondary zones (<command>type slave</command>), the
+		  default is <command>warn</command>.
+		  For answers received from the network (<command>response</command>),
 		  the default is <command>ignore</command>.
 		</para>
 		<para>
@@ -6824,11 +6788,11 @@ options {
 		  from RFC 952 and RFC 821 as modified by RFC 1123.
 		</para>
 		<para><command>check-names</command>
-		  applies to the owner names of A, AAAA and MX records.
+		  applies to the owner names of A, AAAA, and MX records.
 		  It also applies to the domain names in the RDATA of NS, SOA,
 		  MX, and SRV records.
-		  It also applies to the RDATA of PTR records where the owner
-		  name indicated that it is a reverse lookup of a hostname
+		  It further applies to the RDATA of PTR records where the owner
+		  name indicates that it is a reverse lookup of a hostname
 		  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
 		</para>
 	      </listitem>
@@ -6838,7 +6802,7 @@ options {
 	      <term><command>check-dup-records</command></term>
 	      <listitem>
 		<para>
-		  Check master zones for records that are treated as different
+		  This checks primary zones for records that are treated as different
 		  by DNSSEC but are semantically equal in plain DNS.  The
 		  default is to <command>warn</command>.  Other possible
 		  values are <command>fail</command> and
@@ -6851,7 +6815,7 @@ options {
 	      <term><command>check-mx</command></term>
 	      <listitem>
 		<para>
-		  Check whether the MX record appears to refer to a IP address.
+		  This checks whether the MX record appears to refer to a IP address.
 		  The default is to <command>warn</command>.  Other possible
 		  values are <command>fail</command> and
 		  <command>ignore</command>.
@@ -6868,7 +6832,7 @@ options {
 		  result of a failure
 		  to understand the wildcard matching algorithm (RFC 1034).
 		  This option
-		  affects master zones.  The default (<command>yes</command>) is to check
+		  affects primary zones.  The default (<command>yes</command>) is to check
 		  for non-terminal wildcards and issue a warning.
 		</para>
 	      </listitem>
@@ -6878,26 +6842,26 @@ options {
 	      <term><command>check-integrity</command></term>
 	      <listitem>
 		<para>
-		  Perform post load zone integrity checks on master
-		  zones.  This checks that MX and SRV records refer
+		  This performs post-load zone integrity checks on primary
+		  zones.  It checks that MX and SRV records refer
 		  to address (A or AAAA) records and that glue
 		  address records exist for delegated zones.  For
-		  MX and SRV records only in-zone hostnames are
-		  checked (for out-of-zone hostnames use
+		  MX and SRV records, only in-zone hostnames are
+		  checked (for out-of-zone hostnames, use
 		  <command>named-checkzone</command>).
-		  For NS records only names below top of zone are
+		  For NS records, only names below top-of-zone are
 		  checked (for out-of-zone names and glue consistency
-		  checks use <command>named-checkzone</command>).
+		  checks, use <command>named-checkzone</command>).
 		  The default is <command>yes</command>.
 		</para>
 		<para>
-		  The use of the SPF record for publishing Sender
-		  Policy Framework is deprecated as the migration
+		  The use of the SPF record to publish Sender
+		  Policy Framework is deprecated, as the migration
 		  from using TXT records to SPF records was abandoned.
 		  Enabling this option also checks that a TXT Sender
 		  Policy Framework record exists (starts with "v=spf1")
 		  if there is an SPF record. Warnings are emitted if the
-		  TXT record does not exist and can be suppressed with
+		  TXT record does not exist; they can be suppressed with
 		  <command>check-spf</command>.
 		</para>
 	      </listitem>
@@ -6907,8 +6871,8 @@ options {
 	      <term><command>check-mx-cname</command></term>
 	      <listitem>
 		<para>
-		  If <command>check-integrity</command> is set then
-		  fail, warn or ignore MX records that refer
+		  If <command>check-integrity</command> is set, then
+		  fail, warn, or ignore MX records that refer
 		  to CNAMES.  The default is to <command>warn</command>.
 		</para>
 	      </listitem>
@@ -6918,8 +6882,8 @@ options {
 	      <term><command>check-srv-cname</command></term>
 	      <listitem>
 		<para>
-		  If <command>check-integrity</command> is set then
-		  fail, warn or ignore SRV records that refer
+		  If <command>check-integrity</command> is set, then
+		  fail, warn, or ignore SRV records that refer
 		  to CNAMES.  The default is to <command>warn</command>.
 		</para>
 	      </listitem>
@@ -6939,7 +6903,7 @@ options {
 	      <term><command>check-spf</command></term>
 	      <listitem>
 		<para>
-		  If <command>check-integrity</command> is set then
+		  If <command>check-integrity</command> is set,
 		  check that there is a TXT Sender Policy Framework
 		  record present (starts with "v=spf1") if there is an
 		  SPF record present. The default is
@@ -6952,8 +6916,8 @@ options {
 	      <term><command>zero-no-soa-ttl</command></term>
 	      <listitem>
 		<para>
-		  When returning authoritative negative responses to
-		  SOA queries set the TTL of the SOA record returned in
+		  If <userinput>yes</userinput>, when returning authoritative negative responses to
+		  SOA queries, set the TTL of the SOA record returned in
 		  the authority section to zero.
 		  The default is <command>yes</command>.
 		</para>
@@ -6964,7 +6928,7 @@ options {
 	      <term><command>zero-no-soa-ttl-cache</command></term>
 	      <listitem>
 		<para>
-		  When caching a negative response to a SOA query
+		  If <userinput>yes</userinput>, when caching a negative response to an SOA query
 		  set the TTL to zero.
 		  The default is <command>no</command>.
 		</para>
@@ -6988,14 +6952,14 @@ options {
 		  then the KSK bit is ignored; KSKs are treated as if they
 		  were ZSKs and are used to sign the entire zone.  This is
 		  similar to the <command>dnssec-signzone -z</command>
-		  command line option.
+		  command-line option.
 		</para>
 		<para>
 		  When this option is set to <literal>yes</literal>, there
 		  must be at least two active keys for every algorithm
 		  represented in the DNSKEY RRset: at least one KSK and one
 		  ZSK per algorithm.  If there is any algorithm for which
-		  this requirement is not met, this option will be ignored
+		  this requirement is not met, this option is ignored
 		  for that algorithm.
 		</para>
 	      </listitem>
@@ -7007,12 +6971,12 @@ options {
 		<para>
 		  When this option and <command>update-check-ksk</command>
 		  are both set to <literal>yes</literal>, only key-signing
-		  keys (that is, keys with the KSK bit set) will be used
+		  keys (that is, keys with the KSK bit set) are used
 		  to sign the DNSKEY RRset at the zone apex.  Zone-signing
-		  keys (keys without the KSK bit set) will be used to sign
+		  keys (keys without the KSK bit set) are used to sign
 		  the remainder of the zone, but not the DNSKEY RRset.
 		  This is similar to the
-		  <command>dnssec-signzone -x</command> command line option.
+		  <command>dnssec-signzone -x</command> command-line option.
 		</para>
 		<para>
 		  The default is <command>no</command>.  If
@@ -7026,8 +6990,8 @@ options {
 	      <term><command>try-tcp-refresh</command></term>
 	      <listitem>
 		<para>
-		  Try to refresh the zone using TCP if UDP queries fail.
-		  For BIND 8 compatibility, the default is
+		  If <userinput>yes</userinput>, try to refresh the zone using TCP if UDP queries fail.
+		  The default is
 		  <command>yes</command>.
 		</para>
 	      </listitem>
@@ -7037,17 +7001,17 @@ options {
 	      <term><command>dnssec-secure-to-insecure</command></term>
 	      <listitem>
 		<para>
-		  Allow a dynamic zone to transition from secure to
+		  This allows a dynamic zone to transition from secure to
 		  insecure (i.e., signed to unsigned) by deleting all
 		  of the DNSKEY records.  The default is <command>no</command>.
 		  If set to <command>yes</command>, and if the DNSKEY RRset
 		  at the zone apex is deleted, all RRSIG and NSEC records
-		  will be removed from the zone as well.
+		  are removed from the zone as well.
 		</para>
 		<para>
-		  If the zone uses NSEC3, then it is also necessary to
-		  delete the NSEC3PARAM RRset from the zone apex; this will
-		  cause the removal of all corresponding NSEC3 records.
+		  If the zone uses NSEC3, it is also necessary to
+		  delete the NSEC3PARAM RRset from the zone apex; this
+		  causes the removal of all corresponding NSEC3 records.
 		  (It is expected that this requirement will be eliminated
 		  in a future release.)
 		</para>
@@ -7084,14 +7048,14 @@ options {
 	      <listitem>
 		<para>
 		  This option is only meaningful if the
-		  forwarders list is not empty. A value of <varname>first</varname>,
-		  the default, causes the server to query the forwarders
-		  first — and
-		  if that doesn't answer the question, the server will then
-		  look for
+		  forwarders list is not empty. A value of <varname>first</varname> is
+		  the default and causes the server to query the forwarders
+		  first;
+		  if that does not answer the question, the server then
+		  looks for
 		  the answer itself. If <varname>only</varname> is
 		  specified, the
-		  server will only query the forwarders.
+		  server only queries the forwarders.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -7100,9 +7064,11 @@ options {
 	      <term><command>forwarders</command></term>
 	      <listitem>
 		<para>
-		  Specifies the IP addresses to be used
-		  for forwarding. The default is the empty list (no
-		  forwarding).
+		  This specifies a list of IP addresses to which queries are
+		  forwarded. The default is the empty list (no forwarding).
+		  Each address in the list can be associated with an optional
+		  port number and/or DSCP value, and a default port number and
+		  DSCP value can be set for the entire list.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -7112,17 +7078,17 @@ options {
 	  <para>
 	    Forwarding can also be configured on a per-domain basis, allowing
 	    for the global forwarding options to be overridden in a variety
-	    of ways. You can set particular domains to use different
+	    of ways. Particular domains can be set to use different
 	    forwarders,
 	    or have a different <command>forward only/first</command> behavior,
-	    or not forward at all, see <xref linkend="zone_statement_grammar"/>.
+	    or not forward at all; see <xref linkend="zone_statement_grammar"/>.
 	  </para>
 	</section>
 
 	<section xml:id="dual_stack"><info><title>Dual-stack Servers</title></info>
 
 	  <para>
-	    Dual-stack servers are used as servers of last resort to work
+	    Dual-stack servers are used as servers of last resort, to work
 	    around
 	    problems in reachability due the lack of support for either IPv4
 	    or IPv6
@@ -7134,14 +7100,13 @@ options {
 	      <term><command>dual-stack-servers</command></term>
 	      <listitem>
 		<para>
-		  Specifies host names or addresses of machines with access to
+		  This specifies host names or addresses of machines with access to
 		  both IPv4 and IPv6 transports. If a hostname is used, the
 		  server must be able
 		  to resolve the name using only the transport it has.  If the
-		  machine is dual
-		  stacked, then the <command>dual-stack-servers</command> have no effect unless
+		  machine is dual-stacked, the <command>dual-stack-servers</command> parameter has no effect unless
 		  access to a transport has been disabled on the command line
-		  (e.g. <command>named -4</command>).
+		  (e.g., <command>named -4</command>).
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -7163,18 +7128,18 @@ options {
 	      <term><command>allow-notify</command></term>
 	      <listitem>
 		<para>
-		  Specifies which hosts are allowed to
-		  notify this server, a slave, of zone changes in addition
-		  to the zone masters.
+		  This ACL specifies which hosts are allowed to
+		  notify this secondary server of zone changes in addition
+		  to the zone primaries.
 		  <command>allow-notify</command> may also be
 		  specified in the
 		  <command>zone</command> statement, in which case
 		  it overrides the
 		  <command>options allow-notify</command>
 		  statement.  It is only meaningful
-		  for a slave zone.  If not specified, the default is to
+		  for a secondary zone.  If not specified, the default is to
 		  process notify messages
-		  only from a zone's master.
+		  only from a zone's primary.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -7183,7 +7148,7 @@ options {
 	      <term><command>allow-query</command></term>
 	      <listitem>
 		<para>
-		  Specifies which hosts are allowed to ask ordinary
+		  This specifies which hosts are allowed to ask ordinary
 		  DNS questions. <command>allow-query</command> may
 		  also be specified in the <command>zone</command>
 		  statement, in which case it overrides the
@@ -7193,7 +7158,7 @@ options {
 		</para>
 		<note>
 		  <para>
-		    <command>allow-query-cache</command> is now
+		    <command>allow-query-cache</command> is
 		    used to specify access to the cache.
 		  </para>
 		</note>
@@ -7204,7 +7169,7 @@ options {
 	      <term><command>allow-query-on</command></term>
 	      <listitem>
 		<para>
-		  Specifies which local addresses can accept ordinary
+		  This specifies which local addresses can accept ordinary
 		  DNS questions. This makes it possible, for instance,
 		  to allow queries on internal-facing interfaces but
 		  disallow them on external-facing ones, without
@@ -7214,7 +7179,7 @@ options {
 		  Note that <command>allow-query-on</command> is only
 		  checked for queries that are permitted by
 		  <command>allow-query</command>.  A query must be
-		  allowed by both ACLs, or it will be refused.
+		  allowed by both ACLs, or it is refused.
 		</para>
 		<para>
 		  <command>allow-query-on</command> may
@@ -7239,13 +7204,14 @@ options {
 	      <term><command>allow-query-cache</command></term>
 	      <listitem>
 		<para>
-		  Specifies which hosts are allowed to get answers
+		  This specifies which hosts are allowed to get answers
 		  from the cache.  If <command>allow-query-cache</command>
-		  is not set then <command>allow-recursion</command>
-		  is used if set, otherwise <command>allow-query</command>
-		  is used if set unless <command>recursion no;</command> is
-		  set in which case <command>none;</command> is used,
-		  otherwise the default (<command>localnets;</command>
+		  is not set, BIND checks to see if the following parameters
+		  are set, in order: <command>allow-recursion</command> and
+		  <command>allow-query</command>
+		  (unless <command>recursion no;</command> is
+		  set, in which case <command>none;</command> is used).
+		  If neither of those parameters is set, the default (<command>localnets;</command>
 		  <command>localhost;</command>) is used.
 		</para>
 	      </listitem>
@@ -7255,10 +7221,10 @@ options {
 	      <term><command>allow-query-cache-on</command></term>
 	      <listitem>
 		<para>
-		  Specifies which local addresses can give answers
+		  This specifies which local addresses can send answers
 		  from the cache.  If not specified, the default is
 		  to allow cache queries on any address,
-		  <command>localnets</command> and
+		  <command>localnets</command>, and
 		  <command>localhost</command>.
 		</para>
 	      </listitem>
@@ -7268,12 +7234,12 @@ options {
 	      <term><command>allow-recursion</command></term>
 	      <listitem>
 		<para>
-		  Specifies which hosts are allowed to make recursive
-		  queries through this server. If
-		  <command>allow-recursion</command> is not set
-		  then <command>allow-query-cache</command> is
-		  used if set, otherwise <command>allow-query</command>
-		  is used if set, otherwise the default
+		  This specifies which hosts are allowed to make recursive
+		  queries through this server. BIND checks to see if the
+		  following parameters are set, in order:
+		  <command>allow-recursion</command>, <command>allow-query-cache</command>,
+		  and <command>allow-query</command>.
+		  If none of those parameters are set, the default
 		  (<command>localnets;</command>
 		  <command>localhost;</command>) is used.
 		</para>
@@ -7284,7 +7250,7 @@ options {
 	      <term><command>allow-recursion-on</command></term>
 	      <listitem>
 		<para>
-		  Specifies which local addresses can accept recursive
+		  This specifies which local addresses can accept recursive
 		  queries.  If not specified, the default is to allow
 		  recursive queries on all addresses.
 		</para>
@@ -7295,8 +7261,8 @@ options {
 	      <term><command>allow-update</command></term>
 	      <listitem>
 		<para>
-		  Specifies which hosts are allowed to
-		  submit Dynamic DNS updates for master zones. The default is
+		  This specifies which hosts are allowed to
+		  submit Dynamic DNS updates for primary zones. The default is
 		  to deny
 		  updates from all hosts.  Note that allowing updates based
 		  on the requestor's IP address is insecure; see
@@ -7309,28 +7275,28 @@ options {
 	      <term><command>allow-update-forwarding</command></term>
 	      <listitem>
 		<para>
-		  Specifies which hosts are allowed to
-		  submit Dynamic DNS updates to slave zones to be forwarded to
+		  This specifies which hosts are allowed to
+		  submit Dynamic DNS updates to secondary zones to be forwarded to
 		  the
-		  master.  The default is <userinput>{ none; }</userinput>,
+		  primary.  The default is <userinput>{ none; }</userinput>,
 		  which
-		  means that no update forwarding will be performed.  To
+		  means that no update forwarding is performed.  To
 		  enable
 		  update forwarding, specify
 		  <userinput>allow-update-forwarding { any; };</userinput>.
 		  Specifying values other than <userinput>{ none; }</userinput> or
 		  <userinput>{ any; }</userinput> is usually
-		  counterproductive, since
+		  counterproductive;
 		  the responsibility for update access control should rest
 		  with the
-		  master server, not the slaves.
+		  primary server, not the secondaries.
 		</para>
 		<para>
-		  Note that enabling the update forwarding feature on a slave
+		  Note that enabling the update forwarding feature on a secondary
 		  server
-		  may expose master servers relying on insecure IP address
-		  based
-		  access control to attacks; see <xref linkend="dynamic_update_security"/>
+		  may expose primary servers to attacks if they rely on insecure
+		  IP-address-based
+		  access control; see <xref linkend="dynamic_update_security"/>
 		  for more details.
 		</para>
 	      </listitem>
@@ -7355,7 +7321,7 @@ options {
 	      <term><command>allow-transfer</command></term>
 	      <listitem>
 		<para>
-		  Specifies which hosts are allowed to
+		  This specifies which hosts are allowed to
 		  receive zone transfers from the server. <command>allow-transfer</command> may
 		  also be specified in the <command>zone</command>
 		  statement, in which
@@ -7370,10 +7336,10 @@ options {
 	      <term><command>blackhole</command></term>
 	      <listitem>
 		<para>
-		  Specifies a list of addresses that the
-		  server will not accept queries from or use to resolve a
+		  This specifies a list of addresses which the
+		  server does accept queries from or use to resolve a
 		  query. Queries
-		  from these addresses will not be responded to. The default
+		  from these addresses are not responded to. The default
 		  is <userinput>none</userinput>.
 		</para>
 	      </listitem>
@@ -7383,7 +7349,7 @@ options {
 	      <term><command>filter-aaaa</command></term>
 	      <listitem>
 		<para>
-		  Specifies a list of addresses to which
+		  This specifies a list of addresses to which
 		  <command>filter-aaaa-on-v4</command>
 		  and <command>filter-aaaa-on-v6</command>
 		  apply.  The default is <userinput>any</userinput>.
@@ -7395,8 +7361,8 @@ options {
 	      <term><command>keep-response-order</command></term>
 	      <listitem>
 		<para>
-		  Specifies a list of addresses to which the server
-		  will send responses to TCP queries in the same order
+		  This specifies a list of addresses to which the server
+		  sends responses to TCP queries, in the same order
 		  in which they were received.  This disables the
 		  processing of TCP queries in parallel. The default
 		  is <userinput>none</userinput>.
@@ -7407,7 +7373,7 @@ options {
 	    <varlistentry>
 	      <term><command>no-case-compress</command></term> <listitem>
 		<para>
-		  Specifies a list of addresses which require responses
+		  This specifies a list of addresses which require responses
 		  to use case-insensitive compression.  This ACL can be
 		  used when <command>named</command> needs to work with
 		  clients that do not comply with the requirement in RFC
@@ -7417,19 +7383,19 @@ options {
 		<para>
 		  If left undefined, the ACL defaults to
 		  <command>none</command>: case-insensitive compression
-		  will be used for all clients.  If the ACL is defined and
-		  matches a client, then case will be ignored when
+		  is used for all clients.  If the ACL is defined and
+		  matches a client, case is ignored when
 		  compressing domain names in DNS responses sent to that
 		  client.
 		</para>
 		<para>
-		  This can result in slightly smaller responses: if
+		  This can result in slightly smaller responses; if
 		  a response contains the names "example.com" and
-		  "example.COM", case-insensitive compression would treat
+		  "example.COM", case-insensitive compression treats
 		  the second one as a duplicate.  It also ensures
 		  that the case of the query name exactly matches the
 		  case of the owner names of returned records, rather
-		  than matching the case of the records entered in
+		  than matches the case of the records entered in
 		  the zone file.  This allows responses to exactly
 		  match the query, which is required by some clients
 		  due to incorrect use of case-sensitive comparisons.
@@ -7441,16 +7407,16 @@ options {
 		</para>
 		<para>
 		  There are circumstances in which <command>named</command>
-		  will not preserve the case of owner names of records:
+		  does not preserve the case of owner names of records:
 		  if a zone file defines records of different types with
 		  the same name, but the capitalization of the name is
 		  different (e.g., "www.example.com/A" and
 		  "WWW.EXAMPLE.COM/AAAA"), then all responses for that
-		  name will use the <emphasis>first</emphasis> version
+		  name use the <emphasis>first</emphasis> version
 		  of the name that was used in the zone file.  This
 		  limitation may be addressed in a future release.  However,
 		  domain names specified in the rdata of resource records
-		  (i.e., records of type NS, MX, CNAME, etc) will always
+		  (i.e., records of type NS, MX, CNAME, etc.) always
 		  have their case preserved unless the client matches this
 		  ACL.
 		</para>
@@ -7461,12 +7427,12 @@ options {
 	      <term><command>resolver-query-timeout</command></term>
 	      <listitem>
 		<para>
-		  The amount of time in seconds that the resolver
-		  will spend attempting to resolve a recursive
+		  This is the amount of time in seconds that the
+		  resolver spends attempting to resolve a recursive
 		  query before failing.  The default and minimum
 		  is <literal>10</literal> and the maximum is
 		  <literal>30</literal>.  Setting it to
-		  <literal>0</literal> will result in the default
+		  <literal>0</literal> results in the default
 		  being used.
 		</para>
 	      </listitem>
@@ -7478,18 +7444,18 @@ options {
 	<section xml:id="interfaces"><info><title>Interfaces</title></info>
 
 	  <para>
-	    The interfaces and ports that the server will answer queries
+	    The interfaces and ports that the server answers queries
 	    from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
 	    an optional port and an <varname>address_match_list</varname>
 	    of IPv4 addresses.  (IPv6 addresses are ignored, with a
 	    logged warning.)
-	    The server will listen on all interfaces allowed by the address
-	    match list. If a port is not specified, port 53 will be used.
+	    The server listens on all interfaces allowed by the address
+	    match list. If a port is not specified, port 53 is used.
 	  </para>
 	  <para>
 	    Multiple <command>listen-on</command> statements are
 	    allowed.
-	    For example,
+	    For example:
 	  </para>
 
 <programlisting>listen-on { 5.6.7.8; };
@@ -7497,21 +7463,21 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
 </programlisting>
 
 	  <para>
-	    will enable the name server on port 53 for the IP address
+	    enables the name server on port 53 for the IP address
 	    5.6.7.8, and on port 1234 of an address on the machine in net
 	    1.2 that is not 1.2.3.4.
 	  </para>
 
 	  <para>
 	    If no <command>listen-on</command> is specified, the
-	    server will listen on port 53 on all IPv4 interfaces.
+	    server listens on port 53 on all IPv4 interfaces.
 	  </para>
 
 	  <para>
 	    The <command>listen-on-v6</command> option is used to
-	    specify the interfaces and the ports on which the server will
-	    listen for incoming queries sent using IPv6.  If not specified,
-	    the server will listen on port 53 on all IPv6 interfaces.
+	    specify the interfaces and the ports on which the server
+	    listens for incoming queries sent using IPv6.  If not specified,
+	    the server listens on port 53 on all IPv6 interfaces.
 	  </para>
 
 	  <para>
@@ -7520,8 +7486,8 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
 	    as the <varname>address_match_list</varname> for the
 	    <command>listen-on-v6</command> option,
 	    the server does not bind a separate socket to each IPv6 interface
-	    address as it does for IPv4 if the operating system has enough API
-	    support for IPv6 (specifically if it conforms to RFC 3493 and RFC
+	    address as it does for IPv4, if the operating system has enough API
+	    support for IPv6 (specifically, if it conforms to RFC 3493 and RFC
 	    3542).
 	    Instead, it listens on the IPv6 wildcard address.
 	    If the system only has incomplete API support for IPv6, however,
@@ -7535,13 +7501,13 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
 	    address,
 	    regardless of whether the desired API is supported by the system.
 	    IPv4 addresses specified in <command>listen-on-v6</command>
-	    will be ignored, with a logged warning.
+	    are ignored, with a logged warning.
 	  </para>
 
 	  <para>
 	    Multiple <command>listen-on-v6</command> options can
 	    be used.
-	    For example,
+	    For example:
 	  </para>
 
 <programlisting>listen-on-v6 { any; };
@@ -7549,14 +7515,14 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 </programlisting>
 
 	  <para>
-	    will enable the name server on port 53 for any IPv6 addresses
+	    enables the name server on port 53 for any IPv6 addresses
 	    (with a single wildcard socket),
-	    and on port 1234 of IPv6 addresses that is not in the prefix
-	    2001:db8::/32 (with separate sockets for each matched address.)
+	    and on port 1234 of IPv6 addresses that are not in the prefix
+	    2001:db8::/32 (with separate sockets for each matched address).
 	  </para>
 
 	  <para>
-	    To make the server not listen on any IPv6 address, use
+	    To instruct the server not to listen on any IPv6 address, use:
 	  </para>
 
 <programlisting>listen-on-v6 { none; };
@@ -7567,20 +7533,20 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 	<section xml:id="query_address"><info><title>Query Address</title></info>
 
 	  <para>
-	    If the server doesn't know the answer to a question, it will
-	    query other name servers. <command>query-source</command> specifies
+	    If the server does not know the answer to a question, it
+	    queries other name servers. <command>query-source</command> specifies
 	    the address and port used for such queries. For queries sent over
 	    IPv6, there is a separate <command>query-source-v6</command> option.
 	    If <command>address</command> is <command>*</command> (asterisk) or is omitted,
 	    a wildcard IP address (<command>INADDR_ANY</command>)
-	    will be used.
+	    is used.
 	  </para>
 
 	  <para>
 	    If <command>port</command> is <command>*</command> or is omitted,
 	    a random port number from a pre-configured
-	    range is picked up and will be used for each query.
-	    The port range(s) is that specified in
+	    range is picked up and used for each query.
+	    The port range(s) is specified in
 	    the <command>use-v4-udp-ports</command> (for IPv4)
 	    and <command>use-v6-udp-ports</command> (for IPv6)
 	    options, excluding the ranges specified in
@@ -7601,12 +7567,12 @@ query-source-v6 address * port *;
 	  <para>
 	    If <command>use-v4-udp-ports</command> or
 	    <command>use-v6-udp-ports</command> is unspecified,
-	    <command>named</command> will check if the operating
+	    <command>named</command> checks whether the operating
 	    system provides a programming interface to retrieve the
 	    system's default range for ephemeral ports.
 	    If such an interface is available,
-	    <command>named</command> will use the corresponding system
-	    default range; otherwise, it will use its own defaults:
+	    <command>named</command> uses the corresponding system
+	    default range; otherwise, it uses its own defaults:
 	 </para>
 
 <programlisting>use-v4-udp-ports { range 1024 65535; };
@@ -7614,18 +7580,18 @@ use-v6-udp-ports { range 1024 65535; };
 </programlisting>
 
 	  <para>
-	    Note: make sure the ranges be sufficiently large for
-	    security.  A desirable size depends on various parameters,
+	    Note: make sure the ranges are sufficiently large for
+	    security.  A desirable size depends on several parameters,
 	    but we generally recommend it contain at least 16384 ports
 	    (14 bits of entropy).
 	    Note also that the system's default range when used may be
 	    too small for this purpose, and that the range may even be
 	    changed while <command>named</command> is running; the new
-	    range will automatically be applied when <command>named</command>
+	    range is automatically applied when <command>named</command>
 	    is reloaded.
-	    It is encouraged to
-	    configure <command>use-v4-udp-ports</command> and
-	    <command>use-v6-udp-ports</command> explicitly so that the
+	    Explicit
+	    configuration of <command>use-v4-udp-ports</command> and
+	    <command>use-v6-udp-ports</command> is encouraged, so that the
 	    ranges are sufficiently large and are reasonably
 	    independent from the ranges used by other applications.
 	  </para>
@@ -7633,8 +7599,8 @@ use-v6-udp-ports { range 1024 65535; };
 	  <para>
 	    Note: the operational configuration
 	    where <command>named</command> runs may prohibit the use
-	    of some ports.  For example, UNIX systems will not allow
-	    <command>named</command> running without a root privilege
+	    of some ports.  For example, Unix systems do not allow
+	    <command>named</command>, if run without root privilege,
 	    to use ports less than 1024.
 	    If such ports are included in the specified (or detected)
 	    set of query ports, the corresponding query attempts will
@@ -7732,12 +7698,12 @@ avoid-v6-udp-ports {};
 	      <term><command>also-notify</command></term>
 	      <listitem>
 		<para>
-		  Defines a global list of IP addresses of name servers
+		  This option defines a global list of IP addresses of name servers
 		  that are also sent NOTIFY messages whenever a fresh copy of
 		  the
 		  zone is loaded, in addition to the servers listed in the
 		  zone's NS records.
-		  This helps to ensure that copies of the zones will
+		  This helps to ensure that copies of the zones
 		  quickly converge on stealth servers.
 		  Optionally, a port may be specified with each
 		  <command>also-notify</command> address to send
@@ -7752,13 +7718,13 @@ avoid-v6-udp-ports {};
 		<para>
 		  If an <command>also-notify</command> list
 		  is given in a <command>zone</command> statement,
-		  it will override
+		  it overrides
 		  the <command>options also-notify</command>
 		  statement. When a <command>zone notify</command>
 		  statement
 		  is set to <command>no</command>, the IP
-		  addresses in the global <command>also-notify</command> list will
-		  not be sent NOTIFY messages for that zone. The default is
+		  addresses in the global <command>also-notify</command> list are
+		  not sent NOTIFY messages for that zone. The default is
 		  the empty
 		  list (no global notification list).
 		</para>
@@ -7770,7 +7736,7 @@ avoid-v6-udp-ports {};
 	      <listitem>
 		<para>
 		  Inbound zone transfers running longer than
-		  this many minutes will be terminated. The default is 120
+		  this many minutes are terminated. The default is 120
 		  minutes
 		  (2 hours).  The maximum value is 28 days (40320 minutes).
 		</para>
@@ -7782,7 +7748,7 @@ avoid-v6-udp-ports {};
 	      <listitem>
 		<para>
 		  Inbound zone transfers making no progress
-		  in this many minutes will be terminated. The default is 60
+		  in this many minutes are terminated. The default is 60
 		  minutes
 		  (1 hour).  The maximum value is 28 days (40320 minutes).
 		</para>
@@ -7794,7 +7760,7 @@ avoid-v6-udp-ports {};
 	      <listitem>
 		<para>
 		  Outbound zone transfers running longer than
-		  this many minutes will be terminated. The default is 120
+		  this many minutes are terminated. The default is 120
 		  minutes
 		  (2 hours).  The maximum value is 28 days (40320 minutes).
 		</para>
@@ -7806,7 +7772,7 @@ avoid-v6-udp-ports {};
 	      <listitem>
 		<para>
 		  Outbound zone transfers making no progress
-		  in this many minutes will be terminated.  The default is 60
+		  in this many minutes are terminated.  The default is 60
 		  minutes (1
 		  hour).  The maximum value is 28 days (40320 minutes).
 		</para>
@@ -7817,13 +7783,13 @@ avoid-v6-udp-ports {};
 	      <term><command>notify-rate</command></term>
 	      <listitem>
 		<para>
-		  The rate at which NOTIFY requests will be sent
+		  This specifies the rate at which NOTIFY requests are sent
 		  during normal zone maintenance operations. (NOTIFY
 		  requests due to initial zone loading are subject
 		  to a separate rate limit; see below.) The default is
 		  20 per second.
 		  The lowest possible rate is one per second; when set
-		  to zero, it will be silently raised to one.
+		  to zero, it is silently raised to one.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -7832,12 +7798,12 @@ avoid-v6-udp-ports {};
 	      <term><command>startup-notify-rate</command></term>
 	      <listitem>
 		<para>
-		  The rate at which NOTIFY requests will be sent
+		  This is the rate at which NOTIFY requests are sent
 		  when the name server is first starting up, or when
-		  zones have been newly added to the nameserver.
+		  zones have been newly added to the name server.
 		  The default is 20 per second.
 		  The lowest possible rate is one per second; when set
-		  to zero, it will be silently raised to one.
+		  to zero, it is silently raised to one.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -7846,17 +7812,17 @@ avoid-v6-udp-ports {};
 	      <term><command>serial-query-rate</command></term>
 	      <listitem>
 		<para>
-		  Slave servers will periodically query master
+		  Secondary servers periodically query primary
 		  servers to find out if zone serial numbers have
 		  changed. Each such query uses a minute amount of
-		  the slave server's network bandwidth.  To limit
+		  the secondary server's network bandwidth.  To limit
 		  the amount of bandwidth used, BIND 9 limits the
 		  rate at which queries are sent.  The value of the
 		  <command>serial-query-rate</command> option, an
 		  integer, is the maximum number of queries sent
 		  per second.  The default is 20 per second.
 		  The lowest possible rate is one per second; when set
-		  to zero, it will be silently raised to one.
+		  to zero, it is silently raised to one.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -7865,10 +7831,6 @@ avoid-v6-udp-ports {};
 	      <term><command>serial-queries</command></term>
 	      <listitem>
 		<para>
-		  In BIND 8, the <command>serial-queries</command>
-		  option
-		  set the maximum number of concurrent serial number queries
-		  allowed to be outstanding at any given time.
 		  BIND 9 does not limit the number of outstanding
 		  serial queries and ignores the <command>serial-queries</command> option.
 		  Instead, it limits the rate at which the queries are sent
@@ -7886,18 +7848,14 @@ avoid-v6-udp-ports {};
 		  <command>one-answer</command> and
 		  <command>many-answers</command>.
 		  The <command>transfer-format</command> option is used
-		  on the master server to determine which format it sends.
+		  on the primary server to determine which format it sends.
 		  <command>one-answer</command> uses one DNS message per
 		  resource record transferred.
 		  <command>many-answers</command> packs as many resource
-		  records as possible into a message.
-		  <command>many-answers</command> is more efficient, but is
-		  only supported by relatively new slave servers,
-		  such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
-		  8.x and <acronym>BIND</acronym> 4.9.5 onwards.
+		  records as possible into one message.
+		  <command>many-answers</command> is more efficient; the default is <command>many-answers</command>.
 		  The <command>many-answers</command> format is also supported by
-		  recent Microsoft Windows nameservers.
-		  The default is <command>many-answers</command>.
+		  recent Microsoft Windows name servers.
 		  <command>transfer-format</command> may be overridden on a
 		  per-server basis by using the <command>server</command>
 		  statement.
@@ -7912,7 +7870,7 @@ avoid-v6-udp-ports {};
 		<para>
 		  This is an upper bound on the uncompressed size of DNS
 		  messages used in zone transfers over TCP.  If a message
-		  grows larger than this size, additional messages will be
+		  grows larger than this size, additional messages are
 		  used to complete the zone transfer.  (Note, however,
 		  that this is a hint, not a hard limit; if a message
 		  contains a single resource record whose RDATA does not
@@ -7920,10 +7878,10 @@ avoid-v6-udp-ports {};
 		  permitted so the record can be transferred.)
 		</para>
 		<para>
-		  Valid values are between 512 and 65535 octets, and any
-		  values outside that range will be adjusted to the nearest
+		  Valid values are between 512 and 65535 octets; any
+		  values outside that range are adjusted to the nearest
 		  value within it.  The default is <literal>20480</literal>,
-		  which was selected to improve message compression:
+		  which was selected to improve message compression;
 		  most DNS messages of this size will compress to less
 		  than 16536 bytes.  Larger messages cannot be compressed
 		  as effectively, because 16536 is the largest permissible
@@ -7941,11 +7899,11 @@ avoid-v6-udp-ports {};
 	      <term><command>transfers-in</command></term>
 	      <listitem>
 		<para>
-		  The maximum number of inbound zone transfers
-		  that can be running concurrently. The default value is <literal>10</literal>.
+		  This is the maximum number of inbound zone transfers
+		  that can run concurrently. The default value is <literal>10</literal>.
 		  Increasing <command>transfers-in</command> may
 		  speed up the convergence
-		  of slave zones, but it also may increase the load on the
+		  of secondary zones, but it also may increase the load on the
 		  local system.
 		</para>
 	      </listitem>
@@ -7955,10 +7913,10 @@ avoid-v6-udp-ports {};
 	      <term><command>transfers-out</command></term>
 	      <listitem>
 		<para>
-		  The maximum number of outbound zone transfers
-		  that can be running concurrently. Zone transfer requests in
+		  This is the maximum number of outbound zone transfers
+		  that can run concurrently. Zone transfer requests in
 		  excess
-		  of the limit will be refused. The default value is <literal>10</literal>.
+		  of the limit are refused. The default value is <literal>10</literal>.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -7967,13 +7925,13 @@ avoid-v6-udp-ports {};
 	      <term><command>transfers-per-ns</command></term>
 	      <listitem>
 		<para>
-		  The maximum number of inbound zone transfers
-		  that can be concurrently transferring from a given remote
+		  This is the maximum number of inbound zone transfers
+		  that can concurrently transfer from a given remote
 		  name server.
 		  The default value is <literal>2</literal>.
 		  Increasing <command>transfers-per-ns</command>
 		  may
-		  speed up the convergence of slave zones, but it also may
+		  speed up the convergence of secondary zones, but it also may
 		  increase
 		  the load on the remote name server. <command>transfers-per-ns</command> may
 		  be overridden on a per-server basis by using the <command>transfers</command> phrase
@@ -7986,13 +7944,13 @@ avoid-v6-udp-ports {};
 	      <term><command>transfer-source</command></term>
 	      <listitem>
 		<para><command>transfer-source</command>
-		  determines which local address will be bound to IPv4
+		  determines which local address is bound to IPv4
 		  TCP connections used to fetch zones transferred
 		  inbound by the server.  It also determines the
 		  source IPv4 address, and optionally the UDP port,
 		  used for the refresh queries and forwarded dynamic
-		  updates.  If not set, it defaults to a system
-		  controlled value which will usually be the address
+		  updates.  If not set, it defaults to a
+		  system-controlled value which is usually the address
 		  of the interface "closest to" the remote end. This
 		  address must appear in the remote end's
 		  <command>allow-transfer</command> option for the
@@ -8019,7 +7977,7 @@ avoid-v6-udp-ports {};
 	      <term><command>transfer-source-v6</command></term>
 	      <listitem>
 		<para>
-		  The same as <command>transfer-source</command>,
+		  This option is the same as <command>transfer-source</command>,
 		  except zone transfers are performed using IPv6.
 		</para>
 	      </listitem>
@@ -8029,16 +7987,15 @@ avoid-v6-udp-ports {};
 	      <term><command>alt-transfer-source</command></term>
 	      <listitem>
 		<para>
-		  An alternate transfer source if the one listed in
+		  This indicates an alternate transfer source if the one listed in
 		  <command>transfer-source</command> fails and
 		  <command>use-alt-transfer-source</command> is
 		  set.
 		</para>
 		<note><simpara>
-		  If you do not wish the alternate transfer source
-		  to be used, you should set
-		  <command>use-alt-transfer-source</command>
-		  appropriately and you should not depend upon
+		  To avoid using the alternate transfer source,
+		  set <command>use-alt-transfer-source</command>
+		  appropriately and do not depend upon
 		  getting an answer back to the first refresh
 		  query.
 		</simpara></note>
@@ -8049,7 +8006,7 @@ avoid-v6-udp-ports {};
 	      <term><command>alt-transfer-source-v6</command></term>
 	      <listitem>
 		<para>
-		  An alternate transfer source if the one listed in
+		  This indicates an alternate transfer source if the one listed in
 		  <command>transfer-source-v6</command> fails and
 		  <command>use-alt-transfer-source</command> is
 		  set.
@@ -8061,11 +8018,10 @@ avoid-v6-udp-ports {};
 	      <term><command>use-alt-transfer-source</command></term>
 	      <listitem>
 		<para>
-		  Use the alternate transfer sources or not.  If views are
-		  specified this defaults to <command>no</command>
-		  otherwise it defaults to
-		  <command>yes</command> (for BIND 8
-		  compatibility).
+		  This indicates whether the alternate transfer sources should be used.  If views are
+		  specified, this defaults to <command>no</command>;
+		  otherwise, it defaults to
+		  <command>yes</command>.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8075,8 +8031,8 @@ avoid-v6-udp-ports {};
 	      <listitem>
 		<para><command>notify-source</command>
 		  determines which local source address, and
-		  optionally UDP port, will be used to send NOTIFY
-		  messages.  This address must appear in the slave
+		  optionally UDP port, is used to send NOTIFY
+		  messages.  This address must appear in the secondary
 		  server's <command>masters</command> zone clause or
 		  in an <command>allow-notify</command> clause.  This
 		  statement sets the <command>notify-source</command>
@@ -8100,7 +8056,7 @@ avoid-v6-udp-ports {};
 	      <term><command>notify-source-v6</command></term>
 	      <listitem>
 		<para>
-		  Like <command>notify-source</command>,
+		  This option acts like <command>notify-source</command>,
 		  but applies to notify messages sent to IPv6 addresses.
 		</para>
 	      </listitem>
@@ -8117,11 +8073,11 @@ avoid-v6-udp-ports {};
 	    <command>avoid-v4-udp-ports</command>,
 	    <command>use-v6-udp-ports</command>, and
 	    <command>avoid-v6-udp-ports</command>
-	    specify a list of IPv4 and IPv6 UDP ports that will be
-	    used or not used as source ports for UDP messages.
+	    specify a list of IPv4 and IPv6 UDP ports that are
+	    or are not used as source ports for UDP messages.
 	    See <xref linkend="query_address"/> about how the
 	    available ports are determined.
-	    For example, with the following configuration
+	    For example, with the following configuration:
 	  </para>
 
 <programlisting>
@@ -8131,7 +8087,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 	   <para>
 	     UDP ports of IPv6 messages sent
-	     from <command>named</command> will be in one
+	     from <command>named</command> are in one
 	     of the following ranges: 32768 to 39999, 40001 to 49999,
 	     and 60001 to 65535.
 	   </para>
@@ -8140,11 +8096,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	     <command>avoid-v4-udp-ports</command> and
 	     <command>avoid-v6-udp-ports</command> can be used
 	     to prevent <command>named</command> from choosing as its random source port a
-	     port that is blocked by your firewall or a port that is
+	     port that is blocked by a firewall or a port that is
 	     used by other applications;
 	     if a query went out with a source port blocked by a
 	     firewall, the
-	     answer would not get by the firewall and the name server would
+	     answer would not pass through the firewall and the name server would
 	     have to query again.
 	     Note: the desired range can also be represented only with
 	     <command>use-v4-udp-ports</command> and
@@ -8173,10 +8129,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 	  <para>
 	    The following options set operating system resource limits for
-	    the name server process.  Some operating systems don't support
+	    the name server process.  Some operating systems do not support
 	    some or
-	    any of the limits. On such systems, a warning will be issued if
-	    the
+	    any of the limits; on such systems, a warning is issued if
+	    an
 	    unsupported limit is used.
 	  </para>
 
@@ -8186,7 +8142,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>coresize</command></term>
 	      <listitem>
 		<para>
-		  The maximum size of a core dump. The default
+		  This sets the maximum size of a core dump. The default
 		  is <literal>default</literal>.
 		</para>
 	      </listitem>
@@ -8196,16 +8152,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>datasize</command></term>
 	      <listitem>
 		<para>
-		  The maximum amount of data memory the server
+		  This sets the maximum amount of data memory the server
 		  may use. The default is <literal>default</literal>.
-		  This is a hard limit on server memory usage.
-		  If the server attempts to allocate memory in excess of this
+		  This is a hard limit on server memory usage;
+		  if the server attempts to allocate memory in excess of this
 		  limit, the allocation will fail, which may in turn leave
 		  the server unable to perform DNS service.  Therefore,
-		  this option is rarely useful as a way of limiting the
+		  this option is rarely useful as a way to limit the
 		  amount of memory used by the server, but it can be used
 		  to raise an operating system data size limit that is
-		  too small by default.  If you wish to limit the amount
+		  too small by default.  To limit the amount
 		  of memory used by the server, use the
 		  <command>max-cache-size</command> and
 		  <command>recursive-clients</command>
@@ -8218,7 +8174,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>files</command></term>
 	      <listitem>
 		<para>
-		  The maximum number of files the server
+		  This sets the maximum number of files the server
 		  may have open concurrently. The default is <literal>unlimited</literal>.
 		</para>
 	      </listitem>
@@ -8228,7 +8184,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>stacksize</command></term>
 	      <listitem>
 		<para>
-		  The maximum amount of stack memory the server
+		  This sets the maximum amount of stack memory the server
 		  may use. The default is <literal>default</literal>.
 		</para>
 	      </listitem>
@@ -8238,12 +8194,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 	</section>
 
-	<section xml:id="server_resource_limits"><info><title>Server  Resource Limits</title></info>
+	<section xml:id="server_resource_limits"><info><title>Server Resource Limits</title></info>
 
 	  <para>
 	    The following options set limits on the server's
 	    resource consumption that are enforced internally by the
-	    server rather than the operating system.
+	    server rather than by the operating system.
 	  </para>
 
 	  <variablelist>
@@ -8264,16 +8220,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-journal-size</command></term>
 	      <listitem>
 		<para>
-		  Sets a maximum size for each journal file
+		  This sets a maximum size for each journal file
 		  (see <xref linkend="journal"/>).  When the journal file
 		  approaches
 		  the specified size, some of the oldest transactions in the
 		  journal
-		  will be automatically removed.  The largest permitted
+		  are automatically removed.  The largest permitted
 		  value is 2 gigabytes. The default is
 		  <literal>unlimited</literal>, which also
 		  means 2 gigabytes.
-		  This may also be set on a per-zone basis.
+		  This option may also be set on a per-zone basis.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8282,8 +8238,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-records</command></term>
 	      <listitem>
 		<para>
-		  The maximum number of records permitted in a zone.
-		  The default is zero which means unlimited.
+		  This sets the maximum number of records permitted in a zone.
+		  The default is zero, which means the maximum is unlimited.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8292,9 +8248,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>host-statistics-max</command></term>
 	      <listitem>
 		<para>
-		  In BIND 8, specifies the maximum number of host statistics
+		  In BIND 8, this specified the maximum number of host statistics
 		  entries to be kept.
-		  Not implemented in BIND 9.
+		  It is not implemented in BIND 9.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8303,8 +8259,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>recursive-clients</command></term>
 	      <listitem>
 		<para>
-		  The maximum number ("hard quota") of simultaneous
-		  recursive lookups the server will perform on behalf
+		  This sets the maximum number (a "hard quota") of simultaneous
+		  recursive lookups the server performs on behalf
 		  of clients.  The default is
 		  <literal>1000</literal>.  Because each recursing
 		  client uses a fair
@@ -8315,15 +8271,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		</para>
 		<para>
 		  <option>recursive-clients</option> defines a "hard
-		  quota" limit for pending recursive clients: when more
+		  quota" limit for pending recursive clients; when more
 		  clients than this are pending, new incoming requests
-		  will not be accepted, and for each incoming request
-		  a previous pending request will also be dropped.
+		  are not accepted, and for each incoming request
+		  a previous pending request is dropped.
 		</para>
 		<para>
 		  A "soft quota" is also set.  When this lower
 		  quota is exceeded, incoming requests are accepted, but
-		  for each one, a pending request will be dropped.
+		  for each one, a pending request is dropped.
 		  If <option>recursive-clients</option> is greater than
 		  1000, the soft quota is set to
 		  <option>recursive-clients</option> minus 100;
@@ -8337,43 +8293,43 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>tcp-clients</command></term>
 	      <listitem>
 		<para>
-		  The maximum number of simultaneous client TCP
-		  connections that the server will accept.
+		  This is the maximum number of simultaneous client TCP
+		  connections that the server accepts.
 		  The default is <literal>150</literal>.
 		</para>
 	      </listitem>
 	    </varlistentry>
 
 	    <varlistentry xml:id="clients-per-query">
-	      <term xml:id="cpq_term"><command>clients-per-query</command></term>
+	      <term xml:id="cpq_term"><command>clients-per-query</command></term>;
 	      <term><command>max-clients-per-query</command></term>
 	      <listitem>
 		<para>These set the
 		  initial value (minimum) and maximum number of recursive
 		  simultaneous clients for any given query
-		  (&lt;qname,qtype,qclass&gt;) that the server will accept
-		  before dropping additional clients.  <command>named</command> will attempt to
-		  self tune this value and changes will be logged.  The
+		  (&lt;qname,qtype,qclass&gt;) that the server accepts
+		  before dropping additional clients.  <command>named</command> attempts to
+		  self-tune this value and changes are logged.  The
 		  default values are 10 and 100.
 		</para>
 		<para>
 		  This value should reflect how many queries come in for
 		  a given name in the time it takes to resolve that name.
-		  If the number of queries exceed this value, <command>named</command> will
-		  assume that it is dealing with a non-responsive zone
-		  and will drop additional queries.  If it gets a response
-		  after dropping queries, it will raise the estimate.  The
-		  estimate will then be lowered in 20 minutes if it has
+		  If the number of queries exceeds this value, <command>named</command>
+		  assumes that it is dealing with a non-responsive zone
+		  and drops additional queries.  If it gets a response
+		  after dropping queries, it raises the estimate.  The
+		  estimate is then lowered in 20 minutes if it has
 		  remained unchanged.
 		</para>
 		<para>
 		  If <command>clients-per-query</command> is set to zero,
-		  then there is no limit on the number of clients per query
-		  and no queries will be dropped.
+		  there is no limit on the number of clients per query
+		  and no queries are dropped.
 		</para>
 		<para>
 		  If <command>max-clients-per-query</command> is set to zero,
-		  then there is no upper bound other than imposed by
+		  there is no upper bound other than imposed by
 		  <command>recursive-clients</command>.
 		</para>
 	      </listitem>
@@ -8383,9 +8339,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>fetches-per-zone</command></term>
 	      <listitem>
 		<para>
-		  The maximum number of simultaneous iterative
-		  queries to any one domain that the server will
-		  permit before blocking new queries for data
+		  This sets the maximum number of simultaneous iterative
+		  queries to any one domain that the server
+		  permits before blocking new queries for data
 		  in or beneath that zone.
 		  This value should reflect how many fetches would
 		  normally be sent to any one zone in the time it
@@ -8394,13 +8350,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		</para>
 		<para>
 		  When many clients simultaneously query for the
-		  same name and type, the clients will all be attached
+		  same name and type, the clients are all attached
 		  to the same fetch, up to the
 		  <option>max-clients-per-query</option> limit,
-		  and only one iterative query will be sent.
+		  and only one iterative query is sent.
 		  However, when clients are simultaneously
 		  querying for <emphasis>different</emphasis> names
-		  or types, multiple queries will be sent and
+		  or types, multiple queries are sent and
 		  <option>max-clients-per-query</option> is not
 		  effective as a limit.
 		</para>
@@ -8408,14 +8364,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  Optionally, this value may be followed by the keyword
 		  <literal>drop</literal> or <literal>fail</literal>,
 		  indicating whether queries which exceed the fetch
-		  quota for a zone will be dropped with no response,
+		  quota for a zone are dropped with no response,
 		  or answered with SERVFAIL.  The default is
 		  <literal>drop</literal>.
 		</para>
 		<para>
 		  If <command>fetches-per-zone</command> is set to zero,
-		  then there is no limit on the number of fetches per query
-		  and no queries will be dropped.  The default is zero.
+		  there is no limit on the number of fetches per query
+		  and no queries are dropped.  The default is zero.
 		</para>
 		<para>
 		  The current list of active fetches can be dumped by
@@ -8437,8 +8393,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>fetches-per-server</command></term>
 	      <listitem>
 		<para>
-		  The maximum number of simultaneous iterative
-		  queries that the server will allow to be sent to
+		  This sets the maximum number of simultaneous iterative
+		  queries that the server allows to be sent to
 		  a single upstream name server before blocking
 		  additional queries.
 		  This value should reflect how many fetches would
@@ -8449,16 +8405,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		<para>
 		  Optionally, this value may be followed by the keyword
 		  <literal>drop</literal> or <literal>fail</literal>,
-		  indicating whether queries will be dropped with no
-		  response, or answered with SERVFAIL, when all of the
+		  indicating whether queries are dropped with no
+		  response or answered with SERVFAIL, when all of the
 		  servers authoritative for a zone are found to have
 		  exceeded the per-server quota.  The default is
 		  <literal>fail</literal>.
 		</para>
 		<para>
 		  If <command>fetches-per-server</command> is set to zero,
-		  then there is no limit on the number of fetches per query
-		  and no queries will be dropped.  The default is zero.
+		  there is no limit on the number of fetches per query
+		  and no queries are dropped.  The default is zero.
 		</para>
 		<para>
 		  The <command>fetches-per-server</command> quota is
@@ -8483,7 +8439,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>fetch-quota-params</command></term>
 	      <listitem>
 		<para>
-		  Sets the parameters to use for dynamic resizing of
+		  This sets the parameters to use for dynamic resizing of
 		  the <option>fetches-per-server</option> quota in
 		  response to detected congestion.
 		</para>
@@ -8491,7 +8447,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  The first argument is an integer value indicating
 		  how frequently to recalculate the moving average
 		  of the ratio of timeouts to responses for each
-		  server.  The default is 100, meaning we recalculate
+		  server.  The default is 100, meaning that BIND recalculates
 		  the average ratio after every 100 queries have either
 		  been answered or timed out.
 		</para>
@@ -8507,7 +8463,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  events to weigh more heavily, smoothing out
 		  short-term blips in the timeout ratio.
 		  These arguments are all fixed-point numbers with
-		  precision of 1/100: at most two places after
+		  precision of 1/100; at most two places after
 		  the decimal point are significant.
 		</para>
 	      </listitem>
@@ -8517,14 +8473,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>reserved-sockets</command></term>
 	      <listitem>
 		<para>
-		  The number of file descriptors reserved for TCP, stdio,
+		  This sets the number of file descriptors reserved for TCP, stdio,
 		  etc.  This needs to be big enough to cover the number of
 		  interfaces <command>named</command> listens on plus
 		  <command>tcp-clients</command>, as well as
 		  to provide room for outgoing TCP queries and incoming zone
 		  transfers.  The default is <literal>512</literal>.
 		  The minimum value is <literal>128</literal> and the
-		  maximum value is <literal>128</literal> less than
+		  maximum value is <literal>128</literal> fewer than
 		  maxsockets (-S).  This option may be removed in the future.
 		</para>
 		<para>
@@ -8537,26 +8493,26 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-cache-size</command></term>
 	      <listitem>
 		<para>
-		  The maximum amount of memory to use for the
-		  server's cache, in bytes or % of total physical memory.
+		  This sets the maximum amount of memory to use for the
+		  server's cache, in bytes or percentage of total physical memory.
 		  When the amount of data in the cache
-		  reaches this limit, the server will cause records to
-		  expire prematurely based on an LRU based strategy so
+		  reaches this limit, the server causes records to
+		  expire prematurely, following an LRU-based strategy, so
 		  that the limit is not exceeded.
 		  The keyword <userinput>unlimited</userinput>,
-		  or the value 0, will place no limit on cache size;
-		  records will be purged from the cache only when their
+		  or the value 0, places no limit on the cache size;
+		  records are purged from the cache only when their
 		  TTLs expire.
-		  Any positive values less than 2MB will be ignored
+		  Any positive values less than 2MB are ignored
 		  and reset to 2MB.
 		  In a server with multiple views, the limit applies
 		  separately to the cache of each view.
 		  The default is <userinput>90%</userinput>.
-		  On systems where detection of amount of physical
-		  memory is not supported values represented as %
+		  On systems where detection of the amount of physical
+		  memory is not supported, values represented as a percentage
 		  fall back to unlimited.
 		  Note that the detection of physical memory is done only
-		  once at startup, so <command>named</command> will not
+		  once at startup, so <command>named</command> does not
 		  adjust the cache size if the amount of physical memory
 		  is changed during runtime.
 		</para>
@@ -8567,14 +8523,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>tcp-listen-queue</command></term>
 	      <listitem>
 		<para>
-		  The listen queue depth.  The default and minimum is 10.
-		  If the kernel supports the accept filter "dataready" this
+		  This sets the listen-queue depth.  The default and minimum is 10.
+		  If the kernel supports the accept filter "dataready", this
 		  also controls how
-		  many TCP connections that will be queued in kernel space
+		  many TCP connections are queued in kernel space
 		  waiting for
-		  some data before being passed to accept.  Nonzero values
-		  less than 10 will be silently raised. A value of 0 may also
-		  be used; on most platforms this sets the listen queue
+		  some data before being passed to accept.  Non-zero values
+		  less than 10 are silently raised. A value of 0 may also
+		  be used; on most platforms this sets the listen-queue
 		  length to a system-defined default value.
 		</para>
 	      </listitem>
@@ -8593,11 +8549,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <listitem>
 		<para>
 		  This interval is effectively obsolete.  Previously,
-		  the server would remove expired resource records
+		  the server removed expired resource records
 		  from the cache every <command>cleaning-interval</command> minutes.
 		  <acronym>BIND</acronym> 9 now manages cache
 		  memory in a more sophisticated manner and does not
-		  rely on the periodic cleaning any more.
+		  rely on periodic cleaning anymore.
 		  Specifying this option therefore has no effect on
 		  the server's behavior.
 		</para>
@@ -8608,13 +8564,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>heartbeat-interval</command></term>
 	      <listitem>
 		<para>
-		  The server will perform zone maintenance tasks
+		  The server performs zone maintenance tasks
 		  for all zones marked as <command>dialup</command> whenever this
 		  interval expires. The default is 60 minutes. Reasonable
 		  values are up
 		  to 1 day (1440 minutes).  The maximum value is 28 days
 		  (40320 minutes).
-		  If set to 0, no zone maintenance for these zones will occur.
+		  If set to 0, no zone maintenance for these zones occurs.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8623,19 +8579,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>interface-interval</command></term>
 	      <listitem>
 		<para>
-		  The server will scan the network interface list
+		  The server scans the network interface list
 		  every <command>interface-interval</command>
 		  minutes. The default
-		  is 60 minutes. The maximum value is 28 days (40320 minutes).
-		  If set to 0, interface scanning will only occur when
+		  is 60 minutes; the maximum value is 28 days (40320 minutes).
+		  If set to 0, interface scanning only occurs when
 		  the configuration file is loaded, or when
 		  <command>automatic-interface-scan</command> is enabled
 		  and supported by the operating system. After the scan, the
-		  server will begin listening for queries on any newly
+		  server begins listening for queries on any newly
 		  discovered interfaces (provided they are allowed by the
 		  <command>listen-on</command> configuration), and
-		  will
-		  stop listening on interfaces that have gone away.
+		  stops listening on interfaces that have gone away.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8644,14 +8599,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>statistics-interval</command></term>
 	      <listitem>
 		<para>
-		  Name server statistics will be logged
+		  Name server statistics are logged
 		  every <command>statistics-interval</command>
 		  minutes. The default is
-		  60. The maximum value is 28 days (40320 minutes).
-		  If set to 0, no statistics will be logged.
+		  60, and the maximum value is 28 days (40320 minutes).
+		  If set to 0, no statistics are logged.
 		  </para><note>
 		  <simpara>
-		    Not yet implemented in
+		    This option is not implemented in
 		    <acronym>BIND</acronym> 9.
 		  </simpara>
 		</note>
@@ -8664,7 +8619,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		<para>
 		  In BIND 8, this option indicated network topology
 		  so that preferential treatment could be given to
-		  the topologicaly closest name servers when sending
+		  the topologically closest name servers when sending
 		  queries. It is not implemented in BIND 9.
 		</para>
 	      </listitem>
@@ -8679,10 +8634,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	  <para>
 	    The response to a DNS query may consist of multiple resource
 	    records (RRs) forming a resource record set (RRset).  The name
-	    server will normally return the RRs within the RRset in an
+	    server normally returns the RRs within the RRset in an
 	    indeterminate order (but see the <command>rrset-order</command>
 	    statement in <xref linkend="rrset_ordering"/>).  The client
-	    resolver code should rearrange the RRs as appropriate, that is,
+	    resolver code should rearrange the RRs as appropriate: that is,
 	    using any addresses on the local net in preference to other
 	    addresses.  However, not all resolvers can do this or are
 	    correctly configured.  When a client is using a local server,
@@ -8694,37 +8649,37 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	  <para>
 	    The <command>sortlist</command> statement (see below) takes an
 	    <command>address_match_list</command> and interprets it in a
-	    special way.  Each top level statement in the
+	    special way.  Each top-level statement in the
 	    <command>sortlist</command> must itself be an explicit
 	    <command>address_match_list</command> with one or two elements.
 	    The first element (which may be an IP address, an IP prefix, an
-	    ACL name or a nested <command>address_match_list</command>) of
-	    each top level list is checked against the source address of
+	    ACL name, or a nested <command>address_match_list</command>) of
+	    each top-level list is checked against the source address of
 	    the query until a match is found. When the addresses in the
-	    first element overlap, the first rule to match gets selected.
+	    first element overlap, the first rule to match is selected.
 	  </para>
 	  <para>
 	    Once the source address of the query has been matched, if the
-	    top level statement contains only one element, the actual
+	    top-level statement contains only one element, the actual
 	    primitive element that matched the source address is used to
 	    select the address in the response to move to the beginning of
 	    the response. If the statement is a list of two elements, then
 	    the second element is interpreted as a topology preference
-	    list.  Each top level element is assigned a distance and the
+	    list.  Each top-level element is assigned a distance, and the
 	    address in the response with the minimum distance is moved to
 	    the beginning of the response.
 	  </para>
 	  <para>
 	    In the following example, any queries received from any of the
-	    addresses of the host itself will get responses preferring
+	    addresses of the host itself get responses preferring
 	    addresses on any of the locally connected networks. Next most
 	    preferred are addresses on the 192.168.1/24 network, and after
-	    that either the 192.168.2/24 or 192.168.3/24 network with no
+	    that either the 192.168.2/24 or 192.168.3/24 network, with no
 	    preference shown between these two networks. Queries received
-	    from a host on the 192.168.1/24 network will prefer other
+	    from a host on the 192.168.1/24 network prefer other
 	    addresses on that network to the 192.168.2/24 and 192.168.3/24
 	    networks. Queries received from a host on the 192.168.4/24 or
-	    the 192.168.5/24 network will only prefer other addresses on
+	    the 192.168.5/24 network only prefer other addresses on
 	    their directly connected networks.
 	  </para>
 
@@ -8753,14 +8708,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 };</programlisting>
 
 	  <para>
-	    The following example will give reasonable behavior for the
-	    local host and hosts on directly connected networks. It is
-	    similar to the behavior of the address sort in
-	    <acronym>BIND</acronym> 4.9.x. Responses sent to queries from
-	    the local host will favor any of the directly connected
+	    The following example illustrates reasonable behavior for the
+	    local host and hosts on directly connected networks. Responses sent to queries from
+	    the local host favor any of the directly connected
 	    networks. Responses sent to queries from any other hosts on a
-	    directly connected network will prefer addresses on that same
-	    network.  Responses to other queries will not be sorted.
+	    directly connected network prefer addresses on that same
+	    network.  Responses to other queries are not sorted.
 	  </para>
 
 <programlisting>sortlist {
@@ -8772,113 +8725,200 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	</section>
 	<section xml:id="rrset_ordering"><info><title xml:id="rrset_ordering_title">RRset Ordering</title></info>
 
-	  <para>
-	    When multiple records are returned in an answer it may be
-	    useful to configure the order of the records placed into the
-	    response.
-	    The <command>rrset-order</command> statement permits
-	    configuration
-	    of the ordering of the records in a multiple record response.
-	    See also the <command>sortlist</command> statement,
-	    <xref linkend="the_sortlist_statement"/>.
-	  </para>
-
-	  <para>
-	    An <command>order_spec</command> is defined as
-	    follows:
-	  </para>
-	  <para>
-	    <optional>class <replaceable>class_name</replaceable></optional>
-	    <optional>type <replaceable>type_name</replaceable></optional>
-	    <optional>name <replaceable>"domain_name"</replaceable></optional>
-	    order <replaceable>ordering</replaceable>
-	  </para>
-	  <para>
-	    If no class is specified, the default is <command>ANY</command>.
-	    If no type is specified, the default is <command>ANY</command>.
-	    If no name is specified, the default is "<command>*</command>" (asterisk).
-	  </para>
-	  <para>
-	    The legal values for <command>ordering</command> are:
-	  </para>
-	  <informaltable colsep="0" rowsep="0">
-	    <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-	      <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
-	      <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
-	      <tbody>
-		<row rowsep="0">
-		  <entry colname="1">
-		    <para><command>fixed</command></para>
-		  </entry>
-		  <entry colname="2">
-		    <para>
-		      Records are returned in the order they
-		      are defined in the zone file.
-		    </para>
-		  </entry>
-		</row>
-		<row rowsep="0">
-		  <entry colname="1">
-		    <para><command>random</command></para>
-		  </entry>
-		  <entry colname="2">
-		    <para>
-		      Records are returned in some random order.
-		    </para>
-		  </entry>
-		</row>
-		<row rowsep="0">
-		  <entry colname="1">
-		    <para><command>cyclic</command></para>
-		  </entry>
-		  <entry colname="2">
-		    <para>
-		      Records are returned in a cyclic round-robin order.
-		    </para>
-		    <para>
-		      If <acronym>BIND</acronym> is configured with the
-		      "--enable-fixed-rrset" option at compile time, then
-		      the initial ordering of the RRset will match the
-		      one specified in the zone file.
-		    </para>
-		  </entry>
-		</row>
-	      </tbody>
-	    </tgroup>
-	  </informaltable>
-	  <para>
-	    For example:
-	  </para>
+          <note>
+            <simpara>
+              While alternating the order of records in a DNS response between
+              subsequent queries is a known load distribution technique, certain
+              caveats apply (mostly stemming from caching) which usually make it
+              a suboptimal choice for load balancing purposes when used on its
+              own.
+            </simpara>
+          </note>
+
+          <para>
+            The <command>rrset-order</command> statement permits configuration
+            of the ordering of the records in a multiple-record response.  See
+            also: <xref linkend="the_sortlist_statement"/>.
+          </para>
+
+          <para>
+            Each rule in an <command>rrset-order</command> statement is defined
+            as follows:
+          </para>
+
+          <para>
+            <optional>class <replaceable>&lt;class_name&gt;</replaceable></optional>
+            <optional>type <replaceable>&lt;type_name&gt;</replaceable></optional>
+            <optional>name <replaceable>"&lt;domain_name&gt;"</replaceable></optional>
+            order <replaceable>&lt;ordering&gt;</replaceable>
+          </para>
+
+          <para>
+            The default qualifiers for each rule are:
+            <itemizedlist>
+              <listitem>
+                If no <command>class</command> is specified, the default is
+                <command>ANY</command>.
+              </listitem>
+              <listitem>
+                If no <command>type</command> is specified, the default is
+                <command>ANY</command>.
+              </listitem>
+              <listitem>
+                If no <command>name</command> is specified, the default is
+                <command>*</command> (asterisk).
+              </listitem>
+            </itemizedlist>
+          </para>
+
+          <para>
+            <replaceable>&lt;domain_name&gt;</replaceable> only matches the name
+            itself, not any of its subdomains.  To make a rule match all
+            subdomains of a given name, a wildcard name
+            (<replaceable>*.&lt;domain_name&gt;</replaceable>) must be used.
+            Note that <replaceable>*.&lt;domain_name&gt;</replaceable> does
+            <emphasis>not</emphasis> match
+            <replaceable>&lt;domain_name&gt;</replaceable> itself; to specify
+            RRset ordering for a name and all of its subdomains, two separate
+            rules must be defined: one for
+            <replaceable>&lt;domain_name&gt;</replaceable> and one for
+            <replaceable>*.&lt;domain_name&gt;</replaceable>.
+          </para>
+
+          <para>
+            The legal values for <replaceable>&lt;ordering&gt;</replaceable>
+            are:
+          </para>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>fixed</command></term>
+              <listitem>
+                <para>
+                  Records are returned in the order they are defined in the zone
+                  file.
+                </para>
+                <note>
+                  <simpara>
+                    The <command>fixed</command> option is only available if
+                    BIND is configured with
+                    <command>--enable-fixed-rrset</command> at compile time.
+                  </simpara>
+                </note>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>random</command></term>
+              <listitem>
+                <para>
+                  Records are returned in a random order.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>cyclic</command></term>
+              <listitem>
+                <para>
+                  Records are returned in a cyclic round-robin order, rotating
+                  by one record per query.
+                </para>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+          <para>
+            By default, records are returned in random order.
+          </para>
+
+          <para>
+            Note that if multiple <command>rrset-order</command> statements are
+            present in the configuration file (at both the
+            <command>options</command> and <command>view</command> levels), they
+            are <emphasis>not</emphasis> combined; instead, the more-specific
+            one (<command>view</command>) replaces the less-specific one
+            (<command>options</command>).
+          </para>
+
+          <para>
+            If multiple rules within a single <command>rrset-order</command>
+            statement match a given RRset, the first matching rule is applied.
+          </para>
+
+          <para>
+            Example:
+          </para>
 
 <programlisting>rrset-order {
-   class IN type A name "host.example.com" order random;
-   order cyclic;
+    type A name "foo.isc.org" order random;
+    type AAAA name "foo.isc.org" order cyclic;
+    name "bar.isc.org" order fixed;
+    name "*.bar.isc.org" order random;
+    name "*.baz.isc.org" order cyclic;
 };
 </programlisting>
 
-	  <para>
-	    will cause any responses for type A records in class IN that
-	    have "<literal>host.example.com</literal>" as a
-	    suffix, to always be returned
-	    in random order. All other records are returned in cyclic order.
-	  </para>
-	  <para>
-	    If multiple <command>rrset-order</command> statements
-	    appear, they are not combined — the last one applies.
-	  </para>
-	  <para>
-	    By default, all records are returned in random order.
-	  </para>
+          <para>
+            With the above configuration, the following RRset ordering is used:
+          </para>
+
+          <informaltable>
+            <tgroup cols="3">
+              <thead>
+                <row>
+                  <entry><para>QNAME</para></entry>
+                  <entry><para>QTYPE</para></entry>
+                  <entry><para>RRset Order</para></entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry><para><userinput>foo.isc.org</userinput></para></entry>
+                  <entry><para><userinput>A</userinput></para></entry>
+                  <entry><para><command>random</command></para></entry>
+                </row>
+                <row>
+                  <entry><para><userinput>foo.isc.org</userinput></para></entry>
+                  <entry><para><userinput>AAAA</userinput></para></entry>
+                  <entry><para><command>cyclic</command></para></entry>
+                </row>
+                <row>
+                  <entry><para><userinput>foo.isc.org</userinput></para></entry>
+                  <entry><para><userinput>TXT</userinput></para></entry>
+                  <entry><para><command>random</command></para></entry>
+                </row>
+                <row>
+                  <entry><para><userinput>sub.foo.isc.org</userinput></para></entry>
+                  <entry><para>all</para></entry>
+                  <entry><para><command>random</command></para></entry>
+                </row>
+                <row>
+                  <entry><para><userinput>bar.isc.org</userinput></para></entry>
+                  <entry><para>all</para></entry>
+                  <entry><para><command>fixed</command></para></entry>
+                </row>
+                <row>
+                  <entry><para><userinput>sub.bar.isc.org</userinput></para></entry>
+                  <entry><para>all</para></entry>
+                  <entry><para><command>random</command></para></entry>
+                </row>
+                <row>
+                  <entry><para><userinput>baz.isc.org</userinput></para></entry>
+                  <entry><para>all</para></entry>
+                  <entry><para><command>random</command></para></entry>
+                </row>
+                <row>
+                  <entry><para><userinput>sub.baz.isc.org</userinput></para></entry>
+                  <entry><para>all</para></entry>
+                  <entry><para><command>cyclic</command></para></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>
 
-	  <note>
-	    <simpara>
-	      In this release of <acronym>BIND</acronym> 9, the
-	      <command>rrset-order</command> statement does not support
-	      "fixed" ordering by default.  Fixed ordering can be enabled
-	      at compile time by specifying "--enable-fixed-rrset" on
-	      the "configure" command line.
-	    </simpara>
-	  </note>
 	</section>
 
 	<section xml:id="tuning"><info><title>Tuning</title></info>
@@ -8889,12 +8929,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>lame-ttl</command></term>
 	      <listitem>
 		<para>
-		  Sets the number of seconds to cache a
-		  lame server indication. 0 disables caching. (This is
-		  <emphasis role="bold">NOT</emphasis> recommended.)
-		  The default is <literal>600</literal> (10 minutes) and the
-		  maximum value is
-		  <literal>1800</literal> (30 minutes).
+		  This is always set to 0. More information is available
+		  in the <link xmlns:xlink="http://www.w3.org/1999/xlink"
+		  xlink:href="https://kb.isc.org/docs/cve-2021-25219">security advisory for CVE-2021-25219</link>.
 		</para>
 
 	      </listitem>
@@ -8904,7 +8941,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>servfail-ttl</command></term>
 	      <listitem>
 		<para>
-		  Sets the number of seconds to cache a
+		  This sets the number of seconds to cache a
 		  SERVFAIL response due to DNSSEC validation failure or
 		  other general server failure.  If set to
 		  <literal>0</literal>, SERVFAIL caching is disabled.
@@ -8915,7 +8952,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		</para>
 		<para>
 		  The maximum value is <literal>30</literal>
-		  seconds; any higher value will be silently
+		  seconds; any higher value is silently
 		  reduced. The default is <literal>1</literal>
 		  second.
 		</para>
@@ -8929,12 +8966,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  To reduce network traffic and increase performance,
 		  the server stores negative answers. <command>max-ncache-ttl</command> is
 		  used to set a maximum retention time for these answers in
-		  the server
+		  the server,
 		  in seconds. The default
 		  <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
 		  <command>max-ncache-ttl</command> cannot exceed
-		  7 days and will
-		  be silently truncated to 7 days if set to a greater value.
+		  7 days and is
+		  silently truncated to 7 days if set to a greater value.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8943,8 +8980,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-cache-ttl</command></term>
 	      <listitem>
 		<para>
-		  Sets the maximum time for which the server will
-		  cache ordinary (positive) answers in seconds.
+		  This sets the maximum time for which the server
+		  caches ordinary (positive) answers, in seconds.
 		  The default is 604800 (one week).
 		  A value of zero may cause all queries to return
 		  SERVFAIL, because of lost caches of intermediate
@@ -8958,65 +8995,45 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>min-roots</command></term>
 	      <listitem>
 		<para>
-		  The minimum number of root servers that
+		  This sets the minimum number of root servers that
 		  is required for a request for the root servers to be
 		  accepted. The default
 		  is <userinput>2</userinput>.
 		</para>
 		<note>
 		  <simpara>
-		    Not implemented in <acronym>BIND</acronym> 9.
+		    This is not implemented in <acronym>BIND</acronym> 9.
 		  </simpara>
 		</note>
 	      </listitem>
 	    </varlistentry>
 
 	    <varlistentry>
-	      <term><command>resolver-nonbackoff-tries</command></term>
-	      <listitem>
-		<para>
-		  Specifies how many retries occur before exponential
-		  backoff kicks in.  The default is <userinput>3</userinput>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>resolver-retry-interval</command></term>
-	      <listitem>
-		<para>
-		  The base retry interval in milliseconds.
-		  The default is <userinput>800</userinput>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
 	      <term><command>sig-validity-interval</command></term>
 	      <listitem>
 		<para>
-		  Specifies the number of days into the future when
-		  DNSSEC signatures automatically generated as a
+		  This specifies the number of days into the future that
+		  DNSSEC signatures that are automatically generated as a
 		  result of dynamic updates (<xref linkend="dynamic_update"/>) will expire.  There
 		  is an optional second field which specifies how
-		  long before expiry that the signatures will be
-		  regenerated.  If not specified, the signatures will
-		  be regenerated at 1/4 of base interval.  The second
+		  long before expiry that the signatures are
+		  regenerated.  If not specified, the signatures are
+		  regenerated at 1/4 of base interval.  The second
 		  field is specified in days if the base interval is
-		  greater than 7 days otherwise it is specified in hours.
-		  The default base interval is <literal>30</literal> days
+		  greater than 7 days; otherwise it is specified in hours.
+		  The default base interval is <literal>30</literal> days,
 		  giving a re-signing interval of 7 1/2 days.  The maximum
-		  values are 10 years (3660 days).
+		  value is 10 years (3660 days).
 		</para>
 		<para>
 		  The signature inception time is unconditionally
-		  set to one hour before the current time to allow
+		  set to one hour before the current time, to allow
 		  for a limited amount of clock skew.
 		</para>
 		<para>
 		  The <command>sig-validity-interval</command>
-		  should be, at least, several multiples of the SOA
-		  expire interval to allow for reasonable interaction
+		  should be at least several multiples of the SOA
+		  expire interval, to allow for reasonable interaction
 		  between the various timer and expiry dates.
 		</para>
 	      </listitem>
@@ -9026,8 +9043,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>sig-signing-nodes</command></term>
 	      <listitem>
 		<para>
-		  Specify the maximum number of nodes to be
-		  examined in each quantum when signing a zone with
+		  This specifies the maximum number of nodes to be
+		  examined in each quantum, when signing a zone with
 		  a new DNSKEY. The default is
 		  <literal>100</literal>.
 		</para>
@@ -9038,8 +9055,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>sig-signing-signatures</command></term>
 	      <listitem>
 		<para>
-		  Specify a threshold number of signatures that
-		  will terminate processing a quantum when signing
+		  This specifies a threshold number of signatures that
+		  terminates processing a quantum, when signing
 		  a zone with a new DNSKEY.  The default is
 		  <literal>10</literal>.
 		</para>
@@ -9050,27 +9067,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>sig-signing-type</command></term>
 	      <listitem>
 		<para>
-		  Specify a private RDATA type to be used when generating
-		  signing state records.  The default is
+		  This specifies a private RDATA type to be used when generating
+		  signing-state records.  The default is
 		  <literal>65534</literal>.
 		</para>
 		<para>
-		  It is expected that this parameter may be removed
-		  in a future version once there is a standard type.
+		  This parameter may be removed
+		  in a future version, once there is a standard type.
 		</para>
 		<para>
-		  Signing state records are used to internally by
+		  Signing-state records are used internally by
 		  <command>named</command> to track the current state of
 		  a zone-signing process, i.e., whether it is still active
 		  or has been completed.  The records can be inspected
 		  using the command
 		  <command>rndc signing -list <replaceable>zone</replaceable></command>.
 		  Once <command>named</command> has finished signing
-		  a zone with a particular key, the signing state
+		  a zone with a particular key, the signing-state
 		  record associated with that key can be removed from
 		  the zone by running
 		  <command>rndc signing -clear <replaceable>keyid/algorithm</replaceable> <replaceable>zone</replaceable></command>.
-		  To clear all of the completed signing state
+		  To clear all of the completed signing-state
 		  records for a zone, use
 		  <command>rndc signing -clear all <replaceable>zone</replaceable></command>.
 		</para>
@@ -9088,18 +9105,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  zone (querying for SOA changes) or retrying failed
 		  transfers.  Usually the SOA values for the zone are used,
 		  up to a hard-coded maximum expiry of 24 weeks. However,
-		  these values are set by the master, giving slave server
+		  these values are set by the primary, giving secondary server
 		  administrators little control over their contents.
 		</para>
 		<para>
 		  These options allow the administrator to set a minimum and
 		  maximum refresh and retry time in seconds per-zone,
 		  per-view, or globally.  These options are valid for
-		  slave and stub zones, and clamp the SOA refresh and
+		  secondary and stub zones, and clamp the SOA refresh and
 		  retry times to the specified values.
 		</para>
 		<para>
-		  The following defaults apply.
+		  The following defaults apply:
 		  <command>min-refresh-time</command> 300 seconds,
 		  <command>max-refresh-time</command> 2419200 seconds
 		  (4 weeks), <command>min-retry-time</command> 500 seconds,
@@ -9113,12 +9130,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>edns-udp-size</command></term>
 	      <listitem>
 		<para>
-		  Sets the maximum advertised EDNS UDP buffer size in
+		  This sets the maximum advertised EDNS UDP buffer size, in
 		  bytes, to control the size of packets received from
 		  authoritative servers in response to recursive queries.
-		  Valid values are 512 to 4096 (values outside this range
-		  will be silently adjusted to the nearest value within
-		  it).  The default value is 4096.
+		  Valid values are 512 to 4096; values outside this range
+		  are silently adjusted to the nearest value within
+		  it.  The default value is 1232.
 		</para>
 		<para>
 		  The usual reason for setting
@@ -9129,33 +9146,33 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		</para>
 		<para>
 		  When <command>named</command> first queries a remote
-		  server, it will advertise a UDP buffer size of 512, as
+		  server, it advertises a UDP buffer size of 512, as
 		  this has the greatest chance of success on the first try.
 		</para>
 		<para>
 		  If the initial response times out, <command>named</command>
-		  will try again with plain DNS, and if that is successful,
-		  it will be taken as evidence that the server does not
+		  tries again with plain DNS; if that is successful,
+		  it is taken as evidence that the server does not
 		  support EDNS. After enough failures using EDNS and
 		  successes using plain DNS, <command>named</command>
-		  will default to plain DNS for future communications
-		  with that server.  (Periodically, <command>named</command>
-		  will send an EDNS query to see if the situation has
-		  improved.)
+		  defaults to plain DNS for future communications
+		  with that server.  If that happens, <command>named</command>
+		  periodically sends an EDNS query to see if the situation has
+		  improved.
 		</para>
 		<para>
 		  However, if the initial query is successful with
 		  EDNS advertising a buffer size of 512, then
-		  <command>named</command> will advertise progressively
+		  <command>named</command> advertises progressively
 		  larger buffer sizes on successive queries, until
 		  responses begin timing out or
 		  <command>edns-udp-size</command> is reached.
 		</para>
 		<para>
 		  The default buffer sizes used by <command>named</command>
-		  are 512, 1232, 1432, and 4096, but never exceeding
+		  are 512, 1232, 1432, and 4096, but never exceed
 		  <command>edns-udp-size</command>.  (The values 1232 and
-		  1432 are chosen to allow for an IPv4/IPv6 encapsulated
+		  1432 are chosen to allow for an IPv4-/IPv6-encapsulated
 		  UDP message to be sent without fragmentation at the
 		  minimum MTU sizes for Ethernet and IPv6 networks.)
 		</para>
@@ -9166,11 +9183,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-udp-size</command></term>
 	      <listitem>
 		<para>
-		  Sets the maximum EDNS UDP message size
-		  <command>named</command> will send in bytes.
-		  Valid values are 512 to 4096 (values outside this
-		  range will be silently adjusted to the nearest
-		  value within it).  The default value is 4096.
+		  This sets the maximum EDNS UDP message size that
+		  <command>named</command> sends, in bytes.
+		  Valid values are 512 to 4096; values outside this
+		  range are silently adjusted to the nearest
+		  value within it.  The default value is 1232.
 		</para>
 		<para>
 		  This value applies to responses sent by a server; to
@@ -9180,15 +9197,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		<para>
 		  The usual reason for setting
 		  <command>max-udp-size</command> to a non-default
-		  value is to get UDP answers to pass through broken
+		  value is to allow UDP answers to pass through broken
 		  firewalls that block fragmented packets and/or
 		  block UDP packets that are greater than 512 bytes.
 		  This is independent of the advertised receive
 		  buffer (<command>edns-udp-size</command>).
 		</para>
 		<para>
-		  Setting this to a low value will encourage additional
-		  TCP traffic to the nameserver.
+		  Setting this to a low value encourages additional
+		  TCP traffic to the name server.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -9196,22 +9213,22 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    <varlistentry>
 	      <term><command>masterfile-format</command></term>
 	      <listitem>
-		<para>Specifies
+		<para>This specifies
 		  the file format of zone files (see
 		  <xref linkend="zonefile_format"/>).
 		  The default value is <constant>text</constant>, which is the
-		  standard textual representation, except for slave zones,
+		  standard textual representation, except for secondary zones,
 		  in which the default value is <constant>raw</constant>.
-		  Files in other formats than <constant>text</constant> are
+		  Files in formats other than <constant>text</constant> are
 		  typically expected to be generated by the
 		  <command>named-compilezone</command> tool, or dumped by
 		  <command>named</command>.
 		</para>
 		<para>
-		  Note that when a zone file in a different format than
+		  Note that when a zone file in a format other than
 		  <constant>text</constant> is loaded, <command>named</command>
 		  may omit some of the checks which would be performed for a
-		  file in the <constant>text</constant> format.  In particular,
+		  file in <constant>text</constant> format.  In particular,
 		  <command>check-names</command> checks do not apply
 		  for the <constant>raw</constant> format.  This means
 		  a zone file in the <constant>raw</constant> format
@@ -9237,14 +9254,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>masterfile-style</command></term>
 	      <listitem>
 		<para>
-		  Specifies the formatting of zone files during dump
+		  This specifies the formatting of zone files during dump,
 		  when the <option>masterfile-format</option> is
-		  <constant>text</constant>. (This option is ignored
-		  with any other <option>masterfile-format</option>.)
+		  <constant>text</constant>. This option is ignored
+		  with any other <option>masterfile-format</option>.
 		</para>
 		<para>
 		  When set to <constant>relative</constant>,
-		  records are printed in a multi-line format with owner
+		  records are printed in a multi-line format, with owner
 		  names expressed relative to a shared origin.  When set
 		  to <constant>full</constant>, records are printed in
 		  a single-line format with absolute owner names.
@@ -9262,12 +9279,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-recursion-depth</command></term>
 	      <listitem>
 		<para>
-		  Sets the maximum number of levels of recursion
+		  This sets the maximum number of levels of recursion
 		  that are permitted at any one time while servicing
 		  a recursive query. Resolving a name may require
 		  looking up a name server address, which in turn
-		  requires resolving another name, etc; if the number
-		  of indirections exceeds this value, the recursive
+		  requires resolving another name, etc.; if the number
+		  of recursions exceeds this value, the recursive
 		  query is terminated and returns SERVFAIL.  The
 		  default is 7.
 		</para>
@@ -9278,13 +9295,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-recursion-queries</command></term>
 	      <listitem>
 		<para>
-		  Sets the maximum number of iterative queries that
+		  This sets the maximum number of iterative queries that
 		  may be sent while servicing a recursive query.
 		  If more queries are sent, the recursive query
-		  is terminated and returns SERVFAIL. Queries to
-		  look up top level domains such as "com" and "net"
-		  and the DNS root zone are exempt from this limitation.
-		  The default is 75.
+		  is terminated and returns SERVFAIL.  The default is 100.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -9293,11 +9307,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>notify-delay</command></term>
 	      <listitem>
 		<para>
-		  The delay, in seconds, between sending sets of notify
-		  messages for a zone.  The default is five (5) seconds.
+		  This sets the delay, in seconds, between sending sets of NOTIFY
+		  messages for a zone.  The default is 5 seconds.
 		</para>
 		<para>
-		  The overall rate that NOTIFY messages are sent for all
+		  The overall rate at which NOTIFY messages are sent for all
 		  zones is controlled by <command>serial-query-rate</command>.
 		</para>
 	      </listitem>
@@ -9307,9 +9321,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-rsa-exponent-size</command></term>
 	      <listitem>
 		<para>
-		  The maximum RSA exponent size, in bits, that will
-		  be accepted when validating.  Valid values are 35
-		  to 4096 bits.  The default zero (0) is also accepted
+		  This sets the maximum RSA exponent size, in bits, that is
+		  accepted when validating.  Valid values are 35
+		  to 4096 bits.  The default, zero, is also accepted
 		  and is equivalent to 4096.
 		</para>
 	      </listitem>
@@ -9326,25 +9340,25 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  answer available.
 		</para>
 		<para>
-		  The <option>prefetch</option> specifies the
+		  <option>prefetch</option> specifies the
 		  "trigger" TTL value at which prefetch of the current
-		  query will take place: when a cache record with a
+		  query takes place; when a cache record with a
 		  lower TTL value is encountered during query processing,
-		  it will be refreshed.  Valid trigger TTL values are 1 to
-		  10 seconds.  Values larger than 10 seconds will be silently
+		  it is refreshed.  Valid trigger TTL values are 1 to
+		  10 seconds.  Values larger than 10 seconds are silently
 		  reduced to 10.
-		  Setting a trigger TTL to zero (0) causes
+		  Setting a trigger TTL to zero causes
 		  prefetch to be disabled.
 		  The default trigger TTL is <literal>2</literal>.
 		</para>
 		<para>
 		  An optional second argument specifies the "eligibility"
 		  TTL: the smallest <emphasis>original</emphasis>
-		  TTL value that will be accepted for a record to be
+		  TTL value that is accepted for a record to be
 		  eligible for prefetching.  The eligibility TTL must
 		  be at least six seconds longer than the trigger TTL;
-		  if it isn't, <command>named</command> will silently
-		  adjust it upward.
+		  if not, <command>named</command> silently
+		  adjusts it upward.
 		  The default eligibility TTL is <literal>9</literal>.
 		</para>
 	      </listitem>
@@ -9354,8 +9368,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>v6-bias</command></term>
 	      <listitem>
 		<para>
-		  When determining the next nameserver to try
-		  preference IPv6 nameservers by this many milliseconds.
+		  When determining the next name server to try,
+		  this indicates by how many milliseconds to prefer IPv6 name servers.
 		  The default is <literal>50</literal> milliseconds.
 		</para>
 	      </listitem>
@@ -9364,7 +9378,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 	</section>
 
-	<section xml:id="builtin"><info><title>Built-in server information zones</title></info>
+	<section xml:id="builtin"><info><title>Built-in Server Information Zones</title></info>
 
 	  <para>
 	    The server provides some helpful diagnostic information
@@ -9374,20 +9388,20 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    of a
 	    built-in view (see <xref linkend="view_statement_grammar"/>) of
 	    class
-	    <command>CHAOS</command> which is separate from the
+	    <command>CHAOS</command>, which is separate from the
 	    default view of class <command>IN</command>. Most global
 	    configuration options (<command>allow-query</command>,
-	    etc) will apply to this view, but some are locally
+	    etc.) apply to this view, but some are locally
 	    overridden: <command>notify</command>,
-	    <command>recursion</command> and
+	    <command>recursion</command>, and
 	    <command>allow-new-zones</command> are
 	    always set to <userinput>no</userinput>, and
 	    <command>rate-limit</command> is set to allow
 	    three responses per second.
 	  </para>
 	  <para>
-	    If you need to disable these zones, use the options
-	    below, or hide the built-in <command>CHAOS</command>
+	    To disable these zones, use the options
+	    below or hide the built-in <command>CHAOS</command>
 	    view by
 	    defining an explicit view of class <command>CHAOS</command>
 	    that matches all clients.
@@ -9399,13 +9413,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>version</command></term>
 	      <listitem>
 		<para>
-		  The version the server should report
+		  This is the version the server should report
 		  via a query of the name <literal>version.bind</literal>
-		  with type <command>TXT</command>, class <command>CHAOS</command>.
+		  with type <command>TXT</command> and class <command>CHAOS</command>.
 		  The default is the real version number of this server.
 		  Specifying <command>version none</command>
 		  disables processing of the queries.
 		</para>
+		<para>
+		  Setting <command>version</command> to any value
+		  (including <literal>none</literal>) also
+		  disables queries for <literal>authors.bind TXT CH</literal>.
+		</para>
 	      </listitem>
 	    </varlistentry>
 
@@ -9413,15 +9432,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>hostname</command></term>
 	      <listitem>
 		<para>
-		  The hostname the server should report via a query of
+		  This is the hostname the server should report via a query of
 		  the name <filename>hostname.bind</filename>
-		  with type <command>TXT</command>, class <command>CHAOS</command>.
+		  with type <command>TXT</command> and class <command>CHAOS</command>.
 		  This defaults to the hostname of the machine hosting the
-		  name server as
-		  found by the gethostname() function.  The primary purpose of such queries
+		  name server, as
+		  found by the <command>gethostname()</command> function.  The primary purpose of such queries
 		  is to
 		  identify which of a group of anycast servers is actually
-		  answering your queries.  Specifying <command>hostname none;</command>
+		  answering the queries.  Specifying <command>hostname none;</command>
 		  disables processing of the queries.
 		</para>
 	      </listitem>
@@ -9431,16 +9450,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>server-id</command></term>
 	      <listitem>
 		<para>
-		  The ID the server should report when receiving a Name
+		  This is the ID the server should report when receiving a Name
 		  Server Identifier (NSID) query, or a query of the name
 		  <filename>ID.SERVER</filename> with type
-		  <command>TXT</command>, class <command>CHAOS</command>.
+		  <command>TXT</command> and class <command>CHAOS</command>.
 		  The primary purpose of such queries is to
 		  identify which of a group of anycast servers is actually
-		  answering your queries.  Specifying <command>server-id none;</command>
+		  answering the queries.  Specifying <command>server-id none;</command>
 		  disables processing of the queries.
-		  Specifying <command>server-id hostname;</command> will cause <command>named</command> to
-		  use the hostname as found by the gethostname() function.
+		  Specifying <command>server-id hostname;</command> causes <command>named</command> to
+		  use the hostname as found by the <command>gethostname()</command> function.
 		  The default <command>server-id</command> is <command>none</command>.
 		</para>
 	      </listitem>
@@ -9454,22 +9473,22 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 	  <para>
 	    The <command>named</command> server has some built-in
-	    empty zones (SOA and NS records only).
+	    empty zones, for SOA and NS records only.
 	    These are for zones that should normally be answered locally
 	    and which queries should not be sent to the Internet's root
 	    servers.  The official servers which cover these namespaces
 	    return NXDOMAIN responses to these queries.  In particular,
 	    these cover the reverse namespaces for addresses from
-	    RFC 1918, RFC 4193, RFC 5737 and RFC 6598.  They also include the
-	    reverse namespace for IPv6 local address (locally assigned),
-	    IPv6 link local addresses, the IPv6 loopback address and the
+	    RFC 1918, RFC 4193, RFC 5737, and RFC 6598.  They also include the
+	    reverse namespace for the IPv6 local address (locally assigned),
+	    IPv6 link local addresses, the IPv6 loopback address, and the
 	    IPv6 unknown address.
 	  </para>
 	  <para>
-	    The server will attempt to determine if a built-in zone
+	    The server attempts to determine if a built-in zone
 	    already exists or is active (covered by a forward-only
-	    forwarding declaration) and will not create an empty
-	    zone in that case.
+	    forwarding declaration) and does not create an empty
+	    zone if either is true.
 	  </para>
 	  <para>
 	    The current list of empty zones is:
@@ -9576,38 +9595,38 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    </itemizedlist>
 	  </para>
 	  <para>
-	    Empty zones are settable at the view level and only apply to
+	    Empty zones can be set at the view level and only apply to
 	    views of class IN.  Disabled empty zones are only inherited
 	    from options if there are no disabled empty zones specified
 	    at the view level.  To override the options list of disabled
-	    zones, you can disable the root zone at the view level, for example:
+	    zones, disable the root zone at the view level. For example:
 <programlisting>
 	    disable-empty-zone ".";
 </programlisting>
 	  </para>
 	  <para>
-	    If you are using the address ranges covered here, you should
-	    already have reverse zones covering the addresses you use.
-	    In practice this appears to not be the case with many queries
+	    If using the address ranges covered here,
+	    reverse zones covering the addresses should already be in place.
+	    In practice this appears to not be the case, with many queries
 	    being made to the infrastructure servers for names in these
-	    spaces.  So many in fact that sacrificial servers were needed
+	    spaces.  So many, in fact, that sacrificial servers had
 	    to be deployed to channel the query load away from the
 	    infrastructure servers.
 	  </para>
 	  <note><simpara>
 	    The real parent servers for these zones should disable all
-	    empty zone under the parent zone they serve.  For the real
-	    root servers, this is all built-in empty zones.  This will
-	    enable them to return referrals to deeper in the tree.
+	    empty zones under the parent zone they serve.  For the real
+	    root servers, this is all built-in empty zones.  This
+	    enables them to return referrals to deeper in the tree.
 	  </simpara></note>
 	  <variablelist>
 	    <varlistentry>
 	      <term><command>empty-server</command></term>
 	      <listitem>
 		<para>
-		  Specify what server name will appear in the returned
-		  SOA record for empty zones.  If none is specified, then
-		  the zone's name will be used.
+		  This specifies the server name that appears in the returned
+		  SOA record for empty zones.  If none is specified,
+		  the zone's name is used.
 		</para>
 	       </listitem>
 	    </varlistentry>
@@ -9616,9 +9635,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>empty-contact</command></term>
 	      <listitem>
 		<para>
-		  Specify what contact name will appear in the returned
-		  SOA record for empty zones.  If none is specified, then
-		  "." will be used.
+		  This specifies the contact name that appears in the returned
+		  SOA record for empty zones.  If none is specified,
+		  "." is used.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -9627,7 +9646,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>empty-zones-enable</command></term>
 	      <listitem>
 		<para>
-		  Enable or disable all empty zones.  By default, they
+		  This enables or disables all empty zones.  By default, they
 		  are enabled.
 		</para>
 	      </listitem>
@@ -9637,7 +9656,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    <term><command>disable-empty-zone</command></term>
 	      <listitem>
 		<para>
-		  Disable individual empty zones.  By default, none are
+		  This disables individual empty zones.  By default, none are
 		  disabled.  This option can be specified multiple times.
 		</para>
 	      </listitem>
@@ -9651,8 +9670,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	  <para>
 	    The additional section cache, also called <command>acache</command>,
 	    is an internal cache to improve the response performance of BIND 9.
-	    When additional section caching is enabled, BIND 9 will
-	    cache an internal short-cut to the additional section content for
+	    When additional section caching is enabled, BIND 9
+	    caches an internal shortcut to the additional section content for
 	    each answer RR.
 	    Note that <command>acache</command> is an internal caching
 	    mechanism of BIND 9, and is not related to the DNS caching
@@ -9662,19 +9681,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	  <para>
 	    Additional section caching does not change the
 	    response content (except the RRsets ordering of the additional
-	    section, see below), but can improve the response performance
+	    section; see below), but can improve the response performance
 	    significantly.
 	    It is particularly effective when BIND 9 acts as an authoritative
 	    server for a zone that has many delegations with many glue RRs.
 	  </para>
 
 	  <para>
-	    In order to obtain the maximum performance improvement
+	    To obtain the maximum performance improvement
 	    from additional section caching, setting
 	    <command>additional-from-cache</command>
 	    to <command>no</command> is recommended, since the current
 	    implementation of <command>acache</command>
-	    does not short-cut of additional section information from the
+	    does not shortcut additional section information from the
 	    DNS cache data.
 	  </para>
 
@@ -9683,13 +9702,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    that it requires much more
 	    memory for the internal cached data.
 	    Thus, if the response performance does not matter and memory
-	    consumption is much more critical, the
+	    consumption is more critical, the
 	    <command>acache</command> mechanism can be
 	    disabled by setting <command>acache-enable</command> to
 	    <command>no</command>.
 	    It is also possible to specify the upper limit of memory
 	    consumption
-	    for acache by using <command>max-acache-size</command>.
+	    for <command>acache</command> by using <command>max-acache-size</command>.
 	  </para>
 
 	  <para>
@@ -9697,16 +9716,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    RRset ordering in the additional section.
 	    Without <command>acache</command>,
 	    <command>cyclic</command> order is effective for the additional
-	    section as well as the answer and authority sections.
+	    section as well as for the answer and authority sections.
 	    However, additional section caching fixes the ordering when it
 	    first caches an RRset for the additional section, and the same
-	    ordering will be kept in succeeding responses, regardless of the
+	    ordering is kept in succeeding responses, regardless of the
 	    setting of <command>rrset-order</command>.
 	    The effect of this should be minor, however, since an
 	    RRset in the additional section
 	    typically only contains a small number of RRs (and in many cases
-	    it only contains a single RR), in which case the
-	    ordering does not matter much.
+	    only a single RR), so the
+	    ordering is not significant.
 	  </para>
 
 	  <para>
@@ -9730,11 +9749,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>acache-cleaning-interval</command></term>
 	      <listitem>
 		<para>
-		  The server will remove stale cache entries, based on an LRU
-		  based
+		  The server removes stale cache entries, based on an LRU-based
 		  algorithm, every <command>acache-cleaning-interval</command> minutes.
 		  The default is 60 minutes.
-		  If set to 0, no periodic cleaning will occur.
+		  If set to 0, no periodic cleaning occurs.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -9743,14 +9761,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <term><command>max-acache-size</command></term>
 	      <listitem>
 		<para>
-		  The maximum amount of memory in bytes to use for the server's acache.
+		  This is the maximum amount of memory, in bytes, to use for the server's acache.
 		  When the amount of data in the acache reaches this limit,
 		  the server
-		  will clean more aggressively so that the limit is not
+		  cleans more aggressively so that the limit is not
 		  exceeded.
 		  In a server with multiple views, the limit applies
 		  separately to the
-		  acache of each view.
+		  <command>acache</command> of each view.
 		  The default is <literal>16M</literal>.
 		</para>
 	      </listitem>
@@ -9764,7 +9782,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 	  <para>
 	    <acronym>BIND</acronym> 9 provides the ability to filter
-	    out DNS responses from external DNS servers containing
+	    out responses from external DNS servers containing
 	    certain types of data in the answer section.
 	    Specifically, it can reject address (A or AAAA) records if
 	    the corresponding IPv4 or IPv6 addresses match the given
@@ -9779,18 +9797,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    the <varname>name_list</varname> elements.
 	    If the optional <varname>namelist</varname> is specified
 	    with <command>except-from</command>, records whose query name
-	    matches the list will be accepted regardless of the filter
+	    matches the list are accepted regardless of the filter
 	    setting.
 	    Likewise, if the alias name is a subdomain of the
 	    corresponding zone, the <command>deny-answer-aliases</command>
-	    filter will not apply;
+	    filter does not apply;
 	    for example, even if "example.com" is specified for
 	    <command>deny-answer-aliases</command>,
 	  </para>
 <programlisting>www.example.com. CNAME xxx.example.com.</programlisting>
 
 	  <para>
-	    returned by an "example.com" server will be accepted.
+	    returned by an "example.com" server is accepted.
 	  </para>
 
 	  <para>
@@ -9799,35 +9817,35 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    <varname>ip_addr</varname>
 	    and <varname>ip_prefix</varname>
 	    are meaningful;
-	    any <varname>key_id</varname> will be silently ignored.
+	    any <varname>key_id</varname> is silently ignored.
 	  </para>
 
 	  <para>
 	    If a response message is rejected due to the filtering,
 	    the entire message is discarded without being cached, and
-	    a SERVFAIL error will be returned to the client.
+	    a SERVFAIL error is returned to the client.
 	  </para>
 
 	  <para>
 	    This filtering is intended to prevent "DNS rebinding attacks," in
 	    which an attacker, in response to a query for a domain name the
-	    attacker controls, returns an IP address within your own network or
-	    an alias name within your own domain.
+	    attacker controls, returns an IP address within the user's own network or
+	    an alias name within the user's own domain.
 	    A naive web browser or script could then serve as an
 	    unintended proxy, allowing the attacker
-	    to get access to an internal node of your local network
-	    that couldn't be externally accessed otherwise.
+	    to get access to an internal node of the local network
+	    that could not be externally accessed otherwise.
 	    See the paper available at
-	    <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://portal.acm.org/citation.cfm?id=1315245.1315298">
-	    http://portal.acm.org/citation.cfm?id=1315245.1315298
+	    <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://dl.acm.org/doi/10.1145/1315245.1315298">
+	    https://dl.acm.org/doi/10.1145/1315245.1315298
 	    </link>
-	    for more details about the attacks.
+	    for more details about these attacks.
 	  </para>
 
 	  <para>
-	    For example, if you own a domain named "example.net" and
-	    your internal network uses an IPv4 prefix 192.0.2.0/24,
-	    you might specify the following rules:
+	    For example, with a domain named "example.net" and
+	    an internal network using an IPv4 prefix 192.0.2.0/24,
+	    an administrator might specify the following rules:
 	  </para>
 
 <programlisting>deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
@@ -9835,7 +9853,7 @@ deny-answer-aliases { "example.net"; };
 </programlisting>
 
 	  <para>
-	    If an external attacker lets a web browser in your local
+	    If an external attacker let a web browser in the local
 	    network look up an IPv4 address of "attacker.example.com",
 	    the attacker's DNS server would return a response like this:
 	  </para>
@@ -9845,35 +9863,35 @@ deny-answer-aliases { "example.net"; };
 	  <para>
 	    in the answer section.
 	    Since the rdata of this record (the IPv4 address) matches
-	    the specified prefix 192.0.2.0/24, this response will be
+	    the specified prefix 192.0.2.0/24, this response would be
 	    ignored.
 	  </para>
 
 	  <para>
-	    On the other hand, if the browser looks up a legitimate
+	    On the other hand, if the browser looked up a legitimate
 	    internal web server "www.example.net" and the
-	    following response is returned to
-	    the <acronym>BIND</acronym> 9 server
+	    following response were returned to
+	    the <acronym>BIND</acronym> 9 server:
 	  </para>
 
 <programlisting>www.example.net. A 192.0.2.2</programlisting>
 
 	  <para>
-	    it will be accepted since the owner name "www.example.net"
+	    it would be accepted, since the owner name "www.example.net"
 	    matches the <command>except-from</command> element,
 	    "example.net".
 	  </para>
 
 	  <para>
 	    Note that this is not really an attack on the DNS per se.
-	    In fact, there is nothing wrong for an "external" name to
-	    be mapped to your "internal" IP address or domain name
-	    from the DNS point of view.
-	    It might actually be provided for a legitimate purpose,
+	    In fact, there is nothing wrong with having an "external" name
+	    mapped to an "internal" IP address or domain name
+	    from the DNS point of view;
+	    it might actually be provided for a legitimate purpose,
 	    such as for debugging.
 	    As long as the mapping is provided by the correct owner,
-	    it is not possible or does not make sense to detect
-	    whether the intent of the mapping is legitimate or not
+	    it either is not possible or does not make sense to detect
+	    whether the intent of the mapping is legitimate
 	    within the DNS.
 	    The "rebinding" attack must primarily be protected at the
 	    application that uses the DNS.
@@ -9881,15 +9899,15 @@ deny-answer-aliases { "example.net"; };
 	    all possible applications at once.
 	    This filtering feature is provided only to help such an
 	    operational environment;
-	    it is generally discouraged to turn it on unless you are
-	    very sure you have no other choice and the attack is a
-	    real threat for your applications.
+	    turning it on is generally discouraged unless there is
+	    no other choice and the attack is a
+	    real threat to applications.
 	  </para>
 
 	  <para>
-	    Care should be particularly taken if you want to use this
+	    Care should be particularly taken if using this
 	    option for addresses within 127.0.0.0/8.
-	    These addresses are obviously "internal", but many
+	    These addresses are obviously "internal," but many
 	    applications conventionally rely on a DNS mapping from
 	    some name to such an address.
 	    Filtering out DNS records containing this address
@@ -9902,7 +9920,7 @@ deny-answer-aliases { "example.net"; };
 	  <para>
 	    <acronym>BIND</acronym> 9 includes a limited
 	    mechanism to modify DNS responses for requests
-	    analogous to email anti-spam DNS blacklists.
+	    analogous to email anti-spam DNS rejection lists.
 	    Responses can be changed to deny the existence of domains (NXDOMAIN),
 	    deny the existence of IP addresses for domains (NODATA),
 	    or contain other IP addresses or data.
@@ -9911,7 +9929,7 @@ deny-answer-aliases { "example.net"; };
 	  <para>
 	    Response policy zones are named in the
 	    <command>response-policy</command> option for the view or among the
-	    global options if there is no response-policy option for the view.
+	    global options if there is no <command>response-policy</command> option for the view.
 	    Response policy zones are ordinary DNS zones containing RRsets
 	    that can be queried normally if allowed.
 	    It is usually best to restrict those queries with something like
@@ -9932,9 +9950,9 @@ deny-answer-aliases { "example.net"; };
 
 	  <para>
 	    Rules encoded in response policy zones are processed after
-	    <link linkend="access_control">Access Control Lists
+	    those defined in <link linkend="access_control">Access Control Lists
 	    (ACLs)</link>.  All queries from clients which are not
-	    permitted access to the resolver will be answered with a
+	    permitted access to the resolver are answered with a
 	    status code of REFUSED, regardless of configured RPZ rules.
 	  </para>
 
@@ -9949,13 +9967,13 @@ deny-answer-aliases { "example.net"; };
 		    DNS client.
 		    Client IP address triggers are encoded in records that have
 		    owner names that are subdomains of
-		    <command>rpz-client-ip</command> relativized to the
-		    policy zone origin name
+		    <command>rpz-client-ip</command>, relativized to the
+		    policy zone origin name,
 		    and encode an address or address block.
 		    IPv4 addresses are represented as
 		    <userinput>prefixlength.B4.B3.B2.B1.rpz-client-ip</userinput>.
 		    The IPv4 prefix length must be between 1 and 32.
-		    All four bytes, B4, B3, B2, and B1, must be present.
+		    All four bytes - B4, B3, B2, and B1 - must be present.
 		    B4 is the decimal value of the least significant byte of the
 		    IPv4 address as in IN-ADDR.ARPA.
 		  </para>
@@ -9964,14 +9982,14 @@ deny-answer-aliases { "example.net"; };
 		    IPv6 addresses are encoded in a format similar
 		    to the standard IPv6 text representation,
 		    <userinput>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip</userinput>.
-		    Each of W8,...,W1 is a one to four digit hexadecimal number
+		    Each of W8,...,W1 is a one- to four-digit hexadecimal number
 		    representing 16 bits of the IPv6 address as in the standard
 		    text representation of IPv6 addresses, but reversed as in
 		    IP6.ARPA. (Note that this representation of IPv6
 		    address is different from IP6.ARPA where each hex
 		    digit occupies a label.)
 		    All 8 words must be present except when one set of consecutive
-		    zero words is replaced with <userinput>.zz.</userinput>
+		    zero words is replaced with <userinput>.zz.</userinput>,
 		    analogous to double colons (::) in standard IPv6 text
 		    encodings.
 		    The IPv6 prefix length must be between 1 and 128.
@@ -9998,7 +10016,7 @@ deny-answer-aliases { "example.net"; };
 		  <para>
 		    IP triggers are IP addresses in an
 		    A or AAAA record in the ANSWER section of a response.
-		    They are encoded like client-IP triggers except as
+		    They are encoded like client-IP triggers, except as
 		    subdomains of <command>rpz-ip</command>.
 		  </para>
 		</listitem>
@@ -10010,13 +10028,38 @@ deny-answer-aliases { "example.net"; };
 		  <para>
 		    NSDNAME triggers match names of authoritative servers
 		    for the query name, a parent of the query name, a CNAME for
-		    query name, or a parent of a CNAME.
+		    the query name, or a parent of a CNAME.
 		    They are encoded as subdomains of
-		    <command>rpz-nsdname</command> relativized
+		    <command>rpz-nsdname</command>, relativized
 		    to the RPZ origin name.
 		    NSIP triggers match IP addresses in A and
 		    AAAA RRsets for domains that can be checked against NSDNAME
-		    policy records.
+		    policy records.  The
+		    <command>nsdname-enable</command> phrase turns NSDNAME
+		    triggers off or on for a single policy zone or for all
+		    zones.
+		  </para>
+		</listitem>
+		<listitem>
+		  <para>
+		    If authoritative nameservers for the query name are not
+		    yet known, <command>named</command> recursively
+		    looks up the authoritative servers for the query name
+		    before applying an RPZ-NSDNAME rule,
+		    which can cause a processing delay. To speed up
+		    processing at the cost of precision, the
+		    <command>nsdname-wait-recurse</command> option
+		    can be used; when set to <userinput>no</userinput>,
+		    RPZ-NSDNAME rules are only applied when authoritative
+		    servers for the query name have already been looked up and
+		    cached.  If authoritative servers for the query name
+		    are not in the cache, the RPZ-NSDNAME rule is
+		    ignored, but the authoritative servers for the query name
+		    are looked up in the background and the rule is
+		    applied to subsequent queries. The default is
+		    <userinput>yes</userinput>, meaning RPZ-NSDNAME
+		    rules are always applied, even if authoritative
+		    servers for the query name need to be looked up first.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -10031,25 +10074,25 @@ deny-answer-aliases { "example.net"; };
 		    NSDNAME and NSIP triggers are checked only for names with at
 		    least <command>min-ns-dots</command> dots.
 		    The default value of <command>min-ns-dots</command> is
-		    1, to exclude top level domains.
+		    1, to exclude top-level domains.
 		  </para>
 		  <para>
 		    If a name server's IP address is not yet known,
-		    <command>named</command> will recursively look up
-		    the IP address before applying an RPZ-NSIP rule.
-		    This can cause a processing delay. To speed up
+		    <command>named</command> recursively looks up
+		    the IP address before applying an RPZ-NSIP rule,
+		    which can cause a processing delay. To speed up
 		    processing at the cost of precision, the
 		    <command>nsip-wait-recurse</command> option
 		    can be used: when set to <userinput>no</userinput>,
-		    RPZ-NSIP rules will only be applied when a name
-		    servers's IP address has already been looked up and
+		    RPZ-NSIP rules are only applied when a name
+		    server's IP address has already been looked up and
 		    cached.  If a server's IP address is not in the
-		    cache, then the RPZ-NSIP rule will be ignored,
-		    but the address will be looked up in the
-		    background, and the rule will be applied
+		    cache, the RPZ-NSIP rule is ignored,
+		    but the address is looked up in the
+		    background and the rule is applied
 		    to subsequent queries.  The default is
 		    <userinput>yes</userinput>, meaning RPZ-NSIP
-		    rules should always be applied even if an
+		    rules are always applied, even if an
 		    address needs to be looked up first.
 		  </para>
 		</listitem>
@@ -10063,7 +10106,7 @@ deny-answer-aliases { "example.net"; };
 	    Because DNS responses are rewritten according to at most one
 	    policy record, a single record encoding an action (other than
 	    <command>DISABLED</command> actions) must be chosen.
-	    Triggers or the records that encode them are chosen for the
+	    Triggers, or the records that encode them, are chosen for
 	    rewriting in the following order:
 	    <orderedlist inheritnum="ignore" continuation="restarts">
 	      <listitem>Choose the triggered record in the zone that appears
@@ -10094,8 +10137,8 @@ deny-answer-aliases { "example.net"; };
 	  </para>
 
 	  <para>
-	    RPZ record sets are any types of DNS record except
-	    DNAME or DNSSEC that encode actions or responses to
+	    RPZ record sets are any types of DNS record, except
+	    DNAME or DNSSEC, that encode actions or responses to
 	    individual queries.
 	    Any of the policies can be used with any of the triggers.
 	    For example, while the <command>TCP-only</command> policy is
@@ -10107,7 +10150,7 @@ deny-answer-aliases { "example.net"; };
 		<term><command>PASSTHRU</command></term>
 		<listitem>
 		  <para>
-		    The whitelist policy is specified
+		    The auto-acceptance policy is specified
 		    by a CNAME whose target is <command>rpz-passthru</command>.
 		    It causes the response to not be rewritten
 		    and is most often used to "poke holes" in policies for
@@ -10120,7 +10163,7 @@ deny-answer-aliases { "example.net"; };
 		<term><command>DROP</command></term>
 		<listitem>
 		  <para>
-		    The blacklist policy is specified
+		    The auto-rejection policy is specified
 		    by a CNAME whose target is <command>rpz-drop</command>.
 		    It causes the response to be discarded.
 		    Nothing is sent to the DNS client.
@@ -10145,7 +10188,7 @@ deny-answer-aliases { "example.net"; };
 		<term><command>NXDOMAIN</command></term>
 		<listitem>
 		  <para>
-		    The domain undefined response is encoded
+		    The "domain undefined" response is encoded
 		    by a CNAME whose target is the root domain (.)
 		  </para>
 		</listitem>
@@ -10155,9 +10198,9 @@ deny-answer-aliases { "example.net"; };
 		<term><command>NODATA</command></term>
 		<listitem>
 		  <para>
-		    The empty set of resource records is specified by
+		    The empty set of resource records is specified by a
 		    CNAME whose target is the wildcard top-level
-		    domain (*.).
+		    domain (<literal>*.</literal>).
 		    It rewrites the response to NODATA or ANCOUNT=0.
 		  </para>
 		</listitem>
@@ -10175,10 +10218,10 @@ deny-answer-aliases { "example.net"; };
 		  <para>
 		    A special form of local data is a CNAME whose target is a
 		    wildcard such as *.example.com.
-		    It is used as if were an ordinary CNAME after the asterisk (*)
+		    It is used as if an ordinary CNAME after the asterisk (*)
 		    has been replaced with the query name.
-		    The purpose for this special form is query logging in the
-		    walled garden's authority DNS server.
+		    This special form is useful for query logging in the
+		    walled garden's authoritative DNS server.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -10210,12 +10253,12 @@ deny-answer-aliases { "example.net"; };
 		    The testing override policy causes policy zone records to do
 		    nothing but log what they would have done if the
 		    policy zone were not disabled.
-		    The response to the DNS query will be written (or not)
+		    The response to the DNS query is written (or not)
 		    according to any triggered policy records that are not
 		    disabled.
 		    Disabled policy zones should appear first,
-		    because they will often not be logged
-		    if a higher precedence trigger is found first.
+		    because they are often not logged
+		    if a higher-precedence trigger is found first.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -10229,7 +10272,7 @@ deny-answer-aliases { "example.net"; };
 		<term><command>NODATA</command></term>
 		<listitem>
 		  <para>
-		    override with the corresponding per-record policy.
+		    each override the corresponding per-record policy.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -10249,8 +10292,8 @@ deny-answer-aliases { "example.net"; };
 	  <para>
 	    By default, the actions encoded in a response policy zone
 	    are applied only to queries that ask for recursion (RD=1).
-	    That default can be changed for a single policy zone or
-	    all response policy zones in a view
+	    That default can be changed for a single policy zone, or for
+	    all response policy zones in a view,
 	    with a <command>recursive-only no</command> clause.
 	    This feature is useful for serving the same zone files
 	    both inside and outside an RFC 1918 cloud and using RPZ to
@@ -10261,7 +10304,7 @@ deny-answer-aliases { "example.net"; };
 	  <para>
 	    Also by default, RPZ actions are applied only to DNS requests
 	    that either do not request DNSSEC metadata (DO=0) or when no
-	    DNSSEC records are available for request name in the original
+	    DNSSEC records are available for the requested name in the original
 	    zone (not the response policy zone).  This default can be
 	    changed for all response policy zones in a view with a
 	    <command>break-dnssec yes</command> clause.  In that case, RPZ
@@ -10271,27 +10314,27 @@ deny-answer-aliases { "example.net"; };
 	  </para>
 
 	  <para>
-	    No DNS records are needed for a QNAME or Client-IP trigger.
-	    The name or IP address itself is sufficient,
+	    No DNS records are needed for a QNAME or Client-IP trigger;
+	    the name or IP address itself is sufficient,
 	    so in principle the query name need not be recursively resolved.
 	    However, not resolving the requested
-	    name can leak the fact that response policy rewriting is in use
-	    and that the name is listed in a policy zone to operators of
+	    name can leak the fact that response policy rewriting is in use,
+	    and that the name is listed in a policy zone, to operators of
 	    servers for listed names.  To prevent that information leak, by
 	    default any recursion needed for a request is done before any
 	    policy triggers are considered.  Because listed domains often
-	    have slow authoritative servers, this default behavior can cost
+	    have slow authoritative servers, this behavior can cost
 	    significant time.
 	    The <command>qname-wait-recurse no</command> option
 	    overrides that default behavior when recursion cannot
 	    change a non-error response.
 	    The option does not affect QNAME or client-IP triggers
 	    in policy zones listed
-	    after other zones containing IP, NSIP and NSDNAME triggers, because
+	    after other zones containing IP, NSIP, and NSDNAME triggers, because
 	    those may depend on the A, AAAA, and NS records that would be
 	    found during recursive resolution.  It also does not affect
 	    DNSSEC requests (DO=1) unless <command>break-dnssec yes</command>
-	    is in use, because the response would depend on whether or not
+	    is in use, because the response would depend on whether
 	    RRSIG records were found during resolution.
 	    Using this option can cause error responses such as SERVFAIL to
 	    appear to be rewritten, since no recursion is being done to
@@ -10300,22 +10343,22 @@ deny-answer-aliases { "example.net"; };
 
 	  <para>
 	    The TTL of a record modified by RPZ policies is set from the
-	    TTL of the relevant record in policy zone.  It is then limited
+	    TTL of the relevant record in the policy zone.  It is then limited
 	    to a maximum value.
 	    The <command>max-policy-ttl</command> clause changes the
-	    maximum seconds from its default of 5.
+	    maximum number of seconds from its default of 5.
 	  </para>
 
 	  <para>
-	    For example, you might use this option statement
+	    For example, an administrator might use this option statement:
 	  </para>
 <programlisting>    response-policy { zone "badlist"; };</programlisting>
 	  <para>
-	    and this zone statement
+	    and this zone statement:
 	  </para>
 <programlisting>    zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</programlisting>
 	  <para>
-	    with this zone file
+	    with this zone file:
 	  </para>
 <programlisting>$TTL 1H
 @                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
@@ -10346,7 +10389,7 @@ ok.domain.com           CNAME   rpz-passthru.
 ns.domain.com.rpz-nsdname   CNAME   .
 48.zz.2.2001.rpz-nsip       CNAME   .
 
-; blacklist and whitelist some DNS clients
+; auto-reject and auto-accept some DNS clients
 112.zz.2001.rpz-client-ip    CNAME   rpz-drop.
 8.0.0.0.127.rpz-client-ip    CNAME   rpz-drop.
 
@@ -10362,12 +10405,12 @@ example.com                 CNAME   rpz-tcp-only.
 	    perform one to four additional database lookups before a
 	    query can be answered.
 	    For example, a DNS server with four policy zones, each with all
-	    four kinds of response triggers, QNAME, IP, NSIP, and
-	    NSDNAME, requires a total of 17 times as many database
+	    four kinds of response triggers (QNAME, IP, NSIP, and
+	    NSDNAME), requires a total of 17 times as many database
 	    lookups as a similar DNS server with no response policy zones.
-	    A <acronym>BIND9</acronym> server with adequate memory and one
+	    A <acronym>BIND</acronym> 9 server with adequate memory and one
 	    response policy zone with QNAME and IP triggers might achieve a
-	    maximum queries-per-second rate about 20% lower.
+	    maximum queries-per-second (QPS) rate about 20% lower.
 	    A server with four response policy zones with QNAME and IP
 	    triggers might have a maximum QPS rate about 50% lower.
 	  </para>
@@ -10387,22 +10430,22 @@ example.com                 CNAME   rpz-tcp-only.
 	<section xml:id="rrl"><info><title>Response Rate Limiting</title></info>
 
 	  <para>
-	    Excessive almost identical UDP <emphasis>responses</emphasis>
+	    Excessive, almost identical UDP <emphasis>responses</emphasis>
 	    can be controlled by configuring a
 	    <command>rate-limit</command> clause in an
 	    <command>options</command> or <command>view</command> statement.
 	    This mechanism keeps authoritative BIND 9 from being used
-	    in amplifying reflection denial of service (DoS) attacks.
-	    Short truncated (TC=1) responses can be sent to provide
+	    to amplify reflection denial of service (DoS) attacks.
+	    Short, truncated (TC=1) responses can be sent to provide
 	    rate-limited responses to legitimate clients within
 	    a range of forged, attacked IP addresses.
-	    Legitimate clients react to dropped or truncated response
-	    by retrying with UDP or with TCP respectively.
+	    Legitimate clients react to dropped or truncated responses
+	    by retrying with UDP or with TCP, respectively.
 	  </para>
 
 	  <para>
 	    This mechanism is intended for authoritative DNS servers.
-	    It can be used on recursive servers but can slow
+	    It can be used on recursive servers, but can slow
 	    applications such as SMTP servers (mail receivers) and
 	    HTTP clients (web browsers) that repeatedly request the
 	    same domains.
@@ -10412,13 +10455,13 @@ example.com                 CNAME   rpz-tcp-only.
 	  <para>
 	    Response rate limiting uses a "credit" or "token bucket" scheme.
 	    Each combination of identical response and client
-	    has a conceptual account that earns a specified number
+	    has a conceptual "account" that earns a specified number
 	    of credits every second.
 	    A prospective response debits its account by one.
 	    Responses are dropped or truncated
 	    while the account is negative.
 	    Responses are tracked within a rolling window of time
-	    which defaults to 15 seconds, but can be configured with
+	    which defaults to 15 seconds, but which can be configured with
 	    the <command>window</command> option to any value from
 	    1 to 3600 seconds (1 hour).
 	    The account cannot become more positive than
@@ -10426,7 +10469,7 @@ example.com                 CNAME   rpz-tcp-only.
 	    or more negative than <command>window</command>
 	    times the per-second limit.
 	    When the specified number of credits for a class of
-	    responses is set to 0, those responses are not rate limited.
+	    responses is set to 0, those responses are not rate-limited.
 	  </para>
 
 	  <para>
@@ -10434,7 +10477,7 @@ example.com                 CNAME   rpz-tcp-only.
 	    for rate limiting are not simplistic.
 	    All responses to an address block are counted as if to a
 	    single client.
-	    The prefix lengths of addresses blocks are
+	    The prefix lengths of address blocks are
 	    specified with <command>ipv4-prefix-length</command> (default 24)
 	    and <command>ipv6-prefix-length</command> (default 56).
 	  </para>
@@ -10457,7 +10500,7 @@ example.com                 CNAME   rpz-tcp-only.
 	    This controls some attacks using random names, but
 	    can be relaxed or turned off (set to 0)
 	    on servers that expect many legitimate
-	    NXDOMAIN responses, such as from anti-spam blacklists.
+	    NXDOMAIN responses, such as from anti-spam rejection lists.
 	    Referrals or delegations to the server of a given
 	    domain are identical and are limited by
 	    <command>referrals-per-second</command>
@@ -10493,22 +10536,22 @@ example.com                 CNAME   rpz-tcp-only.
 	    Setting <command>slip</command> to 2 (its default) causes every
 	    other UDP request to be answered with a small truncated (TC=1)
 	    response.
-	    The small size and reduced frequency, and so lack of
+	    The small size and reduced frequency, and resulting lack of
 	    amplification, of "slipped" responses make them unattractive
 	    for reflection DoS attacks.
 	    <command>slip</command> must be between 0 and 10.
-	    A value of 0 does not "slip":
-	    no truncated responses are sent due to rate limiting,
-	    all responses are dropped.
+	    A value of 0 does not "slip";
+	    no truncated responses are sent due to rate limiting.
+	    Rather, all responses are dropped.
 	    A value of 1 causes every response to slip;
-	    values between 2 and 10 cause every n'th response to slip.
-	    Some error responses including REFUSED and SERVFAIL
+	    values between 2 and 10 cause every nth response to slip.
+	    Some error responses, including REFUSED and SERVFAIL,
 	    cannot be replaced with truncated responses and are instead
 	    leaked at the <command>slip</command> rate.
 	  </para>
 
 	  <para>
-	    (NOTE: Dropped responses from an authoritative server may
+	    (Note: dropped responses from an authoritative server may
 	    reduce the difficulty of a third party successfully forging
 	    a response to a recursive resolver. The best security
 	    against forged responses is for authoritative operators
@@ -10522,11 +10565,11 @@ example.com                 CNAME   rpz-tcp-only.
 	  </para>
 
 	  <para>
-	    When the approximate query per second rate exceeds
+	    When the approximate query-per-second rate exceeds
 	    the <command>qps-scale</command> value,
-	    then the <command>responses-per-second</command>,
+	    the <command>responses-per-second</command>,
 	    <command>errors-per-second</command>,
-	    <command>nxdomains-per-second</command> and
+	    <command>nxdomains-per-second</command>, and
 	    <command>all-per-second</command> values are reduced by the
 	    ratio of the current rate to the <command>qps-scale</command> value.
 	    This feature can tighten defenses during attacks.
@@ -10535,19 +10578,19 @@ example.com                 CNAME   rpz-tcp-only.
 	    a total query rate of 1000 queries/second for all queries from
 	    all DNS clients including via TCP,
 	    then the effective responses/second limit changes to
-	    (250/1000)*20 or 5.
+	    (250/1000)*20, or 5.
 	    Responses sent via TCP are not limited
-	    but are counted to compute the query per second rate.
+	    but are counted to compute the query-per-second rate.
 	  </para>
 
 	  <para>
 	    Communities of DNS clients can be given their own parameters or no
 	    rate limiting by putting
 	    <command>rate-limit</command> statements in <command>view</command>
-	    statements instead of the global <command>option</command>
+	    statements instead of in the global <command>option</command>
 	    statement.
 	    A <command>rate-limit</command> statement in a view replaces,
-	    rather than supplementing, a <command>rate-limit</command>
+	    rather than supplements, a <command>rate-limit</command>
 	    statement among the main options.
 	    DNS clients within a view can be exempted from rate limits
 	    with the <command>exempt-clients</command> clause.
@@ -10559,7 +10602,7 @@ example.com                 CNAME   rpz-tcp-only.
 	    limiting is unlike the rate limiting provided by
 	    <command>responses-per-second</command>,
 	    <command>errors-per-second</command>, and
-	    <command>nxdomains-per-second</command> on a DNS server
+	    <command>nxdomains-per-second</command> on a DNS server,
 	    which are often invisible to the victim of a DNS
 	    reflection attack.  Unless the forged requests of the
 	    attack are the same as the legitimate requests of the
@@ -10574,11 +10617,11 @@ example.com                 CNAME   rpz-tcp-only.
 	    server for NS, PTR, A, and AAAA records as the incoming
 	    SMTP/TCP/IP connection is considered.  The SMTP server
 	    can need additional NS, A, AAAA, MX, TXT, and SPF records
-	    as it considers the STMP <command>Mail From</command>
+	    as it considers the SMTP <command>Mail From</command>
 	    command.  Web browsers often repeatedly resolve the
-	    same names that are repeated in HTML &lt;IMG&gt; tags
+	    same names that are duplicated in HTML &lt;IMG&gt; tags
 	    in a page.  <command>all-per-second</command> is similar
-	    to the rate limiting offered by firewalls but often
+	    to the rate limiting offered by firewalls but is often
 	    inferior.  Attacks that justify ignoring the contents
 	    of DNS responses are likely to be attacks on the DNS
 	    server itself.  They usually should be discarded before
@@ -10589,7 +10632,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 	  <para>
 	    The maximum size of the table used to track requests and
-	    rate limit responses is set with <command>max-table-size</command>.
+	    rate-limit responses is set with <command>max-table-size</command>.
 	    Each entry in the table is between 40 and 80 bytes.
 	    The table needs approximately as many entries as the number
 	    of requests received per second.
@@ -10603,7 +10646,7 @@ example.com                 CNAME   rpz-tcp-only.
 	  </para>
 
 	  <para>
-	    Use <command>log-only yes</command> to test rate limiting parameters
+	    Use <command>log-only yes</command> to test rate-limiting parameters
 	    without actually dropping any requests.
 	  </para>
 
@@ -10616,16 +10659,16 @@ example.com                 CNAME   rpz-tcp-only.
 	  </para>
 	</section>
 
-	<section title="NXDOMAIN Redirection"><info/>
+	<section xml:id="nxdomain_redirect"><info><title>NXDOMAIN Redirection</title></info>
 	  <para>
-	    Named supports NXDOMAIN redirection via two methods:
+	    <command>named</command> supports NXDOMAIN redirection via two methods:
 	    <itemizedlist>
 	      <listitem>Redirect zone <xref linkend="zone_statement_grammar"/></listitem>
 	      <listitem>Redirect namespace</listitem>
 	    </itemizedlist>
 	  </para>
 	  <para>
-	    With both methods when named gets a NXDOMAIN response
+	    With either method, when <command>named</command> gets an NXDOMAIN response
 	    it examines a separate namespace to see if the NXDOMAIN
 	    response should be replaced with an alternative response.
 	  </para>
@@ -10638,13 +10681,13 @@ example.com                 CNAME   rpz-tcp-only.
 	  </para>
 	  <para>
 	    With a redirect namespace (<command>option { nxdomain-redirect
-	    &lt;suffix&gt; };</command>) the data used to replace the
+	    &lt;suffix&gt; };</command>), the data used to replace the
 	    NXDOMAIN is part of the normal namespace and is looked up by
 	    appending the specified suffix to the original query name.
 	    This roughly doubles the cache required to process NXDOMAIN
-	    responses as you have the original NXDOMAIN response and
-	    the replacement data or a NXDOMAIN indicating that there
-	    is no replacement.
+	    responses, as both the original NXDOMAIN response and
+	    the replacement data (or a NXDOMAIN indicating that there
+	    is no replacement) must be stored.
 	  </para>
 	  <para>
 	    If both a redirect zone and a redirect namespace are configured,
@@ -10666,7 +10709,7 @@ example.com                 CNAME   rpz-tcp-only.
 	    to be associated with a remote name server.  If a prefix length is
 	    specified, then a range of servers is covered.  Only the most
 	    specific
-	    server clause applies regardless of the order in
+	    server clause applies, regardless of the order in
 	    <filename>named.conf</filename>.
 	  </para>
 
@@ -10687,22 +10730,22 @@ example.com                 CNAME   rpz-tcp-only.
 	  </para>
 
 	  <para>
-	    If you discover that a remote server is giving out bad data,
-	    marking it as bogus will prevent further queries to it. The
+	    If a remote server is giving out bad data,
+	    marking it as bogus prevents further queries to it. The
 	    default
 	    value of <command>bogus</command> is <command>no</command>.
 	  </para>
 	  <para>
 	    The <command>provide-ixfr</command> clause determines
 	    whether
-	    the local server, acting as master, will respond with an
+	    the local server, acting as primary, responds with an
 	    incremental
-	    zone transfer when the given remote server, a slave, requests it.
+	    zone transfer when the given remote server, a secondary, requests it.
 	    If set to <command>yes</command>, incremental transfer
-	    will be provided
+	    is provided
 	    whenever possible. If set to <command>no</command>,
 	    all transfers
-	    to the remote server will be non-incremental. If not set, the
+	    to the remote server are non-incremental. If not set, the
 	    value
 	    of the <command>provide-ixfr</command> option in the
 	    view or
@@ -10712,16 +10755,16 @@ example.com                 CNAME   rpz-tcp-only.
 	  <para>
 	    The <command>request-ixfr</command> clause determines
 	    whether
-	    the local server, acting as a slave, will request incremental zone
-	    transfers from the given remote server, a master. If not set, the
+	    the local server, acting as a secondary, requests incremental zone
+	    transfers from the given remote server, a primary. If not set, the
 	    value of the <command>request-ixfr</command> option in
 	    the view or global options block is used as a default. It may
-	    also be set in the zone block and, if set there, it will
-	    override the global or view setting for that zone.
+	    also be set in the zone block; if set there, it
+	    overrides the global or view setting for that zone.
 	  </para>
 
 	  <para>
-	    IXFR requests to servers that do not support IXFR will
+	    IXFR requests to servers that do not support IXFR
 	    automatically
 	    fall back to AXFR.  Therefore, there is no need to manually list
 	    which servers support IXFR and which ones do not; the global
@@ -10730,17 +10773,17 @@ example.com                 CNAME   rpz-tcp-only.
 	    The purpose of the <command>provide-ixfr</command> and
 	    <command>request-ixfr</command> clauses is
 	    to make it possible to disable the use of IXFR even when both
-	    master
-	    and slave claim to support it, for example if one of the servers
+	    primary
+	    and secondary claim to support it: for example, if one of the servers
 	    is buggy and crashes or corrupts data when IXFR is used.
 	  </para>
 
 	  <para>
 	    The <command>request-expire</command> clause determines
-	    whether the local server, when acting as a slave, will
-	    request the EDNS EXPIRE value.  The EDNS EXPIRE value
-	    indicates the remaining time before the zone data will
-	    expire and need to be be refreshed.  This is used
+	    whether the local server, when acting as a secondary,
+	    requests the EDNS EXPIRE value.  The EDNS EXPIRE value
+	    indicates the remaining time before the zone data
+	    expires and needs to be refreshed.  This is used
 	    when a secondary server transfers a zone from another
 	    secondary server; when transferring from the primary, the
 	    expiration timer is set from the EXPIRE field of the SOA
@@ -10750,7 +10793,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 	  <para>
 	    The <command>edns</command> clause determines whether
-	    the local server will attempt to use EDNS when communicating
+	    the local server attempts to use EDNS when communicating
 	    with the remote server.  The default is <command>yes</command>.
 	  </para>
 
@@ -10758,44 +10801,44 @@ example.com                 CNAME   rpz-tcp-only.
 	    The <command>edns-udp-size</command> option sets the
 	    EDNS UDP size that is advertised by <command>named</command>
 	    when querying the remote server.  Valid values are 512
-	    to 4096 bytes (values outside this range will be silently
-	    adjusted to the nearest value within it).  This option
-	    is useful when you wish to advertise a different value
-	    to this server than the value you advertise globally,
+	    to 4096 bytes; values outside this range are silently
+	    adjusted to the nearest value within it.  This option
+	    is useful when advertising a different value
+	    to this server than the value advertised globally:
 	    for example, when there is a firewall at the remote
-	    site that is blocking large replies. (Note: Currently,
+	    site that is blocking large replies. Note: currently,
 	    this sets a single UDP size for all packets sent to the
-	    server; <command>named</command> will not deviate from
+	    server; <command>named</command> does not deviate from
 	    this value.  This differs from the behavior of
 	    <command>edns-udp-size</command> in <command>options</command>
 	    or <command>view</command> statements, where it specifies
 	    a maximum value. The <command>server</command> statement
 	    behavior may be brought into conformance with the
-	    <command>options/view</command> behavior in future releases.)
+	    <command>options/view</command> behavior in future releases.
 	  </para>
 
 	  <para>
 	    The <command>edns-version</command> option sets the
-	    maximum EDNS VERSION that will be sent to the server(s)
+	    maximum EDNS VERSION that is sent to the server(s)
 	    by the resolver.  The actual EDNS version sent is still
-	    subject to normal EDNS version negotiation rules (see
+	    subject to normal EDNS version-negotiation rules (see
 	    RFC 6891), the maximum EDNS version supported by the
 	    server, and any other heuristics that indicate that a
 	    lower version should be sent.  This option is intended
 	    to be used when a remote server reacts badly to a given
 	    EDNS version or higher; it should be set to the highest
 	    version the remote server is known to support.  Valid
-	    values are 0 to 255; higher values will be silently
-	    adjusted.  This option will not be needed until higher
+	    values are 0 to 255; higher values are silently
+	    adjusted.  This option is not needed until higher
 	    EDNS versions than 0 are in use.
 	  </para>
 
 	  <para>
 	    The <command>max-udp-size</command> option sets the
 	    maximum EDNS UDP message size <command>named</command>
-	    will send.  Valid values are 512 to 4096 bytes (values
-	    outside this range will be silently adjusted).  This
-	    option is useful when you know that there is a firewall
+	    sends.  Valid values are 512 to 4096 bytes; values
+	    outside this range are silently adjusted.  This
+	    option is useful when there is a firewall
 	    that is blocking large replies from <command>named</command>.
 	  </para>
 
@@ -10809,15 +10852,12 @@ example.com                 CNAME   rpz-tcp-only.
 	  <para>
 	    The server supports two zone transfer methods. The first, <command>one-answer</command>,
 	    uses one DNS message per resource record transferred. <command>many-answers</command> packs
-	    as many resource records as possible into a message. <command>many-answers</command> is
-	    more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
-	    8.x, and patched versions of <acronym>BIND</acronym>
-	    4.9.5. You can specify which method
-	    to use for a server with the <command>transfer-format</command> option.
-	    If <command>transfer-format</command> is not
-	    specified, the <command>transfer-format</command>
+	    as many resource records as possible into a single message, which is
+	    more efficient. It is possible to specify which method
+	    to use for a server via the <command>transfer-format</command> option;
+	    If not set there, the <command>transfer-format</command>
 	    specified
-	    by the <command>options</command> statement will be
+	    by the <command>options</command> statement is
 	    used.
 	  </para>
 
@@ -10835,7 +10875,7 @@ example.com                 CNAME   rpz-tcp-only.
 	    to be used for transaction security (TSIG, <xref linkend="tsig"/>)
 	    when talking to the remote server.
 	    When a request is sent to the remote server, a request signature
-	    will be generated using the key specified here and appended to the
+	    is generated using the key specified here and appended to the
 	    message. A request originating from the remote server is not
 	    required
 	    to be signed by this key.
@@ -10849,8 +10889,7 @@ example.com                 CNAME   rpz-tcp-only.
 	    The <command>transfer-source</command> and
 	    <command>transfer-source-v6</command> clauses specify
 	    the IPv4 and IPv6 source
-	    address to be used for zone transfer with the remote server,
-	    respectively.
+	    address, respectively, to be used for zone transfer with the remote server.
 	    For an IPv4 remote server, only <command>transfer-source</command> can
 	    be specified.
 	    Similarly, for an IPv6 remote server, only
@@ -10865,8 +10904,8 @@ example.com                 CNAME   rpz-tcp-only.
 	  <para>
 	    The <command>notify-source</command> and
 	    <command>notify-source-v6</command> clauses specify the
-	    IPv4 and IPv6 source address to be used for notify
-	    messages sent to remote servers, respectively.  For an
+	    IPv4 and IPv6 source address, respectively, to be used for notify
+	    messages sent to remote servers.  For an
 	    IPv4 remote server, only <command>notify-source</command>
 	    can be specified.  Similarly, for an IPv6 remote server,
 	    only <command>notify-source-v6</command> can be specified.
@@ -10875,8 +10914,8 @@ example.com                 CNAME   rpz-tcp-only.
 	  <para>
 	    The <command>query-source</command> and
 	    <command>query-source-v6</command> clauses specify the
-	    IPv4 and IPv6 source address to be used for queries
-	    sent to remote servers, respectively.  For an IPv4
+	    IPv4 and IPv6 source address, respectively, to be used for queries
+	    sent to remote servers.  For an IPv4
 	    remote server, only <command>query-source</command> can
 	    be specified.  Similarly, for an IPv6 remote server,
 	    only <command>query-source-v6</command> can be specified.
@@ -10884,7 +10923,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 	  <para>
 	    The <command>request-nsid</command> clause determines
-	    whether the local server will add a NSID EDNS option
+	    whether the local server adds an NSID EDNS option
 	    to requests sent to the server.  This overrides
 	    <command>request-nsid</command> set at the view or
 	    option level.
@@ -10892,7 +10931,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 	  <para>
 	    The <command>send-cookie</command> clause determines
-	    whether the local server will add a COOKIE EDNS option
+	    whether the local server adds a COOKIE EDNS option
 	    to requests sent to the server.  This overrides
 	    <command>send-cookie</command> set at the view or
 	    option level.  The <command>named</command> server may
@@ -10911,19 +10950,19 @@ example.com                 CNAME   rpz-tcp-only.
 	<para>
 	  The <command>statistics-channels</command> statement
 	  declares communication channels to be used by system
-	  administrators to get access to statistics information of
+	  administrators to get access to statistics information on
 	  the name server.
 	</para>
 
 	<para>
-	  This statement intends to be flexible to support multiple
+	  This statement is intended to be flexible to support multiple
 	  communication protocols in the future, but currently only
 	  HTTP access is supported.
 	  It requires that BIND 9 be compiled with libxml2 and/or
 	  json-c (also known as libjson0); the
 	  <command>statistics-channels</command> statement is
 	  still accepted even if it is built without the library,
-	  but any HTTP access will fail with an error.
+	  but any HTTP access fails with an error.
 	</para>
 
 	<para>
@@ -10932,7 +10971,7 @@ example.com                 CNAME   rpz-tcp-only.
 	  specified <command>ip_addr</command>, which can be an IPv4 or IPv6
 	  address.  An <command>ip_addr</command> of <literal>*</literal>
 	  (asterisk) is
-	  interpreted as the IPv4 wildcard address; connections will be
+	  interpreted as the IPv4 wildcard address; connections are
 	  accepted on any of the system's IPv4 addresses.
 	  To listen on the IPv6 wildcard address,
 	  use an <command>ip_addr</command> of <literal>::</literal>.
@@ -10940,12 +10979,12 @@ example.com                 CNAME   rpz-tcp-only.
 
 	<para>
 	  If no port is specified, port 80 is used for HTTP channels.
-	  The asterisk "<literal>*</literal>" cannot be used for
+	  The asterisk (<literal>*</literal>) cannot be used for
 	  <command>ip_port</command>.
 	</para>
 
 	<para>
-	  The attempt of opening a statistics channel is
+	  Attempts to open a statistics channel are
 	  restricted by the optional <command>allow</command> clause.
 	  Connections to the statistics channel are permitted based on the
 	  <command>address_match_list</command>.
@@ -10959,20 +10998,20 @@ example.com                 CNAME   rpz-tcp-only.
 
 	<para>
 	  If no <command>statistics-channels</command> statement is present,
-	  <command>named</command> will not open any communication channels.
+	  <command>named</command> does not open any communication channels.
 	</para>
 
 	<para>
-	  The statistics are available in various formats and views
+	  The statistics are available in various formats and views,
 	  depending on the URI used to access them.  For example, if
 	  the statistics channel is configured to listen on 127.0.0.1
 	  port 8888, then the statistics are accessible in XML format at
 	  <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://127.0.0.1:8888/">http://127.0.0.1:8888/</link> or
 	  <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://127.0.0.1:8888/xml">http://127.0.0.1:8888/xml</link>. A CSS file is
-	  included which can format the XML statistics into tables
+	  included, which can format the XML statistics into tables
 	  when viewed with a stylesheet-capable browser, and into
 	  charts and graphs using the Google Charts API when using a
-	  javascript-capable browser.
+	  JavaScript-capable browser.
 	</para>
 
 	<para>
@@ -11027,31 +11066,31 @@ example.com                 CNAME   rpz-tcp-only.
 	    cannot be securely obtained through DNS, either because
 	    it is the DNS root zone or because its parent zone is
 	    unsigned.  Once a key has been configured as a trusted
-	    key, it is treated as if it had been validated and
+	    key, it is treated as if it has been validated and
 	    proven secure. The resolver attempts DNSSEC validation
 	    on all DNS data in subdomains of a security root.
 	  </para>
 	  <para>
 	    All keys (and corresponding zones) listed in
 	    <command>trusted-keys</command> are deemed to exist regardless
-	    of what parent zones say.  Similarly for all keys listed in
-	    <command>trusted-keys</command> only those keys are
+	    of what parent zones say.  Similarly, for all keys listed in
+	    <command>trusted-keys</command>, only those keys are
 	    used to validate the DNSKEY RRset.  The parent's DS RRset
-	    will not be used.
+	    is not used.
 	  </para>
 	  <para>
 	    The <command>trusted-keys</command> statement can contain
 	    multiple key entries, each consisting of the key's
-	    domain name, flags, protocol, algorithm, and the Base64
+	    domain name, flags, protocol, and algorithm, and the Base64
 	    representation of the key data.
-	    Spaces, tabs, newlines and carriage returns are ignored
-	    in the key data, so the configuration may be split up into
+	    Spaces, tabs, newlines, and carriage returns are ignored
+	    in the key data, so the configuration may be split into
 	    multiple lines.
 	  </para>
 	  <para>
 	    <command>trusted-keys</command> may be set at the top level
 	    of <filename>named.conf</filename> or within a view.  If it is
-	    set in both places, they are additive: keys defined at the top
+	    set in both places, they are additive; keys defined at the top
 	    level are inherited by all views, but keys defined in a view
 	    are only used within that view.
 	  </para>
@@ -11071,7 +11110,7 @@ example.com                 CNAME   rpz-tcp-only.
 	    The <command>managed-keys</command> statement, like
 	    <command>trusted-keys</command>, defines DNSSEC
 	    security roots.  The difference is that
-	    <command>managed-keys</command> can be kept up to date
+	    <command>managed-keys</command> can be kept up-to-date
 	    automatically, without intervention from the resolver
 	    operator.
 	  </para>
@@ -11080,19 +11119,19 @@ example.com                 CNAME   rpz-tcp-only.
 	    key was compromised, and the zone owner had to revoke and
 	    replace the key.  A resolver which had the old key in a
 	    <command>trusted-keys</command> statement would be
-	    unable to validate this zone any longer; it would
+	    unable to validate this zone; it would
 	    reply with a SERVFAIL response code.  This would
-	    continue until the resolver operator had updated the
+	    continue until the resolver operator updated the
 	    <command>trusted-keys</command> statement with the new key.
 	  </para>
 	  <para>
 	    If, however, the zone were listed in a
-	    <command>managed-keys</command> statement instead, then the
+	    <command>managed-keys</command> statement instead, the
 	    zone owner could add a "stand-by" key to the zone in advance.
 	    <command>named</command> would store the stand-by key, and
 	    when the original key was revoked, <command>named</command>
 	    would be able to transition smoothly to the new key.  It would
-	    also recognize that the old key had been revoked, and cease
+	    also recognize that the old key had been revoked and cease
 	    using that key to validate answers, minimizing the damage that
 	    the compromised key could do.
 	  </para>
@@ -11109,15 +11148,15 @@ example.com                 CNAME   rpz-tcp-only.
 	  </para>
 	  <para>
 	    Consequently, a <command>managed-keys</command> statement
-	    appears similar to a <command>trusted-keys</command>, differing
-	    in the presence of the second field, containing the keyword
+	    appears similar to a <command>trusted-keys</command> statement, differing
+	    by the presence of the second field, which contains the keyword
 	    <literal>initial-key</literal>.  The difference is, whereas the
 	    keys listed in a <command>trusted-keys</command> continue to be
 	    trusted until they are removed from
 	    <filename>named.conf</filename>, an initializing key listed
 	    in a <command>managed-keys</command> statement is only trusted
 	    <emphasis>once</emphasis>: for as long as it takes to load the
-	    managed key database and start the RFC 5011 key maintenance
+	    managed-key database and start the RFC 5011 key-maintenance
 	    process.
 	  </para>
 	  <para>
@@ -11126,58 +11165,58 @@ example.com                 CNAME   rpz-tcp-only.
 	    DNSKEY RRset directly from the zone apex, and validates it
 	    using the key specified in the <command>managed-keys</command>
 	    statement.  If the DNSKEY RRset is validly signed, then it is
-	    used as the basis for a new managed keys database.
+	    used as the basis for a new managed-keys database.
 	  </para>
 	  <para>
 	    From that point on, whenever <command>named</command> runs, it
 	    sees the <command>managed-keys</command> statement, checks to
 	    make sure RFC 5011 key maintenance has already been initialized
-	    for the specified domain, and if so, it simply moves on.  The
+	    for the specified domain, and if so, simply moves on.  The
 	    key specified in the <command>managed-keys</command>
-	    statement is not used to validate answers; it has been
-	    superseded by the key or keys stored in the managed keys database.
+	    statement is not used to validate answers; it is
+	    superseded by the key or keys stored in the managed-keys database.
 	  </para>
 	  <para>
 	    The next time <command>named</command> runs after a name
 	    has been <emphasis>removed</emphasis> from the
 	    <command>managed-keys</command> statement, the corresponding
-	    zone will be removed from the managed keys database,
-	    and RFC 5011 key maintenance will no longer be used for that
+	    zone is removed from the managed-keys database,
+	    and RFC 5011 key maintenance is no longer used for that
 	    domain.
 	  </para>
 	  <para>
-	    In the current implementation, the managed keys database
+	    In the current implementation, the managed-keys database
 	    is stored as a master-format zone file.
 	  </para>
 	  <para>
 	    On servers which do not use views, this file is named
 	    <filename>managed-keys.bind</filename>.  When views are in
-	    use, there will be a separate managed keys database for each
-	    view; the filename will be the view name (or, if a view name
+	    use, there is a separate managed-keys database for each
+	    view; the filename is the view name (or, if a view name
 	    contains characters which would make it illegal as a filename,
 	    a hash of the view name), followed by
 	    the suffix <filename>.mkeys</filename>.
 	  </para>
 	  <para>
 	    When the key database is changed, the zone is updated.
-	    As with any other dynamic zone, changes will be written
+	    As with any other dynamic zone, changes are written
 	    into a journal file, e.g.,
 	    <filename>managed-keys.bind.jnl</filename> or
 	    <filename>internal.mkeys.jnl</filename>.
-	    Changes are committed to the master file as soon as
-	    possible afterward; this will usually occur within 30
-	    seconds.  So, whenever <command>named</command> is using
+	    Changes are committed to the zone file as soon as
+	    possible afterward, usually within 30
+	    seconds.  Whenever <command>named</command> is using
 	    automatic key maintenance, the zone file and journal file
 	    can be expected to exist in the working directory.
-	    (For this reason among others, the working directory
+	    (For this reason, among others, the working directory
 	    should be always be writable by <command>named</command>.)
 	  </para>
 	  <para>
 	    If the <command>dnssec-validation</command> option is
 	    set to <userinput>auto</userinput>, <command>named</command>
-	    will automatically initialize a managed key for the
-	    root zone.  The key that is used to initialize the key
-	    maintenance process is stored in <filename>bind.keys</filename>;
+	    automatically initializes a managed key for the
+	    root zone.  The key that is used to initialize the
+		key-maintenance process is stored in <filename>bind.keys</filename>;
 	    the location of this file can be overridden with the
 	    <command>bindkeys-file</command> option. As a fallback
 	    in the event no <filename>bind.keys</filename> can be
@@ -11213,7 +11252,7 @@ example.com                 CNAME   rpz-tcp-only.
 	  <para>
 	    Each <command>view</command> statement defines a view
 	    of the
-	    DNS namespace that will be seen by a subset of clients.  A client
+	    DNS namespace that is seen by a subset of clients.  A client
 	    matches
 	    a view if its source IP address matches the
 	    <varname>address_match_list</varname> of the view's
@@ -11225,26 +11264,26 @@ example.com                 CNAME   rpz-tcp-only.
 	    specified, both
 	    <command>match-clients</command> and <command>match-destinations</command>
 	    default to matching all addresses.  In addition to checking IP
-	    addresses
+	    addresses,
 	    <command>match-clients</command> and <command>match-destinations</command>
 	    can also take <command>keys</command> which provide an
 	    mechanism for the
 	    client to select the view.  A view can also be specified
 	    as <command>match-recursive-only</command>, which
 	    means that only recursive
-	    requests from matching clients will match that view.
+	    requests from matching clients match that view.
 	    The order of the <command>view</command> statements is
-	    significant —
-	    a client request will be resolved in the context of the first
+	    significant;
+	    a client request is resolved in the context of the first
 	    <command>view</command> that it matches.
 	  </para>
 
 	  <para>
 	    Zones defined within a <command>view</command>
-	    statement will
-	    only be accessible to clients that match the <command>view</command>.
+	    statement are
+	    only accessible to clients that match the <command>view</command>.
 	    By defining a zone of the same name in multiple views, different
-	    zone data can be given to different clients, for example,
+	    zone data can be given to different clients: for example,
 	    "internal"
 	    and "external" clients in a split DNS setup.
 	  </para>
@@ -11264,7 +11303,7 @@ example.com                 CNAME   rpz-tcp-only.
 	  </para>
 
 	  <para>
-	    Views are class specific.  If no class is given, class IN
+	    Views are class-specific.  If no class is given, class IN
 	    is assumed.  Note that all non-IN views must contain a hint zone,
 	    since only the IN class has compiled-in default hints.
 	  </para>
@@ -11279,8 +11318,8 @@ example.com                 CNAME   rpz-tcp-only.
 	    the top level of the configuration file are considered to be part
 	    of
 	    this default view, and the <command>options</command>
-	    statement will
-	    apply to the default view. If any explicit <command>view</command>
+	    statement
+	    applies to the default view. If any explicit <command>view</command>
 	    statements are present, all <command>zone</command>
 	    statements must
 	    occur inside <command>view</command> statements.
@@ -11346,20 +11385,27 @@ view "external" {
 	      The <command>type</command> keyword is required
 	      for the <command>zone</command> configuration unless
 	      it is an <command>in-view</command> configuration. Its
-	      acceptable values include: <varname>delegation-only</varname>,
-	      <varname>forward</varname>, <varname>hint</varname>,
-	      <varname>master</varname>, <varname>redirect</varname>,
-	      <varname>slave</varname>, <varname>static-stub</varname>,
-	      and <varname>stub</varname>.
+	      acceptable values are: <varname>master</varname>,
+	      <varname>slave</varname>, <varname>hint</varname>,
+	      <varname>stub</varname>, <varname>static-stub</varname>,
+	      <varname>forward</varname>, <varname>redirect</varname>,
+	      or <varname>delegation-only</varname>.
 	    </para>
+	    <note>
+	      Later versions of BIND added <command>type primary</command>
+	      and <command>type secondary</command> as synonyms for
+	      <command>type master</command> and <command>type slave</command>,
+	      as those terms are in more common use now. BIND 9.11's
+	      configuration syntax predates this change.
+	    </note>
 
 	    <informaltable colsep="0" rowsep="0">
 	      <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
 		<!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
 		<!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
-		<colspec colname="1" colnum="1" colsep="0"/>
-		<colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
-		<tbody>
+		<colspec colname="1" colnum="1" colsep="0" colwidth="*"/>
+		<colspec colname="2" colnum="2" colsep="0" colwidth="4*"/>
+		<tbody valign="top">
 		  <row rowsep="0">
 		    <entry colname="1">
 		      <para>
@@ -11369,9 +11415,8 @@ view "external" {
 		    <entry colname="2">
 		      <para>
 			The server has a master copy of the data
-			for the zone and will be able to provide authoritative
-			answers for
-			it.
+			for the zone and is able to provide authoritative
+			answers for it.
 		      </para>
 		    </entry>
 		  </row>
@@ -11383,10 +11428,11 @@ view "external" {
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			A slave zone is a replica of a master
-			zone. The <command>masters</command> list
+			A secondary zone, replicating a primary zone
+			provided by another authoritative server.
+			The <command>masters</command> list
 			specifies one or more IP addresses
-			of master servers that the slave contacts to update
+			of primary servers that the secondary contacts to update
 			its copy of the zone.
 			Masters list elements can also be names of other
 			masters lists.
@@ -11396,10 +11442,10 @@ view "external" {
 			before the
 			list of IP addresses, or on a per-server basis after
 			the IP address.
-			Authentication to the master can also be done with
+			Authentication to the primary can also be done with
 			per-server TSIG keys.
 			If a file is specified, then the
-			replica will be written to this file whenever the zone
+			replica is written to this file whenever the zone
 			is changed,
 			and reloaded from this file on a server restart. Use
 			of a file is
@@ -11411,12 +11457,12 @@ view "external" {
 			is best to
 			use a two-level naming scheme for zone filenames. For
 			example,
-			a slave server for the zone <literal>example.com</literal> might place
+			a secondary server for the zone <literal>example.com</literal> might place
 			the zone contents into a file called
 			<filename>ex/example.com</filename> where <filename>ex/</filename> is
 			just the first two letters of the zone name. (Most
 			operating systems
-			behave very slowly if you put 100000 files into
+			behave very slowly if there are 100000 files in
 			a single directory.)
 		      </para>
 		    </entry>
@@ -11424,39 +11470,51 @@ view "external" {
 		  <row rowsep="0">
 		    <entry colname="1">
 		      <para>
+			<varname>hint</varname>
+		      </para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			The initial set of root name servers is
+			specified using a hint zone. When the server starts,
+			it uses
+			the root hints to find a root name server and get the
+			most recent
+			list of root name servers. If no hint zone is
+			specified for class
+			IN, the server uses a compiled-in default set of root
+			servers hints.
+			Classes other than IN have no built-in default hints.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
 			<varname>stub</varname>
 		      </para>
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			A stub zone is similar to a slave zone,
+			A stub zone is similar to a secondary zone,
 			except that it replicates only the NS records of a
-			master zone instead
+			primary zone instead
 			of the entire zone. Stub zones are not a standard part
 			of the DNS;
 			they are a feature specific to the <acronym>BIND</acronym> implementation.
 		      </para>
 
 		      <para>
-			Stub zones can be used to eliminate the need for glue
+			Stub zones can be used to eliminate the need for a glue
 			NS record
-			in a parent zone at the expense of maintaining a stub
+			in a parent zone, at the expense of maintaining a stub
 			zone entry and
 			a set of name server addresses in <filename>named.conf</filename>.
 			This usage is not recommended for new configurations,
 			and BIND 9
 			supports it only in a limited way.
-			In <acronym>BIND</acronym> 4/8, zone
-			transfers of a parent zone
-			included the NS records from stub children of that
-			zone. This meant
-			that, in some cases, users could get away with
-			configuring child stubs
-			only in the master server for the parent zone. <acronym>BIND</acronym>
-			9 never mixes together zone data from different zones
-			in this
-			way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
-			zone has child stub zones configured, all the slave
+			If a <acronym>BIND</acronym> 9 primary, serving a parent
+			zone, has child stub zones configured, all the secondary
 			servers for the
 			parent zone also need to have the same child stub
 			zones
@@ -11464,13 +11522,13 @@ view "external" {
 		      </para>
 
 		      <para>
-			Stub zones can also be used as a way of forcing the
+			Stub zones can also be used as a way to force the
 			resolution
 			of a given domain to use a particular set of
 			authoritative servers.
 			For example, the caching name servers on a private
 			network using
-			RFC1918 addressing may be configured with stub zones
+			RFC 1918 addressing may be configured with stub zones
 			for
 			<literal>10.in-addr.arpa</literal>
 			to use a set of internal name servers as the
@@ -11490,11 +11548,11 @@ view "external" {
 			A static-stub zone is similar to a stub zone
 			with the following exceptions:
 			the zone data is statically configured, rather
-			than transferred from a master server;
+			than transferred from a primary server; and
 			when recursion is necessary for a query that
 			matches a static-stub zone, the locally
-			configured data (nameserver names and glue addresses)
-			is always used even if different authoritative
+			configured data (name server names and glue addresses)
+			is always used, even if different authoritative
 			information is cached.
 		      </para>
 		      <para>
@@ -11509,9 +11567,9 @@ view "external" {
 			databases by <command>rndc dumpdb -all</command>.
 			The configured RRs are considered local configuration
 			parameters rather than public data.
-			Non recursive queries (i.e., those with the RD
+			Non-recursive queries (i.e., those with the RD
 			bit off) to a static-stub zone are therefore
-			prohibited and will be responded with REFUSED.
+			prohibited and are responded to with REFUSED.
 		      </para>
 		      <para>
 			Since the data is statically configured, no
@@ -11524,7 +11582,7 @@ view "external" {
 		      <para>
 			Each static-stub zone is configured with
 			internally generated NS and (if necessary)
-			glue A or AAAA RRs
+			glue A or AAAA RRs.
 		      </para>
 		    </entry>
 		  </row>
@@ -11536,27 +11594,27 @@ view "external" {
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			A "forward zone" is a way to configure
+			A forward zone is a way to configure
 			forwarding on a per-domain basis.  A <command>zone</command> statement
 			of type <command>forward</command> can
 			contain a <command>forward</command>
 			and/or <command>forwarders</command>
 			statement,
-			which will apply to queries within the domain given by
+			which applies to queries within the domain given by
 			the zone
 			name. If no <command>forwarders</command>
-			statement is present or
+			statement is present, or
 			an empty list for <command>forwarders</command> is given, then no
-			forwarding will be done for the domain, canceling the
+			forwarding is done for the domain, canceling the
 			effects of
-			any forwarders in the <command>options</command> statement. Thus
-			if you want to use this type of zone to change the
+			any forwarders in the <command>options</command> statement. Thus,
+			to use this type of zone to change the
 			behavior of the
 			global <command>forward</command> option
 			(that is, "forward first"
-			to, then "forward only", or vice versa, but want to
+			to, then "forward only", or vice versa), but
 			use the same
-			servers as set globally) you need to re-specify the
+			servers as set globally, re-specify the
 			global forwarders.
 		      </para>
 		    </entry>
@@ -11564,27 +11622,6 @@ view "external" {
 		  <row rowsep="0">
 		    <entry colname="1">
 		      <para>
-			<varname>hint</varname>
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			The initial set of root name servers is
-			specified using a "hint zone". When the server starts
-			up, it uses
-			the root hints to find a root name server and get the
-			most recent
-			list of root name servers. If no hint zone is
-			specified for class
-			IN, the server uses a compiled-in default set of root
-			servers hints.
-			Classes other than IN have no built-in defaults hints.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
 			<varname>redirect</varname>
 		      </para>
 		    </entry>
@@ -11599,26 +11636,26 @@ view "external" {
 		      </para>
 		      <para>
 			If the client has requested DNSSEC records (DO=1) and
-			the NXDOMAIN response is signed then no substitution
-			will occur.
+			the NXDOMAIN response is signed, no substitution
+			occurs.
 		      </para>
 		      <para>
 			To redirect all NXDOMAIN responses to
 			100.100.100.2 and
-			2001:ffff:ffff::100.100.100.2, one would
-			configure a type redirect zone named ".",
+			2001:ffff:ffff::100.100.100.2,
+			configure a type <varname>redirect</varname> zone named ".",
 			with the zone file containing wildcard records
 			that point to the desired addresses:
-			<literal>"*. IN A 100.100.100.2"</literal>
+			<literal>*. IN A 100.100.100.2</literal>
 			and
-			<literal>"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</literal>.
+			<literal>*. IN AAAA 2001:ffff:ffff::100.100.100.2</literal>.
 		      </para>
 		      <para>
-			To redirect all Spanish names (under .ES) one
-			would use similar entries but with the names
+			As another example, to redirect all Spanish names (under .ES),
+			use similar entries but with the names
 			"*.ES." instead of "*.".  To redirect all
-			commercial Spanish names (under COM.ES) one
-			would use wildcard entries called "*.COM.ES.".
+			commercial Spanish names (under COM.ES),
+			use wildcard entries called "*.COM.ES.".
 		      </para>
 		      <para>
 			Note that the redirect zone supports all
@@ -11628,14 +11665,14 @@ view "external" {
 		      <para>
 			Because redirect zones are not referenced
 			directly by name, they are not kept in the
-			zone lookup table with normal master and slave
+			zone lookup table with normal primary and secondary
 			zones. Consequently, it is not currently possible
 			to use
 			<command>rndc reload
 				<replaceable>zonename</replaceable></command>
 			to reload a redirect zone.  However, when using
 			<command>rndc reload</command> without specifying
-			a zone name, redirect zones will be reloaded along
+			a zone name, redirect zones are reloaded along
 			with other zones.
 		      </para>
 		    </entry>
@@ -11648,13 +11685,13 @@ view "external" {
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			This is used to enforce the delegation-only
-			status of infrastructure zones (e.g. COM,
+			This zone type is used to enforce the delegation-only
+			status of infrastructure zones (e.g., COM,
 			NET, ORG).  Any answer that is received
 			without an explicit or implicit delegation
-			in the authority section will be treated
+			in the authority section is treated
 			as NXDOMAIN.  This does not apply to the
-			zone apex.  This should not be applied to
+			zone apex, and should not be applied to
 			leaf zones.
 		      </para>
 		      <para>
@@ -11666,6 +11703,32 @@ view "external" {
 		      </para>
 		    </entry>
 		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>in-view</varname>
+		      </para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+                        When using multiple views, a primary or secondary zone
+			configured in one view can be referenced in a
+			subsequent view. This allows both views to serve the
+			same zone without the overhead of loading it more
+			than once. This is configured using a
+			<varname>zone</varname> statement, with an
+			<varname>in-view</varname> option specifying the
+			view in which the zone is defined.
+			A <varname>zone</varname> statement containing
+			<varname>in-view</varname> does not need to specify
+			a type, since that is part of the zone definition
+			in the other view.
+		      </para>
+		      <para>
+			See <xref linkend="multiple_views"/> for more information.
+		      </para>
+		    </entry>
+		  </row>
 		</tbody>
 	      </tgroup>
 	    </informaltable>
@@ -11680,10 +11743,9 @@ view "external" {
 	    </para>
 	    <para>
 	      The <literal>hesiod</literal> class is
-	      named for an information service from MIT's Project Athena. It
-	      is
+	      named for an information service from MIT's Project Athena. It was
 	      used to share information about various systems databases, such
-	      as users, groups, printers and so on. The keyword
+	      as users, groups, printers, and so on. The keyword
 	      <literal>HS</literal> is
 	      a synonym for hesiod.
 	    </para>
@@ -11751,7 +11813,7 @@ view "external" {
 		<term><command>update-policy</command></term>
 		<listitem>
 		  <para>
-		    Specifies a "Simple Secure Update" policy. See
+		    This specifies a "Simple Secure Update" policy. See
 		    <xref linkend="dynamic_update_policies"/>.
 		  </para>
 		</listitem>
@@ -11771,14 +11833,14 @@ view "external" {
 		<term><command>also-notify</command></term>
 		<listitem>
 		  <para>
-		    Only meaningful if <command>notify</command>
+		    This option is only meaningful if <command>notify</command>
 		    is
-		    active for this zone. The set of machines that will
+		    active for this zone. The set of machines that
 		    receive a
 		    <literal>DNS NOTIFY</literal> message
 		    for this zone is made up of all the listed name servers
 		    (other than
-		    the primary master) for the zone plus any IP addresses
+		    the primary) for the zone, plus any IP addresses
 		    specified
 		    with <command>also-notify</command>. A port
 		    may be specified
@@ -11801,10 +11863,11 @@ view "external" {
 		  <para>
 		    This option is used to restrict the character set and
 		    syntax of
-		    certain domain names in master files and/or DNS responses
+		    certain domain names in zone files and/or DNS responses
 		    received from the
-		    network.  The default varies according to zone type.  For <command>master</command> zones the default is <command>fail</command>.  For <command>slave</command>
-		    zones the default is <command>warn</command>.
+		    network.  The default varies according to zone type.
+		    For primary zones the default is <command>fail</command>;
+		    for secondary zones the default is <command>warn</command>.
 		    It is not implemented for <command>hint</command> zones.
 		  </para>
 		</listitem>
@@ -11924,7 +11987,7 @@ view "external" {
 		<term><command>database</command></term>
 		<listitem>
 		  <para>
-		    Specify the type of database to be used for storing the
+		    This specifies the type of database to be used to store the
 		    zone data.  The string following the <command>database</command> keyword
 		    is interpreted as a list of whitespace-delimited words.
 		    The first word
@@ -11937,7 +12000,7 @@ view "external" {
 		  <para>
 		    The default is <userinput>"rbt"</userinput>, BIND 9's
 		    native in-memory
-		    red-black-tree database.  This database does not take
+		    red-black tree database.  This database does not take
 		    arguments.
 		  </para>
 		  <para>
@@ -11963,9 +12026,9 @@ view "external" {
 		<term><command>delegation-only</command></term>
 		<listitem>
 		  <para>
-		    The flag only applies to forward, hint and stub
+		    This flag only applies to forward, hint, and stub
 		    zones.  If set to <userinput>yes</userinput>,
-		    then the zone will also be treated as if it is
+		    then the zone is treated as if it is
 		    also a delegation-only type zone.
 		  </para>
 		  <para>
@@ -11978,7 +12041,7 @@ view "external" {
 		<term><command>file</command></term>
 		<listitem>
 		  <para>
-		    Set the zone's filename. In <command>master</command>,
+		    This sets the zone's filename. In <command>master</command>,
 		    <command>hint</command>, and <command>redirect</command>
 		    zones which do not have <command>masters</command>
 		    defined, zone data is loaded from this file. In
@@ -11995,11 +12058,11 @@ view "external" {
 		<term><command>forward</command></term>
 		<listitem>
 		  <para>
-		    Only meaningful if the zone has a forwarders
+		    This option is only meaningful if the zone has a forwarders
 		    list. The <command>only</command> value causes
 		    the lookup to fail
-		    after trying the forwarders and getting no answer, while <command>first</command> would
-		    allow a normal lookup to be tried.
+		    after trying the forwarders and getting no answer, while <command>first</command>
+		    allows a normal lookup to be tried.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -12008,7 +12071,7 @@ view "external" {
 		<term><command>forwarders</command></term>
 		<listitem>
 		  <para>
-		    Used to override the list of global forwarders.
+		    This is used to override the list of global forwarders.
 		    If it is not specified in a zone of type <command>forward</command>,
 		    no forwarding is done for the zone and the global options are
 		    not used.
@@ -12020,7 +12083,7 @@ view "external" {
 		<term><command>ixfr-base</command></term>
 		<listitem>
 		  <para>
-		    Was used in <acronym>BIND</acronym> 8 to
+		    This was used in <acronym>BIND</acronym> 8 to
 		    specify the name
 		    of the transaction log (journal) file for dynamic update
 		    and IXFR.
@@ -12037,8 +12100,8 @@ view "external" {
 		<term><command>ixfr-tmp-file</command></term>
 		<listitem>
 		  <para>
-		    Was an undocumented option in <acronym>BIND</acronym> 8.
-		    Ignored in <acronym>BIND</acronym> 9.
+		    This was an undocumented option in <acronym>BIND</acronym> 8.
+		    It is ignored in <acronym>BIND</acronym> 9.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -12047,9 +12110,10 @@ view "external" {
 		<term><command>journal</command></term>
 		<listitem>
 		  <para>
-		    Allow the default journal's filename to be overridden.
+		    This allows the default journal's filename to be overridden.
 		    The default is the zone's filename with "<filename>.jnl</filename>" appended.
-		    This is applicable to <command>master</command> and <command>slave</command> zones.
+		    This is applicable to primary (<command>master</command>)
+		    and secondary (<command>slave</command>) zones.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -12150,10 +12214,9 @@ view "external" {
 		<listitem>
 		  <para>
 		    In <acronym>BIND</acronym> 8, this option was
-		    intended for specifying
-		    a public zone key for verification of signatures in DNSSEC
-		    signed
-		    zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
+		    intended to specify
+		    a public zone key for verification of signatures in DNSSEC-signed
+		    zones when they were loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
 		    on load and ignores the option.
 		  </para>
 		</listitem>
@@ -12174,29 +12237,29 @@ view "external" {
 		<term><command>server-addresses</command></term>
 		<listitem>
 		  <para>
-		    Only meaningful for static-stub zones.
+		    This option is only meaningful for static-stub zones.
 		    This is a list of IP addresses to which queries
 		    should be sent in recursive resolution for the
 		    zone.
-		    A non empty list for this option will internally
-		    configure the apex NS RR with associated glue A or
+		    A non-empty list for this option internally
+		    configures the apex NS RR with associated glue A or
 		    AAAA RRs.
 		  </para>
 		  <para>
 		    For example, if "example.com" is configured as a
 		    static-stub zone with 192.0.2.1 and 2001:db8::1234
 		    in a <command>server-addresses</command> option,
-		    the following RRs will be internally configured.
+		    the following RRs are internally configured:
 		  </para>
 <programlisting>example.com. NS example.com.
 example.com. A 192.0.2.1
 example.com. AAAA 2001:db8::1234</programlisting>
 		  <para>
-		    These records are internally used to resolve
+		    These records are used internally to resolve
 		    names under the static-stub zone.
 		    For instance, if the server receives a query for
 		    "www.example.com" with the RD bit on, the server
-		    will initiate recursive resolution and send
+		    initiates recursive resolution and sends
 		    queries to 192.0.2.1 and/or 2001:db8::1234.
 		  </para>
 		</listitem>
@@ -12206,44 +12269,46 @@ example.com. AAAA 2001:db8::1234</programlisting>
 		<term><command>server-names</command></term>
 		<listitem>
 		  <para>
-		    Only meaningful for static-stub zones.
-		    This is a list of domain names of nameservers that
+		    This option is only meaningful for static-stub zones.
+		    This is a list of domain names of name servers that
 		    act as authoritative servers of the static-stub
 		    zone.
-		    These names will be resolved to IP addresses when
+		    These names are resolved to IP addresses when
 		    <command>named</command> needs to send queries to
 		    these servers.
-		    To make this supplemental resolution successful,
+		    For this supplemental resolution to be successful,
 		    these names must not be a subdomain of the origin
-		    name of static-stub zone.
+		    name of the static-stub zone.
 		    That is, when "example.net" is the origin of a
 		    static-stub zone, "ns.example" and
 		    "master.example.com" can be specified in the
 		    <command>server-names</command> option, but
-		    "ns.example.net" cannot, and will be rejected by
+		    "ns.example.net" cannot; it is rejected by
 		    the configuration parser.
 		  </para>
 		  <para>
-		    A non empty list for this option will internally
-		    configure the apex NS RR with the specified names.
+		    A non-empty list for this option internally
+		    configures the apex NS RR with the specified names.
 		    For example, if "example.com" is configured as a
 		    static-stub zone with "ns1.example.net" and
 		    "ns2.example.net"
 		    in a <command>server-names</command> option,
-		    the following RRs will be internally configured.
+		    the following RRs are internally configured:
 		  </para>
+
 <programlisting>example.com. NS ns1.example.net.
 example.com. NS ns2.example.net.
 </programlisting>
+
 		  <para>
-		    These records are internally used to resolve
+		    These records are used internally to resolve
 		    names under the static-stub zone.
 		    For instance, if the server receives a query for
 		    "www.example.com" with the RD bit on, the server
-		    initiate recursive resolution,
-		    resolve "ns1.example.net" and/or
-		    "ns2.example.net" to IP addresses, and then send
-		    queries to (one or more of) these addresses.
+		    initiates recursive resolution,
+		    resolves "ns1.example.net" and/or
+		    "ns2.example.net" to IP addresses, and then sends
+		    queries to one or more of these addresses.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -12366,7 +12431,7 @@ example.com. NS ns2.example.net.
 		<term><command>max-retry-time</command></term>
 		<listitem>
 		  <para>
-		    See the description in <xref linkend="tuning"/>.
+		    See the descriptions in <xref linkend="tuning"/>.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -12378,8 +12443,8 @@ example.com. NS ns2.example.net.
 		    See the description of
 		    <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
 		    (Note that the <command>ixfr-from-differences</command>
-		    <userinput>master</userinput> and
-		    <userinput>slave</userinput> choices are not
+		    choices of <userinput>master</userinput> and
+		    <userinput>slave</userinput> are not
 		    available at the zone level.)
 		  </para>
 		</listitem>
@@ -12422,10 +12487,10 @@ example.com. NS ns2.example.net.
 		<listitem>
 		  <para>
 		    If <literal>yes</literal>, this enables
-		    "bump in the wire" signing of a zone, where a
+		    "bump in the wire" signing of a zone, where an
 		    unsigned zone is transferred in or loaded from
 		    disk and a signed version of the zone is served,
-		    with possibly, a different serial number.  This
+		    with, possibly, a different serial number.  This
 		    behavior is disabled by default.
 		  </para>
 		</listitem>
@@ -12476,11 +12541,11 @@ example.com. NS ns2.example.net.
 	  </section>
 	  <section xml:id="dynamic_update_policies"><info><title>Dynamic Update Policies</title></info>
 
-	    <para><acronym>BIND</acronym> 9 supports two alternative
+	    <para><acronym>BIND</acronym> 9 supports two
 	      methods of granting clients the right to perform
 	      dynamic updates to a zone, configured by the
 	      <command>allow-update</command> and
-	      <command>update-policy</command> option, respectively.
+	      <command>update-policy</command> options.
 	    </para>
 	    <para>
 	      The <command>allow-update</command> clause is a simple
@@ -12490,12 +12555,12 @@ example.com. NS ns2.example.net.
 	    </para>
 	    <para>
 	      The <command>update-policy</command> clause
-	      allows more fine-grained control over what updates are
+	      allows more fine-grained control over which updates are
 	      allowed.  It specifies a set of rules, in which each rule
 	      either grants or denies permission for one or more
 	      names in the zone to be updated by one or more
 	      identities. Identity is determined by the key that
-	      signed the update request using either TSIG or SIG(0).
+	      signed the update request, using either TSIG or SIG(0).
 	      In most cases, <command>update-policy</command> rules
 	      only apply to key-based identities.  There is no way
 	      to specify update permissions based on client source
@@ -12503,7 +12568,7 @@ example.com. NS ns2.example.net.
 	    </para>
 	    <para>
 	      <command>update-policy</command> rules are only meaningful
-	      for zones of type <command>master</command>, and are
+	      for primary zones (type <command>master</command>), and are
 	      not allowed in any other zone type.
 	      It is a configuration error to specify both
 	      <command>allow-update</command> and
@@ -12513,9 +12578,8 @@ example.com. NS ns2.example.net.
 	      A pre-defined <command>update-policy</command> rule can be
 	      switched on with the command
 	      <command>update-policy local;</command>.
-	      Using this in a zone causes
-	      <command>named</command> to generate a TSIG session key
-	      when starting up and store it in a file; this key can then
+	      <command>named</command> automatically generates a TSIG session
+	      key when starting and stores it in a file; this key can then
 	      be used by local clients to update the zone while
 	      <command>named</command> is running.
 	      By default, the session key is stored in the file
@@ -12523,12 +12587,12 @@ example.com. NS ns2.example.net.
 	      is "local-ddns", and the key algorithm is HMAC-SHA256.
 	      These values are configurable with the
 	      <command>session-keyfile</command>,
-	      <command>session-keyname</command> and
+	      <command>session-keyname</command>, and
 	      <command>session-keyalg</command> options, respectively.
 	      A client running on the local system, if run with appropriate
 	      permissions, may read the session key from the key file and
 	      use it to sign update requests.  The zone's update
-	      policy will be set to allow that key to change any record
+	      policy is set to allow that key to change any record
 	      within the zone.  Assuming the key name is "local-ddns",
 	      this policy is equivalent to:
 	    </para>
@@ -12537,14 +12601,14 @@ example.com. NS ns2.example.net.
 	    </programlisting>
 
 	    <para>
-	      ...with the additional restriction that only clients
-	      connecting from the local system will be permitted to send
+	      with the additional restriction that only clients
+	      connecting from the local system are permitted to send
 	      updates.
 	    </para>
 	    <para>
 	      Note that only one session key is generated by
 	      <command>named</command>; all zones configured to use
-	      <command>update-policy local</command> will accept the same key.
+	      <command>update-policy local</command> accept the same key.
 	    </para>
 	    <para>
 	      The command <command>nsupdate -l</command> implements this
@@ -12582,13 +12646,13 @@ example.com. NS ns2.example.net.
 	    </para>
 	    <para>
 	      The <command>identity</command> field must be set to
-	      a fully-qualified domain name.  In most cases, this
-	      represensts the name of the TSIG or SIG(0) key that must be
+	      a fully qualified domain name.  In most cases, this
+	      represents the name of the TSIG or SIG(0) key that must be
 	      used to sign the update request.  If the specified name is a
 	      wildcard, it is subject to DNS wildcard expansion, and the
 	      rule may apply to multiple identities.  When a TKEY exchange
 	      has been used to create a shared secret, the identity of
-	      the key used to authenticate the TKEY exchange will be
+	      the key used to authenticate the TKEY exchange is
 	      used as the identity of the shared secret.  Some rule types
 	      use identities matching the client's Kerberos principal
 	      (e.g, <userinput>"host/machine@REALM"</userinput>) or
@@ -12596,16 +12660,16 @@ example.com. NS ns2.example.net.
 	    </para>
 	    <para>
 	      The <replaceable>name</replaceable> field also specifies
-	      a fully-qualified domain name. This often
+	      a fully qualified domain name. This often
 	      represents the name of the record to be updated.
 	      Interpretation of this field is dependent on rule type.
 	    </para>
 	    <para>
 	      If no <command>types</command> are explicitly specified,
-	      then a rule matches all types except RRSIG, NS, SOA, NSEC
+	      then a rule matches all types except RRSIG, NS, SOA, NSEC,
 	      and NSEC3. Types may be specified by name, including
-	      "ANY" (ANY matches all types except NSEC and NSEC3,
-	      which can never be updated).  Note that when an attempt
+	      "ANY"; ANY matches all types except NSEC and NSEC3,
+	      which can never be updated.  Note that when an attempt
 	      is made to delete all records associated with a name,
 	      the rules are checked for each existing record type.
 	    </para>
@@ -12613,14 +12677,13 @@ example.com. NS ns2.example.net.
 	      The <replaceable>ruletype</replaceable> field has 16
 	      values:
 	      <varname>name</varname>, <varname>subdomain</varname>,
-	      <varname>wildcard</varname>, <varname>self</varname>,
-	      <varname>selfsub</varname>, <varname>selfwild</varname>,
-	      <varname>krb5-self</varname>, <varname>ms-self</varname>,
-	      <varname>krb5-selfsub</varname>, <varname>ms-selfsub</varname>,
-	      <varname>krb5-subdomain</varname>,
-	      <varname>ms-subdomain</varname>,
-	      <varname>tcp-self</varname>, <varname>6to4-self</varname>,
-	      <varname>zonesub</varname>, and <varname>external</varname>.
+	      <varname>zonesub</varname>, <varname>wildcard</varname>,
+		  <varname>self</varname>, <varname>selfsub</varname>,
+		  <varname>selfwild</varname>, <varname>ms-self</varname>,
+	      <varname>ms-selfsub</varname>, <varname>ms-subdomain</varname>,
+	      <varname>krb5-self</varname>, <varname>krb5-selfsub</varname>,
+	      <varname>krb5-subdomain</varname>, <varname>tcp-self</varname>,
+		  <varname>6to4-self</varname>, and <varname>external</varname>.
 	    </para>
 	    <informaltable>
 	      <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
@@ -12634,7 +12697,7 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			Exact-match semantics.  This rule matches
+			With exact-match semantics, this rule matches
 			when the name being updated is identical
 			to the contents of the
 			<replaceable>name</replaceable> field.
@@ -12715,7 +12778,7 @@ example.com. NS ns2.example.net.
 			name as the record to be updated.  In this case,
 			the <replaceable>identity</replaceable> field
 			can be specified as <constant>*</constant>
-			(an asterisk).
+			(asterisk).
 		      </para>
 		    </entry>
 		  </row>
@@ -12726,7 +12789,7 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			This rule is similar to <varname>self</varname>
+			This rule is similar to <varname>self</varname>,
 			except that subdomains of <varname>self</varname>
 			can also be updated.
 		      </para>
@@ -12739,7 +12802,7 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			This rule is similar to <varname>self</varname>
+			This rule is similar to <varname>self</varname>,
 			except that only subdomains of
 			<varname>self</varname> can be updated.
 		      </para>
@@ -12753,9 +12816,9 @@ example.com. NS ns2.example.net.
 		    </entry> <entry colname="2">
 		      <para>
 			When a client sends an UPDATE using a Windows
-			machine principal (for example, 'machine$@REALM'),
+			machine principal (for example, "machine$@REALM"),
 			this rule allows records with the absolute name
-			of 'machine.REALM' to be updated.
+			of "machine.REALM" to be updated.
 		      </para>
 		      <para>
 			The realm to be matched is specified in the
@@ -12782,7 +12845,7 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			This is similar to <command>ms-self</command>
+			This is similar to <command>ms-self</command>,
 			except it also allows updates to any subdomain of
 			the name specified in the Windows machine
 			principal, not just to the name itself.
@@ -12797,7 +12860,7 @@ example.com. NS ns2.example.net.
 		    </entry> <entry colname="2">
 		      <para>
 			When a client sends an UPDATE using a Windows
-			machine principal (for example, 'machine$@REALM'),
+			machine principal (for example, "machine$@REALM"),
 			this rule allows any machine in the specified
 			realm to update any record in the zone or in a
 			specified subdomain of the zone.
@@ -12809,8 +12872,8 @@ example.com. NS ns2.example.net.
 		      <para>
 			The <replaceable>name</replaceable> field
 			specifies the subdomain that may be updated.
-			If set to "." (or any other name at or above
-			the zone apex), any name in the zone can be
+			If set to "." or any other name at or above
+			the zone apex, any name in the zone can be
 			updated.
 		      </para>
 		      <para>
@@ -12818,8 +12881,8 @@ example.com. NS ns2.example.net.
 			for the zone "example.com" includes
 			<userinput>grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA</userinput>,
 			any machine with a valid principal in
-			the realm <userinput>EXAMPLE.COM</userinput> will
-			be able to update address records at or below
+			the realm <userinput>EXAMPLE.COM</userinput> is
+			able to update address records at or below
 			"hosts.example.com".
 		      </para>
 		    </entry>
@@ -12833,13 +12896,13 @@ example.com. NS ns2.example.net.
 		      <para>
 			When a client sends an UPDATE using a
 			Kerberos machine principal (for example,
-			'host/machine@REALM'), this rule allows
-			records with the absolute name of 'machine'
-			to be updated provided it has been authenticated
+			"host/machine@REALM"), this rule allows
+			records with the absolute name of "machine"
+			to be updated, provided it has been authenticated
 			by REALM.  This is similar but not identical
-			to <command>ms-self</command> due to the
-			'machine' part of the Kerberos principal
-			being an absolute name instead of a unqualified
+			to <command>ms-self</command>, due to the
+			"machine" part of the Kerberos principal
+			being an absolute name instead of an unqualified
 			name.
 		      </para>
 		      <para>
@@ -12867,9 +12930,9 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			This is similar to <command>krb5-self</command>
+			This is similar to <command>krb5-self</command>,
 			except it also allows updates to any subdomain of
-			the name specified in the 'machine' part of the
+			the name specified in the "machine" part of the
 			Kerberos principal, not just to the name itself.
 		      </para>
 		    </entry>
@@ -12884,7 +12947,7 @@ example.com. NS ns2.example.net.
 			This rule is identical to
 			<command>ms-subdomain</command>, except that it works
 			with Kerberos machine principals (i.e.,
-			'host/machine@REALM') rather than Windows machine
+			"host/machine@REALM") rather than Windows machine
 			principals.
 		      </para>
 		    </entry>
@@ -12901,7 +12964,7 @@ example.com. NS ns2.example.net.
 			client's IP address into the
 			<literal>in-addr.arpa</literal> and
 			<literal>ip6.arpa</literal>
-			namespaces match the name to be updated.
+			namespaces matches the name to be updated.
 			The <command>identity</command> field must match
 			that name.  The <command>name</command> field
 			should be set to ".".
@@ -12970,12 +13033,12 @@ example.com. NS ns2.example.net.
 			field, the format of which is
 			"<constant>local:</constant><replaceable>path</replaceable>",
 			where <replaceable>path</replaceable> is the location
-			of a UNIX-domain socket.  (Currently, "local" is the
+			of a Unix-domain socket.  (Currently, "local" is the
 			only supported mechanism.)
 		      </para>
 		      <para>
 			Requests to the external daemon are sent over the
-			UNIX-domain socket as datagrams with the following
+			Unix-domain socket as datagrams with the following
 			format:
 		      </para>
 		      <programlisting>
@@ -13001,17 +13064,17 @@ example.com. NS ns2.example.net.
 	    </informaltable>
 	  </section>
 
-	  <section xml:id="multiple_views"><info><title>Multiple views</title></info>
+	  <section xml:id="multiple_views"><info><title>Multiple Views</title></info>
 
 	    <para>
 	      When multiple views are in use, a zone may be
 	      referenced by more than one of them. Often, the views
-	      will contain different zones with the same name, allowing
+	      contain different zones with the same name, allowing
 	      different clients to receive different answers for the same
 	      queries. At times, however, it is desirable for multiple
 	      views to contain identical zones.  The
 	      <command>in-view</command> zone option provides an efficient
-	      way to do this: it allows a view to reference a zone that
+	      way to do this; it allows a view to reference a zone that
 	      was defined in a previously configured view. Example:
 	    </para>
 	    <programlisting>
@@ -13039,16 +13102,16 @@ view external {
 	    <para>
 	      A <command>zone</command> statement which uses the
 	      <command>in-view</command> option may not use any other
-	      options with the exception of <command>forward</command>
+	      , with the exception of <command>forward</command>
 	      and <command>forwarders</command>. (These options control
-	      the behavior of the containing view, rather than changing
+	      the behavior of the containing view, rather than change
 	      the zone object itself.)
 	    </para>
 	    <para>
-	      Zone level acls (e.g. allow-query, allow-transfer) and
-	      other configuration details of the zone are all set
-	      in the view the referenced zone is defined in.  Care
-	      need to be taken to ensure that acls are wide enough
+	      Zone-level ACLs (e.g., allow-query, allow-transfer), and
+	      other configuration details of the zone, are all set
+	      in the view the referenced zone is defined in.  Be
+	      careful to ensure that ACLs are wide enough
 	      for all views referencing the zone.
 	    </para>
 	    <para>
@@ -13069,7 +13132,7 @@ view external {
 
 	  <para>
 	    This section, largely borrowed from RFC 1034, describes the
-	    concept of a Resource Record (RR) and explains when each is used.
+	    concept of a Resource Record (RR) and explains when each type is used.
 	    Since the publication of RFC 1034, several new RRs have been
 	    identified
 	    and implemented in the DNS. These are also included.
@@ -13083,7 +13146,7 @@ view external {
 	      separate RRs. The order of RRs in a set is not significant and
 	      need not be preserved by name servers, resolvers, or other
 	      parts of the DNS. However, sorting of multiple RRs is
-	      permitted for optimization purposes, for example, to specify
+	      permitted for optimization purposes: for example, to specify
 	      that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
 	    </para>
 
@@ -13146,7 +13209,7 @@ view external {
 		    <entry colname="2">
 		      <para>
 			An encoded 16-bit value that identifies
-			a protocol family or instance of a protocol.
+			a protocol family or an instance of a protocol.
 		      </para>
 		    </entry>
 		  </row>
@@ -13159,1062 +13222,19 @@ view external {
 		    <entry colname="2">
 		      <para>
 			The resource data.  The format of the
-			data is type (and sometimes class) specific.
-		      </para>
-		    </entry>
-		  </row>
-		</tbody>
-	      </tgroup>
-	    </informaltable>
-	    <para>
-	      The following are <emphasis>types</emphasis> of valid RRs:
-	    </para>
-	    <informaltable colsep="0" rowsep="0">
-	      <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-		<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
-		<colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
-		<tbody>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			A
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			A host address.  In the IN class, this is a
-			32-bit IP address.  Described in RFC 1035.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			AAAA
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv6 address.  Described in RFC 1886.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			A6
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv6 address.  This can be a partial
-			address (a suffix) and an indirection to the name
-			where the rest of the
-			address (the prefix) can be found.  Experimental.
-			Described in RFC 2874.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			AFSDB
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Location of AFS database servers.
-			Experimental.  Described in RFC 1183.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			AMTRELAY
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Automatic Multicast Tunneling Relay
-			discovery record.
-			Work in progress draft-ietf-mboned-driad-amt-discovery.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			APL
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Address prefix list.  Experimental.
-			Described in RFC 3123.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			ATMA
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			ATM Address.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			AVC
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Application Visibility and Control record.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			CAA
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Identifies which Certificate Authorities can issue
-			certificates for this domain and what rules they
-			need to follow when doing so. Defined in RFC 6844.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			CDNSKEY
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Identifies which DNSKEY records should be published
-			as DS records in the parent zone.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			CDS
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Contains the set of DS records that should be published
-			by the parent zone.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			CERT
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Holds a digital certificate.
-			Described in RFC 2538.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			CNAME
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Identifies the canonical name of an alias.
-			Described in RFC 1035.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			CSYNC
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Child-to-Parent Synchronization in DNS as described
-			in RFC 7477.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			DHCID
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Is used for identifying which DHCP client is
-			associated with this name.  Described in RFC 4701.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			DLV
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			A DNS Look-aside Validation record which contains
-			the records that are used as trust anchors for
-			zones in a DLV namespace.  Described in RFC 4431.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			DNAME
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Replaces the domain name specified with
-			another name to be looked up, effectively aliasing an
-			entire
-			subtree of the domain name space rather than a single
-			record
-			as in the case of the CNAME RR.
-			Described in RFC 2672.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			DNSKEY
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Stores a public key associated with a signed
-			DNS zone.  Described in RFC 4034.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			DOA
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Implements the Digital Object Architecture over
-			DNS. Experimental.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			DS
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Stores the hash of a public key associated with a
-			signed DNS zone.  Described in RFC 4034.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			EID
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			End Point Identifier.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			EUI48
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			A 48-bit EUI address. Described in RFC 7043.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			EUI64
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			A 64-bit EUI address. Described in RFC 7043.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			GID
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Reserved.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			GPOS
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Specifies the global position.  Superseded by LOC.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			HINFO
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Identifies the CPU and OS used by a host.
-			Described in RFC 1035.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			HIP
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Host Identity Protocol Address.
-			Described in RFC 5205.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			IPSECKEY
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Provides a method for storing IPsec keying material in
-			DNS.  Described in RFC 4025.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			ISDN
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Representation of ISDN addresses.
-			Experimental.  Described in RFC 1183.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			KEY
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Stores a public key associated with a
-			DNS name.  Used in original DNSSEC; replaced
-			by DNSKEY in DNSSECbis, but still used with
-			SIG(0).  Described in RFCs 2535 and 2931.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			KX
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Identifies a key exchanger for this
-			DNS name.  Described in RFC 2230.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			L32
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Holds 32-bit Locator values for
-			Identifier-Locator Network Protocol. Described
-			in RFC 6742.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			L64
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Holds 64-bit Locator values for
-			Identifier-Locator Network Protocol. Described
-			in RFC 6742.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			LOC
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			For storing GPS info.  Described in RFC 1876.
-			Experimental.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			LP
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Identifier-Locator Network Protocol.
-			Described in RFC 6742.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			MB
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Mail Box.  Historical.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			MD
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Mail Destination.  Historical.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			MF
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Mail Forwarder.  Historical.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			MG
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Mail Group.  Historical.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			MINFO
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Mail Information.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			MR
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Mail Rename. Historical.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			MX
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Identifies a mail exchange for the domain with
-			a 16-bit preference value (lower is better)
-			followed by the host name of the mail exchange.
-			Described in RFC 974, RFC 1035.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NAPTR
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Name authority pointer.  Described in RFC 2915.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NID
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Holds values for Node Identifiers in
-			Identifier-Locator Network Protocol. Described
-			in RFC 6742.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NINFO
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Contains zone status information.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NIMLOC
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Nimrod Locator.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NSAP
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			A network service access point.
-			Described in RFC 1706.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NSAP-PTR
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Historical.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NS
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			The authoritative name server for the
-			domain.  Described in RFC 1035.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NSEC
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Used in DNSSECbis to securely indicate that
-			RRs with an owner name in a certain name interval do
-			not exist in
-			a zone and indicate what RR types are present for an
-			existing name.
-			Described in RFC 4034.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NSEC3
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Used in DNSSECbis to securely indicate that
-			RRs with an owner name in a certain name
-			interval do not exist in a zone and indicate
-			what RR types are present for an existing
-			name.  NSEC3 differs from NSEC in that it
-			prevents zone enumeration but is more
-			computationally expensive on both the server
-			and the client than NSEC.  Described in RFC
-			5155.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NSEC3PARAM
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Used in DNSSECbis to tell the authoritative
-			server which NSEC3 chains are available to use.
-			Described in RFC 5155.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NULL
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			This is an opaque container.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			NXT
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Used in DNSSEC to securely indicate that
-			RRs with an owner name in a certain name interval do
-			not exist in
-			a zone and indicate what RR types are present for an
-			existing name.
-			Used in original DNSSEC; replaced by NSEC in
-			DNSSECbis.
-			Described in RFC 2535.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			OPENPGPKEY
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Used to hold an OPENPGPKEY.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			PTR
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			A pointer to another part of the domain
-			name space.  Described in RFC 1035.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			PX
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Provides mappings between RFC 822 and X.400
-			addresses.  Described in RFC 2163.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			RKEY
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Resource key.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			RP
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Information on persons responsible
-			for the domain.  Experimental.  Described in RFC 1183.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			RRSIG
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Contains DNSSECbis signature data.  Described
-			in RFC 4034.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			RT
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Route-through binding for hosts that
-			do not have their own direct wide area network
-			addresses.
-			Experimental.  Described in RFC 1183.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			SIG
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Contains DNSSEC signature data.  Used in
-			original DNSSEC; replaced by RRSIG in
-			DNSSECbis, but still used for SIG(0).
-			Described in RFCs 2535 and 2931.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			SINK
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			The kitchen sink record.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			SMIMEA
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			The S/MIME Security Certificate Association.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			SOA
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Identifies the start of a zone of authority.
-			Described in RFC 1035.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			SPF
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Contains the Sender Policy Framework information
-			for a given email domain.  Described in RFC 4408.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			SRV
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Information about well known network
-			services (replaces WKS).  Described in RFC 2782.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			SSHFP
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Provides a way to securely publish a secure shell key's
-			fingerprint.  Described in RFC 4255.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			TA
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Trust Anchor. Experimental.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			TALINK
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Trust Anchor Link.  Experimental.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			TLSA
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Transport Layer Security Certificate Association.
-			Described in RFC 6698.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			TXT
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Text records.  Described in RFC 1035.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			UID
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Reserved.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			UINFO
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Reserved.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			UNSPEC
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Reserved. Historical.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			URI
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Holds a URI. Described in RFC 7553.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			WKS
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Information about which well known
-			network services, such as SMTP, that a domain
-			supports. Historical.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			X25
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Representation of X.25 network addresses.
-			Experimental.  Described in RFC 1183.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			ZONEMD
-		      </para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Zone Message Digest.
-			Work in progress draft-wessels-dns-zone-digest.
+			data is type- and sometimes class-specific.
 		      </para>
 		    </entry>
 		  </row>
 		</tbody>
 	      </tgroup>
 	    </informaltable>
+		<para>
+		For a complete list of <emphasis>types</emphasis> of valid RRs,
+		including those that have been obsoleted,
+		please refer to https://en.wikipedia.org/wiki/List_of_DNS_record_types.
+		</para>
+
 	    <para>
 	      The following <emphasis>classes</emphasis> of resource records
 	      are currently valid in the DNS:
@@ -14247,7 +13267,7 @@ view external {
 		      <para>
 			Chaosnet, a LAN protocol created at MIT in the
 			mid-1970s.
-			Rarely used for its historical purpose, but reused for
+			It was rarely used for its historical purpose, but was reused for
 			BIND's
 			built-in server information zones, e.g.,
 			<literal>version.bind</literal>.
@@ -14264,11 +13284,11 @@ view external {
 		    <entry colname="2">
 		      <para>
 			Hesiod, an information service
-			developed by MIT's Project Athena. It is used to share
+			developed by MIT's Project Athena. It was used to share
 			information
 			about various systems databases, such as users,
-			groups, printers
-			and so on.
+			groups, printers,
+			etc.
 		      </para>
 		    </entry>
 		  </row>
@@ -14283,16 +13303,16 @@ view external {
 	      part of the RR.  For example, many name servers internally form
 	      tree
 	      or hash structures for the name space, and chain RRs off nodes.
-	      The remaining RR parts are the fixed header (type, class, TTL)
+	      The remaining RR parts are the fixed header (type, class, TTL),
 	      which is consistent for all RRs, and a variable part (RDATA)
 	      that
 	      fits the needs of the resource being described.
 	    </para>
 	    <para>
-	      The meaning of the TTL field is a time limit on how long an
+	      The TTL field is a time limit on how long an
 	      RR can be kept in a cache.  This limit does not apply to
 	      authoritative
-	      data in zones; it is also timed out, but by the refreshing
+	      data in zones; that also times out, but follows the refreshing
 	      policies
 	      for the zone.  The TTL is assigned by the administrator for the
 	      zone where the data originates.  While short TTLs can be used to
@@ -14303,8 +13323,7 @@ view external {
 	      order of days for the typical host.  If a change can be
 	      anticipated,
 	      the TTL can be reduced prior to the change to minimize
-	      inconsistency
-	      during the change, and then increased back to its former value
+	      inconsistency, and then increased back to its former value
 	      following
 	      the change.
 	    </para>
@@ -14315,7 +13334,7 @@ view external {
 	      used as "pointers" to other data in the DNS.
 	    </para>
 	  </section>
-	  <section xml:id="rr_text"><info><title>Textual expression of RRs</title></info>
+	  <section xml:id="rr_text"><info><title>Textual Expression of RRs</title></info>
 
 	    <para>
 	      RRs are represented in binary form in the packets of the DNS
@@ -14323,7 +13342,7 @@ view external {
 	      when
 	      stored in a name server or resolver.  In the examples provided
 	      in
-	      RFC 1034, a style similar to that used in master files was
+	      RFC 1034, a style similar to that used in zone files was
 	      employed
 	      in order to show the contents of RRs.  In this format, most RRs
 	      are shown on a single line, although continuation lines are
@@ -14337,22 +13356,22 @@ view external {
 	      readability.
 	    </para>
 	    <para>
-	      Following the owner, we list the TTL, type, and class of the
+	      Following the owner are list the TTL, type, and class of the
 	      RR.  Class and type use the mnemonics defined above, and TTL is
-	      an integer before the type field.  In order to avoid ambiguity
+	      an integer before the type field.  To avoid ambiguity
 	      in
 	      parsing, type and class mnemonics are disjoint, TTLs are
 	      integers,
 	      and the type mnemonic is always last. The IN class and TTL
 	      values
-	      are often omitted from examples in the interests of clarity.
+	      are often omitted from examples in the interest of clarity.
 	    </para>
 	    <para>
-	      The resource data or RDATA section of the RR are given using
+	      The resource data or RDATA section of the RR is given using
 	      knowledge of the typical representation for the data.
 	    </para>
 	    <para>
-	      For example, we might show the RRs carried in a message as:
+	      For example, the RRs carried in a message might be shown as:
 	    </para>
 	    <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
 		<colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
@@ -14462,14 +13481,14 @@ view external {
 	      The MX RRs have an RDATA section which consists of a 16-bit
 	      number followed by a domain name.  The address RRs use a
 	      standard
-	      IP address format to contain a 32-bit internet address.
+	      IP address format to contain a 32-bit Internet address.
 	    </para>
 	    <para>
 	      The above example shows six RRs, with two RRs at each of three
 	      domain names.
 	    </para>
 	    <para>
-	      Similarly we might see:
+	      Here is another possible example:
 	    </para>
 	    <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
 		<colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
@@ -14523,8 +13542,8 @@ view external {
 	    series of resource records, each of which contains a particular
 	    piece of information about a given domain name (which is usually,
 	    but not always, a host). The simplest way to think of a RR is as
-	    a typed pair of data, a domain name matched with a relevant datum,
-	    and stored with some additional type information to help systems
+	    a typed pair of data, a domain name matched with a relevant datum
+	    and stored with some additional type information, to help systems
 	    determine when the RR is relevant.
 	  </para>
 
@@ -14535,21 +13554,21 @@ view external {
 	    controls the order in which email delivery is attempted, with the
 	    lowest number first. If two priorities are the same, a server is
 	    chosen randomly. If no servers at a given priority are responding,
-	    the mail transport agent will fall back to the next largest
+	    the mail transport agent falls back to the next largest
 	    priority.
-	    Priority numbers do not have any absolute meaning — they are
+	    Priority numbers do not have any absolute meaning; they are
 	    relevant
 	    only respective to other MX records for that domain name. The
 	    domain
-	    name given is the machine to which the mail will be delivered.
+	    name given is the machine to which the mail is delivered.
 	    It <emphasis>must</emphasis> have an associated address record
-	    (A or AAAA) — CNAME is not sufficient.
+	    (A or AAAA); CNAME is not sufficient.
 	  </para>
 	  <para>
 	    For a given domain, if there is both a CNAME record and an
-	    MX record, the MX record is in error, and will be ignored.
+	    MX record, the MX record is in error, and is ignored.
 	    Instead,
-	    the mail will be delivered to the server specified in the MX
+	    the mail is delivered to the server specified in the MX
 	    record
 	    pointed to by the CNAME.
 	    For example:
@@ -14692,19 +13711,19 @@ view external {
 	      </tbody>
 	    </tgroup>
 	    </informaltable><para>
-	    Mail delivery will be attempted to <literal>mail.example.com</literal> and
+	    Mail delivery is attempted to <literal>mail.example.com</literal> and
 	    <literal>mail2.example.com</literal> (in
-	    any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
-	    be attempted.
+	    any order); if neither of those succeeds, delivery to <literal>mail.backup.org</literal>
+	    is attempted.
 	  </para>
 	</section>
 	<section xml:id="Setting_TTLs"><info><title>Setting TTLs</title></info>
 
 	  <para>
-	    The time-to-live of the RR field is a 32-bit integer represented
+	    The time-to- (TTL) of the RR field is a 32-bit integer represented
 	    in units of seconds, and is primarily used by resolvers when they
-	    cache RRs. The TTL describes how long a RR can be cached before it
-	    should be discarded. The following three types of TTL are
+	    cache RRs. The TTL describes how long an RR can be cached before it
+	    should be discarded. The following three types of TTLs are
 	    currently
 	    used in a zone file.
 	  </para>
@@ -14722,9 +13741,9 @@ view external {
 		  <entry colname="2">
 		    <para>
 		      The last field in the SOA is the negative
-		      caching TTL. This controls how long other servers will
+		      caching TTL. This controls how long other servers
 		      cache no-such-domain
-		      (NXDOMAIN) responses from you.
+		      (NXDOMAIN) responses from this server.
 		    </para>
 		    <para>
 		      The maximum time for
@@ -14756,7 +13775,7 @@ view external {
 		  <entry colname="2">
 		    <para>
 		      Each RR can have a TTL as the second
-		      field in the RR, which will control how long other
+		      field in the RR, which controls how long other
 		      servers can cache it.
 		    </para>
 		  </entry>
@@ -14766,7 +13785,7 @@ view external {
 	  </informaltable>
 	  <para>
 	    All of these TTLs default to units of seconds, though units
-	    can be explicitly specified, for example, <literal>1h30m</literal>.
+	    can be explicitly specified: for example, <literal>1h30m</literal>.
 	  </para>
 	</section>
 	<section xml:id="ipv4_reverse"><info><title>Inverse Mapping in IPv4</title></info>
@@ -14820,10 +13839,10 @@ view external {
 	  </informaltable>
 	  <note>
 	    <para>
-	      The <command>$ORIGIN</command> lines in the examples
-	      are for providing context to the examples only — they do not
+	      The <command>$ORIGIN</command> line in this example
+	      is only to provide context; it does not
 	      necessarily
-	      appear in the actual usage. They are only used here to indicate
+	      appear in the actual usage. It is only used here to indicate
 	      that the example is relative to the listed origin.
 	    </para>
 	  </note>
@@ -14831,15 +13850,15 @@ view external {
 	<section xml:id="zone_directives"><info><title>Other Zone File Directives</title></info>
 
 	  <para>
-	    The Master File Format was initially defined in RFC 1035 and
-	    has subsequently been extended. While the Master File Format
+	    The DNS "master file" format was initially defined in RFC 1035 and
+	    has subsequently been extended. While the format
 	    itself
-	    is class independent all records in a Master File must be of the
+	    is class-independent, all records in a zone file must be of the
 	    same
 	    class.
 	  </para>
 	  <para>
-	    Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
+	    Master file directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
 	    and <command>$TTL.</command>
 	  </para>
 	  <section xml:id="atsign"><info><title>The <command>@</command> (at-sign)</title></info>
@@ -14848,8 +13867,8 @@ view external {
 	      When used in the label (or name) field, the asperand or
 	      at-sign (@) symbol represents the current origin.
 	      At the start of the zone file, it is the
-	      &lt;<varname>zone_name</varname>&gt; (followed by
-	      trailing dot).
+	      &lt;<varname>zone_name</varname>&gt;, followed by a
+	      trailing dot (.).
 	    </para>
 	  </section>
 	  <section xml:id="origin_directive"><info><title>The <command>$ORIGIN</command> Directive</title></info>
@@ -14860,11 +13879,11 @@ view external {
 	      <optional><replaceable>comment</replaceable></optional>
 	    </para>
 	    <para><command>$ORIGIN</command>
-	      sets the domain name that will be appended to any
-	      unqualified records. When a zone is first read in there
+	      sets the domain name that is appended to any
+	      unqualified records. When a zone is first read, there
 	      is an implicit <command>$ORIGIN</command>
-	      &lt;<varname>zone_name</varname>&gt;<command>.</command>
-	      (followed by trailing dot).
+	      &lt;<varname>zone_name</varname>&gt;<command>.</command>;
+	      note the trailing dot.
 	      The current <command>$ORIGIN</command> is appended to
 	      the domain specified in the <command>$ORIGIN</command>
 	      argument if it is not absolute.
@@ -14894,10 +13913,10 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 	      <optional> <replaceable>comment</replaceable> </optional>
 	    </para>
 	    <para>
-	      Read and process the file <filename>filename</filename> as
-	      if it were included into the file at this point.  If <command>origin</command> is
-	      specified the file is processed with <command>$ORIGIN</command> set
-	      to that value, otherwise the current <command>$ORIGIN</command> is
+	      This reads and processes the file <filename>filename</filename> as
+	      if it were included in the file at this point.  If <command>origin</command> is
+	      specified, the file is processed with <command>$ORIGIN</command> set
+	      to that value; otherwise, the current <command>$ORIGIN</command> is
 	      used.
 	    </para>
 	    <para>
@@ -14927,7 +13946,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 <replaceable>comment</replaceable> </optional>
 	    </para>
 	    <para>
-	      Set the default Time To Live (TTL) for subsequent records
+	      This sets the default Time-To-Live (TTL) for subsequent records
 	      with undefined TTLs. Valid TTLs are of the range 0-2147483647
 	      seconds.
 	    </para>
@@ -14936,7 +13955,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 	    </para>
 	  </section>
 	</section>
-	<section xml:id="generate_directive"><info><title><acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive</title></info>
+	<section xml:id="generate_directive"><info><title><acronym>BIND</acronym> Primary File Extension: the  <command>$GENERATE</command> Directive</title></info>
 
 	  <para>
 	    Syntax: <command>$GENERATE</command>
@@ -14953,7 +13972,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 	    differ from each other by an
 	    iterator. <command>$GENERATE</command> can be used to
 	    easily generate the sets of records required to support
-	    sub /24 reverse delegations described in RFC 2317:
+	    sub-/24 reverse delegations described in RFC 2317:
 	    Classless IN-ADDR.ARPA delegation.
 	  </para>
 
@@ -14974,9 +13993,9 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
 </programlisting>
 
 	   <para>
-	    Generate a set of A and MX records.  Note the MX's right hand
-	    side is a quoted string.  The quotes will be stripped when the
-	    right hand side is processed.
+	    Both generate a set of A and MX records.  Note the MX's right-hand
+	    side is a quoted string.  The quotes are stripped when the
+	    right-hand side is processed.
 	   </para>
 
 <programlisting>
@@ -15012,9 +14031,9 @@ HOST-127.EXAMPLE. MX 0 .
 		    <para>
 		      This can be one of two forms: start-stop
 		      or start-stop/step. If the first form is used, then step
-		      is set to 1. start, stop and step must be positive
-		      integers between 0 and (2^31)-1. start must not be
-		      larger than stop.
+		      is set to 1. "start", "stop", and "step" must be positive
+		      integers between 0 and (2^31)-1. "start" must not be
+		      larger than "stop".
 		    </para>
 		  </entry>
 		</row>
@@ -15030,20 +14049,20 @@ HOST-127.EXAMPLE. MX 0 .
 		      symbols within the <command>lhs</command> string
 		      are replaced by the iterator value.
 
-		      To get a $ in the output, you need to escape the
+		      To get a $ in the output, escape the
 		      <command>$</command> using a backslash
 		      <command>\</command>,
-		      e.g. <command>\$</command>. The
+		      e.g., <command>\$</command>. The
 		      <command>$</command> may optionally be followed
 		      by modifiers which change the offset from the
-		      iterator, field width and base.
+		      iterator, field width, and base.
 
 		      Modifiers are introduced by a
 		      <command>{</command> (left brace) immediately following the
-		      <command>$</command> as
+		      <command>$</command>, as in
 		      <command>${offset[,width[,base]]}</command>.
 		      For example, <command>${-20,3,d}</command>
-		      subtracts 20 from the current value, prints the
+		      subtracts 20 from the current value and prints the
 		      result as a decimal in a zero-padded field of
 		      width 3.
 
@@ -15051,8 +14070,8 @@ HOST-127.EXAMPLE. MX 0 .
 		      (<command>d</command>), octal
 		      (<command>o</command>), hexadecimal
 		      (<command>x</command> or <command>X</command>
-		      for uppercase) and nibble
-		      (<command>n</command> or <command>N</command>\
+		      for uppercase), and nibble
+		      (<command>n</command> or <command>N</command>
 		      for uppercase).  The default modifier is
 		      <command>${0,0,d}</command>.  If the
 		      <command>lhs</command> is not absolute, the
@@ -15060,8 +14079,8 @@ HOST-127.EXAMPLE. MX 0 .
 		      to the name.
 		    </para>
 		    <para>
-		      In nibble mode the value will be treated as
-		      if it was a reversed hexadecimal string
+		      In nibble mode, the value is treated as
+		      if it were a reversed hexadecimal string,
 		      with each hexadecimal digit as a separate
 		      label.  The width field includes the label
 		      separator.
@@ -15079,8 +14098,8 @@ HOST-127.EXAMPLE. MX 0 .
 		  </entry>
 		  <entry colname="2">
 		    <para>
-		      Specifies the time-to-live of the generated records. If
-		      not specified this will be inherited using the
+		      This specifies the time-to-live of the generated records. If
+		      not specified, this is inherited using the
 		      normal TTL inheritance rules.
 		    </para>
 		    <para><command>class</command>
@@ -15095,7 +14114,7 @@ HOST-127.EXAMPLE. MX 0 .
 		  </entry>
 		  <entry colname="2">
 		    <para>
-		      Specifies the class of the generated records.
+		      This specifies the class of the generated records.
 		      This must match the zone class if it is
 		      specified.
 		    </para>
@@ -15111,7 +14130,7 @@ HOST-127.EXAMPLE. MX 0 .
 		  </entry>
 		  <entry colname="2">
 		    <para>
-		      Any valid type.
+		      This can be any valid type.
 		    </para>
 		  </entry>
 		</row>
@@ -15121,7 +14140,7 @@ HOST-127.EXAMPLE. MX 0 .
 		  </entry>
 		  <entry colname="2">
 		    <para>
-		      <command>rhs</command>, optionally, quoted string.
+		      <command>rhs</command> is an optionally quoted string.
 		    </para>
 		  </entry>
 		</row>
@@ -15140,7 +14159,7 @@ HOST-127.EXAMPLE. MX 0 .
 	<section xml:id="zonefile_format"><info><title>Additional File Formats</title></info>
 
 	  <para>
-	    In addition to the standard textual format, BIND 9
+	    In addition to the standard text format, BIND 9
 	    supports the ability to read or dump to zone files in
 	    other formats.
 	  </para>
@@ -15153,9 +14172,9 @@ HOST-127.EXAMPLE. MX 0 .
 	  <para>
 	    An even faster alternative is the <constant>map</constant>
 	    format, which is an image of a <acronym>BIND</acronym> 9
-	    in-memory zone database; it is capable of being loaded
+	    in-memory zone database; it can be loaded
 	    directly into memory via the <command>mmap()</command>
-	    function; the zone can begin serving queries almost
+	    function and the zone can begin serving queries almost
 	    immediately.
 	  </para>
 	  <para>
@@ -15163,25 +14182,25 @@ HOST-127.EXAMPLE. MX 0 .
 	    <constant>raw</constant> or <constant>map</constant>
 	    format is expected to be generated from a textual zone
 	    file by the <command>named-compilezone</command> command.
-	    For a secondary server or for a dynamic zone, it is automatically
-	    generated (if this format is specified by the
-	    <command>masterfile-format</command> option) when
+	    For a secondary server or for a dynamic zone, the zone file is automatically
+	    generated when
 	    <command>named</command> dumps the zone contents after
-	    zone transfer or when applying prior updates.
+	    zone transfer or when applying prior updates, if one of these formats is specified by the
+	    <command>masterfile-format</command> option.
 	  </para>
 	  <para>
 	    If a zone file in a binary format needs manual modification,
 	    it first must be converted to a textual form by the
-	    <command>named-compilezone</command> command.  All
-	    necessary modification should go to the text file, which
-	    should then be converted to the binary form by the
+	    <command>named-compilezone</command> command.  Make any
+	    necessary modifications to the text file, and
+	    then convert it to the binary form via the
 	    <command>named-compilezone</command> command again.
 	  </para>
 	  <para>
 	    Note that <command>map</command> format is extremely
 	    architecture-specific.  A <constant>map</constant>
 	    file <emphasis>cannot</emphasis> be used on a system
-	    with different pointer size, endianness or data alignment
+	    with different pointer size, endianness, or data alignment
 	    than the system on which it was generated, and should in
 	    general be used only inside a single system.
 	    While <constant>raw</constant> format uses
@@ -15197,21 +14216,20 @@ HOST-127.EXAMPLE. MX 0 .
 	</section>
       </section>
 
-      <section xml:id="statistics"><info><title>BIND9 Statistics</title></info>
+      <section xml:id="statistics"><info><title>BIND 9 Statistics</title></info>
 
 	<para>
 	  <acronym>BIND</acronym> 9 maintains lots of statistics
 	  information and provides several interfaces for users to
-	  get access to the statistics.
+	  access those statistics.
 	  The available statistics include all statistics counters
-	  that were available in <acronym>BIND</acronym> 8 and
-	  are meaningful in <acronym>BIND</acronym> 9,
+	  that are meaningful in <acronym>BIND</acronym> 9,
 	  and other information that is considered useful.
 	</para>
 
 	<para>
 	  The statistics information is categorized into the following
-	  sections.
+	  sections:
 	</para>
 
 	<informaltable frame="all">
@@ -15249,8 +14267,8 @@ HOST-127.EXAMPLE. MX 0 .
 		<entry colname="2">
 		  <para>
 		    The number of outgoing queries for each RR
-		    type sent from the internal resolver.
-		    Maintained per view.
+		    type sent from the internal resolver,
+		    maintained per view.
 		  </para>
 		</entry>
 	      </row>
@@ -15261,7 +14279,7 @@ HOST-127.EXAMPLE. MX 0 .
 		</entry>
 		<entry colname="2">
 		  <para>
-		    Statistics counters about incoming request processing.
+		    Statistics counters for incoming request processing.
 		  </para>
 		</entry>
 	      </row>
@@ -15273,7 +14291,7 @@ HOST-127.EXAMPLE. MX 0 .
 		<entry colname="2">
 		  <para>
 		    Statistics counters regarding zone maintenance
-		    operations such as zone transfers.
+		    operations, such as zone transfers.
 		  </para>
 		</entry>
 	      </row>
@@ -15284,9 +14302,9 @@ HOST-127.EXAMPLE. MX 0 .
 		</entry>
 		<entry colname="2">
 		  <para>
-		    Statistics counters about name resolution
-		    performed in the internal resolver.
-		    Maintained per view.
+		    Statistics counters for name resolutions
+		    performed in the internal resolver,
+		    maintained per view.
 		  </para>
 		</entry>
 	      </row>
@@ -15297,14 +14315,29 @@ HOST-127.EXAMPLE. MX 0 .
 		</entry>
 		<entry colname="2">
 		  <para>
-		    The number of RRsets per RR type and nonexistent
-		    names stored in the cache database.
-		    If the exclamation mark (!) is printed for a RR
-		    type, it means that particular type of RRset is
-		    known to be nonexistent (this is also known as
-		    "NXRRSET").  If a hash mark (#) is present then
-		    the RRset is marked for garbage collection.
-		    Maintained per view.
+		    Statistics counters related to cache contents,
+		    maintained per view.
+		  </para>
+		  <para>
+		    The "NXDOMAIN" counter is the number of names
+		    that have been cached as nonexistent.
+		    Counters named for RR types indicate the
+		    number of active RRsets for each type in the cache
+		    database.
+		  </para>
+		  <para>
+		    If an RR type name is preceded by an exclamation
+		    point (!), it represents the number of records in the
+		    cache which indicate that the type does not exist
+		    for a particular name; this is also known as "NXRRSET".
+		    If an RR type name is preceded by a hash mark (#), it
+		    represents the number of RRsets for this type that are
+		    present in the cache but whose TTLs have expired; these
+		    RRsets may only be used if stale answers are enabled.
+		    If an RR type name is preceded by a tilde (~), it
+		    represents the number of RRsets for this type that are
+		    present in the cache database but are marked for garbage
+		    collection; these RRsets cannot be used.
 		  </para>
 		</entry>
 	      </row>
@@ -15315,7 +14348,7 @@ HOST-127.EXAMPLE. MX 0 .
 		</entry>
 		<entry colname="2">
 		  <para>
-		    Statistics counters about network related events.
+		    Statistics counters for network-related events.
 		  </para>
 		</entry>
 	      </row>
@@ -15326,9 +14359,9 @@ HOST-127.EXAMPLE. MX 0 .
 
 	<para>
 	  A subset of Name Server Statistics is collected and shown
-	  per zone for which the server has the authority when
+	  per zone for which the server has the authority, when
 	  <command>zone-statistics</command> is set to
-	  <userinput>full</userinput> (or <userinput>yes</userinput>
+	  <userinput>full</userinput> (or <userinput>yes</userinput>),
 	  for backward compatibility. See the description of
 	  <command>zone-statistics</command> in <xref linkend="options"/>
 	  for further details.
@@ -15342,9 +14375,9 @@ HOST-127.EXAMPLE. MX 0 .
 	<para>
 	  There are currently two user interfaces to get access to the
 	  statistics.
-	  One is in the plain text format dumped to the file specified
-	  by the <command>statistics-file</command> configuration option.
-	  The other is remotely accessible via a statistics channel
+	  One is in plain-text format, dumped to the file specified
+	  by the <command>statistics-file</command> configuration option;
+	  the other is remotely accessible via a statistics channel
 	  when the <command>statistics-channels</command> statement
 	  is specified in the configuration file
 	  (see <xref linkend="statschannels"/>.)
@@ -15360,7 +14393,7 @@ HOST-127.EXAMPLE. MX 0 .
 	  </para>
 	  <para>
 	    The number in parentheses is a standard
-	    Unix-style timestamp, measured as seconds since January 1, 1970.
+	    Unix-style timestamp, measured in seconds since January 1, 1970.
 
 	    Following
 	    that line is a set of statistics information, which is categorized
@@ -15374,8 +14407,8 @@ HOST-127.EXAMPLE. MX 0 .
 
 	  <para>
 	    Each section consists of lines, each containing the statistics
-	    counter value followed by its textual description.
-	    See below for available counters.
+	    counter value followed by its textual description;
+	    see below for available counters.
 	    For brevity, counters that have a value of 0 are not shown
 	    in the statistics file.
 	  </para>
@@ -15392,16 +14425,16 @@ HOST-127.EXAMPLE. MX 0 .
 	<section xml:id="statistics_counters"><info><title>Statistics Counters</title></info>
 
 	  <para>
-	    The following tables summarize statistics counters that
+	    The following tables summarize the statistics counters that
 	    <acronym>BIND</acronym> 9 provides.
 	    For each row of the tables, the leftmost column is the
-	    abbreviated symbol name of that counter.
-	    These symbols are shown in the statistics information
+	    abbreviated symbol name of that counter;
+	    these symbols are shown in the statistics information
 	    accessed via an HTTP statistics channel.
 	    The rightmost column gives the description of the counter,
-	    which is also shown in the statistics file
-	    (but, in this document, possibly with slight modification
-	    for better readability).
+	    which is also shown in the statistics file,
+	    but, in this document, may be slightly modified
+	    for better readability.
 	    Additional notes may also be provided in this column.
 	    When a middle column exists between these two columns,
 	    it gives the corresponding counter name of the
@@ -15424,7 +14457,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			<emphasis>BIND8 Symbol</emphasis>
+			<emphasis>BIND 8 Symbol</emphasis>
 		      </para>
 		    </entry>
 		    <entry colname="3">
@@ -15443,8 +14476,8 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv4 requests received.
-			Note: this also counts non query requests.
+			This indicates the number of IPv4 requests received.
+			Note: this also counts non-query requests.
 		      </para>
 		    </entry>
 		  </row>
@@ -15457,8 +14490,8 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv6 requests received.
-			Note: this also counts non query requests.
+			This indicates the number of IPv6 requests received.
+			Note: this also counts non-query requests.
 		      </para>
 		    </entry>
 		  </row>
@@ -15471,7 +14504,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Requests with EDNS(0) received.
+			This indicates the number of requests received with EDNS(0).
 		      </para>
 		    </entry>
 		  </row>
@@ -15484,7 +14517,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Requests with unsupported EDNS version received.
+			This indicates the number of requests received with an unsupported EDNS version.
 		      </para>
 		    </entry>
 		  </row>
@@ -15497,7 +14530,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Requests with TSIG received.
+			This indicates the number of requests received with TSIG.
 		      </para>
 		    </entry>
 		  </row>
@@ -15510,7 +14543,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Requests with SIG(0) received.
+			This indicates the number of requests received with SIG(0).
 		      </para>
 		    </entry>
 		  </row>
@@ -15523,7 +14556,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Requests with invalid (TSIG or SIG(0)) signature.
+			This indicates the number of requests received with an invalid (TSIG or SIG(0)) signature.
 		      </para>
 		    </entry>
 		  </row>
@@ -15536,7 +14569,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			TCP requests received.
+			This indicates the number of TCP requests received.
 		      </para>
 		    </entry>
 		  </row>
@@ -15549,7 +14582,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Authoritative (non recursive) queries rejected.
+			This indicates the number of rejected authoritative (non-recursive) queries.
 		      </para>
 		    </entry>
 		  </row>
@@ -15562,7 +14595,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Recursive queries rejected.
+			This indicates the number of rejected recursive queries.
 		      </para>
 		    </entry>
 		  </row>
@@ -15575,7 +14608,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Zone transfer requests rejected.
+			This indicates the number of rejected zone transfer requests.
 		      </para>
 		    </entry>
 		  </row>
@@ -15588,7 +14621,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Dynamic update requests rejected.
+			This indicates the number of rejected dynamic update requests.
 		      </para>
 		    </entry>
 		  </row>
@@ -15601,7 +14634,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Responses sent.
+			This indicates the number of responses sent.
 		      </para>
 		    </entry>
 		  </row>
@@ -15614,7 +14647,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Truncated responses sent.
+			This indicates the number of truncated responses sent.
 		      </para>
 		    </entry>
 		  </row>
@@ -15627,7 +14660,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Responses with EDNS(0) sent.
+			This indicates the number of responses sent with EDNS(0).
 		      </para>
 		    </entry>
 		  </row>
@@ -15640,7 +14673,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Responses with TSIG sent.
+			This indicates the number of responses sent with TSIG.
 		      </para>
 		    </entry>
 		  </row>
@@ -15653,7 +14686,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Responses with SIG(0) sent.
+			This indicates the number of responses sent with SIG(0).
 		      </para>
 		    </entry>
 		  </row>
@@ -15666,8 +14699,8 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in a successful answer.
-			This means the query which returns a NOERROR response
+			This indicates the number of queries that resulted in a successful answer,
+			meaning queries which return a NOERROR response
 			with at least one answer RR.
 			This corresponds to the
 			<command>success</command> counter
@@ -15685,7 +14718,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in authoritative answer.
+			This indicates the number of queries that resulted in an authoritative answer.
 		      </para>
 		    </entry>
 		  </row>
@@ -15698,7 +14731,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in non authoritative answer.
+			This indicates the number of queries that resulted in a non-authoritative answer.
 		      </para>
 		    </entry>
 		  </row>
@@ -15711,7 +14744,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in referral answer.
+			This indicates the number of queries that resulted in a referral answer.
 			This corresponds to the
 			<command>referral</command> counter
 			of previous versions of
@@ -15728,7 +14761,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in NOERROR responses with no data.
+			This indicates the number of queries that resulted in NOERROR responses with no data.
 			This corresponds to the
 			<command>nxrrset</command> counter
 			of previous versions of
@@ -15745,7 +14778,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in SERVFAIL.
+			This indicates the number of queries that resulted in SERVFAIL.
 		      </para>
 		    </entry>
 		  </row>
@@ -15758,7 +14791,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in FORMERR.
+			This indicates the number of queries that resulted in FORMERR.
 		      </para>
 		    </entry>
 		  </row>
@@ -15771,7 +14804,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in NXDOMAIN.
+			This indicates the number of queries that resulted in NXDOMAIN.
 			This corresponds to the
 			<command>nxdomain</command> counter
 			of previous versions of
@@ -15788,7 +14821,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries which caused the server
+			This indicates the number of queries that caused the server
 			to perform recursion in order to find the final answer.
 			This corresponds to the
 			<command>recursion</command> counter
@@ -15806,9 +14839,9 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries which the server attempted to
-			recurse but discovered an existing query with the same
-			IP address, port, query ID, name, type and class
+			This indicates the number of queries which the server attempted to
+			recurse but for which it discovered an existing query with the same
+			IP address, port, query ID, name, type, and class
 			already being processed.
 			This corresponds to the
 			<command>duplicate</command> counter
@@ -15826,10 +14859,10 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Recursive queries for which the server
+			This indicates the number of recursive queries for which the server
 			discovered an excessive number of existing
-			recursive queries for the same name, type and
-			class and were subsequently dropped.
+			recursive queries for the same name, type, and
+			class, and which were subsequently dropped.
 			This is the number of dropped queries due to
 			the reason explained with the
 			<command>clients-per-query</command>
@@ -15854,18 +14887,18 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Other query failures.
+			This indicates the number of query failures.
 			This corresponds to the
 			<command>failure</command> counter
 			of previous versions of
 			<acronym>BIND</acronym> 9.
 			Note: this counter is provided mainly for
-			backward compatibility with the previous versions.
-			Normally a more fine-grained counters such as
+			backward compatibility with the previous versions;
+			normally, more fine-grained counters such as
 			<command>AuthQryRej</command> and
 			<command>RecQryRej</command>
 			that would also fall into this counter are provided,
-			and so this counter would not be of much
+			so this counter is not of much
 			interest in practice.
 		      </para>
 		    </entry>
@@ -15879,7 +14912,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in NXDOMAIN that were redirected.
+			This indicates the number of queries that resulted in NXDOMAIN that were redirected.
 		      </para>
 		    </entry>
 		  </row>
@@ -15892,7 +14925,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries resulted in NXDOMAIN that were redirected
+			This indicates the number of queries that resulted in NXDOMAIN that were redirected
 			and resulted in a successful remote lookup.
 		      </para>
 		    </entry>
@@ -15906,7 +14939,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Requested zone transfers completed.
+			This indicates the number of requested and completed zone transfers.
 		      </para>
 		    </entry>
 		  </row>
@@ -15919,7 +14952,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Update requests forwarded.
+			This indicates the number of forwarded update requests.
 		      </para>
 		    </entry>
 		  </row>
@@ -15932,7 +14965,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Update responses forwarded.
+			This indicates the number of forwarded update responses.
 		      </para>
 		    </entry>
 		  </row>
@@ -15945,7 +14978,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Dynamic update forward failed.
+			This indicates the number of forwarded dynamic updates that failed.
 		      </para>
 		    </entry>
 		  </row>
@@ -15958,7 +14991,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Dynamic updates completed.
+			This indicates the number of completed dynamic updates.
 		      </para>
 		    </entry>
 		  </row>
@@ -15971,7 +15004,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Dynamic updates failed.
+			This indicates the number of failed dynamic updates.
 		      </para>
 		    </entry>
 		  </row>
@@ -15984,7 +15017,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Dynamic updates rejected due to prerequisite failure.
+			This indicates the number of dynamic updates rejected due to a prerequisite failure.
 		      </para>
 		    </entry>
 		  </row>
@@ -15997,7 +15030,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Responses dropped by rate limits.
+			This indicates the number of responses dropped due to rate limits.
 		      </para>
 		    </entry>
 		  </row>
@@ -16010,7 +15043,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Responses truncated by rate limits.
+			This indicates the number of responses truncated by rate limits.
 		      </para>
 		    </entry>
 		  </row>
@@ -16023,7 +15056,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Response policy zone rewrites.
+			This indicates the number of response policy zone rewrites.
 		      </para>
 		    </entry>
 		  </row>
@@ -16058,7 +15091,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv4 notifies sent.
+			This indicates the number of IPv4 notifies sent.
 		      </para>
 		    </entry>
 		  </row>
@@ -16068,7 +15101,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv6 notifies sent.
+			This indicates the number of IPv6 notifies sent.
 		      </para>
 		    </entry>
 		  </row>
@@ -16078,7 +15111,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv4 notifies received.
+			This indicates the number of IPv4 notifies received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16088,7 +15121,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv6 notifies received.
+			This indicates the number of IPv6 notifies received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16098,7 +15131,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Incoming notifies rejected.
+			This indicates the number of incoming notifies rejected.
 		      </para>
 		    </entry>
 		  </row>
@@ -16108,7 +15141,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv4 SOA queries sent.
+			This indicates the number of IPv4 SOA queries sent.
 		      </para>
 		    </entry>
 		  </row>
@@ -16118,7 +15151,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv6 SOA queries sent.
+			This indicates the number of IPv6 SOA queries sent.
 		      </para>
 		    </entry>
 		  </row>
@@ -16128,7 +15161,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv4 AXFR requested.
+			This indicates the number of requested IPv4 AXFRs.
 		      </para>
 		    </entry>
 		  </row>
@@ -16138,7 +15171,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv6 AXFR requested.
+			This indicates the number of requested IPv6 AXFRs.
 		      </para>
 		    </entry>
 		  </row>
@@ -16148,7 +15181,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv4 IXFR requested.
+			This indicates the number of requested IPv4 IXFRs.
 		      </para>
 		    </entry>
 		  </row>
@@ -16158,7 +15191,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			IPv6 IXFR requested.
+			This indicates the number of requested IPv6 IXFRs.
 		      </para>
 		    </entry>
 		  </row>
@@ -16168,7 +15201,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Zone transfer requests succeeded.
+			This indicates the number of successful zone transfer requests.
 		      </para>
 		    </entry>
 		  </row>
@@ -16178,7 +15211,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Zone transfer requests failed.
+			This indicates the number of failed zone transfer requests.
 		      </para>
 		    </entry>
 		  </row>
@@ -16203,7 +15236,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			<emphasis>BIND8 Symbol</emphasis>
+			<emphasis>BIND 8 Symbol</emphasis>
 		      </para>
 		    </entry>
 		    <entry colname="3">
@@ -16222,7 +15255,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv4 queries sent.
+			This indicates the number of IPv4 queries sent.
 		      </para>
 		    </entry>
 		  </row>
@@ -16235,7 +15268,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv6 queries sent.
+			This indicates the number of IPv6 queries sent.
 		      </para>
 		    </entry>
 		  </row>
@@ -16248,7 +15281,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv4 responses received.
+			This indicates the number of IPv4 responses received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16261,7 +15294,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv6 responses received.
+			This indicates the number of IPv6 responses received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16274,7 +15307,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			NXDOMAIN received.
+			This indicates the number of NXDOMAINs received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16287,7 +15320,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			SERVFAIL received.
+			This indicates the number of SERVFAILs received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16300,7 +15333,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			FORMERR received.
+			This indicates the number of FORMERRs received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16313,7 +15346,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Other errors received.
+			This indicates the number of other errors received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16326,7 +15359,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			EDNS(0) query failures.
+			This indicates the number of EDNS(0) query failures.
 		      </para>
 		    </entry>
 		  </row>
@@ -16339,8 +15372,8 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Mismatch responses received.
-			The DNS ID, response's source address,
+			This indicates the number of mismatched responses received,
+			meaning the DNS ID, response's source address,
 			and/or the response's source port does not
 			match what was expected.
 			(The port must be 53 or as defined by
@@ -16359,7 +15392,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Truncated responses received.
+			This indicates the number of truncated responses received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16372,7 +15405,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Lame delegations received.
+			This indicates the number of lame delegations received.
 		      </para>
 		    </entry>
 		  </row>
@@ -16385,7 +15418,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Query retries performed.
+			This indicates the number of query retries performed.
 		      </para>
 		    </entry>
 		  </row>
@@ -16398,7 +15431,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Queries aborted due to quota control.
+			This indicates the number of queries aborted due to quota control.
 		      </para>
 		    </entry>
 		  </row>
@@ -16411,10 +15444,9 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Failures in opening query sockets.
+			This indicates the number of failures in opening query sockets.
 			One common reason for such failures is a
-			failure of opening a new socket due to a
-			limitation on file descriptors.
+			due to a limitation on file descriptors.
 		      </para>
 		    </entry>
 		  </row>
@@ -16427,7 +15459,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Query timeouts.
+			This indicates the number of query timeouts.
 		      </para>
 		    </entry>
 		  </row>
@@ -16440,7 +15472,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv4 NS address fetches invoked.
+			This indicates the number of IPv4 NS address fetches invoked.
 		      </para>
 		    </entry>
 		  </row>
@@ -16453,7 +15485,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv6 NS address fetches invoked.
+			This indicates the number of IPv6 NS address fetches invoked.
 		      </para>
 		    </entry>
 		  </row>
@@ -16466,7 +15498,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv4 NS address fetch failed.
+			This indicates the number of failed IPv4 NS address fetches.
 		      </para>
 		    </entry>
 		  </row>
@@ -16479,7 +15511,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			IPv6 NS address fetch failed.
+			This indicates the number of failed IPv6 NS address fetches.
 		      </para>
 		    </entry>
 		  </row>
@@ -16492,7 +15524,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			DNSSEC validation attempted.
+			This indicates the number of attempted DNSSEC validations.
 		      </para>
 		    </entry>
 		  </row>
@@ -16505,7 +15537,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			DNSSEC validation succeeded.
+			This indicates the number of successful DNSSEC validations.
 		      </para>
 		    </entry>
 		  </row>
@@ -16518,7 +15550,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			DNSSEC validation on negative information succeeded.
+			This indicates the number of successful DNSSEC validations on negative information.
 		      </para>
 		    </entry>
 		  </row>
@@ -16531,7 +15563,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			DNSSEC validation failed.
+			This indicates the number of failed DNSSEC validations.
 		      </para>
 		    </entry>
 		  </row>
@@ -16544,8 +15576,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="3">
 		      <para>
-			Frequency table on round trip times (RTTs) of
-			queries.
+			This provides a frequency table on query round-trip times (RTTs).
 			Each <command>nn</command> specifies the corresponding
 			frequency.
 			In the sequence of
@@ -16557,11 +15588,11 @@ HOST-127.EXAMPLE. MX 0 .
 			number of queries whose RTTs are between
 			<command>nn_(i-1)</command> (inclusive) and
 			<command>nn_i</command> (exclusive) milliseconds.
-			For the sake of convenience we define
+			For the sake of convenience, we define
 			<command>nn_0</command> to be 0.
 			The last entry should be represented as
 			<command>nn_m+</command>, which means the
-			number of queries whose RTTs are equal to or over
+			number of queries whose RTTs are equal to or greater than
 			<command>nn_m</command> milliseconds.
 		      </para>
 		    </entry>
@@ -16576,7 +15607,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 	    <para>
 	      Socket I/O statistics counters are defined per socket
-	      types, which are
+	      type, which are
 	      <command>UDP4</command> (UDP/IPv4),
 	      <command>UDP6</command> (UDP/IPv6),
 	      <command>TCP4</command> (TCP/IPv4),
@@ -16584,7 +15615,7 @@ HOST-127.EXAMPLE. MX 0 .
 	      <command>Unix</command> (Unix Domain), and
 	      <command>FDwatch</command> (sockets opened outside the
 	      socket module).
-	      In the following table <command>&lt;TYPE&gt;</command>
+	      In the following table, <command>&lt;TYPE&gt;</command>
 	      represents a socket type.
 	      Not all counters are available for all socket types;
 	      exceptions are noted in the description field.
@@ -16614,8 +15645,8 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Sockets opened successfully.
-			This counter is not applicable to the
+			This indicates the number of sockets opened successfully.
+			This counter does not apply to the
 			<command>FDwatch</command> type.
 		      </para>
 		    </entry>
@@ -16626,8 +15657,8 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Failures of opening sockets.
-			This counter is not applicable to the
+			This indicates the number of failures to open sockets.
+			This counter does not apply to the
 			<command>FDwatch</command> type.
 		      </para>
 		    </entry>
@@ -16638,7 +15669,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Sockets closed.
+			This indicates the number of closed sockets.
 		      </para>
 		    </entry>
 		  </row>
@@ -16648,7 +15679,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Failures of binding sockets.
+			This indicates the number of failures to bind sockets.
 		      </para>
 		    </entry>
 		  </row>
@@ -16658,7 +15689,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Failures of connecting sockets.
+			This indicates the number of failures to connect sockets.
 		      </para>
 		    </entry>
 		  </row>
@@ -16668,7 +15699,7 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Connections established successfully.
+			This indicates the number of connections established successfully.
 		      </para>
 		    </entry>
 		  </row>
@@ -16678,8 +15709,8 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Failures of accepting incoming connection requests.
-			This counter is not applicable to the
+			This indicates the number of failures to accept incoming connection requests.
+			This counter does not apply to the
 			<command>UDP</command> and
 			<command>FDwatch</command> types.
 		      </para>
@@ -16691,8 +15722,8 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Incoming connections successfully accepted.
-			This counter is not applicable to the
+			This indicates the number of incoming connections successfully accepted.
+			This counter does not apply to the
 			<command>UDP</command> and
 			<command>FDwatch</command> types.
 		      </para>
@@ -16704,9 +15735,9 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Errors in socket send operations.
+			This indicates the number of errors in socket send operations.
 			This counter corresponds
-			to <command>SErr</command> counter of
+			to the <command>SErr</command> counter of
 			<command>BIND</command> 8.
 		      </para>
 		    </entry>
@@ -16717,9 +15748,9 @@ HOST-127.EXAMPLE. MX 0 .
 		    </entry>
 		    <entry colname="2">
 		      <para>
-			Errors in socket receive operations.
-			This includes errors of send operations on a
-			connected UDP socket notified by an ICMP error
+			This indicates the number of errors in socket receive operations,
+			including errors of send operations on a
+			connected UDP socket, notified by an ICMP error
 			message.
 		      </para>
 		    </entry>
@@ -16734,7 +15765,7 @@ HOST-127.EXAMPLE. MX 0 .
 	    <para>
 	      Most statistics counters that were available
 	      in <command>BIND</command> 8 are also supported in
-	      <command>BIND</command> 9 as shown in the above tables.
+	      <command>BIND</command> 9, as shown in the above tables.
 	      Here are notes about other counters that do not appear
 	      in these tables.
 	    </para>
@@ -16744,7 +15775,7 @@ HOST-127.EXAMPLE. MX 0 .
 		<term><command>RFwdR,SFwdR</command></term>
 		<listitem>
 		  <para>
-		    These counters are not supported
+		    These counters are not supported,
 		    because <command>BIND</command> 9 does not adopt
 		    the notion of <emphasis>forwarding</emphasis>
 		    as <command>BIND</command> 8 did.
@@ -16774,9 +15805,9 @@ HOST-127.EXAMPLE. MX 0 .
 		<term><command>ROpts</command></term>
 		<listitem>
 		  <para>
-		    This counter is not supported
+		    This counter is not supported,
 		    because <command>BIND</command> 9 does not care
-		    about IP options in the first place.
+		    about IP options.
 		  </para>
 		</listitem>
 	      </varlistentry>
@@ -16792,36 +15823,36 @@ HOST-127.EXAMPLE. MX 0 .
 
 	<para>
 	  Access Control Lists (ACLs) are address match lists that
-	  you can set up and nickname for future use in
+	  can be set up and nicknamed for future use in
 	  <command>allow-notify</command>, <command>allow-query</command>,
 	  <command>allow-query-on</command>, <command>allow-recursion</command>,
 	  <command>blackhole</command>, <command>allow-transfer</command>,
 	  <command>match-clients</command>, etc.
 	</para>
 	<para>
-	  Using ACLs allows you to have finer control over who can access
-	  your name server, without cluttering up your config files with huge
+	  ACLs give users finer control over who can access
+	  the name server, without cluttering up configuration files with huge
 	  lists of IP addresses.
 	</para>
 	<para>
 	  It is a <emphasis>good idea</emphasis> to use ACLs, and to
-	  control access to your server. Limiting access to your server by
+	  control access. Limiting access to the server by
 	  outside parties can help prevent spoofing and denial of service
-	  (DoS) attacks against your server.
+	  (DoS) attacks against the server.
 	</para>
 	<para>
 	  ACLs match clients on the basis of up to three characteristics:
 	  1) The client's IP address; 2) the TSIG or SIG(0) key that was
 	  used to sign the request, if any; and 3) an address prefix
-	  encoded in an EDNS Client Subnet option, if any.
+	  encoded in an EDNS Client-Subnet option, if any.
 	</para>
 	<para>
 	  Here is an example of ACLs based on client addresses:
 	</para>
 
 <programlisting>
-// Set up an ACL named "bogusnets" that will block
-// RFC1918 space and some reserved space, which is
+// Set up an ACL named "bogusnets" that blocks
+// RFC 1918 space and some reserved space, which is
 // commonly used in spoofing attacks.
 acl bogusnets {
 	0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
@@ -16860,11 +15891,11 @@ zone "example.com" {
 	  may include <option>key</option> elements, which specify the
 	  name of a TSIG or SIG(0) key, or <option>ecs</option>
 	  elements, which specify a network prefix but are only matched
-	  if that prefix matches an EDNS client subnet option included
+	  if that prefix matches an EDNS client-subnet option included
 	  in the request.
 	</para>
 	<para>
-	  The EDNS Client Subnet (ECS) option is used by a recursive
+	  The EDNS Client-Subnet (ECS) option is used by a recursive
 	  resolver to inform an authoritative name server of the network
 	  address block from which the original query was received, enabling
 	  authoritative servers to give different answers to the same
@@ -16879,7 +15910,7 @@ zone "example.com" {
 	</para>
 	<note>
 	  <simpara>
-	    (Note: The authoritative ECS implementation in
+	    (Note: the authoritative ECS implementation in
 	    <command>named</command> is based on an early version of the
 	    specification, and is known to have incompatibilities with
 	    other implementations.  It is also inefficient, requiring
@@ -16896,7 +15927,7 @@ zone "example.com" {
 	  <command>geoip <optional>db <replaceable>database</replaceable></optional> <replaceable>field</replaceable> <replaceable>value</replaceable></command>
 	</para>
 	<para>
-	  The <replaceable>field</replaceable> indicates which field
+	  The <replaceable>field</replaceable> parameter indicates which field
 	  to search for a match.  Available fields are "country",
 	  "region", "city", "continent", "postal" (postal code),
 	  "metro" (metro code), "area" (area code), "tz" (timezone),
@@ -16908,13 +15939,13 @@ zone "example.com" {
 	  contains spaces or other special characters.  An "asnum"
 	  search for autonomous system number can be specified using
 	  the string "ASNNNN" or the integer NNNN.
-	  When "country" search is specified with a string is two
-	  characters long, then it must be a standard ISO-3166-1
-	  two-letter country code; otherwise it is interpreted as
-	  the full name of the country.  Similarly, if this is a
-	  "region" search and the string is two characters long,
-	  then it treated as a standard two-letter state or province
-	  abbreviation; otherwise it treated as the full name of the
+	  When "country" search is specified with a string that is two
+	  characters long, it must be a standard ISO-3166-1
+	  two-letter country code; otherwise, it is interpreted as
+	  the full name of the country.  Similarly, if
+	  "region" is the search term and the string is two characters long,
+	  it is treated as a standard two-letter state or province
+	  abbreviation; otherwise, it is treated as the full name of the
 	  state or province.
 	</para>
 	<para>
@@ -16925,20 +15956,20 @@ zone "example.com" {
 	  can be answered from either the "city" or "country" databases,
 	  so for these search types, specifying a
 	  <replaceable>database</replaceable>
-	  will force the query to be answered from that database and no
+	  forces the query to be answered from that database and no
 	  other.  If <replaceable>database</replaceable> is not
-	  specified, then these queries will be answered from the "city",
-	  database if it is installed, or the "country" database if it
-	  is installed, in that order. Valid database names are
+	  specified, these queries are first answered from the "city"
+	  database if it is installed, and then from the "country" database if it
+	  is installed. Valid database names are
 	  "country", "city", "asnum", "isp", and "domain". (If using
 	  the legacy GeoIP API, "netspeed" and "org" databases are also
 	  available.)
 	</para>
 	<para>
-	  By default, if a DNS query includes an EDNS Client Subnet (ECS)
-	  option which encodes a non-zero address prefix, then GeoIP ACLs
-	  will be matched against that address prefix.  Otherwise, they
-	  are matched against the source address of the query.  To
+	  By default, if a DNS query includes an EDNS Client-Subnet (ECS)
+	  option which encodes a non-zero address prefix, then GeoIP ACL
+	  elements are matched against that address prefix.  Otherwise,
+	  they are matched against the source address of the query.  To
 	  prevent GeoIP ACLs from matching against ECS options, set
 	  the <command>geoip-use-ecs</command> to <literal>no</literal>.
 	</para>
@@ -16957,22 +15988,22 @@ geoip org "Internet Systems Consortium";
 </programlisting>
 
 	<para>
-	  ACLs use a "first-match" logic rather than "best-match":
+	  ACLs use a "first-match" logic rather than "best-match";
 	  if an address prefix matches an ACL element, then that ACL
 	  is considered to have matched even if a later element would
 	  have matched more specifically.  For example, the ACL
-	  <command> { 10/8; !10.0.0.1; }</command> would actually
+	  <command>{ 10/8; !10.0.0.1; }</command> would actually
 	  match a query from 10.0.0.1, because the first element
-	  indicated that the query should be accepted, and the second
+	  indicates that the query should be accepted, and the second
 	  element is ignored.
 	</para>
 	<para>
 	  When using "nested" ACLs (that is, ACLs included or referenced
-	  within other ACLs), a negative match of a nested ACL will
+	  within other ACLs), a negative match of a nested ACL tells
 	  the containing ACL to continue looking for matches.  This
 	  enables complex ACLs to be constructed, in which multiple
 	  client characteristics can be checked at the same time. For
-	  example, to construct an ACL which allows queries only when
+	  example, to construct an ACL which allows a query only when
 	  it originates from a particular network <emphasis>and</emphasis>
 	  only when it is signed with a particular key, use:
 	</para>
@@ -16981,14 +16012,14 @@ allow-query { !{ !10/8; any; }; key example; };
 </programlisting>
 	<para>
 	  Within the nested ACL, any address that is
-	  <emphasis>not</emphasis> in the 10/8 network prefix will
-	  be rejected, and this will terminate processing of the
+	  <emphasis>not</emphasis> in the 10/8 network prefix is
+	  rejected, which terminates processing of the
 	  ACL.  Any address that <emphasis>is</emphasis> in the 10/8
-	  network prefix will be accepted, but this causes a negative
+	  network prefix is accepted, but this causes a negative
 	  match of the nested ACL, so the containing ACL continues
-	  processing. The query will then be accepted if it is signed
+	  processing. The query is accepted if it is signed
 	  by the key "example", and rejected otherwise.  The ACL, then,
-	  will only matches when <emphasis>both</emphasis> conditions
+	  only matches when <emphasis>both</emphasis> conditions
 	  are true.
 	</para>
       </section>
@@ -16996,17 +16027,17 @@ allow-query { !{ !10/8; any; }; key example; };
       <section xml:id="chroot_and_setuid"><info><title><command>Chroot</command> and <command>Setuid</command></title></info>
 
 	<para>
-	  On UNIX servers, it is possible to run <acronym>BIND</acronym>
+	  On Unix servers, it is possible to run <acronym>BIND</acronym>
 	  in a <emphasis>chrooted</emphasis> environment (using
 	  the <command>chroot()</command> function) by specifying
 	  the <option>-t</option> option for <command>named</command>.
 	  This can help improve system security by placing
-	  <acronym>BIND</acronym> in a "sandbox", which will limit
+	  <acronym>BIND</acronym> in a "sandbox," which limits
 	  the damage done if a server is compromised.
 	</para>
 	<para>
-	  Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
-	  ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
+	  Another useful feature in the Unix version of <acronym>BIND</acronym> is the
+	  ability to run the daemon as an unprivileged user (<option>-u</option> <replaceable>user</replaceable>).
 	  We suggest running as an unprivileged user when using the <command>chroot</command> feature.
 	</para>
 	<para>
@@ -17021,23 +16052,23 @@ allow-query { !{ !10/8; any; }; key example; };
 	<section xml:id="chroot"><info><title>The <command>chroot</command> Environment</title></info>
 
 	  <para>
-	    In order for a <command>chroot</command> environment
+	    For a <command>chroot</command> environment
 	    to work properly in a particular directory (for example,
-	    <filename>/var/named</filename>), you will need to set
-	    up an environment that includes everything
+	    <filename>/var/named</filename>), the
+	    environment must include everything
 	    <acronym>BIND</acronym> needs to run.  From
 	    <acronym>BIND</acronym>'s point of view,
 	    <filename>/var/named</filename> is the root of the
-	    filesystem.  You will need to adjust the values of
+	    filesystem; the values of
 	    options like <command>directory</command> and
-	    <command>pid-file</command> to account for this.
+	    <command>pid-file</command> must be adjusted to account for this.
 	  </para>
 	  <para>
-	    Unlike with earlier versions of BIND, you typically will
-	    <emphasis>not</emphasis> need to compile <command>named</command>
-	    statically nor install shared libraries under the new root.
-	    However, depending on your operating system, you may need
-	    to set up things like
+	    Unlike with earlier versions of BIND,
+	    <command>named</command> does <emphasis>not</emphasis> typically need to be compiled
+	    statically, nor do shared libraries need to be installed under the new root.
+	    However, depending on the operating system, it may be necessary
+	    to set up locations such as
 	    <filename>/dev/zero</filename>,
 	    <filename>/dev/random</filename>,
 	    <filename>/dev/log</filename>, and
@@ -17055,12 +16086,12 @@ allow-query { !{ !10/8; any; }; key example; };
 	    modification times) or the <command>chown</command>
 	    utility (to
 	    set the user id and/or group id) on files
-	    to which you want <acronym>BIND</acronym>
-	    to write.
+	    where <acronym>BIND</acronym>
+	    should write.
 	  </para>
 	  <note><simpara>
 	    If the <command>named</command> daemon is running as an
-	    unprivileged user, it will not be able to bind to new restricted
+	    unprivileged user, it cannot bind to new restricted
 	    ports if the server is reloaded.
 	  </simpara></note>
 	</section>
@@ -17077,16 +16108,16 @@ allow-query { !{ !10/8; any; }; key example; };
 	  or
 	  network prefix in the <command>allow-update</command>
 	  zone option.
-	  This method is insecure since the source address of the update UDP
+	  This method is insecure, since the source address of the update UDP
 	  packet
 	  is easily forged.  Also note that if the IP addresses allowed by the
 	  <command>allow-update</command> option include the
-	  address of a slave
-	  server which performs forwarding of dynamic updates, the master can
+	  address of a secondary
+	  server which performs forwarding of dynamic updates, the primary can
 	  be
-	  trivially attacked by sending the update to the slave, which will
-	  forward it to the master with its own source IP address causing the
-	  master to approve it without question.
+	  trivially attacked by sending the update to the secondary, which
+	  forwards it to the primary with its own source IP address - causing the
+	  primary to approve it without question.
 	</para>
 
 	<para>
@@ -17095,16 +16126,16 @@ allow-query { !{ !10/8; any; }; key example; };
 	  (TSIG).  That is, the <command>allow-update</command>
 	  option should
 	  list only TSIG key names, not IP addresses or network
-	  prefixes. Alternatively, the new <command>update-policy</command>
+	  prefixes. Alternatively, the <command>update-policy</command>
 	  option can be used.
 	</para>
 
 	<para>
-	  Some sites choose to keep all dynamically-updated DNS data
+	  Some sites choose to keep all dynamically updated DNS data
 	  in a subdomain and delegate that subdomain to a separate zone. This
-	  way, the top-level zone containing critical data such as the IP
+	  way, the top-level zone containing critical data, such as the IP
 	  addresses
-	  of public web and mail servers need not allow dynamic update at
+	  of public web and mail servers, need not allow dynamic update at
 	  all.
 	</para>
 
@@ -17115,14 +16146,14 @@ allow-query { !{ !10/8; any; }; key example; };
 
       <section xml:id="common_problems"><info><title>Common Problems</title></info>
 
-	<section><info><title>It's not working; how can I figure out what's wrong?</title></info>
+	<section><info><title>It's Not Working; How Can I Figure Out What's Wrong?</title></info>
 
 	  <para>
-	    The best solution to solving installation and
-	    configuration issues is to take preventative measures by setting
+	    The best solution to installation and
+	    configuration issues is to take preventive measures by setting
 	    up logging files beforehand. The log files provide a
-	    source of hints and information that can be used to figure out
-	    what went wrong and how to fix the problem.
+	    source of hints and information that can be used to identify
+	    what went wrong and fix the problem.
 	  </para>
 
 	</section>
@@ -17130,54 +16161,54 @@ allow-query { !{ !10/8; any; }; key example; };
       <section><info><title>Incrementing and Changing the Serial Number</title></info>
 
 	<para>
-	  Zone serial numbers are just numbers — they aren't
-	  date related.  A lot of people set them to a number that
+	  Zone serial numbers are just numbers — they are not
+	  date-related.  However, many people set them to a number that
 	  represents a date, usually of the form YYYYMMDDRR.
-	  Occasionally they will make a mistake and set them to a
-	  "date in the future" then try to correct them by setting
-	  them to the "current date".  This causes problems because
+	  Occasionally they make a mistake and set the serial number to a
+	  date in the future, then try to correct it by setting
+	  it to the current date.  This causes problems because
 	  serial numbers are used to indicate that a zone has been
-	  updated.  If the serial number on the slave server is
-	  lower than the serial number on the master, the slave
-	  server will attempt to update its copy of the zone.
+	  updated.  If the serial number on the secondary server is
+	  lower than the serial number on the primary, the secondary
+	  server attempts to update its copy of the zone.
 	</para>
 
 	<para>
-	  Setting the serial number to a lower number on the master
-	  server than the slave server means that the slave will not perform
+	  Setting the serial number to a lower number on the primary
+	  server than the one on the secondary server means that the secondary will not perform
 	  updates to its copy of the zone.
 	</para>
 
 	<para>
 	  The solution to this is to add 2147483647 (2^31-1) to the
-	  number, reload the zone and make sure all slaves have updated to
-	  the new zone serial number, then reset the number to what you want
-	  it to be, and reload the zone again.
+	  number, reload the zone and make sure all secondaries have updated to
+	  the new zone serial number, then reset it to the desired number
+	  and reload the zone again.
 	</para>
 
       </section>
       <section xml:id="more_help"><info><title>Where Can I Get Help?</title></info>
 
 	<para>
-	  The Internet Systems Consortium
-	  (<acronym>ISC</acronym>) offers a wide range
-	  of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
-	  levels of premium support are available and each level includes
-	  support for all <acronym>ISC</acronym> programs,
-	  significant discounts on products
-	  and training, and a recognized priority on bug fixes and
-	  non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
-	  support agreement package which includes services ranging from bug
-	  fix announcements to remote support. It also includes training in
-	  <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
+	The BIND-users mailing list, at https://lists.isc.org/mailman/listinfo/bind-users,
+	is an excellent resource for peer user support. In addition, <acronym>ISC</acronym> maintains a
+	Knowledgebase of helpful articles at https://kb.isc.org.
+	</para>
+
+	<para>
+	  Internet Systems Consortium
+	  (<acronym>ISC</acronym>) offers annual
+	  support agreements for <acronym>BIND</acronym>9, ISC <acronym>DHCP</acronym>, and Kea DHCP.
+	  All paid support contracts include advance security notifications; some levels include
+	  service level agreements (SLAs), premium software features, and increased priority on bug fixes
+	  and feature requests.
 	</para>
 
 	<para>
-	  To discuss arrangements for support, contact
-	  <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="mailto:info@isc.org">info@isc.org</link> or visit the
-	  <acronym>ISC</acronym> web page at
-	  <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/services/support/">http://www.isc.org/services/support/</link>
-	  to read more.
+	  Please contact
+	  <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="mailto:info@isc.org">info@isc.org</link> or visit
+	  <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/contact/">https://www.isc.org/contact/</link>
+	  for more information.
 	</para>
       </section>
     </chapter>
@@ -17188,8 +16219,8 @@ allow-query { !{ !10/8; any; }; key example; };
 
     <appendix xml:id="Bv9ARM.ch10"><info><title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title></info>
       <para xml:id="historical_dns_information">
-	Although the "official" beginning of the Domain Name
-	System occurred in 1984 with the publication of RFC 920, the
+	Although the Domain Name
+	System "officially" began in 1984 with the publication of RFC 920, the
 	core of the new system was described in 1983 in RFCs 882 and
 	883. From 1984 to 1987, the ARPAnet (the precursor to today's
 	Internet) became a testbed of experimentation for developing the
@@ -17197,14 +16228,14 @@ allow-query { !{ !10/8; any; }; key example; };
 	operational network environment.  New RFCs were written and
 	published in 1987 that modified the original documents to
 	incorporate improvements based on the working model. RFC 1034,
-	"Domain Names-Concepts and Facilities", and RFC 1035, "Domain
-	Names-Implementation and Specification" were published and
+	"Domain Names-Concepts and Facilities," and RFC 1035, "Domain
+	Names-Implementation and Specification," were published and
 	became the standards upon which all <acronym>DNS</acronym> implementations are
 	built.
       </para>
 
       <para>
-	The first working domain name server, called "Jeeves", was
+	The first working domain name server, called "Jeeves," was
 	written in 1983-84 by Paul Mockapetris for operation on DEC
 	Tops-20
 	machines located at the University of Southern California's
@@ -17225,7 +16256,7 @@ allow-query { !{ !10/8; any; }; key example; };
 	Versions of <acronym>BIND</acronym> through
 	4.8.3 were maintained by the Computer
 	Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-	Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
+	Painter, David Riggle, and Songnian Zhou made up the initial <acronym>BIND</acronym>
 	project team. After that, additional work on the software package
 	was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
 	Corporation
@@ -17239,7 +16270,7 @@ allow-query { !{ !10/8; any; }; key example; };
       <para>
 	<acronym>BIND</acronym> versions 4.9 and 4.9.1 were
 	released by Digital Equipment
-	Corporation (now Compaq Computer Corporation). Paul Vixie, then
+	Corporation (which became Compaq Computer Corporation and eventually merged with Hewlett-Packard). Paul Vixie, then
 	a DEC employee, became <acronym>BIND</acronym>'s
 	primary caretaker. He was assisted
 	by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
@@ -17257,8 +16288,8 @@ allow-query { !{ !10/8; any; }; key example; };
       <para>
 	<acronym>BIND</acronym> versions from 4.9.3 onward
 	have been developed and maintained
-	by the Internet Systems Consortium and its predecessor,
-	the Internet Software Consortium,  with support being provided
+	by Internet Systems Consortium and its predecessor,
+	the Internet Software Consortium,  with support provided
 	by ISC's sponsors.
       </para>
       <para>
@@ -17279,7 +16310,8 @@ allow-query { !{ !10/8; any; }; key example; };
       <para>
 	<acronym>BIND</acronym> development work is made
 	possible today by the sponsorship
-	of several corporations, and by the tireless work efforts of
+	of corporations who purchase professional support services from ISC
+	(https://www.isc.org/contact/) and/or donate to our mission, and by the tireless efforts of
 	numerous individuals.
       </para>
     </appendix>
@@ -17289,15 +16321,15 @@ allow-query { !{ !10/8; any; }; key example; };
       <section xml:id="ipv6addresses"><info><title>IPv6 addresses (AAAA)</title></info>
 
 	  <para>
-	    IPv6 addresses are 128-bit identifiers for interfaces and
-	    sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
+	    IPv6 addresses are 128-bit identifiers, for interfaces and
+	    sets of interfaces, which were introduced in the <acronym>DNS</acronym> to facilitate
 	    scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
 	    an identifier for a single interface;
 	    <emphasis>Anycast</emphasis>,
 	    an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
 	    an identifier for a set of interfaces. Here we describe the global
 	    Unicast address scheme. For more information, see RFC 3587,
-	    "Global Unicast Address Format."
+	    "IPv6 Global Unicast Address Format."
 	  </para>
 	  <para>
 	    IPv6 unicast addresses consist of a
@@ -17307,12 +16339,12 @@ allow-query { !{ !10/8; any; }; key example; };
 	  </para>
 	  <para>
 	    The global routing prefix is provided by the
-	    upstream provider or ISP, and (roughly) corresponds to the
+	    upstream provider or ISP, and roughly corresponds to the
 	    IPv4 <emphasis>network</emphasis> section
 	    of the address range.
 
-	    The subnet identifier is for local subnetting, much the
-	    same as subnetting an
+	    The subnet identifier is for local subnetting, much
+	    like subnetting an
 	    IPv4 /16 network into /24 subnets.
 
 	    The interface identifier is the address of an individual
@@ -17321,31 +16353,31 @@ allow-query { !{ !10/8; any; }; key example; };
 	  </para>
 	  <para>
 	    The subnetting capability of IPv6 is much more flexible than
-	    that of IPv4: subnetting can be carried out on bit boundaries,
+	    that of IPv4; subnetting can be carried out on bit boundaries,
 	    in much the same way as Classless InterDomain Routing
 	    (CIDR), and the DNS PTR representation ("nibble" format)
 	    makes setting up reverse zones easier.
 	  </para>
 	  <para>
-	    The Interface Identifier must be unique on the local link,
+	    The interface identifier must be unique on the local link,
 	    and is usually generated automatically by the IPv6
 	    implementation, although it is usually possible to
 	    override the default setting if necessary.  A typical IPv6
 	    address might look like:
-	    <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
+	    <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>.
 	  </para>
 	  <para>
 	    IPv6 address specifications often contain long strings
 	    of zeros, so the architects have included a shorthand for
 	    specifying
-	    them. The double colon (`::') indicates the longest possible
+	    them. The double colon ("::") indicates the longest possible
 	    string
 	    of zeros that can fit, and can be used only once in an address.
 	  </para>
       </section>
       <section xml:id="bibliography"><info><title>Bibliography (and Suggested Reading)</title></info>
 
-	<section xml:id="rfcs"><info><title>Request for Comments (RFCs)</title></info>
+	<section xml:id="rfcs"><info><title>Requests for Comments (RFCs)</title></info>
 
 	  <para>
 	    Specification documents for the Internet protocol suite, including
@@ -17353,70 +16385,64 @@ allow-query { !{ !10/8; any; }; key example; };
 	    the Request for Comments (RFCs)
 	    series of technical notes. The standards themselves are defined
 	    by the Internet Engineering Task Force (IETF) and the Internet
-	    Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
+	    Engineering Steering Group (IESG). RFCs can be obtained online at:
 	  </para>
 	  <para>
-	    <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="ftp://www.isi.edu/in-notes/">
-	      ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
+	    <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/">
+	    https://datatracker.ietf.org/doc/
 	    </link>
 	  </para>
-	  <para>
-	    (where <replaceable>xxxx</replaceable> is
-	    the number of the RFC). RFCs are also available via the Web at:
-	  </para>
-	  <para>
-	    <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</link>.
-	  </para>
-	  <bibliography>
-	    <bibliodiv><info><title>Standards</title></info>
+
+	  <bibliography><title/>
+	    <bibliodiv><title>Standards</title>
 	      <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
 
 	      <biblioentry>
 		<abbrev>RFC974</abbrev>
 		<author><personname><surname>Partridge</surname><firstname>C.</firstname></personname></author>
-		<citetitle>Mail Routing and the Domain System</citetitle>
+		<title>Mail Routing and the Domain System</title>
 		<pubdate>January 1986</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1034</abbrev>
 		<author><personname><surname>Mockapetris</surname><firstname>P.V.</firstname></personname></author>
-		<citetitle>Domain Names — Concepts and Facilities</citetitle>
+		<title>Domain Names — Concepts and Facilities</title>
 		<pubdate>November 1987</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1035</abbrev>
-		<author><personname><surname>Mockapetris</surname><firstname>P. V.</firstname></personname></author> <citetitle>Domain Names — Implementation and
-		  Specification</citetitle>
+		<author><personname><surname>Mockapetris</surname><firstname>P. V.</firstname></personname></author> <title>Domain Names — Implementation and
+		  Specification</title>
 		<pubdate>November 1987</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv xml:id="proposed_standards" xreflabel="Proposed Standards"><info><title>Proposed Standards</title></info>
+	    <bibliodiv xml:id="proposed_standards" xreflabel="Proposed Standards"><title>Proposed Standards</title>
 
 	      <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
 	      <biblioentry>
 		<abbrev>RFC2181</abbrev>
 		<author><personname><surname>Elz</surname><firstname>R., R. Bush</firstname></personname></author>
-		<citetitle>Clarifications to the <acronym>DNS</acronym>
-		  Specification</citetitle>
+		<title>Clarifications to the <acronym>DNS</acronym>
+		  Specification</title>
 		<pubdate>July 1997</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2308</abbrev>
 		<author><personname><surname>Andrews</surname><firstname>M.</firstname></personname></author>
-		<citetitle>Negative Caching of <acronym>DNS</acronym>
-		  Queries</citetitle>
+		<title>Negative Caching of <acronym>DNS</acronym>
+		  Queries</title>
 		<pubdate>March 1998</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1995</abbrev>
 		<author><personname><surname>Ohta</surname><firstname>M.</firstname></personname></author>
-		<citetitle>Incremental Zone Transfer in <acronym>DNS</acronym></citetitle>
+		<title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
 		<pubdate>August 1996</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1996</abbrev>
 		<author><personname><surname>Vixie</surname><firstname>P.</firstname></personname></author>
-		<citetitle>A Mechanism for Prompt Notification of Zone Changes</citetitle>
+		<title>A Mechanism for Prompt Notification of Zone Changes</title>
 		<pubdate>August 1996</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17427,7 +16453,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>Y.</firstname><surname>Rekhter</surname></personname></author>
 		  <author><personname><firstname>J.</firstname><surname>Bound</surname></personname></author>
 		</authorgroup>
-		<citetitle>Dynamic Updates in the Domain Name System</citetitle>
+		<title>Dynamic Updates in the Domain Name System</title>
 		<pubdate>April 1997</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17435,7 +16461,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author>
 		</authorgroup>
-		<citetitle>Extension Mechanisms for DNS (EDNS0)</citetitle>
+		<title>Extension Mechanisms for DNS (EDNS0)</title>
 		<pubdate>August 1997</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17443,7 +16469,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><firstname>M.</firstname><surname>Crawford</surname></personname></author>
 		</authorgroup>
-		<citetitle>Non-Terminal DNS Name Redirection</citetitle>
+		<title>Non-Terminal DNS Name Redirection</title>
 		<pubdate>August 1999</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17454,7 +16480,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>D.</firstname><surname>Eastlake</surname><lineage>3rd</lineage></personname></author>
 		  <author><personname><firstname>B.</firstname><surname>Wellington</surname></personname></author>
 		</authorgroup>
-		<citetitle>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</citetitle>
+		<title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
 		<pubdate>May 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17462,7 +16488,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><firstname>D.</firstname><surname>Eastlake</surname><lineage>3rd</lineage></personname></author>
 		</authorgroup>
-		<citetitle>Secret Key Establishment for DNS (TKEY RR)</citetitle>
+		<title>Secret Key Establishment for DNS (TKEY RR)</title>
 		<pubdate>September 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17470,7 +16496,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><firstname>D.</firstname><surname>Eastlake</surname><lineage>3rd</lineage></personname></author>
 		</authorgroup>
-		<citetitle>DNS Request and Transaction Signatures (SIG(0)s)</citetitle>
+		<title>DNS Request and Transaction Signatures (SIG(0)s)</title>
 		<pubdate>September 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17478,7 +16504,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><firstname>B.</firstname><surname>Wellington</surname></personname></author>
 		</authorgroup>
-		<citetitle>Secure Domain Name System (DNS) Dynamic Update</citetitle>
+		<title>Secure Domain Name System (DNS) Dynamic Update</title>
 		<pubdate>November 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17491,20 +16517,20 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>J.</firstname><surname>Westhead</surname></personname></author>
 		  <author><personname><firstname>R.</firstname><surname>Hall</surname></personname></author>
 		</authorgroup>
-		<citetitle>Generic Security Service Algorithm for Secret
+		<title>Generic Security Service Algorithm for Secret
 		       Key Transaction Authentication for DNS
-		       (GSS-TSIG)</citetitle>
+		       (GSS-TSIG)</title>
 		<pubdate>October 2003</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title><acronym>DNS</acronym> Security Proposed Standards</title></info>
+	    <bibliodiv><title><acronym>DNS</acronym> Security Proposed Standards</title>
 
 	      <biblioentry>
 		<abbrev>RFC3225</abbrev>
 		<authorgroup>
 		  <author><personname><firstname>D.</firstname><surname>Conrad</surname></personname></author>
 		</authorgroup>
-		<citetitle>Indicating Resolver Support of DNSSEC</citetitle>
+		<title>Indicating Resolver Support of DNSSEC</title>
 		<pubdate>December 2001</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17513,7 +16539,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>D.</firstname><surname>Atkins</surname></personname></author>
 		  <author><personname><firstname>R.</firstname><surname>Austein</surname></personname></author>
 		</authorgroup>
-		<citetitle>Threat Analysis of the Domain Name System (DNS)</citetitle>
+		<title>Threat Analysis of the Domain Name System (DNS)</title>
 		<pubdate>August 2004</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17525,7 +16551,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>D.</firstname><surname>Massey</surname></personname></author>
 		  <author><personname><firstname>S.</firstname><surname>Rose</surname></personname></author>
 		</authorgroup>
-		<citetitle>DNS Security Introduction and Requirements</citetitle>
+		<title>DNS Security Introduction and Requirements</title>
 		<pubdate>March 2005</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17537,7 +16563,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>D.</firstname><surname>Massey</surname></personname></author>
 		  <author><personname><firstname>S.</firstname><surname>Rose</surname></personname></author>
 		</authorgroup>
-		<citetitle>Resource Records for the DNS Security Extensions</citetitle>
+		<title>Resource Records for the DNS Security Extensions</title>
 		<pubdate>March 2005</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17549,19 +16575,19 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>D.</firstname><surname>Massey</surname></personname></author>
 		  <author><personname><firstname>S.</firstname><surname>Rose</surname></personname></author>
 		</authorgroup>
-		<citetitle>Protocol Modifications for the DNS
-		       Security Extensions</citetitle>
+		<title>Protocol Modifications for the DNS
+		       Security Extensions</title>
 		<pubdate>March 2005</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title>Other Important RFCs About <acronym>DNS</acronym>
-		Implementation</title></info>
+	    <bibliodiv><title>Other Important RFCs About <acronym>DNS</acronym>
+		Implementation</title>
 
 	      <biblioentry>
 		<abbrev>RFC1535</abbrev>
 		<author><personname><surname>Gavron</surname><firstname>E.</firstname></personname></author>
-		<citetitle>A Security Problem and Proposed Correction With Widely
-		  Deployed <acronym>DNS</acronym> Software</citetitle>
+		<title>A Security Problem and Proposed Correction With Widely
+		  Deployed <acronym>DNS</acronym> Software</title>
 		<pubdate>October 1993</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17573,8 +16599,8 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>P.</firstname><surname>Danzig</surname></personname></author>
 		  <author><personname><firstname>S.</firstname><surname>Miller</surname></personname></author>
 		</authorgroup>
-		<citetitle>Common <acronym>DNS</acronym> Implementation
-		  Errors and Suggested Fixes</citetitle>
+		<title>Common <acronym>DNS</acronym> Implementation
+		  Errors and Suggested Fixes</title>
 		<pubdate>October 1993</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17583,7 +16609,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Elz</surname><firstname>R.</firstname></personname></author>
 		  <author><personname><firstname>R.</firstname><surname>Bush</surname></personname></author>
 		</authorgroup>
-		<citetitle>Serial Number Arithmetic</citetitle>
+		<title>Serial Number Arithmetic</title>
 		<pubdate>August 1996</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17592,12 +16618,12 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Morishita</surname><firstname>Y.</firstname></personname></author>
 		  <author><personname><firstname>T.</firstname><surname>Jinmei</surname></personname></author>
 		</authorgroup>
-		<citetitle>Common Misbehaviour Against <acronym>DNS</acronym>
-		Queries for IPv6 Addresses</citetitle>
+		<title>Common Misbehaviour Against <acronym>DNS</acronym>
+		Queries for IPv6 Addresses</title>
 		<pubdate>May 2005</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title>Resource Record Types</title></info>
+	    <bibliodiv><title>Resource Record Types</title>
 
 	      <biblioentry>
 		<abbrev>RFC1183</abbrev>
@@ -17607,7 +16633,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>R.</firstname><surname>Ullmann</surname></personname></author>
 		  <author><personname><firstname>P.</firstname><surname>Mockapetris</surname></personname></author>
 		</authorgroup>
-		<citetitle>New <acronym>DNS</acronym> RR Definitions</citetitle>
+		<title>New <acronym>DNS</acronym> RR Definitions</title>
 		<pubdate>October 1990</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17616,7 +16642,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Manning</surname><firstname>B.</firstname></personname></author>
 		  <author><personname><firstname>R.</firstname><surname>Colella</surname></personname></author>
 		</authorgroup>
-		<citetitle><acronym>DNS</acronym> NSAP Resource Records</citetitle>
+		<title><acronym>DNS</acronym> NSAP Resource Records</title>
 		<pubdate>October 1994</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17625,8 +16651,8 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Daniel</surname><firstname>R.</firstname></personname></author>
 		  <author><personname><firstname>M.</firstname><surname>Mealling</surname></personname></author>
 		</authorgroup>
-		<citetitle>Resolution of Uniform Resource Identifiers using
-		  the Domain Name System</citetitle>
+		<title>Resolution of Uniform Resource Identifiers using
+		  the Domain Name System</title>
 		<pubdate>June 1997</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17637,9 +16663,9 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>T.</firstname><firstname>Goodwin</firstname></personname></author>
 		  <author><personname><firstname>I.</firstname><surname>Dickinson</surname></personname></author>
 		</authorgroup>
-		<citetitle>A Means for Expressing Location Information in the
+		<title>A Means for Expressing Location Information in the
 		  Domain
-		  Name System</citetitle>
+		  Name System</title>
 		<pubdate>January 1996</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17648,35 +16674,35 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Gulbrandsen</surname><firstname>A.</firstname></personname></author>
 		  <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author>
 		</authorgroup>
-		<citetitle>A <acronym>DNS</acronym> RR for Specifying the
+		<title>A <acronym>DNS</acronym> RR for Specifying the
 		  Location of
-		  Services</citetitle>
+		  Services</title>
 		<pubdate>October 1996</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2163</abbrev>
 		<author><personname><surname>Allocchio</surname><firstname>A.</firstname></personname></author>
-		<citetitle>Using the Internet <acronym>DNS</acronym> to
+		<title>Using the Internet <acronym>DNS</acronym> to
 		  Distribute MIXER
-		  Conformant Global Address Mapping</citetitle>
+		  Conformant Global Address Mapping</title>
 		<pubdate>January 1998</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2230</abbrev>
 		<author><personname><surname>Atkinson</surname><firstname>R.</firstname></personname></author>
-		<citetitle>Key Exchange Delegation Record for the <acronym>DNS</acronym></citetitle>
+		<title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
 		<pubdate>October 1997</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2536</abbrev>
 		<author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author>
-		<citetitle>DSA KEYs and SIGs in the Domain Name System (DNS)</citetitle>
+		<title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
 		<pubdate>March 1999</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2537</abbrev>
 		<author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author>
-		<citetitle>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</citetitle>
+		<title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
 		<pubdate>March 1999</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17685,7 +16711,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author>
 		  <author><personname><surname>Gudmundsson</surname><firstname>O.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Storing Certificates in the Domain Name System (DNS)</citetitle>
+		<title>Storing Certificates in the Domain Name System (DNS)</title>
 		<pubdate>March 1999</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17693,7 +16719,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author>
 		</authorgroup>
-		<citetitle>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</citetitle>
+		<title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
 		<pubdate>March 1999</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17701,7 +16727,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author>
 		</authorgroup>
-		<citetitle>Detached Domain Name System (DNS) Information</citetitle>
+		<title>Detached Domain Name System (DNS) Information</title>
 		<pubdate>March 1999</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17709,26 +16735,26 @@ allow-query { !{ !10/8; any; }; key example; };
 		<author><personname><surname>Gulbrandsen</surname><firstname>A.</firstname></personname></author>
 		<author><personname><surname>Vixie</surname><firstname>P.</firstname></personname></author>
 		<author><personname><surname>Esibov</surname><firstname>L.</firstname></personname></author>
-		<citetitle>A DNS RR for specifying the location of services (DNS SRV)</citetitle>
+		<title>A DNS RR for specifying the location of services (DNS SRV)</title>
 		<pubdate>February 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2915</abbrev>
 		<author><personname><surname>Mealling</surname><firstname>M.</firstname></personname></author>
 		<author><personname><surname>Daniel</surname><firstname>R.</firstname></personname></author>
-		<citetitle>The Naming Authority Pointer (NAPTR) DNS Resource Record</citetitle>
+		<title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
 		<pubdate>September 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC3110</abbrev>
 		<author><personname><surname>Eastlake</surname><firstname>D.</firstname><lineage>3rd</lineage></personname></author>
-		<citetitle>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</citetitle>
+		<title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
 		<pubdate>May 2001</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC3123</abbrev>
 		<author><personname><surname>Koch</surname><firstname>P.</firstname></personname></author>
-		<citetitle>A DNS RR Type for Lists of Address Prefixes (APL RR)</citetitle>
+		<title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
 		<pubdate>June 2001</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17739,37 +16765,37 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>V.</firstname><surname>Ksinant</surname></personname></author>
 		  <author><personname><firstname>M.</firstname><surname>Souissi</surname></personname></author>
 		</authorgroup>
-		<citetitle><acronym>DNS</acronym> Extensions to support IP
-		  version 6</citetitle>
+		<title><acronym>DNS</acronym> Extensions to support IP
+		  version 6</title>
 		<pubdate>October 2003</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC3597</abbrev>
 		<author><personname><surname>Gustafsson</surname><firstname>A.</firstname></personname></author>
-		<citetitle>Handling of Unknown DNS Resource Record (RR) Types</citetitle>
+		<title>Handling of Unknown DNS Resource Record (RR) Types</title>
 		<pubdate>September 2003</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title><acronym>DNS</acronym> and the Internet</title></info>
+	    <bibliodiv><title><acronym>DNS</acronym> and the Internet</title>
 
 	      <biblioentry>
 		<abbrev>RFC1101</abbrev>
 		<author><personname><surname>Mockapetris</surname><firstname>P. V.</firstname></personname></author>
-		<citetitle><acronym>DNS</acronym> Encoding of Network Names
-		  and Other Types</citetitle>
+		<title><acronym>DNS</acronym> Encoding of Network Names
+		  and Other Types</title>
 		<pubdate>April 1989</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1123</abbrev>
 		<author><personname><surname>Braden</surname><surname>R.</surname></personname></author>
-		<citetitle>Requirements for Internet Hosts - Application and
-		  Support</citetitle>
+		<title>Requirements for Internet Hosts - Application and
+		  Support</title>
 		<pubdate>October 1989</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1591</abbrev>
 		<author><personname><surname>Postel</surname><firstname>J.</firstname></personname></author>
-		<citetitle>Domain Name System Structure and Delegation</citetitle>
+		<title>Domain Name System Structure and Delegation</title>
 		<pubdate>March 1994</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17779,7 +16805,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>G.</firstname><surname>de Groot</surname></personname></author>
 		  <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author>
 		</authorgroup>
-		<citetitle>Classless IN-ADDR.ARPA Delegation</citetitle>
+		<title>Classless IN-ADDR.ARPA Delegation</title>
 		<pubdate>March 1998</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17787,7 +16813,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Internet Architecture Board</surname></personname></author>
 		</authorgroup>
-		<citetitle>IAB Technical Comment on the Unique DNS Root</citetitle>
+		<title>IAB Technical Comment on the Unique DNS Root</title>
 		<pubdate>May 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17797,30 +16823,30 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Brunner-Williams</surname><firstname>E.</firstname></personname></author>
 		  <author><personname><surname>Manning</surname><firstname>B.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Domain Name System (DNS) IANA Considerations</citetitle>
+		<title>Domain Name System (DNS) IANA Considerations</title>
 		<pubdate>September 2000</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title><acronym>DNS</acronym> Operations</title></info>
+	    <bibliodiv><title><acronym>DNS</acronym> Operations</title>
 
 	      <biblioentry>
 		<abbrev>RFC1033</abbrev>
 		<author><personname><surname>Lottor</surname><firstname>M.</firstname></personname></author>
-		<citetitle>Domain administrators operations guide</citetitle>
+		<title>Domain administrators operations guide</title>
 		<pubdate>November 1987</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1537</abbrev>
 		<author><personname><surname>Beertema</surname><firstname>P.</firstname></personname></author>
-		<citetitle>Common <acronym>DNS</acronym> Data File
-		  Configuration Errors</citetitle>
+		<title>Common <acronym>DNS</acronym> Data File
+		  Configuration Errors</title>
 		<pubdate>October 1993</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1912</abbrev>
 		<author><personname><surname>Barr</surname><firstname>D.</firstname></personname></author>
-		<citetitle>Common <acronym>DNS</acronym> Operational and
-		  Configuration Errors</citetitle>
+		<title>Common <acronym>DNS</acronym> Operational and
+		  Configuration Errors</title>
 		<pubdate>February 1996</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17829,7 +16855,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Manning</surname><firstname>B.</firstname></personname></author>
 		  <author><personname><firstname>P.</firstname><surname>Vixie</surname></personname></author>
 		</authorgroup>
-		<citetitle>Operational Criteria for Root Name Servers</citetitle>
+		<title>Operational Criteria for Root Name Servers</title>
 		<pubdate>October 1996</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17838,12 +16864,23 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Hamilton</surname><firstname>M.</firstname></personname></author>
 		  <author><personname><firstname>R.</firstname><surname>Wright</surname></personname></author>
 		</authorgroup>
-		<citetitle>Use of <acronym>DNS</acronym> Aliases for
-		  Network Services</citetitle>
+		<title>Use of <acronym>DNS</acronym> Aliases for
+		  Network Services</title>
 		<pubdate>October 1997</pubdate>
 	      </biblioentry>
+              <biblioentry>
+                <abbrev>RFC8906</abbrev>
+                <authorgroup>
+		  <author><personname><surname>Andrews</surname><firstname>M.</firstname></personname></author>
+		  <author><personname><surname>Bellis</surname><firstname>R.</firstname></personname></author>
+                </authorgroup>
+                <title>
+                  A Common Operational Problem in DNS Servers: Failure to Communicate
+                </title>
+                <pubdate>September 2020</pubdate>
+              </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title>Internationalized Domain Names</title></info>
+	    <bibliodiv><title>Internationalized Domain Names</title>
 
 	      <biblioentry>
 		<abbrev>RFC2825</abbrev>
@@ -17851,8 +16888,8 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>IAB</surname></personname></author>
 		  <author><personname><surname>Daigle</surname><firstname>R.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>A Tangled Web: Issues of I18N, Domain Names,
-		       and the Other Internet protocols</citetitle>
+		<title>A Tangled Web: Issues of I18N, Domain Names,
+		       and the Other Internet protocols</title>
 		<pubdate>May 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17862,7 +16899,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Hoffman</surname><firstname>P.</firstname></personname></author>
 		  <author><personname><surname>Costello</surname><firstname>A.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Internationalizing Domain Names in Applications (IDNA)</citetitle>
+		<title>Internationalizing Domain Names in Applications (IDNA)</title>
 		<pubdate>March 2003</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17871,7 +16908,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Hoffman</surname><firstname>P.</firstname></personname></author>
 		  <author><personname><surname>Blanchet</surname><firstname>M.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Nameprep: A Stringprep Profile for Internationalized Domain Names</citetitle>
+		<title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
 		<pubdate>March 2003</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17879,13 +16916,13 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Costello</surname><firstname>A.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Punycode: A Bootstring encoding of Unicode
+		<title>Punycode: A Bootstring encoding of Unicode
 		       for Internationalized Domain Names in
-		       Applications (IDNA)</citetitle>
+		       Applications (IDNA)</title>
 		<pubdate>March 2003</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title>Other <acronym>DNS</acronym>-related RFCs</title></info>
+	    <bibliodiv><title>Other <acronym>DNS</acronym>-related RFCs</title>
 
 	      <note>
 		<para>
@@ -17897,27 +16934,27 @@ allow-query { !{ !10/8; any; }; key example; };
 	      <biblioentry>
 		<abbrev>RFC1464</abbrev>
 		<author><personname><surname>Rosenbaum</surname><firstname>R.</firstname></personname></author>
-		<citetitle>Using the Domain Name System To Store Arbitrary String
-		  Attributes</citetitle>
+		<title>Using the Domain Name System To Store Arbitrary String
+		  Attributes</title>
 		<pubdate>May 1993</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1713</abbrev>
 		<author><personname><surname>Romao</surname><firstname>A.</firstname></personname></author>
-		<citetitle>Tools for <acronym>DNS</acronym> Debugging</citetitle>
+		<title>Tools for <acronym>DNS</acronym> Debugging</title>
 		<pubdate>November 1994</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC1794</abbrev>
 		<author><personname><surname>Brisco</surname><firstname>T.</firstname></personname></author>
-		<citetitle><acronym>DNS</acronym> Support for Load
-		  Balancing</citetitle>
+		<title><acronym>DNS</acronym> Support for Load
+		  Balancing</title>
 		<pubdate>April 1995</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2240</abbrev>
 		<author><personname><surname>Vaughan</surname><firstname>O.</firstname></personname></author>
-		<citetitle>A Legal Basis for Domain Name Allocation</citetitle>
+		<title>A Legal Basis for Domain Name Allocation</title>
 		<pubdate>November 1997</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17927,13 +16964,13 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>T.</firstname><surname>Wolf</surname></personname></author>
 		  <author><personname><firstname>G.</firstname><surname>Oglesby</surname></personname></author>
 		</authorgroup>
-		<citetitle>Domain Names and Company Name Retrieval</citetitle>
+		<title>Domain Names and Company Name Retrieval</title>
 		<pubdate>May 1998</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2352</abbrev>
 		<author><personname><surname>Vaughan</surname><firstname>O.</firstname></personname></author>
-		<citetitle>A Convention For Using Legal Names as Domain Names</citetitle>
+		<title>A Convention For Using Legal Names as Domain Names</title>
 		<pubdate>May 1998</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17941,7 +16978,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Klensin</surname><firstname>J.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Reflections on the DNS, RFC 1591, and Categories of Domains</citetitle>
+		<title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
 		<pubdate>February 2001</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17949,8 +16986,8 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Hardie</surname><firstname>T.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Distributing Authoritative Name Servers via
-		       Shared Unicast Addresses</citetitle>
+		<title>Distributing Authoritative Name Servers via
+		       Shared Unicast Addresses</title>
 		<pubdate>April 2002</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17959,11 +16996,11 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Durand</surname><firstname>A.</firstname></personname></author>
 		  <author><personname><firstname>J.</firstname><surname>Ihren</surname></personname></author>
 		</authorgroup>
-		<citetitle>DNS IPv6 Transport Operational Guidelines</citetitle>
+		<title>DNS IPv6 Transport Operational Guidelines</title>
 		<pubdate>September 2004</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title>Obsolete and Unimplemented Experimental RFC</title></info>
+	    <bibliodiv><title>Obsolete and Unimplemented Experimental RFC</title>
 
 	      <biblioentry>
 		<abbrev>RFC1712</abbrev>
@@ -17973,8 +17010,8 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><firstname>S.</firstname><surname>Pleitner</surname></personname></author>
 		  <author><personname><firstname>D.</firstname><surname>Baldoni</surname></personname></author>
 		</authorgroup>
-		<citetitle><acronym>DNS</acronym> Encoding of Geographical
-		  Location</citetitle>
+		<title><acronym>DNS</acronym> Encoding of Geographical
+		  Location</title>
 		<pubdate>November 1994</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17982,7 +17019,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Crawford</surname><firstname>M.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Binary Labels in the Domain Name System</citetitle>
+		<title>Binary Labels in the Domain Name System</title>
 		<pubdate>August 1999</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -17991,12 +17028,12 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Crawford</surname><firstname>M.</firstname></personname></author>
 		  <author><personname><surname>Huitema</surname><firstname>C.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>DNS Extensions to Support IPv6 Address Aggregation
-		       and Renumbering</citetitle>
+		<title>DNS Extensions to Support IPv6 Address Aggregation
+		       and Renumbering</title>
 		<pubdate>July 2000</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
-	    <bibliodiv><info><title>Obsoleted DNS Security RFCs</title></info>
+	    <bibliodiv><title>Obsoleted DNS Security RFCs</title>
 
 	      <note>
 		<para>
@@ -18010,13 +17047,13 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Eastlake</surname><lineage>3rd</lineage><firstname>D.</firstname></personname></author>
 		  <author><personname><firstname>C.</firstname><surname>Kaufman</surname></personname></author>
 		</authorgroup>
-		<citetitle>Domain Name System Security Extensions</citetitle>
+		<title>Domain Name System Security Extensions</title>
 		<pubdate>January 1997</pubdate>
 	      </biblioentry>
 	      <biblioentry>
 		<abbrev>RFC2137</abbrev>
 		<author><personname><surname>Eastlake</surname><lineage>3rd</lineage><firstname>D.</firstname></personname></author>
-		<citetitle>Secure Domain Name System Dynamic Update</citetitle>
+		<title>Secure Domain Name System Dynamic Update</title>
 		<pubdate>April 1997</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18024,7 +17061,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Eastlake</surname><lineage>3rd</lineage><firstname>D.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Domain Name System Security Extensions</citetitle>
+		<title>Domain Name System Security Extensions</title>
 		<pubdate>March 1999</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18032,8 +17069,8 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Wellington</surname><firstname>B.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Domain Name System Security (DNSSEC)
-		       Signing Authority</citetitle>
+		<title>Domain Name System Security (DNSSEC)
+		       Signing Authority</title>
 		<pubdate>November 2000</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18041,7 +17078,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Lewis</surname><firstname>E.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>DNS Security Extension Clarification on Zone Status</citetitle>
+		<title>DNS Security Extension Clarification on Zone Status</title>
 		<pubdate>March 2001</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18050,7 +17087,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Massey</surname><firstname>D.</firstname></personname></author>
 		  <author><personname><surname>Rose</surname><firstname>S.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Limiting the Scope of the KEY Resource Record (RR)</citetitle>
+		<title>Limiting the Scope of the KEY Resource Record (RR)</title>
 		<pubdate>December 2002</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18059,7 +17096,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Wellington</surname><firstname>B.</firstname></personname></author>
 		  <author><personname><surname>Gudmundsson</surname><firstname>O.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Redefinition of DNS Authenticated Data (AD) bit</citetitle>
+		<title>Redefinition of DNS Authenticated Data (AD) bit</title>
 		<pubdate>November 2003</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18067,7 +17104,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Gudmundsson</surname><firstname>O.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Delegation Signer (DS) Resource Record (RR)</citetitle>
+		<title>Delegation Signer (DS) Resource Record (RR)</title>
 		<pubdate>December 2003</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18075,7 +17112,7 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Weiler</surname><firstname>S.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Legacy Resolver Compatibility for Delegation Signer (DS)</citetitle>
+		<title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
 		<pubdate>May 2004</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18085,8 +17122,8 @@ allow-query { !{ !10/8; any; }; key example; };
 		  <author><personname><surname>Schlyter</surname><firstname>J.</firstname></personname></author>
 		  <author><personname><surname>Lewis</surname><firstname>E.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>Domain Name System KEY (DNSKEY) Resource Record
-		      (RR) Secure Entry Point (SEP) Flag</citetitle>
+		<title>Domain Name System KEY (DNSKEY) Resource Record
+		      (RR) Secure Entry Point (SEP) Flag</title>
 		<pubdate>April 2004</pubdate>
 	      </biblioentry>
 	      <biblioentry>
@@ -18094,13 +17131,13 @@ allow-query { !{ !10/8; any; }; key example; };
 		<authorgroup>
 		  <author><personname><surname>Schlyter</surname><firstname>J.</firstname></personname></author>
 		</authorgroup>
-		<citetitle>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</citetitle>
+		<title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
 		<pubdate>August 2004</pubdate>
 	      </biblioentry>
 	    </bibliodiv>
 	  </bibliography>
 	</section>
-	<section xml:id="internet_drafts"><info><title>Internet Drafts</title></info>
+	<section xml:id="internet_drafts"><title>Internet Drafts</title>
 
 	  <para>
 	    Internet Drafts (IDs) are rough-draft working documents of
@@ -18116,13 +17153,13 @@ allow-query { !{ !10/8; any; }; key example; };
 	<section xml:id="more_about_bind"><info><title>Other Documents About <acronym>BIND</acronym></title></info>
 
 	  <para/>
-	  <bibliography>
+	  <bibliography><title/>
 	    <biblioentry>
 	      <authorgroup>
 		<author><personname><surname>Albitz</surname><firstname>Paul</firstname></personname></author>
 		<author><personname><firstname>Cricket</firstname><surname>Liu</surname></personname></author>
 	      </authorgroup>
-	      <citetitle><acronym>DNS</acronym> and <acronym>BIND</acronym></citetitle>
+	      <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
 	      <copyright>
 		<year>1998</year>
 		<holder>Sebastopol, CA: O'Reilly and Associates</holder>
@@ -18138,11 +17175,10 @@ allow-query { !{ !10/8; any; }; key example; };
     </appendix>
 
     <reference xml:id="Bv9ARM.ch13"><info><title>Manual pages</title></info>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/dig.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/mdig.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/host.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/arpaname.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/confgen/ddns-confgen.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/delv/delv.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/nslookup.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/dig.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/python/dnssec-checkds.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/python/dnssec-coverage.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
@@ -18154,28 +17190,29 @@ allow-query { !{ !10/8; any; }; key example; };
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-settime.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-signzone.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dnssec/dnssec-verify.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/dnstap-read.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/genrandom.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/host.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/isc-hmac-fixup.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/named/lwresd.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/named/named.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/named/named.conf.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/mdig.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/check/named-checkconf.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/check/named-checkzone.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/named-journalprint.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/named-nzd2nzf.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/named-rrchecker.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/named/named.conf.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/named/named.docbook"/>
+       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/nsec3hash.docbook"/>
+     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/dig/nslookup.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/nsupdate/nsupdate.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/rndc/rndc.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/rndc/rndc.conf.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/confgen/rndc-confgen.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/confgen/ddns-confgen.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/arpaname.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/dnstap-read.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/genrandom.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/isc-hmac-fixup.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/nsec3hash.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/pkcs11/pkcs11-destroy.docbook"/>
-      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/pkcs11/pkcs11-list.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/pkcs11/pkcs11-keygen.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/pkcs11/pkcs11-list.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/pkcs11/pkcs11-tokens.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/confgen/rndc-confgen.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/rndc/rndc.conf.docbook"/>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/rndc/rndc.docbook"/>
     </reference>
 
   </book>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch01.html b/bind/bind9/doc/arm/Bv9ARM.ch01.html
index 646c04e2..4a898647 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch01.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch01.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 1. Introduction</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
@@ -50,8 +50,7 @@
 </dl></dd>
 </dl>
 </div>
-
-    <p>
+<p>
       The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
       consists of the syntax
       to specify the names of entities in the Internet in a hierarchical
@@ -61,12 +60,10 @@
       group of distributed
       hierarchical databases.
     </p>
-
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="doc_scope"></a>Scope of Document</h2></div></div></div>
-
-      <p>
+<p>
         The Berkeley Internet Name Domain
         (<acronym class="acronym">BIND</acronym>) implements a
         domain name server for a number of operating systems. This
@@ -75,14 +72,12 @@
         <acronym class="acronym">BIND</acronym> version 9 software package for
         system administrators.
       </p>
-      <p>This version of the manual corresponds to BIND version 9.11.</p>
-    </div>
-
-    <div class="section">
+<p>This version of the manual corresponds to BIND version 9.11.</p>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="organization"></a>Organization of This Document</h2></div></div></div>
-
-      <p>
+<p>
         In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
         the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
         describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
@@ -107,18 +102,15 @@
         and the Domain Name
         System.
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="conventions"></a>Conventions Used in This Document</h2></div></div></div>
-
-      <p>
+<p>
         In this document, we use the following general typographic
         conventions:
       </p>
-
-      <div class="informaltable">
-        <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="3.000in" class="1">
 <col width="2.625in" class="2">
@@ -175,14 +167,11 @@
               </td>
 </tr>
 </tbody>
-</table>
-      </div>
-
-      <p>
+</table></div>
+<p>
         The following conventions are used in descriptions of the
         <acronym class="acronym">BIND</acronym> configuration file:</p>
-<div class="informaltable">
-                  <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="3.000in" class="1">
 <col width="2.625in" class="2">
@@ -237,36 +226,31 @@
                 </td>
 </tr>
 </tbody>
-</table>
-        </div>
+</table></div>
 <p>
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dns_overview"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
-
-      <p>
-        The purpose of this document is to explain the installation
+<p>
+        This document explains the installation
         and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
-        Name Domain) software package, and we
+        Name Domain) software package. We
         begin by reviewing the fundamentals of the Domain Name System
         (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
       </p>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="dns_fundamentals"></a>DNS Fundamentals</h3></div></div></div>
-
-        <p>
+<p>
           The Domain Name System (DNS) is a hierarchical, distributed
           database.  It stores information for mapping Internet host names to
           IP
           addresses and vice versa, mail routing information, and other data
           used by Internet applications.
         </p>
-
-        <p>
+<p>
           Clients look up information in the DNS by calling a
           <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
           more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
@@ -274,13 +258,11 @@
           contains a name server, <span class="command"><strong>named</strong></span>, and a
           resolver library, <span class="command"><strong>liblwres</strong></span>.
         </p>
-
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="domain_names"></a>Domains and Domain Names</h3></div></div></div>
-
-        <p>
+<p>
           The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
           organizational or administrative boundaries. Each node of the tree,
           called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
@@ -291,8 +273,7 @@
           separated by dots. A label need only be unique within its parent
           domain.
         </p>
-
-        <p>
+<p>
           For example, a domain name for a host at the
           company <span class="emphasis"><em>Example, Inc.</em></span> could be
           <code class="literal">ourhost.example.com</code>,
@@ -304,41 +285,35 @@
           <code class="literal">ourhost</code> is the
           name of the host.
         </p>
-
-        <p>
+<p>
           For administrative purposes, the name space is partitioned into
           areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
-          extending down to the leaf nodes or to nodes where other zones
+          extending down to the "leaf" nodes or to nodes where other zones
           start.
           The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
           <span class="emphasis"><em>DNS protocol</em></span>.
         </p>
-
-        <p>
+<p>
           The data associated with each domain name is stored in the
           form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
           Some of the supported resource record types are described in
           <a class="xref" href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
         </p>
-
-        <p>
+<p>
           For more detailed information about the design of the DNS and
           the DNS protocol, please refer to the standards documents listed in
-          <a class="xref" href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
+          <a class="xref" href="Bv9ARM.ch11.html#rfcs" title="Requests for Comments (RFCs)">the section called &#8220;Requests for Comments (RFCs)&#8221;</a>.
         </p>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="zones"></a>Zones</h3></div></div></div>
-
-        <p>
+<p>
           To properly operate a name server, it is important to understand
           the difference between a <span class="emphasis"><em>zone</em></span>
           and a <span class="emphasis"><em>domain</em></span>.
         </p>
-
-        <p>
+<p>
           As stated previously, a zone is a point of delegation in
           the <acronym class="acronym">DNS</acronym> tree. A zone consists of
           those contiguous parts of the domain
@@ -350,8 +325,7 @@
           parent zone, which should be matched by equivalent NS records at
           the root of the delegated zone.
         </p>
-
-        <p>
+<p>
           For instance, consider the <code class="literal">example.com</code>
           domain which includes names
           such as <code class="literal">host.aaa.example.com</code> and
@@ -368,29 +342,26 @@
           <span class="emphasis"><em>terminal</em></span>, that is, has no
           <span class="emphasis"><em>subdomains</em></span>.  Every subdomain is a domain and
           every domain except the root is also a subdomain. The terminology is
-          not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
+          not intuitive and we suggest reading RFCs 1033, 1034, and 1035
           to
           gain a complete understanding of this difficult and subtle
           topic.
         </p>
-
-        <p>
+<p>
           Though <acronym class="acronym">BIND</acronym> is called a "domain name
           server",
-          it deals primarily in terms of zones. The master and slave
+          it deals primarily in terms of zones. The "primary" and "secondary"
           declarations in the <code class="filename">named.conf</code> file
           specify
-          zones, not domains. When you ask some other site if it is willing to
-          be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
-          actually asking for slave service for some collection of zones.
+          zones, not domains. When BIND asks some other site if it is willing to
+          be a secondary server for a <span class="emphasis"><em>domain</em></span>, it is
+          actually asking for secondary service for some collection of <span class="emphasis"><em>zones</em></span>.
         </p>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="auth_servers"></a>Authoritative Name Servers</h3></div></div></div>
-
-        <p>
+<p>
           Each zone is served by at least
           one <span class="emphasis"><em>authoritative name server</em></span>,
           which contains the complete data for the zone.
@@ -398,22 +369,20 @@
           most zones have two or more authoritative servers, on
           different networks.
         </p>
-
-        <p>
+<p>
           Responses from authoritative servers have the "authoritative
           answer" (AA) bit set in the response packets.  This makes them
           easy to identify when debugging DNS configurations using tools like
           <span class="command"><strong>dig</strong></span> (<a class="xref" href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).
         </p>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="primary_master"></a>The Primary Master</h4></div></div></div>
-
-          <p>
-            The authoritative server where the master copy of the zone
+<a name="primary_master"></a>The Primary Server</h4></div></div></div>
+<p>
+            The authoritative server where the main copy of the zone
             data is maintained is called the
-            <span class="emphasis"><em>primary master</em></span> server, or simply the
+            <span class="emphasis"><em>primary</em></span> (or
+            <span class="command"><strong>master</strong></span>) server, or simply the
             <span class="emphasis"><em>primary</em></span>.  Typically it loads the zone
             contents from some local file edited by humans or perhaps
             generated mechanically from some other local file which is
@@ -421,96 +390,83 @@
             <span class="emphasis"><em>zone file</em></span> or
             <span class="emphasis"><em>master file</em></span>.
           </p>
-
-          <p>
-            In some cases, however, the master file may not be edited
+<p>
+            In some cases, however, the zone file may not be edited
             by humans at all, but may instead be the result of
             <span class="emphasis"><em>dynamic update</em></span> operations.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="slave_server"></a>Slave Servers</h4></div></div></div>
-
-          <p>
-            The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
-            servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
-            load the zone contents from another server using a replication
+<a name="slave_server"></a>Secondary Servers</h4></div></div></div>
+<p>
+            The other authoritative servers, called the
+            <span class="emphasis"><em>secondary</em></span>
+            (or <span class="command"><strong>slave</strong></span>) servers, load the zone
+            contents from another server using a replication
             process known as a <span class="emphasis"><em>zone transfer</em></span>.
-            Typically the data are transferred directly from the primary
+            Typically the data is transferred directly from the primary
             master, but it is also possible to transfer it from another
-            slave.  In other words, a slave server may itself act as a
-            master to a subordinate slave server.
+            secondary.  In other words, a secondary server may itself act as a
+            primary to a subordinate secondary server.
           </p>
-          <p>
-            Periodically, the slave server must send a refresh query to
+<p>
+            Periodically, the secondary server must send a refresh query to
             determine whether the zone contents have been updated. This
-            is done by sending a query for the zone's SOA record and
+            is done by sending a query for the zone's Start of Authority (SOA) record and
             checking whether the SERIAL field has been updated; if so,
             a new transfer request is initiated. The timing of these
             refresh queries is controlled by the SOA REFRESH and RETRY
-            fields, but can be overrridden with the
+            fields, but can be overridden with the
             <span class="command"><strong>max-refresh-time</strong></span>,
             <span class="command"><strong>min-refresh-time</strong></span>,
             <span class="command"><strong>max-retry-time</strong></span>, and
             <span class="command"><strong>min-retry-time</strong></span> options.
           </p>
-          <p>
+<p>
             If the zone data cannot be updated within the time specified
             by the SOA EXPIRE option (up to a hard-coded maximum of
-            24 weeks) then the slave zone expires and will no longer
-            respond to queries.
+            24 weeks), the secondary zone expires and no longer
+            responds to queries.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="stealth_server"></a>Stealth Servers</h4></div></div></div>
-
-          <p>
-            Usually all of the zone's authoritative servers are listed in
+<p>
+            Usually, all of the zone's authoritative servers are listed in
             NS records in the parent zone.  These NS records constitute
             a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
             The authoritative servers are also listed in the zone file itself,
             at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
-            of the zone.  You can list servers in the zone's top-level NS
-            records that are not in the parent's NS delegation, but you cannot
-            list servers in the parent's delegation that are not present at
-            the zone's top level.
+            of the zone.  Servers that are not in the parent's NS delegation can be listed in the zone's top-level NS
+            records, but servers that are not present at
+            the zone's top level cannot be listed in the parent's delegation.
           </p>
-
-          <p>
+<p>
             A <span class="emphasis"><em>stealth server</em></span> is a server that is
             authoritative for a zone but is not listed in that zone's NS
             records.  Stealth servers can be used for keeping a local copy of
             a
-            zone to speed up access to the zone's records or to make sure that
+            zone, to speed up access to the zone's records, or to make sure that
             the
             zone is available even if all the "official" servers for the zone
             are
             inaccessible.
           </p>
-
-          <p>
-            A configuration where the primary master server itself is a
+<p>
+            A configuration where the primary server itself is a
             stealth server is often referred to as a "hidden primary"
             configuration.  One use for this configuration is when the primary
-            master
-            is behind a firewall and therefore unable to communicate directly
+            is behind a firewall and is therefore unable to communicate directly
             with the outside world.
           </p>
-
-        </div>
-
-      </div>
-      <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="cache_servers"></a>Caching Name Servers</h3></div></div></div>
-
-        
-
-        <p>
+<p>
           The resolver libraries provided by most operating systems are
           <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
           capable of
@@ -522,26 +478,22 @@
           is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
           <span class="emphasis"><em>recursive lookups</em></span> for local clients.
         </p>
-
-        <p>
+<p>
           To improve performance, recursive servers cache the results of
           the lookups they perform.  Since the processes of recursion and
           caching are intimately connected, the terms
           <span class="emphasis"><em>recursive server</em></span> and
           <span class="emphasis"><em>caching server</em></span> are often used synonymously.
         </p>
-
-        <p>
+<p>
           The length of time for which a record may be retained in
           the cache of a caching name server is controlled by the
-          Time To Live (TTL) field associated with each resource record.
+          Time-To-Live (TTL) field associated with each resource record.
         </p>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="forwarder"></a>Forwarding</h4></div></div></div>
-
-          <p>
+<p>
             Even a caching name server does not necessarily perform
             the complete recursive lookup itself.  Instead, it can
             <span class="emphasis"><em>forward</em></span> some or all of the queries
@@ -549,37 +501,47 @@
             server,
             commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
           </p>
-
-          <p>
-            There may be one or more forwarders,
-            and they are queried in turn until the list is exhausted or an
-            answer
-            is found. Forwarders are typically used when you do not
-            wish all the servers at a given site to interact directly with the
-            rest of
-            the Internet servers. A typical scenario would involve a number
-            of internal <acronym class="acronym">DNS</acronym> servers and an
-            Internet firewall. Servers unable
-            to pass packets through the firewall would forward to the server
-            that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
-            on the internal server's behalf.
+<p>
+            Forwarders are typically used when an administrator does not
+            wish for all the servers at a given site to interact
+            directly with the rest of the Internet. For example, a
+            common scenario is when multiple internal DNS servers are
+            behind an Internet firewall. Servers behind the firewall
+            forward their requests to the server with external access,
+            which queries Internet DNS servers on the internal servers'
+            behalf.
           </p>
-        </div>
-
-      </div>
-
-      <div class="section">
+<p>
+            Another scenario (largely now superseded by Response Policy
+            Zones) is to send queries first to a custom server for RBL
+            processing before forwarding them to the wider Internet.
+          </p>
+<p>
+            There may be one or more forwarders in a given setup. The
+            order in which the forwarders are listed in
+            <code class="filename">named.conf</code> does not determine the
+            sequence in which they are queried; rather,
+            <span class="command"><strong>named</strong></span> uses the response times from
+            previous queries to select the server that is likely to
+            respond the most quickly. A server that has not yet been
+            queried is given an initial small random response time to
+            ensure that it is tried at least once. Dynamic adjustment of
+            the recorded response times ensures that all forwarders are
+            queried, even those with slower response times.  This
+            permits changes in behavior based on server responsiveness.
+          </p>
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="multi_role"></a>Name Servers in Multiple Roles</h3></div></div></div>
-
-        <p>
+<p>
           The <acronym class="acronym">BIND</acronym> name server can
           simultaneously act as
-          a master for some zones, a slave for other zones, and as a caching
+          a primary for some zones, a secondary for other zones, and a caching
           (recursive) server for a set of local clients.
         </p>
-
-        <p>
+<p>
           However, since the functions of authoritative name service
           and caching/recursive name service are logically separate, it is
           often advantageous to run them on separate server machines.
@@ -594,11 +556,9 @@
           does not need to be reachable from the Internet at large and can
           be placed inside a firewall.
         </p>
-
-      </div>
-    </div>
-
-  </div>
+</div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -616,6 +576,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch02.html b/bind/bind9/doc/arm/Bv9ARM.ch02.html
index b07809d3..02ab986b 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch02.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch02.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 2. BIND Resource Requirements</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
@@ -39,101 +39,94 @@
 <dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server-Intensive Environment Issues</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt>
 </dl>
 </div>
-
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="hw_req"></a>Hardware requirements</h2></div></div></div>
-      <p>
+<p>
         <acronym class="acronym">DNS</acronym> hardware requirements have
         traditionally been quite modest.
-        For many installations, servers that have been pensioned off from
+        For many installations, servers that have been retired from
         active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
       </p>
-      <p>
-        The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
-        may prove to be quite
-        CPU intensive however, so organizations that make heavy use of these
+<p>
+        However, the DNSSEC features of <acronym class="acronym">BIND</acronym> 9
+        may be quite
+        CPU-intensive, so organizations that make heavy use of these
         features may wish to consider larger systems for these applications.
         <acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing
         full utilization of
         multiprocessor systems for installations that need it.
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="cpu_req"></a>CPU Requirements</h2></div></div></div>
-      <p>
+<p>
         CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
-        i486-class machines
-        for serving of static zones without caching, to enterprise-class
-        machines if you intend to process many dynamic updates and DNSSEC
-        signed zones, serving many thousands of queries per second.
+        i386-class machines,
+        for serving static zones without caching, to enterprise-class
+        machines to process many dynamic updates and DNSSEC-signed zones,
+        serving many thousands of queries per second.
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="mem_req"></a>Memory Requirements</h2></div></div></div>
-      <p>
-        The memory of the server has to be large enough to fit the
-        cache and zones loaded off disk.  The <span class="command"><strong>max-cache-size</strong></span>
-        option can be used to limit the amount of memory used by the cache,
+<p>
+        Server memory must be sufficient to hold both the
+        cache and the zones loaded from disk.  The <span class="command"><strong>max-cache-size</strong></span>
+        option can limit the amount of memory used by the cache,
         at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
         traffic.
-        Additionally, if additional section caching
+        If additional section caching
         (<a class="xref" href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
         the <span class="command"><strong>max-acache-size</strong></span> option can be used to
         limit the amount
         of memory used by the mechanism.
         It is still good practice to have enough memory to load
-        all zone and cache data into memory &#8212; unfortunately, the best
+        all zone and cache data into memory; unfortunately, the best
         way
         to determine this for a given installation is to watch the name server
-        in operation. After a few weeks the server process should reach
+        in operation. After a few weeks, the server process should reach
         a relatively stable size where entries are expiring from the cache as
         fast as they are being inserted.
       </p>
-      
-    </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="intensive_env"></a>Name Server Intensive Environment Issues</h2></div></div></div>
-
-      <p>
-        For name server intensive environments, there are two alternative
-        configurations that may be used. The first is where clients and
+<a name="intensive_env"></a>Name Server-Intensive Environment Issues</h2></div></div></div>
+<p>
+        For name server-intensive environments, there are two
+        configurations that may be used. The first is one where clients and
         any second-level internal name servers query a main name server, which
-        has enough memory to build a large cache. This approach minimizes
+        has enough memory to build a large cache; this approach minimizes
         the bandwidth used by external name lookups. The second alternative
         is to set up second-level internal name servers to make queries
         independently.
-        In this configuration, none of the individual machines needs to
+        In this configuration, none of the individual machines need to
         have as much memory or CPU power as in the first alternative, but
         this has the disadvantage of making many more external queries,
         as none of the name servers share their cached data.
       </p>
-    </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="supported_os"></a>Supported Operating Systems</h2></div></div></div>
-
-      <p>
-        ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
-        number
-        of Unix-like operating systems and on
-        Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
+<p>
+        ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on many
+        Unix-like operating systems and on
+        Microsoft Windows Server 2012 R2, 2016 and Windows 10.
         For an up-to-date
-        list of supported systems, see the README file in the top level
+        list of supported systems, see the PLATFORMS.md file in the top-level
         directory
         of the BIND 9 source distribution.
       </p>
-    </div>
-  </div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -151,6 +144,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch03.html b/bind/bind9/doc/arm/Bv9ARM.ch03.html
index 14d1db54..bb946445 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch03.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch03.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 3. Name Server Configuration</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
@@ -49,31 +49,26 @@
 </dl></dd>
 </dl>
 </div>
-
-    <p>
-      In this chapter we provide some suggested configurations along
+<p>
+      In this chapter we provide some suggested configurations, along
       with guidelines for their use.  We suggest reasonable values for
       certain option settings.
     </p>
-
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="cache_only_sample"></a>A Caching-only Name Server</h3></div></div></div>
-
-        <p>
+<p>
           The following sample configuration is appropriate for a caching-only
           name server for use by clients internal to a corporation.  All
           queries
           from outside clients are refused using the <span class="command"><strong>allow-query</strong></span>
-          option.  Alternatively, the same effect could be achieved using
+          option.  The same effect can be achieved using
           suitable
           firewall rules.
         </p>
-
 <pre class="programlisting">
 // Two corporate subnets we wish to allow queries from.
 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
@@ -91,19 +86,15 @@ zone "0.0.127.in-addr.arpa" {
      notify no;
 };
 </pre>
-
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="auth_only_sample"></a>An Authoritative-only Name Server</h3></div></div></div>
-
-        <p>
+<p>
           This sample configuration is for an authoritative-only server
-          that is the master server for "<code class="filename">example.com</code>"
-          and a slave for the subdomain "<code class="filename">eng.example.com</code>".
+          that is the primary server for "<code class="filename">example.com</code>"
+          and a secondary server for the subdomain "<code class="filename">eng.example.com</code>".
         </p>
-
 <pre class="programlisting">
 options {
      // Working directory
@@ -123,50 +114,42 @@ zone "0.0.127.in-addr.arpa" {
      file "localhost.rev";
      notify no;
 };
-// We are the master server for example.com
+// We are the primary server for example.com
 zone "example.com" {
      type master;
      file "example.com.db";
-     // IP addresses of slave servers allowed to
+     // IP addresses of secondary servers allowed to
      // transfer example.com
      allow-transfer {
           192.168.4.14;
           192.168.5.53;
      };
 };
-// We are a slave server for eng.example.com
+// We are a secondary server for eng.example.com
 zone "eng.example.com" {
      type slave;
      file "eng.example.com.bk";
-     // IP address of eng.example.com master server
+     // IP address of eng.example.com primary server
      masters { 192.168.4.12; };
 };
 </pre>
-
-      </div>
-    </div>
-
-    <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="load_balancing"></a>Load Balancing</h2></div></div></div>
-
-      
-
-      <p>
+<p>
         A primitive form of load balancing can be achieved in
         the <acronym class="acronym">DNS</acronym> by using multiple records
         (such as multiple A records) for one name.
       </p>
-
-      <p>
-        For example, if you have three WWW servers with network addresses
-        of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-        following means that clients will connect to each machine one third
+<p>
+        For example, assuming three HTTP servers with network addresses
+        of 10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the
+        following means that clients will connect to each machine one-third
         of the time:
       </p>
-
-      <div class="informaltable">
-        <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="0.875in" class="1">
 <col width="0.500in" class="2">
@@ -280,86 +263,71 @@ zone "eng.example.com" {
               </td>
 </tr>
 </tbody>
-</table>
-      </div>
-      <p>
-        When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
-        them and respond to the query with the records in a different
-        order.  In the example above, clients will randomly receive
+</table></div>
+<p>
+        When a resolver queries for these records, <acronym class="acronym">BIND</acronym> rotates
+        them and responds to the query with the records in a different
+        order.  In the example above, clients randomly receive
         records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
-        will use the first record returned and discard the rest.
+        use the first record returned and discard the rest.
       </p>
-      <p>
+<p>
         For more detail on ordering responses, check the
         <span class="command"><strong>rrset-order</strong></span> sub-statement in the
         <span class="command"><strong>options</strong></span> statement, see
         <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.
       </p>
-
-    </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="ns_operations"></a>Name Server Operations</h2></div></div></div>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
-        <p>
+<p>
           This section describes several indispensable diagnostic,
-          administrative and monitoring tools available to the system
+          administrative, and monitoring tools available to the system
           administrator for controlling and debugging the name server
           daemon.
         </p>
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
-          <p>
+<p>
             The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and
-            <span class="command"><strong>nslookup</strong></span> programs are all command
-            line tools
+            <span class="command"><strong>nslookup</strong></span> programs are all command-line tools
             for manually querying name servers.  They differ in style and
             output format.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   <span class="command"><strong>dig</strong></span>
                   is the most versatile and complete of these lookup tools.
                   It has two modes: simple interactive
-                  mode for a single query, and batch mode which executes a
+                  mode for a single query, and batch mode, which executes a
                   query for
                   each in a list of several query lines. All query options are
                   accessible
                   from the command line.
                 </p>
-                <div class="cmdsynopsis"><p>
-                  <code class="command">dig</code> 
-                   [@<em class="replaceable"><code>server</code></em>]
-                    <em class="replaceable"><code>domain</code></em> 
-                   [<em class="replaceable"><code>query-type</code></em>]
-                   [<em class="replaceable"><code>query-class</code></em>]
-                   [+<em class="replaceable"><code>query-option</code></em>]
-                   [-<em class="replaceable"><code>dig-option</code></em>]
-                   [%<em class="replaceable"><code>comment</code></em>]
-                </p></div>
-                <p>
-                  The usual simple use of <span class="command"><strong>dig</strong></span> will take the form
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [@<em class="replaceable"><code>server</code></em>]  <em class="replaceable"><code>domain</code></em>  [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
+<p>
+                  The usual simple use of <span class="command"><strong>dig</strong></span> takes the form
                 </p>
-                <p class="simpara">
+<p class="simpara">
                   <span class="command"><strong>dig @server domain query-type query-class</strong></span>
                 </p>
-                <p>
+<p>
                   For more information and a list of available commands and
                   options, see the <span class="command"><strong>dig</strong></span> man
                   page.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>host</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   The <span class="command"><strong>host</strong></span> utility emphasizes
                   simplicity
                   and ease of use.  By default, it converts
@@ -367,54 +335,34 @@ zone "eng.example.com" {
                   functionality
                   can be extended with the use of options.
                 </p>
-                <div class="cmdsynopsis"><p>
-                  <code class="command">host</code> 
-                   [-aCdlnrsTwv]
-                   [-c <em class="replaceable"><code>class</code></em>]
-                   [-N <em class="replaceable"><code>ndots</code></em>]
-                   [-t <em class="replaceable"><code>type</code></em>]
-                   [-W <em class="replaceable"><code>timeout</code></em>]
-                   [-R <em class="replaceable"><code>retries</code></em>]
-                   [-m <em class="replaceable"><code>flag</code></em>]
-                   [-4]
-                   [-6]
-                    <em class="replaceable"><code>hostname</code></em> 
-                   [<em class="replaceable"><code>server</code></em>]
-                </p></div>
-                <p>
+<div class="cmdsynopsis"><p><code class="command">host</code>  [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6]  <em class="replaceable"><code>hostname</code></em>  [<em class="replaceable"><code>server</code></em>]</p></div>
+<p>
                   For more information and a list of available commands and
                   options, see the <span class="command"><strong>host</strong></span> man
                   page.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>nslookup</strong></span></span></dt>
 <dd>
-                <p><span class="command"><strong>nslookup</strong></span>
+<p><span class="command"><strong>nslookup</strong></span>
                   has two modes: interactive and
                   non-interactive. Interactive mode allows the user to
                   query name servers for information about various
-                  hosts and domains or to print a list of hosts in a
+                  hosts and domains, or to print a list of hosts in a
                   domain. Non-interactive mode is used to print just
                   the name and requested information for a host or
                   domain.
                 </p>
-                <div class="cmdsynopsis"><p>
-                  <code class="command">nslookup</code> 
-                   [-option...]
-                   [
-                    [<em class="replaceable"><code>host-to-find</code></em>]
-                     |  [- [server]]
-                  ]
-                </p></div>
-                <p>
+<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] |  [- [server]]]</p></div>
+<p>
                   Interactive mode is entered when no arguments are given (the
-                  default name server will be used) or when the first argument
+                  default name server is used) or when the first argument
                   is a
-                  hyphen (`-') and the second argument is the host name or
+                  hyphen ("-") and the second argument is the host name or
                   Internet address
                   of a name server.
                 </p>
-                <p>
+<p>
                   Non-interactive mode is used when the name or Internet
                   address
                   of the host to be looked up is given as the first argument.
@@ -422,105 +370,69 @@ zone "eng.example.com" {
                   optional second argument specifies the host name or address
                   of a name server.
                 </p>
-                <p>
+<p>
                   Due to its arcane user interface and frequently inconsistent
                   behavior, we do not recommend the use of <span class="command"><strong>nslookup</strong></span>.
                   Use <span class="command"><strong>dig</strong></span> instead.
                 </p>
-              </dd>
+</dd>
 </dl></div>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
-          <p>
+<p>
             Administrative tools play an integral part in the management
             of a server.
           </p>
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt>
 <a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span>
 </dt>
 <dd>
-                <p>
+<p>
                   The <span class="command"><strong>named-checkconf</strong></span> program
                   checks the syntax of a <code class="filename">named.conf</code> file.
                 </p>
-                <div class="cmdsynopsis"><p>
-                  <code class="command">named-checkconf</code> 
-                   [-jvz]
-                   [-t <em class="replaceable"><code>directory</code></em>]
-                   [<em class="replaceable"><code>filename</code></em>]
-                </p></div>
-              </dd>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
+</dd>
 <dt>
 <a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span>
 </dt>
 <dd>
-                <p>
+<p>
                   The <span class="command"><strong>named-checkzone</strong></span> program
-                  checks a master file for
+                  checks a zone file for
                   syntax and consistency.
                 </p>
-                <div class="cmdsynopsis"><p>
-                  <code class="command">named-checkzone</code> 
-                   [-djqvD]
-                   [-c <em class="replaceable"><code>class</code></em>]
-                   [-o <em class="replaceable"><code>output</code></em>]
-                   [-t <em class="replaceable"><code>directory</code></em>]
-                   [-w <em class="replaceable"><code>directory</code></em>]
-                   [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>]
-                   [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>]
-                   [-W <em class="replaceable"><code>(ignore|warn)</code></em>]
-                    <em class="replaceable"><code>zone</code></em> 
-                   [<em class="replaceable"><code>filename</code></em>]
-                </p></div>
-              </dd>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>]  <em class="replaceable"><code>zone</code></em>  [<em class="replaceable"><code>filename</code></em>]</p></div>
+</dd>
 <dt>
 <a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span>
 </dt>
-<dd>
-                <p>
-                  Similar to <span class="command"><strong>named-checkzone,</strong></span> but
+<dd><p>
+                  This tool is similar to <span class="command"><strong>named-checkzone,</strong></span> but
                   it always dumps the zone content to a specified file
                   (typically in a different format).
-                </p>
-              </dd>
+                </p></dd>
 <dt>
 <a name="rndc"></a><span class="term"><span class="command"><strong>rndc</strong></span></span>
 </dt>
 <dd>
-                <p>
+<p>
                   The remote name daemon control
                   (<span class="command"><strong>rndc</strong></span>) program allows the
                   system
                   administrator to control the operation of a name server.
-                  Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span>
-                  supports all the commands of the BIND 8 <span class="command"><strong>ndc</strong></span>
-                  utility except <span class="command"><strong>ndc start</strong></span> and
-                  <span class="command"><strong>ndc restart</strong></span>, which were also
-                  not supported in <span class="command"><strong>ndc</strong></span>'s
-                  channel mode.
-                  If you run <span class="command"><strong>rndc</strong></span> without any
-                  options
-                  it will display a usage message as follows:
-                </p>
-                <div class="cmdsynopsis"><p>
-                  <code class="command">rndc</code> 
-                   [-c <em class="replaceable"><code>config</code></em>]
-                   [-s <em class="replaceable"><code>server</code></em>]
-                   [-p <em class="replaceable"><code>port</code></em>]
-                   [-y <em class="replaceable"><code>key</code></em>]
-                    <em class="replaceable"><code>command</code></em> 
-                   [<em class="replaceable"><code>command</code></em>...]
-                </p></div>
-
-                <p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
+                  If <span class="command"><strong>rndc</strong></span> is run without any
+                  options,
+                  it displays a usage message as follows:
+                </p>
+<div class="cmdsynopsis"><p><code class="command">rndc</code>  [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>]  <em class="replaceable"><code>command</code></em>  [<em class="replaceable"><code>command</code></em>...]</p></div>
+<p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
                   the available <span class="command"><strong>rndc</strong></span> commands.
                 </p>
-
-                <p>
+<p>
                   <span class="command"><strong>rndc</strong></span> requires a configuration file,
                   since all
                   communication with the server is authenticated with
@@ -532,7 +444,7 @@ zone "eng.example.com" {
                   alternate
                   location can be specified with the <code class="option">-c</code>
                   option.  If the configuration file is not found,
-                  <span class="command"><strong>rndc</strong></span> will also look in
+                  <span class="command"><strong>rndc</strong></span> also looks in
                   <code class="filename">/etc/rndc.key</code> (or whatever
                   <code class="varname">sysconfdir</code> was defined when
                   the <acronym class="acronym">BIND</acronym> build was
@@ -544,29 +456,27 @@ zone "eng.example.com" {
                   <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
           Usage&#8221;</a>.
                 </p>
-
-                <p>
+<p>
                   The format of the configuration file is similar to
-                  that of <code class="filename">named.conf</code>, but
+                  that of <code class="filename">named.conf</code>, but is
                   limited to
-                  only four statements, the <span class="command"><strong>options</strong></span>,
-                  <span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and
+                  only four statements: the <span class="command"><strong>options</strong></span>,
+                  <span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span>, and
                   <span class="command"><strong>include</strong></span>
                   statements.  These statements are what associate the
                   secret keys to the servers with which they are meant to
                   be shared.  The order of statements is not
                   significant.
                 </p>
-
-                <p>
+<p>
                   The <span class="command"><strong>options</strong></span> statement has
                   three clauses:
                   <span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,
                   and <span class="command"><strong>default-port</strong></span>.
                   <span class="command"><strong>default-server</strong></span> takes a
-                  host name or address argument  and represents the server
-                  that will
-                  be contacted if no <code class="option">-s</code>
+                  host name or address argument and represents the server
+                  that
+                  is contacted if no <code class="option">-s</code>
                   option is provided on the command line.
                   <span class="command"><strong>default-key</strong></span> takes
                   the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement.
@@ -576,8 +486,7 @@ zone "eng.example.com" {
                   port is given on the command line or in a
                   <span class="command"><strong>server</strong></span> statement.
                 </p>
-
-                <p>
+<p>
                   The <span class="command"><strong>key</strong></span> statement defines a
                   key to be used
                   by <span class="command"><strong>rndc</strong></span> when authenticating
@@ -594,20 +503,19 @@ zone "eng.example.com" {
                   The <span class="command"><strong>key</strong></span> statement has two
                   clauses:
                   <span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>.
-                  While the configuration parser will accept any string as the
+                  While the configuration parser accepts any string as the
                   argument
-                  to algorithm, currently only the strings
+                  to <span class="command"><strong>algorithm</strong></span>, currently only the strings
                   "<strong class="userinput"><code>hmac-md5</code></strong>",
                   "<strong class="userinput"><code>hmac-sha1</code></strong>",
                   "<strong class="userinput"><code>hmac-sha224</code></strong>",
                   "<strong class="userinput"><code>hmac-sha256</code></strong>",
-                  "<strong class="userinput"><code>hmac-sha384</code></strong>"
+                  "<strong class="userinput"><code>hmac-sha384</code></strong>",
                   and "<strong class="userinput"><code>hmac-sha512</code></strong>"
-                  have any meaning.  The secret is a Base64 encoded string
+                  have any meaning.  The secret is a Base64-encoded string
                   as specified in RFC 3548.
                 </p>
-
-                <p>
+<p>
                   The <span class="command"><strong>server</strong></span> statement
                   associates a key
                   defined using the <span class="command"><strong>key</strong></span>
@@ -623,11 +531,9 @@ zone "eng.example.com" {
                   connect
                   to on the server.
                 </p>
-
-                <p>
+<p>
                   A sample minimal configuration file is as follows:
                 </p>
-
 <pre class="programlisting">
 key rndc_key {
      algorithm "hmac-sha256";
@@ -639,67 +545,57 @@ options {
      default-key    rndc_key;
 };
 </pre>
-
-                <p>
+<p>
                   This file, if installed as <code class="filename">/etc/rndc.conf</code>,
-                  would allow the command:
+                  allows the command:
                 </p>
-
-                <p>
+<p>
                   <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
                 </p>
-
-                <p>
-                  to connect to 127.0.0.1 port 953 and cause the name server
-                  to reload, if a name server on the local machine were
+<p>
+                  to connect to 127.0.0.1 port 953 and causes the name server
+                  to reload, if a name server on the local machine is
                   running with
                   following controls statements:
                 </p>
-
 <pre class="programlisting">
 controls {
         inet 127.0.0.1
             allow { localhost; } keys { rndc_key; };
 };
 </pre>
-
-                <p>
-                  and it had an identical key statement for
+<p>
+                  and it has an identical key statement for
                   <code class="literal">rndc_key</code>.
                 </p>
-
-                <p>
+<p>
                   Running the <span class="command"><strong>rndc-confgen</strong></span>
-                  program will
-                  conveniently create a <code class="filename">rndc.conf</code>
-                  file for you, and also display the
+                  program
+                  conveniently creates an <code class="filename">rndc.conf</code>
+                  file, and also displays the
                   corresponding <span class="command"><strong>controls</strong></span>
-                  statement that you need to
+                  statement needed to
                   add to <code class="filename">named.conf</code>.
                   Alternatively,
-                  you can run <span class="command"><strong>rndc-confgen -a</strong></span>
+                  it is possible to run <span class="command"><strong>rndc-confgen -a</strong></span>
                   to set up
-                  a <code class="filename">rndc.key</code> file and not
+                  an <code class="filename">rndc.key</code> file and not
                   modify
                   <code class="filename">named.conf</code> at all.
                 </p>
-
-              </dd>
+</dd>
 </dl></div>
-
-        </div>
-      </div>
-
-      <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="signals"></a>Signals</h3></div></div></div>
-        <p>
-          Certain UNIX signals cause the name server to take specific
+<p>
+          Certain Unix signals cause the name server to take specific
           actions, as described in the following table.  These signals can
           be sent using the <span class="command"><strong>kill</strong></span> command.
         </p>
-        <div class="informaltable">
-          <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.125in" class="1">
 <col width="4.000in" class="2">
@@ -737,11 +633,10 @@ controls {
                 </td>
 </tr>
 </tbody>
-</table>
-        </div>
-      </div>
-    </div>
-  </div>
+</table></div>
+</div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -759,6 +654,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch04.html b/bind/bind9/doc/arm/Bv9ARM.ch04.html
index d732e318..77f15b13 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch04.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch04.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 4. Advanced DNS Features</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
@@ -38,14 +38,14 @@
 <dl class="toc">
 <dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The Journal File</a></span></dt></dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example Split DNS Setup</a></span></dt></dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading a New Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
@@ -56,22 +56,22 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
 </dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.2">Converting from insecure to secure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully automatic zone signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private-type records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic key rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting from secure to insecure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic re-signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS Update Method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully Automatic Zone Signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private Type Records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY Rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS Update Method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic Key Rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM Rollovers via UPDATE</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting From NSEC to NSEC3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting From NSEC3 to NSEC</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting From Secure to Insecure</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic Re-signing</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.52">NSEC3 and OPTOUT</a></span></dt>
 </dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
@@ -79,7 +79,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) Support</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
@@ -94,7 +94,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">Dynamic Database (DynDB)</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
@@ -103,28 +103,26 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.4">Principle of Operation</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.5">Configuring Catalog Zones</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone format</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone Format</a></span></dt>
 </dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.6">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address-to-Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl>
 </div>
-
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="notify"></a>Notify</h2></div></div></div>
-      <p>
-        <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
-        servers to notify their slave servers of changes to a zone's data. In
-        response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the
-        slave will check to see that its version of the zone is the
-        current version and, if not, initiate a zone transfer.
+<p>
+        <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows primary
+        servers to notify their secondary servers of changes to a zone's data. In
+        response to a <span class="command"><strong>NOTIFY</strong></span> from a primary server, the
+        secondary checks to see that its version of the zone is the
+        current version and, if not, initiates a zone transfer.
       </p>
-
-      <p>
+<p>
         For more information about <acronym class="acronym">DNS</acronym>
         <span class="command"><strong>NOTIFY</strong></span>, see the description of the
         <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
@@ -132,185 +130,161 @@
         <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span class="command"><strong>NOTIFY</strong></span>
         protocol is specified in RFC 1996.
       </p>
-
-      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-        As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>,
+        As a secondary zone can also be a primary to other secondaries, <span class="command"><strong>named</strong></span>,
         by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone
-        it loads.  Specifying <span class="command"><strong>notify master-only;</strong></span> will
-        cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master
+        it loads.  Specifying <span class="command"><strong>notify primary-only;</strong></span>
+        causes <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for primary
         zones that it loads.
       </p>
 </div>
-
-    </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
-
-      <p>
-        Dynamic Update is a method for adding, replacing or deleting
-        records in a master server by sending it a special form of DNS
+<p>
+        Dynamic Update is a method for adding, replacing, or deleting
+        records in a primary server by sending it a special form of DNS
         messages.  The format and meaning of these messages is specified
         in RFC 2136.
       </p>
-
-      <p>
+<p>
         Dynamic update is enabled by including an
         <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span>
         clause in the <span class="command"><strong>zone</strong></span> statement.
       </p>
-
-      <p>
+<p>
         If the zone's <span class="command"><strong>update-policy</strong></span> is set to
         <strong class="userinput"><code>local</code></strong>, updates to the zone
-        will be permitted for the key <code class="varname">local-ddns</code>,
-        which will be generated by <span class="command"><strong>named</strong></span> at startup.
+        are permitted for the key <code class="varname">local-ddns</code>,
+        which is generated by <span class="command"><strong>named</strong></span> at startup.
         See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
       </p>
-
-      <p>
-        Dynamic updates using Kerberos signed requests can be made
-        using the TKEY/GSS protocol by setting either the
-        <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively
+<p>
+        Dynamic updates using Kerberos-signed requests can be made
+        using the TKEY/GSS protocol, either by setting the
+        <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or
         by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span>
         and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled,
-        Kerberos signed requests will be matched against the update
+        Kerberos-signed requests are matched against the update
         policies for the zone, using the Kerberos principal as the
         signer for the request.
       </p>
-
-      <p>
+<p>
         Updating of secure zones (zones using DNSSEC) follows RFC
-        3007: RRSIG, NSEC and NSEC3 records affected by updates are
+        3007: RRSIG, NSEC, and NSEC3 records affected by updates are
         automatically regenerated by the server using an online
         zone key.  Update authorization is based on transaction
         signatures and an explicit server policy.
       </p>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="journal"></a>The journal file</h3></div></div></div>
-
-        <p>
+<a name="journal"></a>The Journal File</h3></div></div></div>
+<p>
           All changes made to a zone using dynamic update are stored
           in the zone's journal file.  This file is automatically created
           by the server when the first dynamic update takes place.
           The name of the journal file is formed by appending the extension
           <code class="filename">.jnl</code> to the name of the
           corresponding zone
-          file unless specifically overridden.  The journal file is in a
+          file, unless specifically overridden.  The journal file is in a
           binary format and should not be edited manually.
         </p>
-
-        <p>
-          The server will also occasionally write ("dump")
+<p>
+          The server also occasionally writes ("dumps")
           the complete contents of the updated zone to its zone file.
           This is not done immediately after
           each dynamic update, because that would be too slow when a large
           zone is updated frequently.  Instead, the dump is delayed by
           up to 15 minutes, allowing additional updates to take place.
-          During the dump process, transient files will be created
+          During the dump process, transient files are created
           with the extensions <code class="filename">.jnw</code> and
           <code class="filename">.jbk</code>; under ordinary circumstances, these
-          will be removed when the dump is complete, and can be safely
+          are removed when the dump is complete, and can be safely
           ignored.
         </p>
-
-        <p>
-          When a server is restarted after a shutdown or crash, it will replay
-              the journal file to incorporate into the zone any updates that
+<p>
+          When a server is restarted after a shutdown or crash, it replays
+          the journal file to incorporate into the zone any updates that
           took
           place after the last zone dump.
         </p>
-
-        <p>
+<p>
           Changes that result from incoming incremental zone transfers are
           also
-          journalled in a similar way.
+          journaled in a similar way.
         </p>
-
-        <p>
+<p>
           The zone files of dynamic zones cannot normally be edited by
           hand because they are not guaranteed to contain the most recent
-          dynamic changes &#8212; those are only in the journal file.
+          dynamic changes; those are only in the journal file.
           The only way to ensure that the zone file of a dynamic zone
-          is up to date is to run <span class="command"><strong>rndc stop</strong></span>.
+          is up-to-date is to run <span class="command"><strong>rndc stop</strong></span>.
         </p>
-
-        <p>
-          If you have to make changes to a dynamic zone
-          manually, the following procedure will work:
-          Disable dynamic updates to the zone using
+<p>
+          To make changes to a dynamic zone
+          manually, follow these steps:
+          first, disable dynamic updates to the zone using
           <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
-          This will update the zone's master file with the changes
+          This updates the zone file with the changes
           stored in its <code class="filename">.jnl</code> file.
-          Edit the zone file.  Run
+          Then, edit the zone file.  Finally, run
           <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
           to reload the changed zone and re-enable dynamic updates.
         </p>
-
-        <p>
+<p>
           <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
-          will update the zone file with changes from the journal file
+          updates the zone file with changes from the journal file
           without stopping dynamic updates; this may be useful for viewing
           the current zone state.  To remove the <code class="filename">.jnl</code>
           file after updating the zone file, use
           <span class="command"><strong>rndc sync -clean</strong></span>.
         </p>
-
-      </div>
-
-    </div>
-
-    <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
-
-      <p>
+<p>
         The incremental zone transfer (IXFR) protocol is a way for
-        slave servers to transfer only changed data, instead of having to
-        transfer the entire zone. The IXFR protocol is specified in RFC
+        secondary servers to transfer only changed data, instead of having to
+        transfer an entire zone. The IXFR protocol is specified in RFC
         1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
       </p>
-
-      <p>
-        When acting as a master, <acronym class="acronym">BIND</acronym> 9
+<p>
+        When acting as a primary server, <acronym class="acronym">BIND</acronym> 9
         supports IXFR for those zones
         where the necessary change history information is available. These
-        include master zones maintained by dynamic update and slave zones
-        whose data was obtained by IXFR.  For manually maintained master
-        zones, and for slave zones obtained by performing a full zone
+        include primary zones maintained by dynamic update and secondary zones
+        whose data was obtained by IXFR.  For manually maintained primary
+        zones, and for secondary zones obtained by performing a full zone
         transfer (AXFR), IXFR is supported only if the option
         <span class="command"><strong>ixfr-from-differences</strong></span> is set
         to <strong class="userinput"><code>yes</code></strong>.
       </p>
-
-      <p>
-        When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
-        attempt to use IXFR unless
+<p>
+        When acting as a secondary server, <acronym class="acronym">BIND</acronym> 9
+        attempts to use IXFR unless
         it is explicitly disabled. For more information about disabling
         IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
         of the <span class="command"><strong>server</strong></span> statement.
       </p>
-    </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="split_dns"></a>Split DNS</h2></div></div></div>
-
-      <p>
-        Setting up different views, or visibility, of the DNS space to
+<p>
+        Setting up different views of the DNS space to
         internal and external resolvers is usually referred to as a
-        <span class="emphasis"><em>Split DNS</em></span> setup. There are several
-        reasons an organization would want to set up its DNS this way.
+        <span class="emphasis"><em>split DNS</em></span> setup. There are several
+        reasons an organization might want to set up its DNS this way.
       </p>
-      <p>
-        One common reason for setting up a DNS system this way is
+<p>
+        One common reason to use split DNS is
         to hide "internal" DNS information from "external" clients on the
-        Internet. There is some debate as to whether or not this is actually
+        Internet. There is some debate as to whether this is actually
         useful.
         Internal DNS information leaks out in many ways (via email headers,
         for example) and most savvy "attackers" can find the information
@@ -318,20 +292,20 @@
         However, since listing addresses of internal servers that
         external clients cannot possibly reach can result in
         connection delays and other annoyances, an organization may
-        choose to use a Split DNS to present a consistent view of itself
+        choose to use split DNS to present a consistent view of itself
         to the outside world.
       </p>
-      <p>
-        Another common reason for setting up a Split DNS system is
+<p>
+        Another common reason for setting up a split DNS system is
         to allow internal networks that are behind filters or in RFC 1918
         space (reserved IP space, as documented in RFC 1918) to resolve DNS
         on the Internet. Split DNS can also be used to allow mail from outside
-        back in to the internal network.
+        back into the internal network.
       </p>
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div>
-        <p>
+<a name="split_dns_sample"></a>Example Split DNS Setup</h3></div></div></div>
+<p>
           Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
           (<code class="literal">example.com</code>)
           has several corporate sites that have an internal network with
@@ -339,23 +313,23 @@
           Internet Protocol (IP) space and an external demilitarized zone (DMZ),
           or "outside" section of a network, that is available to the public.
         </p>
-        <p>
+<p>
           <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
           to be able to resolve external hostnames and to exchange mail with
           people on the outside. The company also wants its internal resolvers
           to have access to certain internal-only zones that are not available
           at all outside of the internal network.
         </p>
-        <p>
-          In order to accomplish this, the company will set up two sets
-          of name servers. One set will be on the inside network (in the
+<p>
+          In order to accomplish this, the company sets up two sets
+          of name servers. One set is on the inside network (in the
           reserved
-          IP space) and the other set will be on bastion hosts, which are
+          IP space) and the other set is on bastion hosts, which are
           "proxy"
-          hosts that can talk to both sides of its network, in the DMZ.
+          hosts in the DMZ that can talk to both sides of its network.
         </p>
-        <p>
-          The internal servers will be configured to forward all queries,
+<p>
+          The internal servers are configured to forward all queries,
           except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
           and <code class="filename">site2.example.com</code>, to the servers
           in the
@@ -363,106 +337,91 @@
           for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
           and <code class="filename">site2.internal</code>.
         </p>
-        <p>
+<p>
           To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
           the internal name servers must be configured to disallow all queries
           to these domains from any external hosts, including the bastion
           hosts.
         </p>
-        <p>
-          The external servers, which are on the bastion hosts, will
-          be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
+<p>
+          The external servers, which are on the bastion hosts, are
+          configured to serve the "public" version of the <code class="filename">site1.example.com</code> and <code class="filename">site2.example.com</code> zones.
           This could include things such as the host records for public servers
-          (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
-          and mail exchange (MX)  records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
+          (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>)
+          and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
         </p>
-        <p>
-          In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
-          should have special MX records that contain wildcard (`*') records
+<p>
+          In addition, the public <code class="filename">site1.example.com</code> and <code class="filename">site2.example.com</code> zones
+          should have special MX records that contain wildcard ("*") records
           pointing to the bastion hosts. This is needed because external mail
           servers do not have any other way of looking up how to deliver mail
-          to those internal hosts. With the wildcard records, the mail will
-          be delivered to the bastion host, which can then forward it on to
+          to those internal hosts. With the wildcard records, the mail is
+          delivered to the bastion host, which can then forward it on to
           internal hosts.
         </p>
-        <p>
+<p>
           Here's an example of a wildcard MX record:
         </p>
-        <pre class="programlisting">*   IN MX 10 external1.example.com.</pre>
-        <p>
+<pre class="programlisting">*   IN MX 10 external1.example.com.</pre>
+<p>
           Now that they accept mail on behalf of anything in the internal
-          network, the bastion hosts will need to know how to deliver mail
-          to internal hosts. In order for this to work properly, the resolvers
+          network, the bastion hosts need to know how to deliver mail
+          to internal hosts. The resolvers
           on
-          the bastion hosts will need to be configured to point to the internal
+          the bastion hosts need to be configured to point to the internal
           name servers for DNS resolution.
         </p>
-        <p>
-          Queries for internal hostnames will be answered by the internal
-          servers, and queries for external hostnames will be forwarded back
+<p>
+          Queries for internal hostnames are answered by the internal
+          servers, and queries for external hostnames are forwarded back
           out to the DNS servers on the bastion hosts.
         </p>
-        <p>
-          In order for all this to work properly, internal clients will
+<p>
+          For all of this to work properly, internal clients
           need to be configured to query <span class="emphasis"><em>only</em></span> the internal
           name servers for DNS queries. This could also be enforced via
           selective
           filtering on the network.
         </p>
-        <p>
+<p>
           If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
-          internal clients will now be able to:
+          internal clients are now able to:
         </p>
-        <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-            
-              Look up any hostnames in the <code class="literal">site1</code>
+              Look up any hostnames in the <code class="literal">site1.example.com</code>
               and
               <code class="literal">site2.example.com</code> zones.
-            
-          </li>
+            </li>
 <li class="listitem">
-            
               Look up any hostnames in the <code class="literal">site1.internal</code> and
               <code class="literal">site2.internal</code> domains.
-            
-          </li>
-<li class="listitem">
-            Look up any hostnames on the Internet.
-          </li>
-<li class="listitem">
-            Exchange mail with both internal and external people.
-          </li>
+            </li>
+<li class="listitem">Look up any hostnames on the Internet.</li>
+<li class="listitem">Exchange mail with both internal and external users.</li>
 </ul></div>
-        <p>
-          Hosts on the Internet will be able to:
+<p>
+          Hosts on the Internet are able to:
         </p>
-        <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-            
-              Look up any hostnames in the <code class="literal">site1</code>
+              Look up any hostnames in the <code class="literal">site1.example.com</code>
               and
               <code class="literal">site2.example.com</code> zones.
-            
-          </li>
+            </li>
 <li class="listitem">
-            
-              Exchange mail with anyone in the <code class="literal">site1</code> and
+              Exchange mail with anyone in the <code class="literal">site1.example.com</code> and
               <code class="literal">site2.example.com</code> zones.
-            
-          </li>
+            </li>
 </ul></div>
-
-        <p>
-          Here is an example configuration for the setup we just
+<p>
+          Here is an example configuration for the setup just
           described above. Note that this is only configuration information;
-          for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
+          for information on how to configure the zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
         </p>
-
-        <p>
+<p>
           Internal DNS server config:
         </p>
-
 <pre class="programlisting">
 
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
@@ -487,7 +446,7 @@ options {
     ...
 };
 
-// sample master zone
+// sample primary zone
 zone "site1.example.com" {
   type master;
   file "m/site1.example.com";
@@ -497,7 +456,7 @@ zone "site1.example.com" {
   allow-transfer { internals; };
 };
 
-// sample slave zone
+// sample secondary zone
 zone "site2.example.com" {
   type slave;
   file "s/site2.example.com";
@@ -524,11 +483,9 @@ zone "site2.internal" {
   allow-transfer { internals; }
 };
 </pre>
-
-        <p>
+<p>
           External (bastion host) DNS server config:
         </p>
-
 <pre class="programlisting">
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
 
@@ -549,7 +506,7 @@ options {
   ...
 };
 
-// sample slave zone
+// sample secondary zone
 zone "site1.example.com" {
   type master;
   file "m/site1.foo.com";
@@ -563,26 +520,22 @@ zone "site2.example.com" {
   allow-transfer { internals; externals; }
 };
 </pre>
-
-        <p>
+<p>
           In the <code class="filename">resolv.conf</code> (or equivalent) on
           the bastion host(s):
         </p>
-
 <pre class="programlisting">
 search ...
 nameserver 172.16.72.2
 nameserver 172.16.72.3
 nameserver 172.16.72.4
 </pre>
-
-      </div>
-    </div>
-    <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="tsig"></a>TSIG</h2></div></div></div>
-
-      <p>
+<p>
         TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
         messages, originally specified in RFC 2845. It allows DNS messages
         to be cryptographically signed using a shared secret.  TSIG can
@@ -591,14 +544,14 @@ nameserver 172.16.72.4
         clients when IP-based access control is insufficient or needs to
         be overridden, or as a way to ensure message authenticity when it
         is critical to the integrity of the server, such as with dynamic
-        UPDATE messages or zone transfers from a master to a slave server.
+        UPDATE messages or zone transfers from a primary to a secondary server.
       </p>
-      <p>
-        This is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>.
+<p>
+        This section is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>.
         It describes the configuration syntax and the process of creating
         TSIG keys.
       </p>
-      <p>
+<p>
         <span class="command"><strong>named</strong></span> supports TSIG for server-to-server
         communication, and some of the tools included with
         <acronym class="acronym">BIND</acronym> support it for sending messages to
@@ -606,60 +559,58 @@ nameserver 172.16.72.4
         </p>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-            <a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the
-            <code class="option">-k</code>, <code class="option">-l</code> and
-            <code class="option">-y</code> command line options, or via
+<a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the
+            <code class="option">-k</code>, <code class="option">-l</code>, and
+            <code class="option">-y</code> command-line options, or via
             the <span class="command"><strong>key</strong></span> command when running
             interactively.
           </li>
 <li class="listitem">
-            <a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the
-            <code class="option">-k</code> and <code class="option">-y</code> command
-            line options.
+<a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the
+            <code class="option">-k</code> and <code class="option">-y</code>
+                command-line options.
           </li>
 </ul></div>
 <p>
       </p>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.6.5"></a>Generating a Shared Key</h3></div></div></div>
-        <p>
+<p>
           TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span>
           command; the output of the command is a <span class="command"><strong>key</strong></span> directive
           suitable for inclusion in <code class="filename">named.conf</code>.  The
-          key name, algorithm and size can be specified by command line parameters;
+          key name, algorithm, and size can be specified by command-line parameters;
           the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
         </p>
-        <p>
+<p>
           Any string which is a valid DNS name can be used as a key name.
           For example, a key to be shared between servers called
           <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> could
-          be called "host1-host2.", and this key could be generated using:
+          be called "host1-host2.", and this key can be generated using:
         </p>
 <pre class="programlisting">
   $ tsig-keygen host1-host2. &gt; host1-host2.key
 </pre>
-        <p>
+<p>
           This key may then be copied to both hosts.  The key name and secret
           must be identical on both hosts.
           (Note: copying a shared secret from one server to another is beyond
           the scope of the DNS. A secure transport mechanism should be used:
           secure FTP, SSL, ssh, telephone, encrypted email, etc.)
         </p>
-        <p>
+<p>
           <span class="command"><strong>tsig-keygen</strong></span> can also be run as
           <span class="command"><strong>ddns-confgen</strong></span>, in which case its output includes
           additional configuration text for setting up dynamic DNS in
           <span class="command"><strong>named</strong></span>.  See <a class="xref" href="man.ddns-confgen.html" title="ddns-confgen"><span class="refentrytitle"><span class="application">ddns-confgen</span></span>(8)</a>
           for details.
         </p>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.6.6"></a>Loading A New Key</h3></div></div></div>
-        <p>
+<a name="id-1.5.6.6"></a>Loading a New Key</h3></div></div></div>
+<p>
           For a key shared between servers called
           <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>,
           the following could be added to each server's
@@ -671,49 +622,48 @@ key "host1-host2." {
         secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
 };
 </pre>
-        <p>
+<p>
           (This is the same key generated above using
           <span class="command"><strong>tsig-keygen</strong></span>.)
         </p>
-        <p>
+<p>
           Since this text contains a secret, it
           is recommended that either <code class="filename">named.conf</code> not be
           world-readable, or that the <span class="command"><strong>key</strong></span> directive
-          be stored in a file which is not world-readable, and which is
+          be stored in a file which is not world-readable and which is
           included in <code class="filename">named.conf</code> via the
           <span class="command"><strong>include</strong></span> directive.
         </p>
-        <p>
+<p>
           Once a key has been added to <code class="filename">named.conf</code> and the
           server has been restarted or reconfigured, the server can recognize
           the key.  If the server receives a message signed by the
-          key, it will be able to verify the signature.  If the signature
-          is valid, the response will be signed using the same key.
+          key, it is able to verify the signature.  If the signature
+          is valid, the response is signed using the same key.
         </p>
-        <p>
+<p>
           TSIG keys that are known to a server can be listed using the
           command <span class="command"><strong>rndc tsig-list</strong></span>.
         </p>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.6.7"></a>Instructing the Server to Use a Key</h3></div></div></div>
-        <p>
+<p>
           A server sending a request to another server must be told whether
           to use a key, and if so, which key to use.
         </p>
-        <p>
+<p>
           For example, a key may be specified for each server in the
           <span class="command"><strong>masters</strong></span> statement in the definition of a
-          slave zone; in this case, all SOA QUERY messages, NOTIFY
-          messages, and zone transfer requests (AXFR or IXFR) will be
+          secondary zone; in this case, all SOA QUERY messages, NOTIFY
+          messages, and zone transfer requests (AXFR or IXFR) are
           signed using the specified key.  Keys may also be specified
-          in the <span class="command"><strong>also-notify</strong></span> statement of a master
-          or slave zone, causing NOTIFY messages to be signed using
+          in the <span class="command"><strong>also-notify</strong></span> statement of a primary
+          or secondary zone, causing NOTIFY messages to be signed using
           the specified key.
         </p>
-        <p>
+<p>
           Keys can also be specified in a <span class="command"><strong>server</strong></span>
           directive. Adding the following on <span class="emphasis"><em>host1</em></span>,
           if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3, would
@@ -726,58 +676,56 @@ server 10.1.2.3 {
         keys { host1-host2. ;};
 };
 </pre>
-        <p>
+<p>
           Multiple keys may be present in the <span class="command"><strong>keys</strong></span>
           statement, but only the first one is used.  As this directive does
           not contain secrets, it can be used in a world-readable file.
         </p>
-        <p>
+<p>
           Requests sent by <span class="emphasis"><em>host2</em></span> to <span class="emphasis"><em>host1</em></span>
           would <span class="emphasis"><em>not</em></span> be signed, unless a similar
           <span class="command"><strong>server</strong></span> directive were in <span class="emphasis"><em>host2</em></span>'s
           configuration file.
         </p>
-        <p>
-          Whenever any server sends a TSIG-signed DNS request, it will expect
+<p>
+          Whenever any server sends a TSIG-signed DNS request, it expects
           the response to be signed with the same key. If a response is not
-          signed, or if the signature is not valid, the response will be
+          signed, or if the signature is not valid, the response is
           rejected.
         </p>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.6.8"></a>TSIG-Based Access Control</h3></div></div></div>
-        <p>
+<p>
           TSIG keys may be specified in ACL definitions and ACL directives
-          such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span>
+          such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
           and <span class="command"><strong>allow-update</strong></span>.
           The above key would be denoted in an ACL element as
           <span class="command"><strong>key host1-host2.</strong></span>
         </p>
-        <p>
-          An example of an <span class="command"><strong>allow-update</strong></span> directive using
+<p>
+          Here is an example of an <span class="command"><strong>allow-update</strong></span> directive using
           a TSIG key:
         </p>
 <pre class="programlisting">
 allow-update { !{ !localnets; any; }; key host1-host2. ;};
 </pre>
-        <p>
+<p>
           This allows dynamic updates to succeed only if the UPDATE
           request comes from an address in <span class="command"><strong>localnets</strong></span>,
           <span class="emphasis"><em>and</em></span> if it is signed using the
           <span class="command"><strong>host1-host2.</strong></span> key.
         </p>
-        <p>
+<p>
           See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for a discussion of
           the more flexible <span class="command"><strong>update-policy</strong></span> statement.
         </p>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.6.9"></a>Errors</h3></div></div></div>
-        <p>
+<p>
           Processing of TSIG-signed messages can result in several errors:
           </p>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
@@ -793,95 +741,89 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
             </li>
 <li class="listitem">
               If a TSIG-aware server receives a message with a time
-              outside of the allowed range, the response will be signed, with
+              outside of the allowed range, the response will be signed but
               the TSIG extended error code set to BADTIME, and the time values
               will be adjusted so that the response can be successfully
               verified.
             </li>
 </ul></div>
 <p>
-          In all of the above cases, the server will return a response code
+          In all of the above cases, the server returns a response code
           of NOTAUTH (not authenticated).
         </p>
-      </div>
-    </div>
-
-    <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="tkey"></a>TKEY</h2></div></div></div>
-
-      <p>
+<p>
         TKEY (Transaction KEY) is a mechanism for automatically negotiating
         a shared secret between two hosts, originally specified in RFC 2930.
       </p>
-      <p>
+<p>
         There are several TKEY "modes" that specify how a key is to be
         generated or assigned.  <acronym class="acronym">BIND</acronym> 9 implements only
         one of these modes: Diffie-Hellman key exchange.  Both hosts are
         required to have a KEY record with algorithm DH (though this
         record is not required to be present in a zone).
       </p>
-      <p>
+<p>
         The TKEY process is initiated by a client or server by sending
         a query of type TKEY to a TKEY-aware server.  The query must include
         an appropriate KEY record in the additional section, and
         must be signed using either TSIG or SIG(0) with a previously
-        established key.  The server's response, if successful, will
-        contain a TKEY record in its answer section.  After this transaction,
-        both participants will have enough information to calculate a
+        established key.  The server's response, if successful,
+        contains a TKEY record in its answer section.  After this transaction,
+        both participants have enough information to calculate a
         shared secret using Diffie-Hellman key exchange.  The shared secret
         can then be used by to sign subsequent transactions between the
         two servers.
       </p>
-      <p>
+<p>
         TSIG keys known by the server, including TKEY-negotiated keys, can
         be listed using <span class="command"><strong>rndc tsig-list</strong></span>.
       </p>
-      <p>
+<p>
         TKEY-negotiated keys can be deleted from a server using
         <span class="command"><strong>rndc tsig-delete</strong></span>.  This can also be done via
         the TKEY protocol itself, by sending an authenticated TKEY query
         specifying the "key deletion" mode.
       </p>
-
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="sig0"></a>SIG(0)</h2></div></div></div>
-
-      <p>
+<p>
         <acronym class="acronym">BIND</acronym> partially supports DNSSEC SIG(0)
         transaction signatures as specified in RFC 2535 and RFC 2931.
         SIG(0) uses public/private keys to authenticate messages.  Access control
-        is performed in the same manner as TSIG keys; privileges can be
+        is performed in the same manner as with TSIG keys; privileges can be
         granted or denied in ACL directives based on the key name.
       </p>
-      <p>
-        When a SIG(0) signed message is received, it will only be
+<p>
+        When a SIG(0) signed message is received, it is only
         verified if the key is known and trusted by the server. The
-        server will not attempt to recursively fetch or validate the
+        server does not attempt to recursively fetch or validate the
         key.
       </p>
-      <p>
+<p>
         SIG(0) signing of multiple-message TCP streams is not supported.
       </p>
-      <p>
+<p>
         The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
         generates SIG(0) signed messages is <span class="command"><strong>nsupdate</strong></span>.
       </p>
-    </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
-      <p>
+<p>
         Cryptographic authentication of DNS information is possible
         through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
         defined in RFC 4033, RFC 4034, and RFC 4035.
         This section describes the creation and use of DNSSEC signed zones.
       </p>
-
-      <p>
+<p>
         In order to set up a DNSSEC secure zone, there are a series
         of steps which must be followed.  <acronym class="acronym">BIND</acronym>
         9 ships
@@ -890,64 +832,54 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
         below.  In all cases, the <code class="option">-h</code> option prints a
         full list of parameters.  Note that the DNSSEC tools require the
         keyset files to be in the working directory or the
-        directory specified by the <code class="option">-d</code> option, and
-        that the tools shipped with BIND 9.2.x and earlier are not compatible
-        with the current ones.
+        directory specified by the <code class="option">-d</code> option.
       </p>
-
-      <p>
+<p>
         There must also be communication with the administrators of
         the parent and/or child zone to transmit keys.  A zone's security
-        status must be indicated by the parent zone for a DNSSEC capable
+        status must be indicated by the parent zone for a DNSSEC-capable
         resolver to trust its data.  This is done through the presence
         or absence of a <code class="literal">DS</code> record at the
         delegation
         point.
       </p>
-
-      <p>
+<p>
         For other servers to trust data in this zone, they must
-        either be statically configured with this zone's zone key or the
+        be statically configured with either this zone's zone key or the
         zone key of another zone above this one in the DNS tree.
       </p>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
           generate keys.
         </p>
-
-        <p>
+<p>
           A secure zone must contain one or more zone keys.  The
           zone keys will sign all other records in the zone, as well as
           the zone keys of any secure delegated zones.  Zone keys must
-          have the same name as the zone, a name type of
-          <span class="command"><strong>ZONE</strong></span>, and must be usable for
+          have the same name as the zone, have a name type of
+          <span class="command"><strong>ZONE</strong></span>, and be usable for
           authentication.
           It is recommended that zone keys use a cryptographic algorithm
           designated as "mandatory to implement" by the IETF; currently
           the only one is RSASHA1.
         </p>
-
-        <p>
-          The following command will generate a 768-bit RSASHA1 key for
+<p>
+          The following command generates a 768-bit RSASHA1 key for
           the <code class="filename">child.example</code> zone:
         </p>
-
-        <p>
+<p>
           <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
         </p>
-
-        <p>
-          Two output files will be produced:
+<p>
+          Two output files are produced:
           <code class="filename">Kchild.example.+005+12345.key</code> and
           <code class="filename">Kchild.example.+005+12345.private</code>
           (where
           12345 is an example of a key tag).  The key filenames contain
-          the key name (<code class="filename">child.example.</code>),
+          the key name (<code class="filename">child.example.</code>), the
           algorithm (3
           is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
           this case).
@@ -957,57 +889,47 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
           <code class="filename">.key</code> file) is used for signature
           verification.
         </p>
-
-        <p>
-          To generate another key with the same properties (but with
-          a different key tag), repeat the above command.
+<p>
+          To generate another key with the same properties but with
+          a different key tag, repeat the above command.
         </p>
-
-        <p>
+<p>
           The <span class="command"><strong>dnssec-keyfromlabel</strong></span> program is used
-          to get a key pair from a crypto hardware and build the key
+          to get a key pair from a crypto hardware device and build the key
           files. Its usage is similar to <span class="command"><strong>dnssec-keygen</strong></span>.
         </p>
-
-        <p>
+<p>
           The public keys should be inserted into the zone file by
           including the <code class="filename">.key</code> files using
           <span class="command"><strong>$INCLUDE</strong></span> statements.
         </p>
-
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="dnssec_signing"></a>Signing the Zone</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>dnssec-signzone</strong></span> program is used
           to sign a zone.
         </p>
-
-        <p>
+<p>
           Any <code class="filename">keyset</code> files corresponding to
-          secure subzones should be present.  The zone signer will
-          generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
+          secure sub-zones should be present.  The zone signer
+          generates <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>,
           and <code class="literal">RRSIG</code> records for the zone, as
           well as <code class="literal">DS</code> for the child zones if
-          <code class="literal">'-g'</code> is specified.  If <code class="literal">'-g'</code>
+          <code class="literal">-g</code> is specified.  If <code class="literal">-g</code>
           is not specified, then DS RRsets for the secure child
           zones need to be added manually.
         </p>
-
-        <p>
-          The following command signs the zone, assuming it is in a
-          file called <code class="filename">zone.child.example</code>.  By
-                default, all zone keys which have an available private key are
-                used to generate signatures.
+<p>
+          By default, all zone keys which have an available private key are
+          used to generate signatures. The following command signs the zone, assuming it is in a
+          file called <code class="filename">zone.child.example</code>:
         </p>
-
-        <p>
+<p>
           <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
         </p>
-
-        <p>
+<p>
           One output file is produced:
           <code class="filename">zone.child.example.signed</code>.  This
           file
@@ -1015,40 +937,34 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
           as the
           input file for the zone.
         </p>
-
-        <p><span class="command"><strong>dnssec-signzone</strong></span>
-          will also produce a keyset and dsset files and optionally a
-          dlvset file.  These are used to provide the parent zone
+<p><span class="command"><strong>dnssec-signzone</strong></span>
+          also produces keyset and dsset files.
+          These are used to provide the parent zone
           administrators with the <code class="literal">DNSKEYs</code> (or their
           corresponding <code class="literal">DS</code> records) that are the
           secure entry point to the zone.
         </p>
-
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_config"></a>Configuring Servers</h3></div></div></div>
-
-        <p>
+<a name="dnssec_config"></a>Configuring Servers for DNSSEC</h3></div></div></div>
+<p>
           To enable <span class="command"><strong>named</strong></span> to respond appropriately
-          to DNS requests from DNSSEC aware clients,
+          to DNS requests from DNSSEC-aware clients,
           <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
           (This is the default setting.)
         </p>
-
-        <p>
+<p>
           To enable <span class="command"><strong>named</strong></span> to validate answers from
           other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
           must be set to <strong class="userinput"><code>yes</code></strong>, and the
-          <span class="command"><strong>dnssec-validation</strong></span> options must be set to
+          <span class="command"><strong>dnssec-validation</strong></span> option must be set to
           <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
         </p>
-
-        <p>
+<p>
           If <span class="command"><strong>dnssec-validation</strong></span> is set to
           <strong class="userinput"><code>auto</code></strong>, then a default
-          trust anchor for the DNS root zone will be used.
+          trust anchor for the DNS root zone is used.
           If it is set to <strong class="userinput"><code>yes</code></strong>, however,
           then at least one trust anchor must be configured
           with a <span class="command"><strong>trusted-keys</strong></span> or
@@ -1057,46 +973,40 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
           will not occur.  The default setting is
           <strong class="userinput"><code>yes</code></strong>.
         </p>
-
-        <p>
+<p>
           <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
           for zones that are used to form the first link in the
           cryptographic chain of trust.  All keys listed in
           <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
-          are deemed to exist and only the listed keys will be used
-          to validated the DNSKEY RRset that they are from.
+          are deemed to exist and only the listed keys are used
+          to validate the DNSKEY RRset that they are from.
         </p>
-
-        <p>
+<p>
           <span class="command"><strong>managed-keys</strong></span> are trusted keys which are
-          automatically kept up to date via RFC 5011 trust anchor
+          automatically kept up-to-date via RFC 5011 trust anchor
           maintenance.
         </p>
-
-        <p>
+<p>
           <span class="command"><strong>trusted-keys</strong></span> and
           <span class="command"><strong>managed-keys</strong></span> are described in more detail
           later in this document.
         </p>
-
-        <p>
-          Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
+<p>
+          <acronym class="acronym">BIND</acronym>
           9 does not verify signatures on load, so zone keys for
           authoritative zones do not need to be specified in the
           configuration file.
         </p>
-
-        <p>
-          After DNSSEC gets established, a typical DNSSEC configuration
-          will look something like the following.  It has one or
-          more public keys for the root.  This allows answers from
-          outside the organization to be validated.  It will also
-          have several keys for parts of the namespace the organization
+<p>
+          After DNSSEC is established, a typical DNSSEC configuration
+          looks something like the following.  It has one or
+          more public keys for the root, which allows answers from
+          outside the organization to be validated.  It also
+          has several keys for parts of the namespace that the organization
           controls.  These are here to ensure that <span class="command"><strong>named</strong></span>
-          is immune to compromises in the DNSSEC components of the security
+          is immune to compromised security in the DNSSEC components
           of parent zones.
         </p>
-
 <pre class="programlisting">
 managed-keys {
         /* Root Key */
@@ -1149,73 +1059,64 @@ options {
         dnssec-validation yes;
 };
 </pre>
-
-        <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
           None of the keys listed in this example are valid.  In particular,
           the root key is not valid.
         </p>
 </div>
-
-        <p>
+<p>
           When DNSSEC validation is enabled and properly configured,
-          the resolver will reject any answers from signed, secure zones
-          which fail to validate, and will return SERVFAIL to the client.
+          the resolver rejects any answers from signed, secure zones
+          which fail to validate, and returns SERVFAIL to the client.
         </p>
-
-        <p>
+<p>
           Responses may fail to validate for any of several reasons,
           including missing, expired, or invalid signatures, a key which
           does not match the DS RRset in the parent zone, or an insecure
           response from a zone which, according to its parent, should have
           been secure.
         </p>
-
-        <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-          <p>
+<p>
             When the validator receives a response from an unsigned zone
             that has a signed parent, it must confirm with the parent
             that the zone was intentionally left unsigned.  It does
             this by verifying, via signed and validated NSEC/NSEC3 records,
             that the parent zone contains no DS records for the child.
           </p>
-          <p>
+<p>
             If the validator <span class="emphasis"><em>can</em></span> prove that the zone
             is insecure, then the response is accepted.  However, if it
-            cannot, then it must assume an insecure response to be a
+            cannot, the validator must assume an insecure response to be a
             forgery; it rejects the response and logs an error.
           </p>
-          <p>
+<p>
             The logged error reads "insecurity proof failed" and
             "got insecure response; parent indicates it should be secure".
           </p>
-        </div>
-      </div>
-    </div>
-
-    <div class="section">
+</div>
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.2"></a>Converting from insecure to secure</h3></div></div></div>
-
-  </div>
-  <p>Changing a zone from insecure to secure can be done in two
-  ways: using a dynamic DNS update, or the
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.2"></a>Converting from insecure to secure</h3></div></div></div></div>
+<p>A zone ca be changed from insecure to secure in two
+  ways: using a dynamic DNS update, or via the
   <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
-  <p>For either method, you need to configure
-  <span class="command"><strong>named</strong></span> so that it can see the
+<p>For either method,
+  <span class="command"><strong>named</strong></span> must be configured so that it can see the
   <code class="filename">K*</code> files which contain the public and private
-  parts of the keys that will be used to sign the zone. These files
-  will have been generated by
-  <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
+  parts of the keys that are used to sign the zone. These files
+  are generated by
+  <span class="command"><strong>dnssec-keygen</strong></span>, and they should be placed
   in the key-directory, as specified in
   <code class="filename">named.conf</code>:</p>
-  <pre class="programlisting">
+<pre class="programlisting">
 	zone example.net {
 		type master;
 		update-policy local;
@@ -1223,35 +1124,32 @@ options {
 		key-directory "dynamic/example.net";
 	};
 </pre>
-  <p>If one KSK and one ZSK DNSKEY key have been generated, this
-  configuration will cause all records in the zone to be signed
-  with the ZSK, and the DNSKEY RRset to be signed with the KSK as
-  well. An NSEC chain will be generated as part of the initial
+<p>If one KSK and one ZSK DNSKEY key have been generated, this
+  configuration causes all records in the zone to be signed
+  with the ZSK, and the DNSKEY RRset to be signed with the KSK.
+  An NSEC chain is generated as part of the initial
   signing process.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.7"></a>Dynamic DNS update method</h3></div></div></div>
-
-  </div>
-  <p>To insert the keys via dynamic update:</p>
-  <pre class="screen">
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.7"></a>Dynamic DNS Update Method</h3></div></div></div></div>
+<p>To insert the keys via dynamic update:</p>
+<pre class="screen">
 	% nsupdate
 	&gt; ttl 3600
 	&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
 	&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
 	&gt; send
 </pre>
-  <p>While the update request will complete almost immediately,
-  the zone will not be completely signed until
-  <span class="command"><strong>named</strong></span> has had time to walk the zone and
+<p>While the update request completes almost immediately,
+  the zone is not completely signed until
+  <span class="command"><strong>named</strong></span> has had time to "walk" the zone and
   generate the NSEC and RRSIG records. The NSEC record at the apex
-  will be added last, to signal that there is a complete NSEC
+  is added last, to signal that there is a complete NSEC
   chain.</p>
-  <p>If you wish to sign using NSEC3 instead of NSEC, you should
-  add an NSEC3PARAM record to the initial update request. If you
-  wish the NSEC3 chain to have the OPTOUT bit set, set it in the
+<p>To sign using NSEC3 instead of NSEC,
+  add an NSEC3PARAM record to the initial update request.
+  The OPTOUT bit in the NSEC3 chain can be set in the
   flags field of the NSEC3PARAM record.</p>
-  <pre class="screen">
+<pre class="screen">
 	% nsupdate
 	&gt; ttl 3600
 	&gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
@@ -1259,95 +1157,89 @@ options {
 	&gt; update add example.net NSEC3PARAM 1 1 100 1234567890
 	&gt; send
 </pre>
-  <p>Again, this update request will complete almost
-  immediately; however, the record won't show up until
+<p>Again, this update request completes almost
+  immediately; however, the record does not show up until
   <span class="command"><strong>named</strong></span> has had a chance to build/remove the
-  relevant chain. A private type record will be created to record
-  the state of the operation (see below for more details), and will
-  be removed once the operation completes.</p>
-  <p>While the initial signing and NSEC/NSEC3 chain generation
+  relevant chain. A private type record is created to record
+  the state of the operation (see below for more details), and is
+  removed once the operation completes.</p>
+<p>While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.15"></a>Fully automatic zone signing</h3></div></div></div>
-
-  </div>
-  <p>To enable automatic signing, add the
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.15"></a>Fully Automatic Zone Signing</h3></div></div></div></div>
+<p>To enable automatic signing, add the
   <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
   <code class="filename">named.conf</code>.
   <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
   <code class="constant">allow</code> or
   <code class="constant">maintain</code>.</p>
-  <p>With
+<p>With
   <span class="command"><strong>auto-dnssec allow</strong></span>,
   <span class="command"><strong>named</strong></span> can search the key directory for keys
   matching the zone, insert them into the zone, and use them to
-  sign the zone. It will do so only when it receives an
+  sign the zone. It does so only when it receives an
   <span class="command"><strong>rndc sign &lt;zonename&gt;</strong></span>.</p>
-  <p>
+<p>
   
   <span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
-  functionality, but will also automatically adjust the zone's
-  DNSKEY records on schedule according to the keys' timing metadata.
+  functionality, but also automatically adjusts the zone's
+  DNSKEY records on a schedule according to the keys' timing metadata.
   (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
   <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
   </p>
-  <p>
-  <span class="command"><strong>named</strong></span> will periodically search the key directory
-  for keys matching the zone, and if the keys' metadata indicates
-  that any change should be made the zone, such as adding, removing,
-  or revoking a key, then that action will be carried out.  By default,
+<p>
+  <span class="command"><strong>named</strong></span> periodically searches the key directory
+  for keys matching the zone; if the keys' metadata indicates
+  that any change should be made to the zone - such as adding, removing,
+  or revoking a key - then that action is carried out.  By default,
   the key directory is checked for changes every 60 minutes; this period
-  can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
+  can be adjusted with <code class="option">dnssec-loadkeys-interval</code>, up
   to a maximum of 24 hours.  The <span class="command"><strong>rndc loadkeys</strong></span> forces
   <span class="command"><strong>named</strong></span> to check for key updates immediately.
   </p>
-  <p>
+<p>
   If keys are present in the key directory the first time the zone
-  is loaded, the zone will be signed immediately, without waiting for an
+  is loaded, the zone is signed immediately, without waiting for an
   <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
-  command. (Those commands can still be used when there are unscheduled
-  key changes, however.)
+  command. Those commands can still be used when there are unscheduled
+  key changes.
   </p>
-  <p>
+<p>
   When new keys are added to a zone, the TTL is set to match that
   of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
-  then the TTL will be set to the TTL specified when the key was
+  the TTL is set to the TTL specified when the key was
   created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
   any, or to the SOA TTL.
   </p>
-  <p>
-  If you wish the zone to be signed using NSEC3 instead of NSEC,
+<p>
+  To sign the zone using NSEC3 instead of NSEC,
   submit an NSEC3PARAM record via dynamic update prior to the
-  scheduled publication and activation of the keys.  If you wish the
-  NSEC3 chain to have the OPTOUT bit set, set it in the flags field
-  of the NSEC3PARAM record.  The NSEC3PARAM record will not appear in
-  the zone immediately, but it will be stored for later reference.  When
+  scheduled publication and activation of the keys.
+  The OPTOUT bit for the NSEC3 chain can be set in the flags field
+  of the NSEC3PARAM record.  The NSEC3PARAM record does not appear in
+  the zone immediately, but it is stored for later reference.  When
   the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
-  record will appear in the zone.
+  record appears in the zone.
   </p>
-  <p>Using the
+<p>Using the
   <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
   configured to allow dynamic updates, by adding an
   <span class="command"><strong>allow-update</strong></span> or
   <span class="command"><strong>update-policy</strong></span> statement to the zone
-  configuration. If this has not been done, the configuration will
-  fail.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.24"></a>Private-type records</h3></div></div></div>
-
-  </div>
-  <p>The state of the signing process is signaled by
-  private-type records (with a default type value of 65534). When
-  signing is complete, these records will have a nonzero value for
-  the final octet (for those records which have a nonzero initial
-  octet).</p>
-  <p>The private type record format: If the first octet is
-  non-zero then the record indicates that the zone needs to be
+  configuration. If this has not been done, the configuration
+  fails.</p>
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.24"></a>Private Type Records</h3></div></div></div></div>
+<p>The state of the signing process is signaled by
+  private type records (with a default type value of 65534). When
+  signing is complete, these records with a non-zero initial octet
+  have a non-zero value for the final octet.</p>
+<p>If the first octet of a private type record is
+  non-zero, the record indicates either that the zone needs to be
   signed with the key matching the record, or that all signatures
-  that match the record should be removed.</p>
-  <p>
+  that match the record should be removed. Here are the meanings
+  of the different values of the first octet:</p>
+<p>
     </p>
 <div class="literallayout"><p><br>
 <br>
@@ -1358,15 +1250,15 @@ options {
 </p></div>
 <p>
   </p>
-  <p>Only records flagged as "complete" can be removed via
-  dynamic update. Attempts to remove other private type records
-  will be silently ignored.</p>
-  <p>If the first octet is zero (this is a reserved algorithm
-  number that should never appear in a DNSKEY record) then the
-  record indicates changes to the NSEC3 chains are in progress. The
-  rest of the record contains an NSEC3PARAM record. The flag field
-  tells what operation to perform based on the flag bits.</p>
-  <p>
+<p>Only records flagged as "complete" can be removed via
+  dynamic update; attempts to remove other private type records
+  are silently ignored.</p>
+<p>If the first octet is zero (this is a reserved algorithm
+  number that should never appear in a DNSKEY record), the
+  record indicates that changes to the NSEC3 chains are in progress. The
+  rest of the record contains an NSEC3PARAM record, while the flag field
+  tells what operation to perform based on the flag bits:</p>
+<p>
     </p>
 <div class="literallayout"><p><br>
 <br>
@@ -1377,231 +1269,192 @@ options {
 </p></div>
 <p>
   </p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.31"></a>DNSKEY rollovers</h3></div></div></div>
-
-  </div>
-  <p>As with insecure-to-secure conversions, rolling DNSSEC
-  keys can be done in two ways: using a dynamic DNS update, or the
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.31"></a>DNSKEY Rollovers</h3></div></div></div></div>
+<p>As with insecure-to-secure conversions, DNSSEC keyrolls
+  can be done in two ways: using a dynamic DNS update, or via the
   <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.33"></a>Dynamic DNS update method</h3></div></div></div>
-
-  </div>
-  <p> To perform key rollovers via dynamic update, you need to add
-  the <code class="filename">K*</code> files for the new keys so that
-  <span class="command"><strong>named</strong></span> can find them. You can then add the new
-  DNSKEY RRs via dynamic update.
-  <span class="command"><strong>named</strong></span> will then cause the zone to be signed
-  with the new keys. When the signing is complete the private type
-  records will be updated so that the last octet is non
-  zero.</p>
-  <p>If this is for a KSK you need to inform the parent and any
-  trust anchor repositories of the new KSK.</p>
-  <p>You should then wait for the maximum TTL in the zone before
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.33"></a>Dynamic DNS Update Method</h3></div></div></div></div>
+<p> To perform key rollovers via dynamic update,
+  the <code class="filename">K*</code> files for the new keys must be added so that
+  <span class="command"><strong>named</strong></span> can find them. The new
+  DNSKEY RRs can then be added via dynamic update.
+  <span class="command"><strong>named</strong></span> then causes the zone to be signed
+  with the new keys; when the signing is complete, the private type
+  records are updated so that the last octet is non-zero.</p>
+<p>If this is for a KSK, the parent and any
+  trust anchor repositories of the new KSK must be informed.</p>
+<p>The maximum TTL in the zone must expire before
   removing the old DNSKEY. If it is a KSK that is being updated,
-  you also need to wait for the DS RRset in the parent to be
-  updated and its TTL to expire. This ensures that all clients will
-  be able to verify at least one signature when you remove the old
-  DNSKEY.</p>
-  <p>The old DNSKEY can be removed via UPDATE. Take care to
+  the DS RRset in the parent must also be
+  updated its TTL allowed to expire. This ensures that all clients
+  are able to verify at least one signature when the old DNSKEY is removed.</p>
+<p>The old DNSKEY can be removed via UPDATE, taking care to
   specify the correct key.
-  <span class="command"><strong>named</strong></span> will clean out any signatures generated
+  <span class="command"><strong>named</strong></span> cleans out any signatures generated
   by the old key after the update completes.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.38"></a>Automatic key rollovers</h3></div></div></div>
-
-  </div>
-  <p>When a new key reaches its activation date (as set by
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.38"></a>Automatic Key Rollovers</h3></div></div></div></div>
+<p>When a new key reaches its activation date (as set by
   <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
-  if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
-  <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
-  automatically carry out the key rollover.  If the key's algorithm
-  has not previously been used to sign the zone, then the zone will
-  be fully signed as quickly as possible.  However, if the new key
-  is replacing an existing key of the same algorithm, then the
-  zone will be re-signed incrementally, with signatures from the
-  old key being replaced with signatures from the new key as their
+  and if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
+  <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span>
+  automatically carries out the key rollover.  If the key's algorithm
+  has not previously been used to sign the zone, then the zone is
+  fully signed as quickly as possible.  However, if the new key
+  replaces an existing key of the same algorithm, the
+  zone is re-signed incrementally, with signatures from the
+  old key replaced with signatures from the new key as their
   signature validity periods expire.  By default, this rollover
-  completes in 30 days, after which it will be safe to remove the
+  completes in 30 days, after which it is safe to remove the
   old key from the DNSKEY RRset.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.40"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div>
-
-  </div>
-  <p>Add the new NSEC3PARAM record via dynamic update. When the
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.40"></a>NSEC3PARAM Rollovers via UPDATE</h3></div></div></div></div>
+<p>The new NSEC3PARAM record can be added via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
-  will be zero. At this point you can remove the old NSEC3PARAM
-  record. The old chain will be removed after the update request
+  is set to zero. At that point, the old NSEC3PARAM
+  record can be removed. The old chain is removed after the update request
   completes.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.42"></a>Converting from NSEC to NSEC3</h3></div></div></div>
-
-  </div>
-  <p>To do this, you just need to add an NSEC3PARAM record. When
-  the conversion is complete, the NSEC chain will have been removed
-  and the NSEC3PARAM record will have a zero flag field. The NSEC3
-  chain will be generated before the NSEC chain is
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.42"></a>Converting From NSEC to NSEC3</h3></div></div></div></div>
+<p>To do this, an NSEC3PARAM record must be added. When
+  the conversion is complete, the NSEC chain is removed
+  and the NSEC3PARAM record has a zero flag field. The NSEC3
+  chain is generated before the NSEC chain is
   destroyed.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.44"></a>Converting from NSEC3 to NSEC</h3></div></div></div>
-
-  </div>
-  <p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.44"></a>Converting From NSEC3 to NSEC</h3></div></div></div></div>
+<p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
   remove all NSEC3PARAM records with a zero flag
-  field. The NSEC chain will be generated before the NSEC3 chain is
+  field. The NSEC chain is generated before the NSEC3 chain is
   removed.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.46"></a>Converting from secure to insecure</h3></div></div></div>
-
-  </div>
-  <p>To convert a signed zone to unsigned using dynamic DNS,
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.46"></a>Converting From Secure to Insecure</h3></div></div></div></div>
+<p>To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
-  and associated NSEC3PARAM records will be removed automatically.
-  This will take place after the update request completes.</p>
-  <p> This requires the
+  and associated NSEC3PARAM records are removed automatically.
+  This takes place after the update request completes.</p>
+<p> This requires the
   <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
   <strong class="userinput"><code>yes</code></strong> in
   <code class="filename">named.conf</code>.</p>
-  <p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
+<p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
   zone statement is used, it should be removed or changed to
-  <span class="command"><strong>allow</strong></span> instead (or it will re-sign).
+  <span class="command"><strong>allow</strong></span> instead; otherwise, it will re-sign).
   </p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.50"></a>Periodic re-signing</h3></div></div></div>
-
-  </div>
-  <p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
-  will periodically re-sign RRsets which have not been re-signed as
-  a result of some update action. The signature lifetimes will be
-  adjusted so as to spread the re-sign load over time rather than
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.50"></a>Periodic Re-signing</h3></div></div></div></div>
+<p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
+  periodically re-signs RRsets which have not been re-signed as
+  a result of some update action. The signature lifetimes are
+  adjusted to spread the re-sign load over time rather than
   all at once.</p>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.52"></a>NSEC3 and OPTOUT</h3></div></div></div>
-
-  </div>
-  <p>
+<div class="section"><div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.5.10.52"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
+<p>
   <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
   state.
   <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
   records in the chain have mixed OPTOUT state.
   <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
-  state of an individual NSEC3 record, the entire chain needs to be
-  changed if the OPTOUT state of an individual NSEC3 needs to be
+  state of an individual NSEC3 record; if the OPTOUT state of an individual NSEC3 needs to be
+  changed, the entire chain must be
   changed.</p>
 </div>
-
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
-
-  <p>
+<p>
     BIND is able to maintain DNSSEC trust anchors using RFC 5011 key
     management. This feature allows <span class="command"><strong>named</strong></span> to keep track
     of changes to critical DNSSEC keys without any need for the operator to
     make changes to configuration files.
   </p>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div>
-
-    
-    <p>To configure a validating resolver to use RFC 5011 to
+<p>To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a
     <span class="command"><strong>managed-keys</strong></span> statement. Information about
     this can be found in
     <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition
             and Usage&#8221;</a>.</p>
-    
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.11.4"></a>Authoritative Server</h3></div></div></div>
-
-    <p>To set up an authoritative zone for RFC 5011 trust anchor
+<p>To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
     KSK. All KSKs which do not sign the zone are "stand-by"
     keys.</p>
-    <p>Any validating resolver which is configured to use the
-    active KSK as an RFC 5011-managed trust anchor will take note
-    of the stand-by KSKs in the zone's DNSKEY RRset, and store them
-    for future reference. The resolver will recheck the zone
-    periodically, and after 30 days, if the new key is still there,
-    then the key will be accepted by the resolver as a valid trust
-    anchor for the zone. Any time after this 30-day acceptance
+<p>Any validating resolver which is configured to use the
+    active KSK as an RFC 5011-managed trust anchor takes note
+    of the stand-by KSKs in the zone's DNSKEY RRset, and stores them
+    for future reference. The resolver rechecks the zone
+    periodically; after 30 days, if the new key is still there,
+    the key is accepted by the resolver as a valid trust
+    anchor for the zone. Anytime after this 30-day acceptance
     timer has completed, the active KSK can be revoked, and the
     zone can be "rolled over" to the newly accepted key.</p>
-    <p>The easiest way to place a stand-by key in a zone is to
+<p>The easiest way to place a stand-by key in a zone is to
     use the "smart signing" features of
     <span class="command"><strong>dnssec-keygen</strong></span> and
-    <span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication
+    <span class="command"><strong>dnssec-signzone</strong></span>. If a key exists with a publication
     date in the past, but an activation date which is unset or in
-    the future, "
-    <span class="command"><strong>dnssec-signzone -S</strong></span>" will include the DNSKEY
-    record in the zone, but will not sign with it:</p>
-    <pre class="screen">
+    the future, <span class="command"><strong>dnssec-signzone -S</strong></span> includes the DNSKEY
+    record in the zone but does not sign with it:</p>
+<pre class="screen">
 $ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
 $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
 </pre>
-    <p>To revoke a key, the new command
-    <span class="command"><strong>dnssec-revoke</strong></span> has been added. This adds the
-    REVOKED bit to the key flags and re-generates the
+<p>To revoke a key, use the command
+    <span class="command"><strong>dnssec-revoke</strong></span>. This adds the
+    REVOKED bit to the key flags and regenerates the
     <code class="filename">K*.key</code> and
     <code class="filename">K*.private</code> files.</p>
-    <p>After revoking the active key, the zone must be signed
-    with both the revoked KSK and the new active KSK. (Smart
-    signing takes care of this automatically.)</p>
-    <p>Once a key has been revoked and used to sign the DNSKEY
-    RRset in which it appears, that key will never again be
+<p>After revoking the active key, the zone must be signed
+    with both the revoked KSK and the new active KSK. Smart
+    signing takes care of this automatically.</p>
+<p>Once a key has been revoked and used to sign the DNSKEY
+    RRset in which it appears, that key is never again
     accepted as a valid trust anchor by the resolver. However,
-    validation can proceed using the new active key (which had been
-    accepted by the resolver when it was a stand-by key).</p>
-    <p>See RFC 5011 for more details on key rollover
+    validation can proceed using the new active key, which was
+    accepted by the resolver when it was a stand-by key.</p>
+<p>See RFC 5011 for more details on key rollover
     scenarios.</p>
-    <p>When a key has been revoked, its key ID changes,
-    increasing by 128, and wrapping around at 65535. So, for
+<p>When a key has been revoked, its key ID changes,
+    increasing by 128 and wrapping around at 65535. So, for
     example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
     "<code class="filename">Kexample.com.+005+10128</code>".</p>
-    <p>If two keys have IDs exactly 128 apart, and one is
-    revoked, then the two key IDs will collide, causing several
+<p>If two keys have IDs exactly 128 apart and one is
+    revoked, the two key IDs will collide, causing several
     problems. To prevent this,
-    <span class="command"><strong>dnssec-keygen</strong></span> will not generate a new key if
-    another key is present which may collide. This checking will
-    only occur if the new keys are written to the same directory
-    which holds all other keys in use for that zone.</p>
-    <p>Older versions of BIND 9 did not have this precaution.
+    <span class="command"><strong>dnssec-keygen</strong></span> does not generate a new key if
+    another key which may collide is present. This checking
+    only occurs if the new keys are written to the same directory
+    that holds all other keys in use for that zone.</p>
+<p>Older versions of BIND 9 did not have this protection.
     Exercise caution if using key revocation on keys that were
     generated by previous releases, or if using keys stored in
     multiple directories or on multiple machines.</p>
-    <p>It is expected that a future release of BIND 9 will
+<p>It is expected that a future release of BIND 9 will
     address this problem in a different way, by storing revoked
     keys with their original unrevoked key IDs.</p>
-  </div>
 </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="pkcs11"></a>PKCS#11 (Cryptoki) support</h2></div></div></div>
-
-  <p>
-    PKCS#11 (Public Key Cryptography Standard #11) defines a
+<a name="pkcs11"></a>PKCS#11 (Cryptoki) Support</h2></div></div></div>
+<p>
+    Public Key Cryptography Standard #11 (PKCS#11) defines a
     platform-independent API for the control of hardware security
     modules (HSMs) and other cryptographic support devices.
   </p>
-  <p>
+<p>
     BIND 9 is known to work with three HSMs: The AEP Keyper, which has
     been tested with Debian Linux, Solaris x86 and Windows Server 2003;
     the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
@@ -1610,13 +1463,13 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
     a software-based HSM simulator library produced by the OpenDNSSEC
     project.
   </p>
-  <p>
+<p>
     PKCS#11 makes use of a "provider library": a dynamically loadable
     library which provides a low-level PKCS#11 interface to drive the HSM
     hardware.  The PKCS#11 provider library comes from the HSM vendor, and
     it is specific to the HSM to be controlled.
   </p>
-  <p>
+<p>
     There are two available mechanisms for PKCS#11 support in BIND 9:
     OpenSSL-based PKCS#11 and native PKCS#11.  When using the first
     mechanism, BIND uses a modified version of OpenSSL, which loads
@@ -1626,21 +1479,19 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
     OpenSSL completely; BIND loads the provider library itself, and uses
     the PKCS#11 API to drive the HSM directly.
   </p>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.12.6"></a>Prerequisites</h3></div></div></div>
-
-    <p>
+<p>
       See the documentation provided by your HSM vendor for
       information about installing, initializing, testing and
       troubleshooting the HSM.
     </p>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.12.7"></a>Native PKCS#11</h3></div></div></div>
-
-    <p>
+<p>
       Native PKCS#11 mode will only work with an HSM capable of carrying
       out <span class="emphasis"><em>every</em></span> cryptographic operation BIND 9 may
       need. The HSM's provider library must have a complete implementation
@@ -1652,15 +1503,15 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
       native PKCS#11, it is expected that OpenSSL-based PKCS#11 will
       be deprecated.)
     </p>
-    <p>
+<p>
       To build BIND with native PKCS#11, configure as follows:
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>cd bind9</code></strong>
 $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
     --with-pkcs11=<em class="replaceable"><code>provider-library-path</code></em></code></strong>
     </pre>
-    <p>
+<p>
       This will cause all BIND tools, including <span class="command"><strong>named</strong></span>
       and the <span class="command"><strong>dnssec-*</strong></span> and <span class="command"><strong>pkcs11-*</strong></span>
       tools, to use the PKCS#11 provider library specified in
@@ -1670,11 +1521,10 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
       <span class="command"><strong>dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
       the <span class="command"><strong>pkcs11-*</strong></span> tools.)
     </p>
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.5.12.7.6"></a>Building SoftHSMv2</h4></div></div></div>
-
-      <p>
+<p>
 	SoftHSMv2, the latest development version of SoftHSM, is available
 	from
 	<a class="link" href="https://github.com/opendnssec/SoftHSMv2" target="_top">
@@ -1692,7 +1542,7 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
 	cryptographic functions, but when using it for native PKCS#11 in
 	BIND, OpenSSL is required.
       </p>
-      <p>
+<p>
 	By default, the SoftHSMv2 configuration file is
 	<em class="replaceable"><code>prefix</code></em>/etc/softhsm2.conf (where
 	<em class="replaceable"><code>prefix</code></em> is configured at compile time).
@@ -1700,20 +1550,19 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
 	variable.  The SoftHSMv2 cryptographic store must be installed and
 	initialized before using it with BIND.
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
 $ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
 $ <strong class="userinput"><code> make </code></strong>
 $ <strong class="userinput"><code> make install </code></strong>
 $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
       </pre>
-    </div>
-  </div>
-  <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.12.8"></a>OpenSSL-based PKCS#11</h3></div></div></div>
-
-    <p>
+<p>
       OpenSSL-based PKCS#11 mode uses a modified version of the
       OpenSSL library; stock OpenSSL does not fully support PKCS#11.
       ISC provides a patch to OpenSSL to correct this.  This patch is
@@ -1721,23 +1570,20 @@ $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token
       modified by ISC to provide new features such as PIN management and
       key-by-reference.
     </p>
-    <p>
+<p>
       There are two "flavors" of PKCS#11 support provided by
       the patched OpenSSL, one of which must be chosen at
       configuration time. The correct choice depends on the HSM
       hardware:
     </p>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
 	  Use 'crypto-accelerator' with HSMs that have hardware
 	  cryptographic acceleration features, such as the SCA 6000
 	  board. This causes OpenSSL to run all supported
 	  cryptographic operations in the HSM.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
+	</p></li>
+<li class="listitem"><p>
 	  Use 'sign-only' with HSMs that are designed to
 	  function primarily as secure key storage devices, but lack
 	  hardware acceleration. These devices are highly secure, but
@@ -1748,10 +1594,9 @@ $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token
 	  such as zone signing, and to use the system CPU for all
 	  other computationally-intensive operations. The AEP Keyper
 	  is an example of such a device.
-	</p>
-      </li>
+	</p></li>
 </ul></div>
-    <p>
+<p>
       The modified OpenSSL code is included in the BIND 9 release,
       in the form of a context diff against the latest versions of
       OpenSSL.  OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 are supported;
@@ -1759,7 +1604,7 @@ $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token
       follow, we use OpenSSL 0.9.8, but the same methods work with
       OpenSSL 1.0.0 through 1.0.2.
     </p>
-    <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
       The OpenSSL patches as of this writing (January 2016)
@@ -1769,28 +1614,27 @@ $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token
       is expected to change.
     </p>
 </div>
-    <p>
+<p>
       Before building BIND 9 with PKCS#11 support, it will be
       necessary to build OpenSSL with the patch in place, and configure
       it with the path to your HSM's PKCS#11 provider library.
     </p>
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.5.12.8.8"></a>Patching OpenSSL</h4></div></div></div>
-
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>wget <a class="link" href="" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
   </pre>
-      <p>Extract the tarball:</p>
-      <pre class="screen">
+<p>Extract the tarball:</p>
+<pre class="screen">
 $ <strong class="userinput"><code>tar zxf openssl-0.9.8zc.tar.gz</code></strong>
 </pre>
-      <p>Apply the patch from the BIND 9 release:</p>
-      <pre class="screen">
+<p>Apply the patch from the BIND 9 release:</p>
+<pre class="screen">
 $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8zc \
 	      &lt; bind9/bin/pkcs11/openssl-0.9.8zc-patch</code></strong>
 </pre>
-      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
 	The patch file may not be compatible with the
@@ -1798,93 +1642,87 @@ $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8zc \
 	install GNU patch.
       </p>
 </div>
-      <p>
+<p>
 	When building OpenSSL, place it in a non-standard
 	location so that it does not interfere with OpenSSL libraries
 	elsewhere on the system. In the following examples, we choose
 	to install into "/opt/pkcs11/usr". We will use this location
 	when we configure BIND 9.
       </p>
-      <p>
+<p>
 	Later, when building BIND 9, the location of the custom-built
 	OpenSSL library will need to be specified via configure.
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.5.12.8.9"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
-      
-
-      <p>
+<p>
 	The AEP Keyper is a highly secure key storage device,
 	but does not provide hardware cryptographic acceleration. It
 	can carry out cryptographic operations, but it is probably
 	slower than your system's CPU. Therefore, we choose the
 	'sign-only' flavor when building OpenSSL.
       </p>
-      <p>
+<p>
 	The Keyper-specific PKCS#11 provider library is
 	delivered with the Keyper software. In this example, we place
 	it /opt/pkcs11/usr/lib:
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
 </pre>
-      <p>
+<p>
 	The Keyper library requires threads, so we
 	must specify -pthread.
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
 $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
 	    --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
 	    --pk11-flavor=sign-only \
 	    --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
-      <p>
+<p>
 	After configuring, run "<span class="command"><strong>make</strong></span>"
 	and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make
 	test</strong></span>" fails with "pthread_atfork() not found", you forgot to
 	add the -pthread above.
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.5.12.8.10"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
-      
-
-      <p>
+<p>
 	The SCA-6000 PKCS#11 provider is installed as a system
 	library, libpkcs11. It is a true crypto accelerator, up to 4
 	times faster than any CPU, so the flavor shall be
 	'crypto-accelerator'.
       </p>
-      <p>
+<p>
 	In this example, we are building on Solaris x86 on an
 	AMD64 system.
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
 $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
 	    --pk11-libname=/usr/lib/64/libpkcs11.so \
 	    --pk11-flavor=crypto-accelerator \
 	    --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
-      <p>
+<p>
 	(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
       </p>
-      <p>
+<p>
 	After configuring, run
 	<span class="command"><strong>make</strong></span> and
 	<span class="command"><strong>make test</strong></span>.
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.5.12.8.11"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
-      
-
-      <p>
+<p>
 	SoftHSM (version 1) is a software library developed by the
 	OpenDNSSEC project
 	(<a class="link" href="http://www.opendnssec.org" target="_top">
@@ -1897,13 +1735,13 @@ $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
 	less secure than a true HSM, it can allow you to experiment
 	with PKCS#11 when an HSM is not available.
       </p>
-      <p>
+<p>
 	The SoftHSM cryptographic store must be installed and
 	initialized before using it with OpenSSL, and the SOFTHSM_CONF
 	environment variable must always point to the SoftHSM configuration
 	file:
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code> cd softhsm-1.3.7 </code></strong>
 $ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
 $ <strong class="userinput"><code> make </code></strong>
@@ -1912,118 +1750,111 @@ $ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf
 $ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" &gt; $SOFTHSM_CONF </code></strong>
 $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
 </pre>
-      <p>
+<p>
 	SoftHSM can perform all cryptographic operations, but
 	since it only uses your system CPU, there is no advantage to using
 	it for anything but signing.  Therefore, we choose the 'sign-only'
 	flavor when building OpenSSL.
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
 $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
 	    --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
 	    --pk11-flavor=sign-only \
 	    --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
-      <p>
+<p>
 	After configuring, run "<span class="command"><strong>make</strong></span>"
 	and "<span class="command"><strong>make test</strong></span>".
       </p>
-    </div>
-    <p>
+</div>
+<p>
       Once you have built OpenSSL, run
       "<span class="command"><strong>apps/openssl engine pkcs11</strong></span>" to confirm
       that PKCS#11 support was compiled in correctly. The output
       should be one of the following lines, depending on the flavor
       selected:
     </p>
-    <pre class="screen">
+<pre class="screen">
 	(pkcs11) PKCS #11 engine support (sign only)
 </pre>
-    <p>Or:</p>
-    <pre class="screen">
+<p>Or:</p>
+<pre class="screen">
 	(pkcs11) PKCS #11 engine support (crypto accelerator)
 </pre>
-    <p>
+<p>
       Next, run
       "<span class="command"><strong>apps/openssl engine pkcs11 -t</strong></span>". This will
       attempt to initialize the PKCS#11 engine. If it is able to
       do so successfully, it will report
       <span class="quote">&#8220;<span class="quote"><code class="literal">[ available ]</code></span>&#8221;</span>.
     </p>
-    <p>
+<p>
       If the output is correct, run
       "<span class="command"><strong>make install</strong></span>" which will install the
       modified OpenSSL suite to <code class="filename">/opt/pkcs11/usr</code>.
     </p>
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.5.12.8.18"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
-      
-
-      <p>
+<p>
 	To link with the PKCS#11 provider, threads must be
 	enabled in the BIND 9 build.
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure --enable-threads \
 	   --with-openssl=/opt/pkcs11/usr \
 	   --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
 </pre>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.5.12.8.19"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
-      
-
-      <p>
+<p>
 	To link with the PKCS#11 provider, threads must be
 	enabled in the BIND 9 build.
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
 	    --with-openssl=/opt/pkcs11/usr \
 	    --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
 </pre>
-      <p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
-      <p>
+<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
+<p>
 	If configure complains about OpenSSL not working, you
 	may have a 32/64-bit architecture mismatch. Or, you may have
 	incorrectly specified the path to OpenSSL (it should be the
 	same as the --prefix argument to the OpenSSL
 	Configure).
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.5.12.8.20"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
-      
-
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure --enable-threads \
 	   --with-openssl=/opt/pkcs11/usr \
 	   --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
 </pre>
-    </div>
-    <p>
+</div>
+<p>
       After configuring, run
       "<span class="command"><strong>make</strong></span>",
       "<span class="command"><strong>make test</strong></span>" and
       "<span class="command"><strong>make install</strong></span>".
     </p>
-    <p>
+<p>
       (Note: If "make test" fails in the "pkcs11" system test, you may
       have forgotten to set the SOFTHSM_CONF environment variable.)
     </p>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.12.9"></a>PKCS#11 Tools</h3></div></div></div>
-
-    <p>
+<p>
       BIND 9 includes a minimal set of tools to operate the
       HSM, including
       <span class="command"><strong>pkcs11-keygen</strong></span> to generate a new key pair
@@ -2033,7 +1864,7 @@ $ <strong class="userinput"><code>./configure --enable-threads \
       <span class="command"><strong>pkcs11-destroy</strong></span> to remove objects, and
       <span class="command"><strong>pkcs11-tokens</strong></span> to list available tokens.
     </p>
-    <p>
+<p>
       In UNIX/Linux builds, these tools are built only if BIND
       9 is configured with the --with-pkcs11 option. (Note: If
       --with-pkcs11 is set to "yes", rather than to the path of the
@@ -2042,25 +1873,24 @@ $ <strong class="userinput"><code>./configure --enable-threads \
       PKCS11_PROVIDER environment variable to specify the path to the
       provider.)
     </p>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.12.10"></a>Using the HSM</h3></div></div></div>
-
-    <p>
+<p>
       For OpenSSL-based PKCS#11, we must first set up the runtime
       environment so the OpenSSL and PKCS#11 libraries can be loaded:
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
 </pre>
-    <p>
+<p>
       This causes <span class="command"><strong>named</strong></span> and other binaries to load
       the OpenSSL library from <code class="filename">/opt/pkcs11/usr/lib</code>
       rather than from the default location.  This step is not necessary
       when using native PKCS#11.
     </p>
-    <p>
+<p>
       Some HSMs require other environment variables to be set.
       For example, when operating an AEP Keyper, it is necessary to
       specify the location of the "machine" file, which stores
@@ -2069,10 +1899,10 @@ $ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${L
       <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
       use:
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
 </pre>
-    <p>
+<p>
       Such environment variables must be set whenever running
       any tool that uses the HSM, including
       <span class="command"><strong>pkcs11-keygen</strong></span>,
@@ -2083,31 +1913,31 @@ $ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11P
       <span class="command"><strong>dnssec-keygen</strong></span>, and
       <span class="command"><strong>named</strong></span>.
     </p>
-    <p>
+<p>
       We can now create and use keys in the HSM. In this case,
       we will create a 2048 bit key and give it the label
       "sample-ksk":
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
 </pre>
-    <p>To confirm that the key exists:</p>
-    <pre class="screen">
+<p>To confirm that the key exists:</p>
+<pre class="screen">
 $ <strong class="userinput"><code>pkcs11-list</code></strong>
 Enter PIN:
 object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
 object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
 </pre>
-    <p>
+<p>
       Before using this key to sign a zone, we must create a
       pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
       does this. In this case, we will be using the HSM key
       "sample-ksk" as the key-signing key for "example.net":
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
 </pre>
-    <p>
+<p>
       The resulting K*.key and K*.private files can now be used
       to sign the zone. Unlike normal K* files, which contain both
       public and private key data, these files will contain only the
@@ -2115,31 +1945,31 @@ $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK examp
       remains stored within the HSM. Signing with the private key takes
       place inside the HSM.
     </p>
-    <p>
+<p>
       If you wish to generate a second key in the HSM for use
       as a zone-signing key, follow the same procedure above, using a
       different keylabel, a smaller key size, and omitting "-f KSK"
       from the dnssec-keyfromlabel arguments:
     </p>
-    <p>
+<p>
       (Note: When using OpenSSL-based PKCS#11 the label is an arbitrary
       string which identifies the key.  With native PKCS#11, the label is
       a PKCS#11 URI string which may include other details about the key
       and the HSM, including its PIN. See
       <a class="xref" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
 $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
 </pre>
-    <p>
+<p>
       Alternatively, you may prefer to generate a conventional
       on-disk key, using dnssec-keygen:
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
 </pre>
-    <p>
+<p>
       This provides less security than an HSM key, but since
       HSMs can be slow or cumbersome to use for security reasons, it
       may be more efficient to reserve HSM keys for use in the less
@@ -2149,13 +1979,13 @@ $ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
       there is no speed advantage to using on-disk keys, as cryptographic
       operations will be done by the HSM regardless.)
     </p>
-    <p>
+<p>
       Now you can sign the zone. (Note: If not using the -S
       option to <span class="command"><strong>dnssec-signzone</strong></span>, it will be
       necessary to add the contents of both <code class="filename">K*.key</code>
       files to the zone master file before signing it.)
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
 Enter PIN:
 Verifying the zone using the following algorithms:
@@ -2164,12 +1994,11 @@ Zone signing complete:
 Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
 example.net.signed
 </pre>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.12.11"></a>Specifying the engine on the command line</h3></div></div></div>
-
-    <p>
+<p>
       When using OpenSSL-based PKCS#11, the "engine" to be used by
       OpenSSL can be specified in <span class="command"><strong>named</strong></span> and all of
       the BIND <span class="command"><strong>dnssec-*</strong></span> tools by using the "-E
@@ -2179,30 +2008,29 @@ example.net.signed
       for some reason you wish to use a different OpenSSL
       engine.
     </p>
-    <p>
+<p>
       If you wish to disable use of the "pkcs11" engine &#8212;
       for troubleshooting purposes, or because the HSM is unavailable
       &#8212; set the engine to the empty string. For example:
     </p>
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
 </pre>
-    <p>
+<p>
       This causes
       <span class="command"><strong>dnssec-signzone</strong></span> to run as if it were compiled
       without the --with-pkcs11 option.
     </p>
-    <p>
+<p>
       When built with native PKCS#11 mode, the "engine" option has a
       different meaning: it specifies the path to the PKCS#11 provider
       library.  This may be useful when testing a new provider library.
     </p>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.12.12"></a>Running named with automatic zone re-signing</h3></div></div></div>
-
-    <p>
+<p>
       If you want <span class="command"><strong>named</strong></span> to dynamically re-sign zones
       using HSM keys, and/or to to sign new records inserted via nsupdate,
       then <span class="command"><strong>named</strong></span> must have access to the HSM PIN. In OpenSSL-based PKCS#11,
@@ -2210,13 +2038,13 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
       (in the above examples,
       <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).
     </p>
-    <p>
+<p>
       The location of the openssl.cnf file can be overridden by
       setting the OPENSSL_CONF environment variable before running
       <span class="command"><strong>named</strong></span>.
     </p>
-    <p>Sample openssl.cnf:</p>
-    <pre class="programlisting">
+<p>Sample openssl.cnf:</p>
+<pre class="programlisting">
 	openssl_conf = openssl_def
 	[ openssl_def ]
 	engines = engine_section
@@ -2225,110 +2053,105 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
 	[ pkcs11_section ]
 	PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
 </pre>
-    <p>
+<p>
       This will also allow the dnssec-* tools to access the HSM
       without PIN entry. (The pkcs11-* tools access the HSM directly,
       not via OpenSSL, so a PIN will still be required to use
       them.)
     </p>
-    <p>
+<p>
       In native PKCS#11 mode, the PIN can be provided in a file specified
       as an attribute of the key's label.  For example, if a key had the label
       <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin</code></strong>,
       then the PIN would be read from the file
       <code class="filename">/etc/hsmpin</code>.
     </p>
-    <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-      <p>
+<p>
 	Placing the HSM's PIN in a text file in this manner may reduce the
 	security advantage of using an HSM. Be sure this is what you want to
 	do before configuring the system in this way.
       </p>
-    </div>
-  </div>
 </div>
-
-    <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dlz-info"></a>DLZ (Dynamically Loadable Zones)</h2></div></div></div>
-
-  <p>
-    DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
+<p>
+    Dynamically Loadable Zones (DLZ) are an extension to BIND 9 that allows
     zone data to be retrieved directly from an external database.  There is
     no required format or schema.  DLZ drivers exist for several different
-    database backends including PostgreSQL, MySQL, and LDAP and can be
+    database backends, including PostgreSQL, MySQL, and LDAP, and can be
     written for any other.
   </p>
-  <p>
+<p>
     Historically, DLZ drivers had to be statically linked with the <span class="command"><strong>named</strong></span>
     binary and were turned on via a configure option at compile time (for
-    example, <strong class="userinput"><code>"configure --with-dlz-ldap"</code></strong>).
-    Currently, the drivers provided in the BIND 9 tarball in
+    example, <strong class="userinput"><code>configure --with-dlz-ldap</code></strong>).
+    The drivers provided in the BIND 9 tarball in
     <code class="filename">contrib/dlz/drivers</code> are still linked this
     way.
   </p>
-  <p>
+<p>
     In BIND 9.8 and higher, it is possible to link some DLZ modules
     dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
     generic wrapper around a shared object implementing the DLZ API.  The
     "dlopen" driver is linked into <span class="command"><strong>named</strong></span> by default, so configure options
-    are no longer necessary when using these dynamically linkable drivers,
-    but are still needed for the older drivers in
+    are no longer necessary when using these dynamically linkable drivers;
+    they are still needed for the older drivers in
     <code class="filename">contrib/dlz/drivers</code>.
   </p>
-
-  <p>
-    When the DLZ module provides data to <span class="command"><strong>named</strong></span>, it does so in text format.
-    The response is converted to DNS wire format by <span class="command"><strong>named</strong></span>.  This
+<p>
+    The DLZ module provides data to <span class="command"><strong>named</strong></span> in text format,
+    which is then converted to DNS wire format by <span class="command"><strong>named</strong></span>.  This
     conversion, and the lack of any internal caching, places significant
     limits on the query performance of DLZ modules.  Consequently, DLZ is
     not recommended for use on high-volume servers.  However, it can be
-    used in a hidden master configuration, with slaves retrieving zone
-    updates via AXFR.  (Note, however, that DLZ has no built-in support for
-    DNS notify; slaves are not automatically informed of changes to the
-    zones in the database.)
+    used in a hidden primary configuration, with secondaries retrieving zone
+    updates via AXFR.  Note, however, that DLZ has no built-in support for
+    DNS notify; secondary servers are not automatically informed of changes to the
+    zones in the database.
   </p>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.13.6"></a>Configuring DLZ</h3></div></div></div>
-
-    <p>
+<p>
       A DLZ database is configured with a <span class="command"><strong>dlz</strong></span>
       statement in <code class="filename">named.conf</code>:
     </p>
-    <pre class="screen">
+<pre class="screen">
     dlz example {
 	database "dlopen driver.so <code class="option">args</code>";
 	search yes;
     };
     </pre>
-    <p>
+<p>
       This specifies a DLZ module to search when answering queries; the
       module is implemented in <code class="filename">driver.so</code> and is
       loaded at runtime by the dlopen DLZ driver.  Multiple
       <span class="command"><strong>dlz</strong></span> statements can be specified; when
       answering a query, all DLZ modules with <code class="option">search</code>
-      set to <code class="literal">yes</code> will be queried to find out if
-      they contain an answer for the query name; the best available
-      answer will be returned to the client.
+      set to <code class="literal">yes</code> are queried to see whether
+      they contain an answer for the query name. The best available
+      answer is returned to the client.
     </p>
-    <p>
+<p>
       The <code class="option">search</code> option in the above example can be
       omitted, because <code class="literal">yes</code> is the default value.
     </p>
-    <p>
+<p>
       If <code class="option">search</code> is set to <code class="literal">no</code>, then
       this DLZ module is <span class="emphasis"><em>not</em></span> searched for the best
       match when a query is received.  Instead, zones in this DLZ must be
-      separately specified in a zone statement.  This allows you to
-      configure a zone normally using standard zone option semantics,
-      but specify a different database back-end for storage of the
+      separately specified in a zone statement.  This allows users to
+      configure a zone normally using standard zone-option semantics,
+      but specify a different database backend for storage of the
       zone's data.  For example, to implement NXDOMAIN redirection using
-      a DLZ module for back-end storage of redirection rules:
+      a DLZ module for backend storage of redirection rules:
     </p>
-    <pre class="screen">
+<pre class="screen">
     dlz other {
 	database "dlopen driver.so <code class="option">args</code>";
 	search no;
@@ -2339,65 +2162,62 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
 	dlz other;
     };
     </pre>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.13.7"></a>Sample DLZ Driver</h3></div></div></div>
-
-    <p>
-      For guidance in implementation of DLZ modules, the directory
+<p>
+      For guidance in the implementation of DLZ modules, the directory
       <code class="filename">contrib/dlz/example</code> contains a basic
-      dynamically-linkable DLZ module--i.e., one which can be
+      dynamically linkable DLZ module - i.e., one which can be
       loaded at runtime by the "dlopen" DLZ driver.
       The example sets up a single zone, whose name is passed
       to the module as an argument in the <span class="command"><strong>dlz</strong></span>
       statement:
     </p>
-    <pre class="screen">
+<pre class="screen">
     dlz other {
 	database "dlopen driver.so example.nil";
     };
     </pre>
-    <p>
+<p>
       In the above example, the module is configured to create a zone
-      "example.nil", which can answer queries and AXFR requests, and
+      "example.nil", which can answer queries and AXFR requests and
       accept DDNS updates.  At runtime, prior to any updates, the zone
       contains an SOA, NS, and a single A record at the apex:
     </p>
-    <pre class="screen">
+<pre class="screen">
  example.nil.  3600    IN      SOA     example.nil. hostmaster.example.nil. (
 					       123 900 600 86400 3600
 				       )
  example.nil.  3600    IN      NS      example.nil.
  example.nil.  1800    IN      A       10.53.0.1
     </pre>
-    <p>
-      The sample driver is capable of retrieving information about the
-      querying client, and altering its response on the basis of this
+<p>
+      The sample driver can retrieve information about the
+      querying client and alter its response on the basis of this
       information.  To demonstrate this feature, the example driver
       responds to queries for "source-addr.<code class="option">zonename</code>&gt;/TXT"
       with the source address of the query.  Note, however, that this
-      record will *not* be included in AXFR or ANY responses.  Normally,
-      this feature would be used to alter responses in some other fashion,
+      record will <span class="emphasis"><em>not</em></span> be included in AXFR or ANY responses.  Normally,
+      this feature is used to alter responses in some other fashion,
       e.g., by providing different address records for a particular name
       depending on the network from which the query arrived.
     </p>
-    <p>
+<p>
       Documentation of the DLZ module API can be found in
       <code class="filename">contrib/dlz/example/README</code>.  This directory also
       contains the header file <code class="filename">dlz_minimal.h</code>, which
-      defines the API and should be included by any dynamically-linkable
+      defines the API and should be included by any dynamically linkable
       DLZ module.
     </p>
-  </div>
 </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dyndb-info"></a>DynDB (Dynamic Database)</h2></div></div></div>
-
-  <p>
-    DynDB is an extension to BIND 9 which, like DLZ
+<a name="dyndb-info"></a>Dynamic Database (DynDB)</h2></div></div></div>
+<p>
+    Dynamic Database, or DynDB, is an extension to BIND 9 which, like DLZ
     (see <a class="xref" href="Bv9ARM.ch04.html#dlz-info" title="DLZ (Dynamically Loadable Zones)">the section called &#8220;DLZ (Dynamically Loadable Zones)&#8221;</a>), allows zone data to be
     retrieved from an external database.  Unlike DLZ, a DynDB module
     provides a full-featured BIND zone database interface.  Where
@@ -2408,182 +2228,171 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
     data source, providing the same performance and functionality
     as zones served natively by BIND.
   </p>
-  <p>
+<p>
     A DynDB module supporting LDAP has been created by Red Hat
     and is available from
-    <a class="link" href="https://fedorahosted.org/bind-dyndb-ldap/" target="_top">https://fedorahosted.org/bind-dyndb-ldap/</a>.
+    <a class="link" href="https://pagure.io/bind-dyndb-ldap" target="_top">https://pagure.io/bind-dyndb-ldap</a>.
   </p>
-  <p>
+<p>
     A sample DynDB module for testing and developer guidance
     is included with the BIND source code, in the directory
     <code class="filename">bin/tests/system/dyndb/driver</code>.
   </p>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.14.5"></a>Configuring DynDB</h3></div></div></div>
-
-    <p>
+<p>
       A DynDB database is configured with a <span class="command"><strong>dyndb</strong></span>
       statement in <code class="filename">named.conf</code>:
     </p>
-    <pre class="screen">
+<pre class="screen">
     dyndb example "driver.so" {
         <em class="replaceable"><code>parameters</code></em>
     };
     </pre>
-    <p>
+<p>
       The file <code class="filename">driver.so</code> is a DynDB module which
       implements the full DNS database API.  Multiple
       <span class="command"><strong>dyndb</strong></span> statements can be specified, to load
       different drivers or multiple instances of the same driver.
       Zones provided by a DynDB module are added to the view's zone
       table, and are treated as normal authoritative zones when BIND
-      is responding to queries.  Zone configuration is handled internally
+      responds to queries.  Zone configuration is handled internally
       by the DynDB module.
     </p>
-    <p>
+<p>
       The <em class="replaceable"><code>parameters</code></em> are passed as an opaque
       string to the DynDB module's initialization routine. Configuration
-      syntax will differ depending on the driver.
+      syntax differs depending on the driver.
     </p>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.14.6"></a>Sample DynDB Module</h3></div></div></div>
-
-    <p>
-      For guidance in implementation of DynDB modules, the directory
-      <code class="filename">bin/tests/system/dyndb/driver</code>.
+<p>
+      For guidance in the implementation of DynDB modules, the directory
+      <code class="filename">bin/tests/system/dyndb/driver</code>
       contains a basic DynDB module.
       The example sets up two zones, whose names are passed
       to the module as arguments in the <span class="command"><strong>dyndb</strong></span>
       statement:
     </p>
-    <pre class="screen">
+<pre class="screen">
     dyndb sample "sample.so" { example.nil. arpa. };
     </pre>
-    <p>
-      In the above example, the module is configured to create a zone
+<p>
+      In the above example, the module is configured to create a zone,
       "example.nil", which can answer queries and AXFR requests, and
       accept DDNS updates.  At runtime, prior to any updates, the zone
       contains an SOA, NS, and a single A record at the apex:
     </p>
-    <pre class="screen">
+<pre class="screen">
  example.nil.  86400    IN      SOA     example.nil. example.nil. (
                                                0 28800 7200 604800 86400
                                        )
  example.nil.  86400    IN      NS      example.nil.
  example.nil.  86400    IN      A       127.0.0.1
     </pre>
-    <p>
-      When the zone is updated dynamically, the DynDB module will determine
-      whether the updated RR is an address (i.e., type A or AAAA) and if
-      so, it will automatically update the corresponding PTR record in a
-      reverse zone.  (Updates are not stored permanently; all updates are
-      lost when the server is restarted.)
-    </p>
-  </div>
+<p>
+      When the zone is updated dynamically, the DynDB module determines
+      whether the updated RR is an address (i.e., type A or AAAA); if
+      so, it automatically updates the corresponding PTR record in a
+      reverse zone.  Note that updates are not stored permanently; all updates are
+      lost when the server is restarted.
+    </p>
 </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="catz-info"></a>Catalog Zones</h2></div></div></div>
-
-  <p>
+<p>
     A "catalog zone" is a special DNS zone that contains a list of
     other zones to be served, along with their configuration parameters.
-    Zones listed in a catalog zone are called "member zones".
-    When a catalog zone is loaded or transferred to a slave server
-    which supports this functionality, the slave server will create
+    Zones listed in a catalog zone are called "member zones."
+    When a catalog zone is loaded or transferred to a secondary server
+    which supports this functionality, the secondary server creates
     the member zones automatically. When the catalog zone is updated
     (for example, to add or delete member zones, or change
-    their configuration parameters) those changes are immediately put
+    their configuration parameters), those changes are immediately put
     into effect. Because the catalog zone is a normal DNS zone, these
     configuration changes can be propagated using the standard AXFR/IXFR
     zone transfer mechanism.
   </p>
-  <p>
-    Catalog zones' format and behavior are specified as an internet draft
-    for interoperability among DNS implementations.  As of this release, the
+<p>
+    Catalog zones' format and behavior are specified as an Internet draft
+    for interoperability among DNS implementations.  The
     latest revision of the DNS catalog zones draft can be found here:
-    https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/
+    https://datatracker.ietf.org/doc/draft-toorop-dnsop-dns-catalog-zones/.
   </p>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.15.4"></a>Principle of Operation</h3></div></div></div>
-    <p>
-      Normally, if a zone is to be served by a slave server, the
+<p>
+      Normally, if a zone is to be served by a secondary server, the
       <code class="filename">named.conf</code> file on the server must list the
       zone, or the zone must be added using <span class="command"><strong>rndc addzone</strong></span>.
-      In environments with a large number of slave servers and/or where
+      In environments with a large number of secondary servers, and/or where
       the zones being served are changing frequently, the overhead involved
-      in maintaining consistent zone configuration on all the slave
+      in maintaining consistent zone configuration on all the secondary
       servers can be significant.
     </p>
-    <p>
-      A catalog zone is a way to ease this administrative burden.  It is a
-      DNS zone that lists member zones that should be served by slave servers.
-      When a slave server receives an update to the catalog zone, it adds,
+<p>
+      A catalog zone is a way to ease this administrative burden: it is a
+      DNS zone that lists member zones that should be served by secondary servers.
+      When a secondary server receives an update to the catalog zone, it adds,
       removes, or reconfigures member zones based on the data received.
     </p>
-    <p>
-      To use a catalog zone, it must first be set up as a normal zone on
-      the master and the on slave servers that will be configured to use
+<p>
+      To use a catalog zone, it must first be set up as a normal zone on both
+      the primary and secondary servers that are configured to use
       it.  It must also be added to a <code class="option">catalog-zones</code> list
       in the <code class="option">options</code> or <code class="option">view</code> statement
-      in <code class="filename">named.conf</code>.  (This is comparable to the way
+      in <code class="filename">named.conf</code>.  This is comparable to the way
       a policy zone is configured as a normal zone and also listed in
-      a <code class="option">response-policy</code> statement.)
+      a <code class="option">response-policy</code> statement.
     </p>
-    <p>
+<p>
       To use the catalog zone feature to serve a new member zone:
       </p>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-          <p>
-	    Set up the the member zone to be served on the master as normal.
-	    This could be done by editing <code class="filename">named.conf</code>,
+<li class="listitem"><p>
+	    Set up the the member zone to be served on the primary as normal.
+	    This can be done by editing <code class="filename">named.conf</code>
 	    or by running <span class="command"><strong>rndc addzone</strong></span>.
-          </p>
-        </li>
-<li class="listitem">
-          <p>
+          </p></li>
+<li class="listitem"><p>
             Add an entry to the catalog zone for the new member zone.
-	    This could be done by editing the catalog zone's master file
+	    This can be done by editing the catalog zone's zone file
 	    and running <span class="command"><strong>rndc reload</strong></span>, or by updating
 	    the zone using <span class="command"><strong>nsupdate</strong></span>.
-          </p>
-        </li>
+          </p></li>
 </ul></div>
 <p>
-      The change to the catalog zone will be propagated from the master to all
-      slaves using the normal AXFR/IXFR mechanism.  When the slave receives the
-      update to the catalog zone, it will detect the entry for the new member
-      zone, create an instance of of that zone on the slave server, and point
+      The change to the catalog zone is propagated from the primary to all
+      secondaries using the normal AXFR/IXFR mechanism.  When the secondary receives the
+      update to the catalog zone, it detects the entry for the new member
+      zone, creates an instance of that zone on the secondary server, and points
       that instance to the <code class="option">masters</code> specified in the catalog
-      zone data. The newly created member zone is a normal slave zone, so
-      BIND will immediately initiate a transfer of zone contents from the
-      master.  Once complete, the slave will start serving the member zone.
-    </p>
-    <p>
-      Removing a member zone from a slave server requires nothing more than
-      deleting the member zone's entry in the catalog zone. The change to the
-      catalog zone is propagated to the slave server using the normal AXFR/IXFR
-      transfer mechanism.  The slave server, on processing the update, will
-      notice that the member zone has been removed.  It will stop serving the
-      zone and remove it from its list of configured zones.  (Removing the
-      member zone from the master server has to be done in the normal way,
+      zone data. The newly created member zone is a normal secondary zone, so
+      BIND immediately initiates a transfer of zone contents from the
+      primary.  Once complete, the secondary starts serving the member zone.
+    </p>
+<p>
+      Removing a member zone from a secondary server requires only
+      deleting the member zone's entry in the catalog zone; the change to the
+      catalog zone is propagated to the secondary server using the normal AXFR/IXFR
+      transfer mechanism.  The secondary server, on processing the update,
+      notices that the member zone has been removed, stops serving the
+      zone, and removes it from its list of configured zones. However, removing the
+      member zone from the primary server must be done
       by editing the configuration file or running
       <span class="command"><strong>rndc delzone</strong></span>.)
     </p>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.15.5"></a>Configuring Catalog Zones</h3></div></div></div>
-    <p>
+<p>
       Catalog zones are configured with a <span class="command"><strong>catalog-zones</strong></span>
       statement in the <code class="literal">options</code> or <code class="literal">view</code>
       section of <code class="filename">named.conf</code>. For example,
@@ -2597,65 +2406,64 @@ catalog-zones {
 	     min-update-interval 10;
 };
 </pre>
-    <p>
+<p>
       This statement specifies that the zone
       <code class="literal">catalog.example</code> is a catalog zone. This zone must be
       properly configured in the same view. In most configurations, it would
-      be a slave zone.
+      be a secondary zone.
     </p>
-    <p>
+<p>
       The options following the zone name are not required, and may be
       specified in any order:
     </p>
-    <p>
-      The <code class="option">default-masters</code> option defines the default masters
-      for member zones listed in a catalog zone. This can be overridden by
+<p>
+      The <code class="option">default-masters</code> option defines the default primaries
+      for member zones listed in a catalog zone, and can be overridden by
       options within a catalog zone. If no such options are included, then
-      member zones will transfer their contents from the servers listed in
+      member zones transfer their contents from the servers listed in
       this option.
     </p>
-    <p>
+<p>
       The <code class="option">in-memory</code> option, if set to <code class="literal">yes</code>,
       causes member zones to be stored only in memory. This is functionally
-      equivalent to configuring a slave zone without a <code class="option">file</code>.
+      equivalent to configuring a secondary zone without a <code class="option">file</code>
       option.  The default is <code class="literal">no</code>; member zones' content
-      will be stored locally in a file whose name is automatically generated
+      is stored locally in a file whose name is automatically generated
       from the view name, catalog zone name, and member zone name.
     </p>
-    <p>
+<p>
       The <code class="option">zone-directory</code> option causes local copies of
-      member zones' master files (if <code class="option">in-memory</code> is not set
-      to <code class="literal">yes</code>) to be stored in the specified directory.
+      member zones' zone files to be stored in the specified directory,
+      if <code class="option">in-memory</code> is not set to <code class="literal">yes</code>.
       The default is to store zone files in the server's working directory.
       A non-absolute pathname in <code class="option">zone-directory</code> is
       assumed to be relative to the working directory.
     </p>
-    <p>
+<p>
       The <code class="option">min-update-interval</code> option sets the minimum
       interval between processing of updates to catalog zones, in seconds.
       If an update to a catalog zone (for example, via IXFR) happens less
       than <code class="option">min-update-interval</code> seconds after the most
-      recent update, then the changes will not be carried out until this
+      recent update, the changes are not carried out until this
       interval has elapsed.  The default is <code class="literal">5</code> seconds.
     </p>
-    <p>
+<p>
       Catalog zones are defined on a per-view basis. Configuring a non-empty
-      <code class="option">catalog-zones</code> statement in a view will automatically
-      turn on <code class="option">allow-new-zones</code> for that view. (Note: this
-      means <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>
-      will also work in any view that supports catalog zones.)
+      <code class="option">catalog-zones</code> statement in a view automatically
+      turns on <code class="option">allow-new-zones</code> for that view. This
+      means that <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>
+      also work in any view that supports catalog zones.
     </p>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.15.6"></a>Catalog Zone format</h3></div></div></div>
-    <p>
-      A catalog zone is a regular DNS zone; therefore, it has to have a
+<a name="id-1.5.15.6"></a>Catalog Zone Format</h3></div></div></div>
+<p>
+      A catalog zone is a regular DNS zone; therefore, it must have a
       single <code class="literal">SOA</code> and at least one <code class="literal">NS</code>
       record.
     </p>
-    <p>
+<p>
       A record stating the version of the catalog zone format is
       also required. If the version number listed is not supported by
       the server, then a catalog zone may not be used by that server.
@@ -2665,67 +2473,67 @@ catalog.example.    IN SOA . . 2016022901 900 600 86400 1
 catalog.example.    IN NS nsexample.
 version.catalog.example.    IN TXT "1"
 </pre>
-    <p>
+<p>
       Note that this record must have the domain name
-      version.<em class="replaceable"><code>catalog-zone-name</code></em>.  This illustrates
-      how the meaning of data stored in a catalog zone is indicated by the
+      "version.<em class="replaceable"><code>catalog-zone-name</code></em>".
+      The data stored in a catalog zone is indicated by the
       the domain name label immediately before the catalog zone domain.
     </p>
-    <p>
+<p>
       Catalog zone options can be set either globally for the whole catalog
       zone or for a single member zone. Global options override the settings
-      in the configuration file and member zone options override global
+      in the configuration file, and member zone options override global
       options.
     </p>
-    <p>
+<p>
       Global options are set at the apex of the catalog zone, e.g.:
 </p>
 <pre class="screen">
  masters.catalog.example.    IN AAAA 2001:db8::1
 </pre>
-    <p>BIND currently supports the following options:</p>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<p>BIND currently supports the following options:</p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>A simple <code class="option">masters</code> definition:</p>
-	<pre class="screen">
+<p>A simple <code class="option">masters</code> definition:</p>
+<pre class="screen">
 	 masters.catalog.example.    IN A 192.0.2.1
 	</pre>
-	<p>
-	  This option defines a master server for the member zones - it
-	  can be either an A or AAAA record. If multiple masters are set the
+<p>
+	  This option defines a primary server for the member zones, which
+	  can be either an A or AAAA record. If multiple primaries are set, the
 	  order in which they are used is random.
 	</p>
-      </li>
+</li>
 <li class="listitem">
-        <p>A <code class="option">masters</code> with a TSIG key defined:</p>
-        <pre class="screen">
+<p>A <code class="option">masters</code> with a TSIG key defined:</p>
+<pre class="screen">
          label.masters.catalog.example.     IN A 192.0.2.2
          label.masters.catalog.example.	    IN TXT "tsig_key_name"
         </pre>
-        <p>
-         This option defines a master server for the member zone with a TSIG
+<p>
+         This option defines a primary server for the member zone with a TSIG
          key set. The TSIG key must be configured in the configuration file.
          <code class="option">label</code> can be any valid DNS label.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p><code class="option">allow-query</code> and
+<p><code class="option">allow-query</code> and
         <code class="option">allow-transfer</code> ACLs:</p>
-        <pre class="screen">
+<pre class="screen">
          allow-query.catalog.example.	IN APL 1:10.0.0.1/24
          allow-transfer.catalog.example.	IN APL !1:10.0.0.1/32 1:10.0.0.0/24
         </pre>
-        <p>
+<p>
           These options are the equivalents of <code class="option">allow-query</code>
           and <code class="option">allow-transfer</code> in a zone declaration in the
           <code class="filename">named.conf</code> configuration file. The ACL is
-          processed in order - if there's no match to any rule the default
-          policy is to deny access.  For the syntax of the APL RR see RFC
-          3123
+          processed in order; if there is no match to any rule, the default
+          policy is to deny access.  For the syntax of the APL RR, see RFC
+          3123.
         </p>
-      </li>
+</li>
 </ul></div>
-    <p>
+<p>
       A member zone is added by including a <code class="literal">PTR</code>
       resource record in the <code class="literal">zones</code> sub-domain of the
       catalog zone. The record label is a <code class="literal">SHA-1</code> hash
@@ -2736,7 +2544,7 @@ version.catalog.example.    IN TXT "1"
 <pre class="screen">
 5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN PTR domain.example.
 </pre>
-    <p>
+<p>
       The hash is necessary to identify options for a specific member
       zone. The member zone-specific options are defined the same way as
       global options, but in the member zone subdomain:
@@ -2747,33 +2555,31 @@ label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN
 label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN TXT "tsig_key"
 allow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN APL 1:10.0.0.0/24
 </pre>
-    <p>
-      As would be expected, options defined for a specific zone override
+<p>
+      Options defined for a specific zone override
       the global options defined in the catalog zone. These in turn override
       the global options defined in the <code class="literal">catalog-zones</code>
       statement in the configuration file.
     </p>
-    <p>
-      (Note that none of the global records an option will be inherited if
+<p>
+      Note that none of the global records for an option are inherited if
       any records are defined for that option for the specific zone.  For
       example, if the zone had a <code class="literal">masters</code> record of type
-      A but not AAAA, then it would <span class="emphasis"><em>not</em></span> inherit the
-      type AAAA record from the global option.)
+      A but not AAAA, it would <span class="emphasis"><em>not</em></span> inherit the
+      type AAAA record from the global option.
     </p>
-  </div>
 </div>
-
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="ipv6"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
-      <p>
+<p>
         <acronym class="acronym">BIND</acronym> 9 fully supports all currently
-        defined forms of IPv6 name to address and address to name
-        lookups.  It will also use IPv6 addresses to make queries when
-        running on an IPv6 capable system.
+        defined forms of IPv6 name-to-address and address-to-name
+        lookups.  It also uses IPv6 addresses to make queries when
+        running on an IPv6-capable system.
       </p>
-
-      <p>
+<p>
         For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
         only AAAA records.  RFC 3363 deprecated the use of A6 records,
         and client-side support for A6 records was accordingly removed
@@ -2783,8 +2589,7 @@ allow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN A
         for A6 records, and accept zone transfer for a zone containing A6
         records.
       </p>
-
-      <p>
+<p>
         For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
         the traditional "nibble" format used in the
         <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
@@ -2794,62 +2599,54 @@ allow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN A
         but support of binary labels has been completely removed per
         RFC 3363.
         Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
-        the binary label format at all any more, and will return an
-        error if given.
+        the binary label format at all anymore, and return an
+        error if one is given.
         In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
         name server will not load a zone file containing binary labels.
       </p>
-
-      <p>
+<p>
         For an overview of the format and structure of IPv6 addresses,
         see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
       </p>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.5.16.6"></a>Address Lookups Using AAAA Records</h3></div></div></div>
-
-        <p>
+<p>
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
-          IPv6 address in a single record.  For example,
+          IPv6 address in a single record.  For example:
         </p>
-
 <pre class="programlisting">
 $ORIGIN example.com.
 host            3600    IN      AAAA    2001:db8::1
 </pre>
-
-        <p>
+<p>
           Use of IPv4-in-IPv6 mapped addresses is not recommended.
           If a host has an IPv4 address, use an A record, not
           a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
           the address.
         </p>
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.16.7"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
-
-        <p>
+<a name="id-1.5.16.7"></a>Address-to-Name Lookups Using Nibble Format</h3></div></div></div>
+<p>
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
           <code class="literal">ip6.arpa.</code> is appended to the
           resulting name.
           For example, the following would provide reverse name lookup for
           a host with address
-          <code class="literal">2001:db8::1</code>.
+          <code class="literal">2001:db8::1</code>:
         </p>
-
 <pre class="programlisting">
 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
                                     host.example.com. )
 </pre>
-
-      </div>
-    </div>
-  </div>
+</div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -2867,6 +2664,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch05.html b/bind/bind9/doc/arm/Bv9ARM.ch05.html
index 105229c2..e394bb3e 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch05.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch05.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 5. The BIND 9 Lightweight Resolver</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
@@ -40,46 +40,42 @@
 <dt><span class="section"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl>
 </div>
-
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="lightweight_resolver"></a>The Lightweight Resolver Library</h2></div></div></div>
-
-      <p>
-        Traditionally applications have been linked with a stub resolver
+<p>
+        Traditionally, applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
         server.
       </p>
-      <p>
-        IPv6 once introduced new complexity into the resolution process,
+<p>
+        At first, IPv6 introduced new complexity into the resolution process,
         such as following A6 chains and DNAME records, and simultaneous
         lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
         then removed, these are hard or impossible
         to implement in a traditional stub resolver.
       </p>
-      <p>
+<p>
         <acronym class="acronym">BIND</acronym> 9 therefore can also provide resolution
         services to local clients
         using a combination of a lightweight resolver library and a resolver
         daemon process running on the local host.  These communicate using
-        a simple UDP-based protocol, the "lightweight resolver protocol"
+        a simple UDP-based protocol, the "lightweight resolver protocol,"
         that is distinct from and simpler than the full DNS protocol.
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div>
-
-      <p>
+<p>
         To use the lightweight resolver interface, the system must
         run the resolver daemon <span class="command"><strong>lwresd</strong></span> or a
         local
         name server configured with a <span class="command"><strong>lwres</strong></span>
         statement.
       </p>
-
-      <p>
-        By default, applications using the lightweight resolver library will
+<p>
+        By default, applications using the lightweight resolver library
         make
         UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
         The
@@ -87,44 +83,37 @@
         lines in
         <code class="filename">/etc/resolv.conf</code>.
       </p>
-
-      <p>
-        The daemon currently only looks in the DNS, but in the future
-        it may use other sources such as <code class="filename">/etc/hosts</code>,
-        NIS, etc.
-      </p>
-
-      <p>
+<p>
         The <span class="command"><strong>lwresd</strong></span> daemon is essentially a
         caching-only name server that responds to requests using the
         lightweight
         resolver protocol rather than the DNS protocol.  Because it needs
         to run on each host, it is designed to require no or minimal
         configuration.
-        Unless configured otherwise, it uses the name servers listed on
+        Unless otherwise instructed, it uses the name servers listed on
         <span class="command"><strong>nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
         as forwarders, but is also capable of doing the resolution
         autonomously if
         none are specified.
       </p>
-      <p>
+<p>
         The <span class="command"><strong>lwresd</strong></span> daemon may also be
         configured with a
-        <code class="filename">named.conf</code> style configuration file,
+        <code class="filename">named.conf</code>-style configuration file,
         in
         <code class="filename">/etc/lwresd.conf</code> by default.  A name
         server may also
         be configured to act as a lightweight resolver daemon using the
         <span class="command"><strong>lwres</strong></span> statement in <code class="filename">named.conf</code>.
       </p>
-      <p>
+<p>
         The number of client queries that the <span class="command"><strong>lwresd</strong></span>
-        daemon is able to serve can be set using the
+        daemon serves can be set using the
         <code class="option">lwres-tasks</code> and <code class="option">lwres-clients</code>
         statements in the configuration.
       </p>
-    </div>
-  </div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -142,6 +131,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch06.html b/bind/bind9/doc/arm/Bv9ARM.ch06.html
index 03a3a3c7..d6e84045 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch06.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch06.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 6. BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
@@ -88,44 +88,24 @@
 <dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Primary File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND 9 Statistics</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
 </dl></dd>
 </dl>
 </div>
-
-    <p>
-      <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
-      to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
-      areas
-      of configuration, such as views. <acronym class="acronym">BIND</acronym>
-      8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
-      9, although more complex configurations should be reviewed to check
-      if they can be more efficiently implemented using the new features
-      found in <acronym class="acronym">BIND</acronym> 9.
-    </p>
-
-    <p>
-      <acronym class="acronym">BIND</acronym> 4 configuration files can be
-      converted to the new format
-      using the shell script
-      <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
-    </p>
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-
-      <p>
+<p>
         Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
         file documentation:
       </p>
-      <div class="informaltable">
-        <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.855in" class="1">
 <col width="3.770in" class="2">
@@ -155,7 +135,7 @@
                   A list of one or more
                   <code class="varname">ip_addr</code>,
                   <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
-                  or <code class="varname">acl_name</code> elements, see
+                  or <code class="varname">acl_name</code> elements; see
                   <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
                 </p>
               </td>
@@ -172,7 +152,7 @@
                   with optional <code class="varname">key_id</code> and/or
                   <code class="varname">ip_port</code>.
                   A <code class="varname">masters_list</code> may include other
-                  <code class="varname">masters_lists</code>.
+                  <code class="varname">masters_list</code>s.
                 </p>
               </td>
 </tr>
@@ -184,8 +164,8 @@
               </td>
 <td>
                 <p>
-                  A quoted string which will be used as
-                  a DNS name, for example "<code class="literal">my.test.domain</code>".
+                  A quoted string which is used as
+                  a DNS name; for example, <code class="literal">my.test.domain</code>.
                 </p>
               </td>
 </tr>
@@ -211,8 +191,7 @@
 <td>
                 <p>
                   One to four integers valued 0 through
-                  255 separated by dots (`.'), such as <span class="command"><strong>123</strong></span>,
-                  <span class="command"><strong>45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>.
+                  255 separated by dots ("."), such as <span class="command"><strong>123.45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>.
                 </p>
               </td>
 </tr>
@@ -238,22 +217,22 @@
 <td>
                 <p>
                   An IPv6 address, such as <span class="command"><strong>2001:db8::1234</strong></span>.
-                  IPv6 scoped addresses that have ambiguity on their
+                  IPv6-scoped addresses that have ambiguity on their
                   scope zones must be disambiguated by an appropriate
-                  zone ID with the percent character (`%') as
+                  zone ID with the percent character ("%") as a
                   delimiter.  It is strongly recommended to use
                   string zone names rather than numeric identifiers,
-                  in order to be robust against system configuration
+                  to be robust against system configuration
                   changes.  However, since there is no standard
                   mapping for such names and identifier values,
-                  currently only interface names as link identifiers
+                  only interface names as link identifiers
                   are supported, assuming one-to-one mapping between
                   interfaces and links.  For example, a link-local
                   address <span class="command"><strong>fe80::1</strong></span> on the link
                   attached to the interface <span class="command"><strong>ne0</strong></span>
                   can be specified as <span class="command"><strong>fe80::1%ne0</strong></span>.
                   Note that on most systems link-local addresses
-                  always have the ambiguity, and need to be
+                  always have ambiguity and need to be
                   disambiguated.
                 </p>
               </td>
@@ -298,7 +277,7 @@
                   through 65535, with values
                   below 1024 typically restricted to use by processes running
                   as root.
-                  In some cases, an asterisk (`*') character can be used as a
+                  In some cases, an asterisk ("*") character can be used as a
                   placeholder to
                   select a random high-numbered port.
                 </p>
@@ -313,19 +292,19 @@
 <td>
                 <p>
                   An IP network specified as an <code class="varname">ip_addr</code>,
-                  followed by a slash (`/') and then the number of bits in the
+                  followed by a slash ("/") and then the number of bits in the
                   netmask.
-                  Trailing zeros in a <code class="varname">ip_addr</code>
-                  may omitted.
+                  Trailing zeros in an <code class="varname">ip_addr</code>
+                  may be omitted.
                   For example, <span class="command"><strong>127/8</strong></span> is the
                   network <span class="command"><strong>127.0.0.0</strong></span> with
                   netmask <span class="command"><strong>255.0.0.0</strong></span> and <span class="command"><strong>1.2.3.0/28</strong></span> is
                   network <span class="command"><strong>1.2.3.0</strong></span> with netmask <span class="command"><strong>255.255.255.240</strong></span>.
                 </p>
                 <p>
-                  When specifying a prefix involving a IPv6 scoped address
-                  the scope may be omitted.  In that case the prefix will
-                  match packets from any scope.
+                  When specifying a prefix involving a IPv6-scoped address,
+                  the scope may be omitted.  In that case, the prefix
+                  matches packets from any scope.
                 </p>
               </td>
 </tr>
@@ -381,11 +360,11 @@
 <td>
                 <p>
                   A non-negative real number that can be specified to
-                  the nearest one hundredth.  Up to five digits can be
+                  the nearest one-hundredth.  Up to five digits can be
                   specified before a decimal point, and up to two
                   digits after, so the maximum value is 99999.99.
                   Acceptable values might be further limited by the
-                  context in which it is used.
+                  contexts in which they are used.
                 </p>
               </td>
 </tr>
@@ -397,7 +376,7 @@
               </td>
 <td>
                 <p>
-                  A quoted string which will be used as
+                  A quoted string which is used as
                   a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
                 </p>
               </td>
@@ -424,7 +403,7 @@
                   For example,
                   <strong class="userinput"><code>range 1024 65535</code></strong> represents
                   ports from 1024 through 65535.
-                  In either case an asterisk (`*') character is not
+                  In either case an asterisk ("*") character is not
                   allowed as a valid <code class="varname">ip_port</code>.
                 </p>
               </td>
@@ -449,7 +428,7 @@
                   use a more limited range within these extremes.
                   In most cases, setting a value to 0 does not
                   literally mean zero; it means "undefined" or
-                  "as big as possible", depending on the context.
+                  "as big as possible," depending on the context.
                   See the explanations of particular parameters
                   that use <code class="varname">size_spec</code>
                   for details on how they interpret its use.
@@ -467,7 +446,7 @@
                 </p>
                 <p>
                   <code class="varname">unlimited</code> generally means
-                  "as big as possible", and is usually the best
+                  "as big as possible," and is usually the best
                   way to safely set a very large number.
                 </p>
                 <p>
@@ -484,15 +463,15 @@
               </td>
 <td>
                 <p>
-                  <code class="varname">size_spec</code> or integer value
-                  followed by '%' to represent percents.
+                  A <code class="varname">size_spec</code> or integer value
+                  followed by "%" to represent percent.
                 </p>
                 <p>
                   The behavior is exactly the same as
                   <code class="varname">size_spec</code>, but
-                  <code class="varname">size_or_percent</code> allows also
-                  to specify a positive integer value followed by
-                  '%' sign to represent percents.
+                  <code class="varname">size_or_percent</code> also allows
+                  specifying a positive integer value followed by the
+                  "%"" sign to represent percent.
                 </p>
               </td>
 </tr>
@@ -521,96 +500,77 @@
                 <p>
                   One of <strong class="userinput"><code>yes</code></strong>,
                   <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
-                  <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
+                  <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong>, or
                   <strong class="userinput"><code>passive</code></strong>.
                   When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
                   <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
-                  are restricted to slave and stub zones.
+                  are restricted to secondary and stub zones.
                 </p>
               </td>
 </tr>
 </tbody>
-</table>
-      </div>
-      <div class="section">
+</table></div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.4.4.2"></a>Syntax</h4></div></div></div>
-
+<a name="id-1.7.2.4.2"></a>Syntax</h4></div></div></div>
 <pre class="programlisting"><em class="replaceable"><code>address_match_list</code></em> = <em class="replaceable"><code>address_match_list_element</code></em> <span class="command"><strong>;</strong></span> ...
 
 <em class="replaceable"><code>address_match_list_element</code></em> = [ <span class="command"><strong>!</strong></span> ] ( <em class="replaceable"><code>ip_address</code></em> | <em class="replaceable"><code>ip_prefix</code></em> |
      <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> | <em class="replaceable"><code>acl_name</code></em> | <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> )
 </pre>
-
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.4.4.3"></a>Definition and Usage</h4></div></div></div>
-
-          <p>
+<a name="id-1.7.2.4.3"></a>Definition and Usage</h4></div></div></div>
+<p>
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
             the <span class="command"><strong>listen-on</strong></span> and <span class="command"><strong>sortlist</strong></span>
             statements. The elements which constitute an address match
             list can be any of the following:
           </p>
-          <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-              an IP address (IPv4 or IPv6)
-            </li>
-<li class="listitem">
-              an IP prefix (in `/' notation)
-            </li>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">an IP address (IPv4 or IPv6)</li>
+<li class="listitem">an IP prefix (in "/" notation)</li>
 <li class="listitem">
-              
                 a key ID, as defined by the <span class="command"><strong>key</strong></span>
                 statement
-              
-            </li>
-<li class="listitem">
-              the name of an address match list defined with
+              </li>
+<li class="listitem">the name of an address match list defined with
                 the <span class="command"><strong>acl</strong></span> statement
-              
-            </li>
-<li class="listitem">
-              a nested address match list enclosed in braces
-            </li>
+              </li>
+<li class="listitem">a nested address match list enclosed in braces</li>
 </ul></div>
-
-          <p>
-            Elements can be negated with a leading exclamation mark (`!'),
+<p>
+            Elements can be negated with a leading exclamation mark ("!"),
             and the match list names "any", "none", "localhost", and
             "localnets" are predefined. More information on those names
-            can be found in the description of the acl statement.
+            can be found in the description of the <span class="command"><strong>acl</strong></span>
+            statement.
           </p>
-
-          <p>
+<p>
             The addition of the key clause made the name of this syntactic
             element something of a misnomer, since security keys can be used
             to validate access without regard to a host or network address.
             Nonetheless, the term "address match list" is still used
             throughout the documentation.
           </p>
-
-          <p>
+<p>
             When a given IP address or prefix is compared to an address
             match list, the comparison takes place in approximately O(1)
             time.  However, key comparisons require that the list of keys
             be traversed until a matching key is found, and therefore may
             be somewhat slower.
           </p>
-
-          <p>
+<p>
             The interpretation of a match depends on whether the list is being
             used for access control, defining <span class="command"><strong>listen-on</strong></span> ports, or in a
             <span class="command"><strong>sortlist</strong></span>, and whether the element was negated.
           </p>
-
-          <p>
+<p>
             When used as an access control list, a non-negated match
             allows access and a negated match denies access. If
             there is no match, access is denied. The clauses
@@ -626,15 +586,14 @@
             <span class="command"><strong>allow-update-forwarding</strong></span>,
             <span class="command"><strong>blackhole</strong></span>, and
             <span class="command"><strong>keep-response-order</strong></span> all use address match
-            lists.  Similarly, the <span class="command"><strong>listen-on</strong></span> option will cause the
+            lists.  Similarly, the <span class="command"><strong>listen-on</strong></span> option causes the
             server to refuse queries on any of the machine's
             addresses which do not match the list.
           </p>
-
-          <p>
+<p>
             Order of insertion is significant.  If more than one element
             in an ACL is found to match a given IP address or prefix,
-            preference will be given to the one that came
+            preference is given to the one that came
             <span class="emphasis"><em>first</em></span> in the ACL definition.
             Because of this first-match behavior, an element that
             defines a subset of another element in the list should
@@ -642,31 +601,27 @@
             either is negated. For example, in
             <span class="command"><strong>1.2.3/24; ! 1.2.3.13;</strong></span>
             the 1.2.3.13 element is completely useless because the
-            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
+            algorithm matches any lookup for 1.2.3.13 to the 1.2.3/24
             element.  Using <span class="command"><strong>! 1.2.3.13; 1.2.3/24</strong></span> fixes
-            that problem by having 1.2.3.13 blocked by the negation, but
-            all other 1.2.3.* hosts fall through.
+            that problem by blocking 1.2.3.13 via the negation, but
+            all other 1.2.3.* hosts pass through.
           </p>
-        </div>
-      </div>
-
-      <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="comment_syntax"></a>Comment Syntax</h3></div></div></div>
-
-        <p>
-          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
+<p>
+          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows
           comments to appear
           anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
           file. To appeal to programmers of all kinds, they can be written
           in the C, C++, or shell/perl style.
         </p>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.4.5.3"></a>Syntax</h4></div></div></div>
-
-          <p>
+<a name="id-1.7.2.5.3"></a>Syntax</h4></div></div></div>
+<p>
             </p>
 <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
 <p>
@@ -674,30 +629,29 @@
 <pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
 <p>
             </p>
-<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
+<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common Unix shells
 # and perl</pre>
 <p>
           </p>
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.4.5.4"></a>Definition and Usage</h4></div></div></div>
-
-          <p>
+<a name="id-1.7.2.5.4"></a>Definition and Usage</h4></div></div></div>
+<p>
             Comments may appear anywhere that whitespace may appear in
             a <acronym class="acronym">BIND</acronym> configuration file.
           </p>
-          <p>
+<p>
             C-style comments start with the two characters /* (slash,
             star) and end with */ (star, slash). Because they are completely
             delimited with these characters, they can be used to comment only
             a portion of a line or to span multiple lines.
           </p>
-          <p>
+<p>
             C-style comments cannot be nested. For example, the following
             is not valid because the entire comment ends with the first */:
           </p>
-          <p>
+<p>
 
 </p>
 <pre class="programlisting">/* This is the start of a comment.
@@ -708,15 +662,14 @@
 <p>
 
           </p>
-
-          <p>
+<p>
             C++-style comments start with the two characters // (slash,
             slash) and continue to the end of the physical line. They cannot
             be continued across multiple physical lines; to have one logical
             comment span multiple lines, each line must use the // pair.
             For example:
           </p>
-          <p>
+<p>
 
 </p>
 <pre class="programlisting">// This is the start of a comment.  The next line
@@ -726,15 +679,14 @@
 <p>
 
           </p>
-          <p>
-            Shell-style (or perl-style, if you prefer) comments start
+<p>
+            Shell-style (or perl-style) comments start
             with the character <code class="literal">#</code> (number sign)
             and continue to the end of the
             physical line, as in C++ comments.
             For example:
           </p>
-
-          <p>
+<p>
 
 </p>
 <pre class="programlisting"># This is the start of a comment.  The next line
@@ -744,39 +696,33 @@
 <p>
 
           </p>
-
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
-              You cannot use the semicolon (`;') character
-              to start a comment such as you would in a zone file. The
+<p>
+              The semicolon (";") character
+              cannot start a comment, unlike in a zone file. The
               semicolon indicates the end of a configuration
               statement.
             </p>
-          </div>
-        </div>
-      </div>
-    </div>
-
-    <div class="section">
+</div>
+</div>
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-
-      <p>
+<p>
         A <acronym class="acronym">BIND</acronym> 9 configuration consists of
         statements and comments.
-        Statements end with a semicolon. Statements and comments are the
+        Statements end with a semicolon; statements and comments are the
         only elements that can appear without enclosing braces. Many
         statements contain a block of sub-statements, which are also
         terminated with a semicolon.
       </p>
-
-      <p>
+<p>
         The following statements are supported:
       </p>
-
-      <div class="informaltable">
-        <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.336in" class="1">
 <col width="3.778in" class="2">
@@ -788,7 +734,7 @@
               </td>
 <td>
                 <p>
-                  defines a named IP address
+                  Defines a named IP address
                   matching list, for access control and other uses.
                 </p>
               </td>
@@ -799,7 +745,7 @@
               </td>
 <td>
                 <p>
-                  declares control channels to be used
+                  Declares control channels to be used
                   by the <span class="command"><strong>rndc</strong></span> utility.
                 </p>
               </td>
@@ -810,7 +756,7 @@
               </td>
 <td>
                 <p>
-                  includes a file.
+                  Includes a file.
                 </p>
               </td>
 </tr>
@@ -820,7 +766,7 @@
               </td>
 <td>
                 <p>
-                  specifies key information for use in
+                  Specifies key information for use in
                   authentication and authorization using TSIG.
                 </p>
               </td>
@@ -831,7 +777,7 @@
               </td>
 <td>
                 <p>
-                  specifies what the server logs, and where
+                  Specifies what information the server logs and where
                   the log messages are sent.
                 </p>
               </td>
@@ -842,8 +788,8 @@
               </td>
 <td>
                 <p>
-                  configures <span class="command"><strong>named</strong></span> to
-                  also act as a light-weight resolver daemon (<span class="command"><strong>lwresd</strong></span>).
+                  Configures <span class="command"><strong>named</strong></span> to
+                  also act as a lightweight resolver daemon (<span class="command"><strong>lwresd</strong></span>).
                 </p>
               </td>
 </tr>
@@ -853,8 +799,8 @@
               </td>
 <td>
                 <p>
-                  defines a named masters list for
-                  inclusion in stub and slave zones'
+                  Defines a named list of primary servers for
+                  inclusion in stub and secondary zones'
                   <span class="command"><strong>masters</strong></span> or
                   <span class="command"><strong>also-notify</strong></span> lists.
                 </p>
@@ -866,7 +812,7 @@
               </td>
 <td>
                 <p>
-                  controls global server configuration
+                  Controls global server configuration
                   options and sets defaults for other statements.
                 </p>
               </td>
@@ -877,7 +823,7 @@
               </td>
 <td>
                 <p>
-                  sets certain configuration options on
+                  Sets certain configuration options on
                   a per-server basis.
                 </p>
               </td>
@@ -888,7 +834,7 @@
               </td>
 <td>
                 <p>
-                  declares communication channels to get access to
+                  Declares communication channels to get access to
                   <span class="command"><strong>named</strong></span> statistics.
                 </p>
               </td>
@@ -899,7 +845,7 @@
               </td>
 <td>
                 <p>
-                  defines trusted DNSSEC keys.
+                  Defines trusted DNSSEC keys.
                 </p>
               </td>
 </tr>
@@ -909,7 +855,7 @@
               </td>
 <td>
                 <p>
-                  lists DNSSEC keys to be kept up to date
+                  Lists DNSSEC keys to be kept up-to-date
                   using RFC 5011 trust anchor maintenance.
                 </p>
               </td>
@@ -920,7 +866,7 @@
               </td>
 <td>
                 <p>
-                  defines a view.
+                  Defines a view.
                 </p>
               </td>
 </tr>
@@ -930,45 +876,38 @@
               </td>
 <td>
                 <p>
-                  defines a zone.
+                  Defines a zone.
                 </p>
               </td>
 </tr>
 </tbody>
-</table>
-      </div>
-
-      <p>
+</table></div>
+<p>
         The <span class="command"><strong>logging</strong></span> and
         <span class="command"><strong>options</strong></span> statements may only occur once
         per
         configuration.
       </p>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="acl_grammar"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>acl</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };
 </pre>
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="acl"></a><span class="command"><strong>acl</strong></span> Statement Definition and
           Usage</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>acl</strong></span> statement assigns a symbolic
-          name to an address match list. It gets its name from a primary
-          use of address match lists: Access Control Lists (ACLs).
+          name to an address match list. It gets its name from one of the primary
+          uses of address match lists: Access Control Lists (ACLs).
         </p>
-
-        <p>
+<p>
           The following ACLs are built-in:
         </p>
-
-        <div class="informaltable">
-          <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.130in" class="1">
 <col width="4.000in" class="2">
@@ -1020,21 +959,20 @@
                     ACL element is updated to reflect the changes.
                     Some systems do not provide a way to determine the prefix
                     lengths of
-                    local IPv6 addresses.
-                    In such a case, <span class="command"><strong>localnets</strong></span>
+                    local IPv6 addresses;
+                    in such cases, <span class="command"><strong>localnets</strong></span>
                     only matches the local
                     IPv6 addresses, just like <span class="command"><strong>localhost</strong></span>.
                   </p>
                 </td>
 </tr>
 </tbody>
-</table>
-        </div>
-      </div>
-      <div class="section">
+</table></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="controls_grammar"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>controls</strong></span> {
 	<span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
 	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow
@@ -1047,62 +985,55 @@
 	    <em class="replaceable"><code>boolean</code></em> ];
 };
 </pre>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="controls_statement_definition_and_usage"></a><span class="command"><strong>controls</strong></span> Statement Definition and
           Usage</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>controls</strong></span> statement declares control
-          channels to be used by system administrators to control the
+          channels to be used by system administrators to manage the
           operation of the name server. These control channels are
           used by the <span class="command"><strong>rndc</strong></span> utility to send
           commands to and retrieve non-DNS results from a name server.
         </p>
-
-        <p>
+<p>
           An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
           listening at the specified <span class="command"><strong>ip_port</strong></span> on the
           specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
           address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
-          interpreted as the IPv4 wildcard address; connections will be
+          interpreted as the IPv4 wildcard address; connections are
           accepted on any of the system's IPv4 addresses.
           To listen on the IPv6 wildcard address,
           use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
-          If you will only use <span class="command"><strong>rndc</strong></span> on the local host,
+          If <span class="command"><strong>rndc</strong></span> is only used on the local host,
           using the loopback address (<code class="literal">127.0.0.1</code>
           or <code class="literal">::1</code>) is recommended for maximum security.
         </p>
-
-        <p>
+<p>
           If no port is specified, port 953 is used. The asterisk
           "<code class="literal">*</code>" cannot be used for <span class="command"><strong>ip_port</strong></span>.
         </p>
-
-        <p>
+<p>
           The ability to issue commands over the control channel is
           restricted by the <span class="command"><strong>allow</strong></span> and
           <span class="command"><strong>keys</strong></span> clauses.
           Connections to the control channel are permitted based on the
           <span class="command"><strong>address_match_list</strong></span>.  This is for simple
-          IP address based filtering only; any <span class="command"><strong>key_id</strong></span>
+          IP address-based filtering only; any <span class="command"><strong>key_id</strong></span>
           elements of the <span class="command"><strong>address_match_list</strong></span>
           are ignored.
         </p>
-
-        <p>
-          A <span class="command"><strong>unix</strong></span> control channel is a UNIX domain
+<p>
+          A <span class="command"><strong>unix</strong></span> control channel is a Unix domain
           socket listening at the specified path in the file system.
           Access to the socket is specified by the <span class="command"><strong>perm</strong></span>,
-          <span class="command"><strong>owner</strong></span> and <span class="command"><strong>group</strong></span> clauses.
-          Note on some platforms (SunOS and Solaris) the permissions
+          <span class="command"><strong>owner</strong></span>, and <span class="command"><strong>group</strong></span> clauses.
+          Note on some platforms (SunOS and Solaris), the permissions
           (<span class="command"><strong>perm</strong></span>) are applied to the parent directory
           as the permissions on the socket itself are ignored.
         </p>
-
-        <p>
+<p>
           The primary authorization mechanism of the command
           channel is the <span class="command"><strong>key_list</strong></span>, which
           contains a list of <span class="command"><strong>key_id</strong></span>s.
@@ -1111,8 +1042,7 @@
           See <a class="xref" href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a class="xref" href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
           for information about configuring keys in <span class="command"><strong>rndc</strong></span>.
         </p>
-
-        <p>
+<p>
           If the <span class="command"><strong>read-only</strong></span> clause is enabled, the
           control channel is limited to the following set of read-only
           commands: <span class="command"><strong>nta -dump</strong></span>,
@@ -1122,76 +1052,48 @@
           <span class="command"><strong>read-only</strong></span> is not enabled and the control
           channel allows read-write access.
         </p>
-
-        <p>
+<p>
           If no <span class="command"><strong>controls</strong></span> statement is present,
-          <span class="command"><strong>named</strong></span> will set up a default
+          <span class="command"><strong>named</strong></span> sets up a default
           control channel listening on the loopback address 127.0.0.1
           and its IPv6 counterpart ::1.
           In this case, and also when the <span class="command"><strong>controls</strong></span> statement
           is present but does not have a <span class="command"><strong>keys</strong></span> clause,
-          <span class="command"><strong>named</strong></span> will attempt to load the command channel key
+          <span class="command"><strong>named</strong></span> attempts to load the command channel key
           from the file <code class="filename">rndc.key</code> in
           <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
-          was specified as when <acronym class="acronym">BIND</acronym> was built).
-          To create a <code class="filename">rndc.key</code> file, run
+          was specified when <acronym class="acronym">BIND</acronym> was built).
+          To create an <code class="filename">rndc.key</code> file, run
           <strong class="userinput"><code>rndc-confgen -a</code></strong>.
         </p>
-
-        <p>
-          The <code class="filename">rndc.key</code> feature was created to
-          ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
-          which did not have digital signatures on its command channel
-          messages and thus did not have a <span class="command"><strong>keys</strong></span> clause.
-
-          It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
-          configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
-          and still have <span class="command"><strong>rndc</strong></span> work the same way
-          <span class="command"><strong>ndc</strong></span> worked in BIND 8, simply by executing the
-          command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
-          installed.
-        </p>
-
-        <p>
-          Since the <code class="filename">rndc.key</code> feature
-          is only intended to allow the backward-compatible usage of
-          <acronym class="acronym">BIND</acronym> 8 configuration files, this
-          feature does not
-          have a high degree of configurability.  You cannot easily change
-          the key name or the size of the secret, so you should make a
-          <code class="filename">rndc.conf</code> with your own key if you
-          wish to change
-          those things.  The <code class="filename">rndc.key</code> file
+<p>
+          The key name and the size of the secret cannot be easily changed; if it
+          is desirable to change those things, make a
+          <code class="filename">rndc.conf</code> with a custom key.  The <code class="filename">rndc.key</code> file
           also has its
           permissions set such that only the owner of the file (the user that
           <span class="command"><strong>named</strong></span> is running as) can access it.
-          If you
-          desire greater flexibility in allowing other users to access
-          <span class="command"><strong>rndc</strong></span> commands, then you need to create
+          For greater flexibility in allowing other users to access
+          <span class="command"><strong>rndc</strong></span> commands, create
           a
-          <code class="filename">rndc.conf</code> file and make it group
-          readable by a group
+          <code class="filename">rndc.conf</code> file and make it group-readable by a group
           that contains the users who should have access.
         </p>
-
-        <p>
+<p>
           To disable the command channel, use an empty
           <span class="command"><strong>controls</strong></span> statement:
           <span class="command"><strong>controls { };</strong></span>.
         </p>
-
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="include_grammar"></a><span class="command"><strong>include</strong></span> Statement Grammar</h3></div></div></div>
-
-        <pre class="programlisting"><span class="command"><strong>include</strong></span> <em class="replaceable"><code>filename</code></em><span class="command"><strong>;</strong></span></pre>
-      </div>
-      <div class="section">
+<pre class="programlisting"><span class="command"><strong>include</strong></span> <em class="replaceable"><code>filename</code></em><span class="command"><strong>;</strong></span></pre>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="include_statement"></a><span class="command"><strong>include</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>include</strong></span> statement inserts the
           specified file at the point where the <span class="command"><strong>include</strong></span>
           statement is encountered. The <span class="command"><strong>include</strong></span>
@@ -1201,32 +1103,28 @@
           others. For example, the statement could include private keys
           that are readable only by the name server.
         </p>
-
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="key_grammar"></a><span class="command"><strong>key</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>key</strong></span> <em class="replaceable"><code>string</code></em> {
 	<span class="command"><strong>algorithm</strong></span> <em class="replaceable"><code>string</code></em>;
 	<span class="command"><strong>secret</strong></span> <em class="replaceable"><code>string</code></em>;
 };
 </pre>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="key_statement"></a><span class="command"><strong>key</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>key</strong></span> statement defines a shared
           secret key for use with TSIG (see <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
           or the command channel
           (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
           Usage&#8221;</a>).
         </p>
-
-        <p>
+<p>
           The <span class="command"><strong>key</strong></span> statement can occur at the
           top level
           of the configuration file or inside a <span class="command"><strong>view</strong></span>
@@ -1237,37 +1135,33 @@
           Usage&#8221;</a>)
           must be defined at the top level.
         </p>
-
-        <p>
+<p>
           The <em class="replaceable"><code>key_id</code></em>, also known as the
-          key name, is a domain name uniquely identifying the key. It can
+          key name, is a domain name that uniquely identifies the key. It can
           be used in a <span class="command"><strong>server</strong></span>
           statement to cause requests sent to that
           server to be signed with this key, or in address match lists to
           verify that incoming requests have been signed with a key
           matching this name, algorithm, and secret.
         </p>
-
-        <p>
+<p>
           The <em class="replaceable"><code>algorithm_id</code></em> is a string
           that specifies a security/authentication algorithm.  The
           <span class="command"><strong>named</strong></span> server supports <code class="literal">hmac-md5</code>,
           <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
-          <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
+          <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>,
           and <code class="literal">hmac-sha512</code> TSIG authentication.
           Truncated hashes are supported by appending the minimum
-          number of required bits preceded by a dash, e.g.
+          number of required bits preceded by a dash, e.g.,
           <code class="literal">hmac-sha1-80</code>.  The
           <em class="replaceable"><code>secret_string</code></em> is the secret
-          to be used by the algorithm, and is treated as a Base64
-          encoded string.
+          to be used by the algorithm, and is treated as a Base64-encoded string.
         </p>
-
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="logging_grammar"></a><span class="command"><strong>logging</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>logging</strong></span> {
 	<span class="command"><strong>category</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };
 	<span class="command"><strong>channel</strong></span> <em class="replaceable"><code>string</code></em> {
@@ -1284,108 +1178,93 @@
 	};
 };
 </pre>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="logging_statement"></a><span class="command"><strong>logging</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>logging</strong></span> statement configures a
           wide
           variety of logging options for the name server. Its <span class="command"><strong>channel</strong></span> phrase
-          associates output methods, format options and severity levels with
+          associates output methods, format options, and severity levels with
           a name that can then be used with the <span class="command"><strong>category</strong></span> phrase
           to select how various classes of messages are logged.
         </p>
-        <p>
+<p>
           Only one <span class="command"><strong>logging</strong></span> statement is used to
           define
-          as many channels and categories as are wanted. If there is no <span class="command"><strong>logging</strong></span> statement,
-          the logging configuration will be:
+          as many channels and categories as desired. If there is no <span class="command"><strong>logging</strong></span> statement,
+          the logging configuration is:
         </p>
-
 <pre class="programlisting">logging {
      category default { default_syslog; default_debug; };
      category unmatched { null; };
 };
 </pre>
-
-        <p>
+<p>
           If <span class="command"><strong>named</strong></span> is started with the
           <code class="option">-L</code> option, it logs to the specified file
           at startup, instead of using syslog. In this case the logging
-          configuration will be:
+          configuration is:
         </p>
-
 <pre class="programlisting">logging {
      category default { default_logfile; default_debug; };
      category unmatched { null; };
 };
 </pre>
-
-        <p>
-          In <acronym class="acronym">BIND</acronym> 9, the logging configuration
+<p>
+          The logging configuration
           is only established when
-          the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
-          established as soon as the <span class="command"><strong>logging</strong></span>
-          statement
-          was parsed. When the server is starting up, all logging messages
+          the entire configuration file has been parsed. When the server starts up, all logging messages
           regarding syntax errors in the configuration file go to the default
           channels, or to standard error if the <code class="option">-g</code> option
           was specified.
         </p>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="channel"></a>The <span class="command"><strong>channel</strong></span> Phrase</h4></div></div></div>
-
-          <p>
+<p>
             All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
-            you can make as many of them as you want.
+            there is no limit to the number of channels that can be created.
           </p>
-
-          <p>
+<p>
             Every channel definition must include a destination clause that
-            says whether messages selected for the channel go to a file, to a
-            particular syslog facility, to the standard error stream, or are
-            discarded. It can optionally also limit the message severity level
-            that will be accepted by the channel (the default is
+            says whether messages selected for the channel go to a file, go to a
+            particular syslog facility, go to the standard error stream, or are
+            discarded. The definition can optionally also limit the message severity level
+            that is accepted by the channel (the default is
             <span class="command"><strong>info</strong></span>), and whether to include a
             <span class="command"><strong>named</strong></span>-generated time stamp, the
-            category name
-            and/or severity level (the default is not to include any).
+            category name,
+            and/or the severity level (the default is not to include any).
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>null</strong></span> destination clause
             causes all messages sent to the channel to be discarded;
             in that case, other options for the channel are meaningless.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>file</strong></span> destination clause directs
             the channel
             to a disk file.  It can include limitations
-            both on how large the file is allowed to become, and how many
+            both on how large the file is allowed to become, and on how many
             versions
-            of the file will be saved each time the file is opened.
+            of the file are saved each time the file is opened.
           </p>
-
-          <p>
-            If you use the <span class="command"><strong>versions</strong></span> log file
-            option, then
-            <span class="command"><strong>named</strong></span> will retain that many backup
+<p>
+            If the <span class="command"><strong>versions</strong></span> log file
+            option is used, then
+            <span class="command"><strong>named</strong></span> retains that many backup
             versions of the file by
-            renaming them when opening.  For example, if you choose to keep
+            renaming them when opening.  For example, to keep
             three old versions
-            of the file <code class="filename">lamers.log</code>, then just
+            of the file <code class="filename">lamers.log</code>, just
             before it is opened
             <code class="filename">lamers.log.1</code> is renamed to
             <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
             to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
             renamed to <code class="filename">lamers.log.0</code>.
-            You can say <span class="command"><strong>versions unlimited</strong></span> to
+            The <span class="command"><strong>versions unlimited</strong></span> option can be set to
             not limit
             the number of versions.
             If a <span class="command"><strong>size</strong></span> option is associated with
@@ -1395,37 +1274,33 @@
             existing
             log file is simply appended.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>size</strong></span> option for files is used
             to limit log
-            growth. If the file ever exceeds the size, then <span class="command"><strong>named</strong></span> will
-            stop writing to the file unless it has a <span class="command"><strong>versions</strong></span> option
+            growth. If the file ever exceeds the size, then <span class="command"><strong>named</strong></span>
+            stops writing to the file unless it also has a <span class="command"><strong>versions</strong></span> option
             associated with it.  If backup versions are kept, the files are
             rolled as
             described above and a new one begun.  If there is no
-            <span class="command"><strong>versions</strong></span> option, no more data will
-            be written to the log
+            <span class="command"><strong>versions</strong></span> option, no more data is
+            written to the log
             until some out-of-band mechanism removes or truncates the log to
             less than the
             maximum size.  The default behavior is not to limit the size of
             the
             file.
           </p>
-
-          <p>
-            Example usage of the <span class="command"><strong>size</strong></span> and
+<p>
+            Here is an example using the <span class="command"><strong>size</strong></span> and
             <span class="command"><strong>versions</strong></span> options:
           </p>
-
 <pre class="programlisting">channel an_example_channel {
     file "example.log" versions 3 size 20m;
     print-time yes;
     print-category yes;
 };
 </pre>
-
-          <p>
+<p>
             The <span class="command"><strong>syslog</strong></span> destination clause
             directs the
             channel to the system log.  Its argument is a
@@ -1436,119 +1311,110 @@
             <span class="command"><strong>uucp</strong></span>, <span class="command"><strong>cron</strong></span>, <span class="command"><strong>authpriv</strong></span>,
             <span class="command"><strong>ftp</strong></span>, <span class="command"><strong>local0</strong></span>, <span class="command"><strong>local1</strong></span>,
             <span class="command"><strong>local2</strong></span>, <span class="command"><strong>local3</strong></span>, <span class="command"><strong>local4</strong></span>,
-            <span class="command"><strong>local5</strong></span>, <span class="command"><strong>local6</strong></span> and
-            <span class="command"><strong>local7</strong></span>, however not all facilities
+            <span class="command"><strong>local5</strong></span>, <span class="command"><strong>local6</strong></span>, and
+            <span class="command"><strong>local7</strong></span>; however, not all facilities
             are supported on
             all operating systems.
-            How <span class="command"><strong>syslog</strong></span> will handle messages
+            How <span class="command"><strong>syslog</strong></span> handles messages
             sent to
             this facility is described in the <span class="command"><strong>syslog.conf</strong></span> man
-            page. If you have a system which uses a very old version of <span class="command"><strong>syslog</strong></span> that
+            page. On a system which uses a very old version of <span class="command"><strong>syslog</strong></span>, which
             only uses two arguments to the <span class="command"><strong>openlog()</strong></span> function,
             then this clause is silently ignored.
           </p>
-          <p>
-            On Windows machines syslog messages are directed to the EventViewer.
+<p>
+            On Windows machines, syslog messages are directed to the EventViewer.
           </p>
-          <p>
+<p>
             The <span class="command"><strong>severity</strong></span> clause works like <span class="command"><strong>syslog</strong></span>'s
-            "priorities", except that they can also be used if you are writing
+            "priorities," except that they can also be used when writing
             straight to a file rather than using <span class="command"><strong>syslog</strong></span>.
-            Messages which are not at least of the severity level given will
-            not be selected for the channel; messages of higher severity
+            Messages which are not at least of the severity level given are
+            not selected for the channel; messages of higher severity
             levels
-            will be accepted.
-          </p>
-          <p>
-            If you are using <span class="command"><strong>syslog</strong></span>, then the <span class="command"><strong>syslog.conf</strong></span> priorities
-            will also determine what eventually passes through. For example,
-            defining a channel facility and severity as <span class="command"><strong>daemon</strong></span> and <span class="command"><strong>debug</strong></span> but
-            only logging <span class="command"><strong>daemon.warning</strong></span> via <span class="command"><strong>syslog.conf</strong></span> will
-            cause messages of severity <span class="command"><strong>info</strong></span> and
+            are accepted.
+          </p>
+<p>
+            When using <span class="command"><strong>syslog</strong></span>, the <span class="command"><strong>syslog.conf</strong></span> priorities
+            also determine what eventually passes through. For example,
+            defining a channel facility and severity as <span class="command"><strong>daemon</strong></span> and <span class="command"><strong>debug</strong></span>, but
+            only logging <span class="command"><strong>daemon.warning</strong></span> via <span class="command"><strong>syslog.conf</strong></span>,
+            causes messages of severity <span class="command"><strong>info</strong></span> and
             <span class="command"><strong>notice</strong></span> to
             be dropped. If the situation were reversed, with <span class="command"><strong>named</strong></span> writing
             messages of only <span class="command"><strong>warning</strong></span> or higher,
             then <span class="command"><strong>syslogd</strong></span> would
             print all messages it received from the channel.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>stderr</strong></span> destination clause
             directs the
             channel to the server's standard error stream.  This is intended
             for
-            use when the server is running as a foreground process, for
-            example
-            when debugging a configuration.
+            use when the server is running as a foreground process, as
+            when debugging a configuration, for example.
           </p>
-
-          <p>
+<p>
             The server can supply extensive debugging information when
             it is in debugging mode. If the server's global debug level is
             greater
-            than zero, then debugging mode will be active. The global debug
+            than zero, debugging mode is active. The global debug
             level is set either by starting the <span class="command"><strong>named</strong></span> server
             with the <code class="option">-d</code> flag followed by a positive integer,
             or by running <span class="command"><strong>rndc trace</strong></span>.
             The global debug level
             can be set to zero, and debugging mode turned off, by running <span class="command"><strong>rndc
-notrace</strong></span>. All debugging messages in the server have a debug
-            level, and higher debug levels give more detailed output. Channels
+                notrace</strong></span>. All debugging messages in the server have a debug
+            level; higher debug levels give more detailed output. Channels
             that specify a specific debug severity, for example:
           </p>
-
 <pre class="programlisting">channel specific_debug_level {
     file "foo";
     severity debug 3;
 };
 </pre>
-
-          <p>
-            will get debugging output of level 3 or less any time the
+<p>
+            get debugging output of level 3 or less any time the
             server is in debugging mode, regardless of the global debugging
             level. Channels with <span class="command"><strong>dynamic</strong></span>
             severity use the
             server's global debug level to determine what messages to print.
           </p>
-          <p>
-            If <span class="command"><strong>print-time</strong></span> has been turned on,
-            then
-            the date and time will be logged. <span class="command"><strong>print-time</strong></span> may
-            be specified for a <span class="command"><strong>syslog</strong></span> channel,
-            but is usually
-            pointless since <span class="command"><strong>syslog</strong></span> also logs
-            the date and
-            time. If <span class="command"><strong>print-category</strong></span> is
-            requested, then the
-            category of the message will be logged as well. Finally, if <span class="command"><strong>print-severity</strong></span> is
-            on, then the severity level of the message will be logged. The <span class="command"><strong>print-</strong></span> options may
-            be used in any combination, and will always be printed in the
+<p>
+            If <span class="command"><strong>print-time</strong></span> is set to
+            <strong class="userinput"><code>yes</code></strong>, then the date and time are logged.
+            <span class="command"><strong>print-time</strong></span> may be specified for a
+            <span class="command"><strong>syslog</strong></span> channel, but is usually
+            unnecessary since <span class="command"><strong>syslog</strong></span> also logs
+            the date and time. If <span class="command"><strong>print-category</strong></span> is
+            set to <strong class="userinput"><code>yes</code></strong>, then the
+            category of the message is logged as well. Finally, if
+            <span class="command"><strong>print-severity</strong></span> is set, then the severity
+            level of the message is logged.
+            The <span class="command"><strong>print-</strong></span> options may
+            be used in any combination, and are always printed in the
             following
             order: time, category, severity. Here is an example where all
             three <span class="command"><strong>print-</strong></span> options
             are on:
           </p>
-
-          <p>
+<p>
             <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
           </p>
-
-          <p>
-            If <span class="command"><strong>buffered</strong></span> has been turned on the output
-            to files will not be flushed after each log entry.  By default
+<p>
+            If <span class="command"><strong>buffered</strong></span> has been turned on, the output
+            to files is not flushed after each log entry.  By default
             all log messages are flushed.
           </p>
-
-          <p>
+<p>
             There are four predefined channels that are used for
-            <span class="command"><strong>named</strong></span>'s default logging as follows.
+            <span class="command"><strong>named</strong></span>'s default logging, as follows.
             If <span class="command"><strong>named</strong></span> is started with the
-            <code class="option">-L</code> then a
-            fifth channel <span class="command"><strong>default_logfile</strong></span> is added.
+            <code class="option">-L</code>, then a
+            fifth channel, <span class="command"><strong>default_logfile</strong></span>, is added.
             How they are
             used is described in <a class="xref" href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span class="command"><strong>category</strong></span> Phrase&#8221;</a>.
           </p>
-
 <pre class="programlisting">channel default_syslog {
     // send to syslog's daemon facility
     syslog daemon;
@@ -1586,67 +1452,56 @@ channel default_logfile {
     severity dynamic;
 };
 </pre>
-
-          <p>
+<p>
             The <span class="command"><strong>default_debug</strong></span> channel has the
             special
             property that it only produces output when the server's debug
             level is
-            nonzero.  It normally writes to a file called <code class="filename">named.run</code>
+            non-zero.  It normally writes to a file called <code class="filename">named.run</code>
             in the server's working directory.
           </p>
-
-          <p>
+<p>
             For security reasons, when the <code class="option">-u</code>
-            command line option is used, the <code class="filename">named.run</code> file
+            command-line option is used, the <code class="filename">named.run</code> file
             is created only after <span class="command"><strong>named</strong></span> has
             changed to the
             new UID, and any debug output generated while <span class="command"><strong>named</strong></span> is
-            starting up and still running as root is discarded.  If you need
-            to capture this output, you must run the server with the <code class="option">-L</code>
+            starting - and still running as root - is discarded.
+            To capture this output, run the server with the <code class="option">-L</code>
             option to specify a default logfile, or the <code class="option">-g</code>
-            option to log to standard error which you can redirect to a file.
+            option to log to standard error which can be redirected to a file.
           </p>
-
-          <p>
-            Once a channel is defined, it cannot be redefined. Thus you
-            cannot alter the built-in channels directly, but you can modify
-            the default logging by pointing categories at channels you have
-            defined.
+<p>
+            Once a channel is defined, it cannot be redefined.
+            The built-in channels cannot be altered directly, but
+            the default logging can be modified by pointing categories at defined channels.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="the_category_phrase"></a>The <span class="command"><strong>category</strong></span> Phrase</h4></div></div></div>
-
-          <p>
-            There are many categories, so you can send the logs you want
-            to see wherever you want, without seeing logs you don't want. If
-            you don't specify a list of channels for a category, then log
+<p>
+            There are many categories, so desired logs
+            can be sent anywhere while unwanted logs are ignored. If
+            a list of channels is not specified for a category, log
             messages
-            in that category will be sent to the <span class="command"><strong>default</strong></span> category
-            instead. If you don't specify a default category, the following
+            in that category are sent to the <span class="command"><strong>default</strong></span> category
+            instead. If no default category is specified, the following
             "default default" is used:
           </p>
-
 <pre class="programlisting">category default { default_syslog; default_debug; };
 </pre>
-
-          <p>
-            If you start <span class="command"><strong>named</strong></span> with the
-            <code class="option">-L</code> option then the default category is:
+<p>
+            If <span class="command"><strong>named</strong></span> is started with the
+            <code class="option">-L</code> option, the default category is:
           </p>
-
 <pre class="programlisting">category default { default_logfile; default_debug; };
 </pre>
-
-          <p>
-            As an example, let's say you want to log security events to
-            a file, but you also want keep the default logging behavior. You'd
+<p>
+            As an example, let's say a user wants to log security events to
+            a file, but also wants to keep the default logging behavior. They would
             specify the following:
           </p>
-
 <pre class="programlisting">channel my_security_channel {
     file "my_security_file";
     severity info;
@@ -1656,22 +1511,18 @@ category security {
     default_syslog;
     default_debug;
 };</pre>
-
-          <p>
+<p>
             To discard all messages in a category, specify the <span class="command"><strong>null</strong></span> channel:
           </p>
-
 <pre class="programlisting">category xfer-out { null; };
 category notify { null; };
 </pre>
-
-          <p>
-            Following are the available categories and brief descriptions
+<p>
+            The following are the available categories and brief descriptions
             of the types of log information they contain. More
             categories may be added in future <acronym class="acronym">BIND</acronym> releases.
           </p>
-          <div class="informaltable">
-  <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.150in" class="1">
 <col width="3.350in" class="2">
@@ -1693,8 +1544,8 @@ category notify { null; };
 	</td>
 <td>
 	  <p>
-	    Logs nameservers that are skipped due to them being
-	    a CNAME rather than A / AAAA records.
+	    Name servers that are skipped for being
+	    a CNAME rather than A/AAAA records.
 	  </p>
 	</td>
 </tr>
@@ -1726,7 +1577,7 @@ category notify { null; };
 	</td>
 <td>
 	  <p>
-	    The default category defines the logging
+	    Logging
 	    options for those categories where no specific
 	    configuration has been
 	    defined.
@@ -1739,11 +1590,11 @@ category notify { null; };
 	</td>
 <td>
 	  <p>
-	    Delegation only.  Logs queries that have been
+	    Queries that have been
 	    forced to NXDOMAIN as the result of a
 	    delegation-only zone or a
 	    <span class="command"><strong>delegation-only</strong></span> in a
-	    forward, hint or stub zone declaration.
+	    forward, hint, or stub zone declaration.
 	  </p>
 	</td>
 </tr>
@@ -1786,7 +1637,7 @@ category notify { null; };
 	  <p>
 	    Log queries that have been forced to use plain
 	    DNS due to timeouts.  This is often due to
-	    the remote servers not being RFC 1034 compliant
+	    the remote servers not being RFC 1034-compliant
 	    (not always returning FORMERR or similar to
 	    EDNS queries and other extensions to the DNS
 	    when they are not understood).  In other words, this is
@@ -1803,11 +1654,11 @@ category notify { null; };
 	  </p>
 	  <p>
 	    Note: eventually <span class="command"><strong>named</strong></span> will have to stop
-	    treating such timeouts as due to RFC 1034 non
-	    compliance and start treating it as plain
+	    treating such timeouts as due to RFC 1034
+		non-compliance and start treating it as plain
 	    packet loss.  Falsely classifying packet
-	    loss as due to RFC 1034 non compliance impacts
-	    on DNSSEC validation which requires EDNS for
+	    loss as due to RFC 1034 non-compliance impacts
+	    DNSSEC validation, which requires EDNS for
 	    the DNSSEC records to be returned.
 	  </p>
 	</td>
@@ -1818,8 +1669,8 @@ category notify { null; };
 	</td>
 <td>
 	  <p>
-	    The catch-all. Many things still aren't
-	    classified into categories, and they all end up here.
+	    Catch-all for many things that still are not
+	    classified into categories.
 	  </p>
 	</td>
 </tr>
@@ -1829,8 +1680,8 @@ category notify { null; };
 	</td>
 <td>
 	  <p>
-	    Lame servers.  These are misconfigurations
-	    in remote servers, discovered by BIND 9 when trying to
+	    Misconfigurations
+	    in remote servers, discovered by <acronym class="acronym">BIND</acronym> 9 when trying to
 	    query those servers during resolution.
 	  </p>
 	</td>
@@ -1861,11 +1712,11 @@ category notify { null; };
 	</td>
 <td>
 	  <p>
-	    Specify where queries should be logged to.
+	    Location where queries should be logged.
 	  </p>
 	  <p>
-	    At startup, specifying the category <span class="command"><strong>queries</strong></span> will also
-	    enable query logging unless <span class="command"><strong>querylog</strong></span> option has been
+	    At startup, specifying the category <span class="command"><strong>queries</strong></span> also
+	    enables query logging unless <span class="command"><strong>querylog</strong></span> option has been
 	    specified.
 	  </p>
 
@@ -1874,16 +1725,16 @@ category notify { null; };
 	    identifier in @0x&lt;hexadecimal-number&gt;
 	    format. Next, it reports the client's IP
 	    address and port number, and the query name,
-	    class and type.  Next, it reports whether the
+	    class, and type.  Next, it reports whether the
 	    Recursion Desired flag was set (+ if set, -
-	    if not set), if the query was signed (S),
-	    EDNS was in used along with the EDNS version
-	    number (E(#)), if TCP was used (T), if DO
-	    (DNSSEC Ok) was set (D), if CD (Checking
-	    Disabled) was set (C), if a valid DNS Server
-	    COOKIE was received (V), or if a DNS COOKIE
+	    if not set), whether the query was signed (S),
+	    whether EDNS was in use along with the EDNS version
+	    number (E(#)), whether TCP was used (T), whether DO
+	    (DNSSEC Ok) was set (D), whether CD (Checking
+	    Disabled) was set (C), whether a valid DNS Server
+	    COOKIE was received (V), and whether a DNS COOKIE
 	    option without a valid Server COOKIE was
-	    present (K).  After this the destination
+	    present (K).  After this, the destination
 	    address the query was sent to is reported.
 	  </p>
 
@@ -1894,10 +1745,10 @@ category notify { null; };
 	    <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
 	  </p>
 	  <p>
-	    (The first part of this log message, showing the
+	    The first part of this log message, showing the
 	    client address/port number and query name, is
 	    repeated in all subsequent log messages related
-	    to the same query.)
+	    to the same query.
 	  </p>
 	</td>
 </tr>
@@ -1924,12 +1775,12 @@ category notify { null; };
 	    These messages include a hash value of the domain name
 	    of the response and the name itself,
 	    except when there is insufficient memory to record
-	    the name for the final notice
+	    the name for the final notice.
 	    The final notice is normally delayed until about one
-	    minute after rate limit stops.
+	    minute after rate limiting stops.
 	    A lack of memory can hurry the final notice,
-	    in which case it starts with an asterisk (*).
-	    Various internal events are logged at debug 1 level
+	    which is indicated by an initial asterisk (*).
+	    Various internal events are logged at debug level 1
 	    and higher.
 	  </p>
 	  <p>
@@ -1957,7 +1808,7 @@ category notify { null; };
 <td>
 	  <p>
 	    Information about errors in response policy zone files,
-	    rewritten responses, and at the highest
+	    rewritten responses, and, at the highest
 	    <span class="command"><strong>debug</strong></span> levels, mere rewriting
 	    attempts.
 	  </p>
@@ -1979,7 +1830,7 @@ category notify { null; };
 	</td>
 <td>
 	  <p>
-	    Logs queries that have been terminated, either by dropping
+	    Queries that have been terminated, either by dropping
 	    or responding with SERVFAIL, as a result of a fetchlimit
 	    quota being exceeded.
 	  </p>
@@ -1991,7 +1842,7 @@ category notify { null; };
 	</td>
 <td>
 	  <p>
-	    Logs trust-anchor-telemetry requests received by named.
+	    Trust-anchor-telemetry requests received by <span class="command"><strong>named</strong></span>.
 	  </p>
 	</td>
 </tr>
@@ -2002,9 +1853,9 @@ category notify { null; };
 <td>
 	  <p>
 	    Messages that <span class="command"><strong>named</strong></span> was unable to determine the
-	    class of or for which there was no matching <span class="command"><strong>view</strong></span>.
-	    A one line summary is also logged to the <span class="command"><strong>client</strong></span> category.
-	    This category is best sent to a file or stderr, by
+	    class of, or for which there was no matching <span class="command"><strong>view</strong></span>.
+	    A one-line summary is also logged to the <span class="command"><strong>client</strong></span> category.
+	    This category is best sent to a file or stderr; by
 	    default it is sent to
 	    the <span class="command"><strong>null</strong></span> channel.
 	  </p>
@@ -2051,83 +1902,74 @@ category notify { null; };
 	</td>
 </tr>
 </tbody>
-</table>
+</table></div>
 </div>
-        </div>
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div>
-          <p>
+<p>
             The <span class="command"><strong>query-errors</strong></span> category is
-            specifically intended for debugging purposes: To identify
-            why and how specific queries result in responses which
-            indicate an error.
-            Messages of this category are therefore only logged
-            with <span class="command"><strong>debug</strong></span> levels.
+            used to indicate why and how specific queries resulted in
+            responses which indicate an error.  Normally, these messages
+            will be logged at <span class="command"><strong>debug</strong></span> logging levels;
+            note, however, that if query logging is active, some are
+            logged at <span class="command"><strong>info</strong></span>. The logging levels are
+            described below:
           </p>
-
-          <p>
-            At the debug levels of 1 or higher, each response with the
-            rcode of SERVFAIL is logged as follows:
+<p>
+            At <span class="command"><strong>debug</strong></span> level 1 or higher - or at
+            <span class="command"><strong>info</strong></span>, when query logging is active - each
+            response with response code SERVFAIL is logged as follows:
           </p>
-          <p>
+<p>
             <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
           </p>
-          <p>
-            This means an error resulting in SERVFAIL was
-            detected at line 3880 of source file
-            <code class="filename">query.c</code>.
-            Log messages of this level will particularly
-            help identify the cause of SERVFAIL for an
-            authoritative server.
-          </p>
-          <p>
-            At the debug levels of 2 or higher, detailed context
-            information of recursive resolutions that resulted in
-            SERVFAIL is logged.
-            The log message will look like as follows:
-          </p>
-          <p>
+<p>
+            This means an error resulting in SERVFAIL was detected at line
+            3880 of source file <code class="filename">query.c</code>.  Log messages
+            of this level are particularly helpful in identifying the cause of
+            SERVFAIL for an authoritative server.
+          </p>
+<p>
+            At <span class="command"><strong>debug</strong></span> level 2 or higher, detailed
+            context information about recursive resolutions that resulted in
+            SERVFAIL is logged.  The log message looks like this:
+          </p>
+<p>
 
             </p>
 <pre class="programlisting">
 fetch completed at resolver.c:2970 for www.example.com/A
-in 30.000183: timed out/success [domain:example.com,
-referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+in 10.000183: timed out/success [domain:example.com,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,quota:0,neterr:0,
 badresp:1,adberr:0,findfail:0,valfail:0]
             </pre>
 <p>
           </p>
-          <p>
+<p>
             The first part before the colon shows that a recursive
             resolution for AAAA records of www.example.com completed
-            in 30.000183 seconds and the final result that led to the
+            in 10.000183 seconds, and the final result that led to the
             SERVFAIL was determined at line 2970 of source file
             <code class="filename">resolver.c</code>.
           </p>
-          <p>
-            The following part shows the detected final result and the
-            latest result of DNSSEC validation.
-            The latter is always success when no validation attempt
-            is made.
-            In this example, this query resulted in SERVFAIL probably
-            because all name servers are down or unreachable, leading
-            to a timeout in 30 seconds.
-            DNSSEC validation was probably not attempted.
-          </p>
-          <p>
-            The last part enclosed in square brackets shows statistics
-            information collected for this particular resolution
-            attempt.
-            The <code class="varname">domain</code> field shows the deepest zone
-            that the resolver reached;
-            it is the zone where the error was finally detected.
-            The meaning of the other fields is summarized in the
-            following table.
+<p>
+            The next part shows the detected final result and the
+            latest result of DNSSEC validation.  The latter is always
+            "success" when no validation attempt was made.  In this example,
+            this query probably resulted in SERVFAIL because all name
+            servers are down or unreachable, leading to a timeout in 10
+            seconds.  DNSSEC validation was probably not attempted.
           </p>
-
-          <div class="informaltable">
-            <table border="1">
+<p>
+            The last part, enclosed in square brackets, shows statistics
+            collected for this particular resolution attempt.
+            The <code class="varname">domain</code> field shows the deepest zone that
+            the resolver reached; it is the zone where the error was
+            finally detected.  The meaning of the other fields is
+            summarized in the following table.
+          </p>
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.150in" class="1">
 <col width="3.350in" class="2">
@@ -2141,7 +1983,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                     <p>
                       The number of referrals the resolver received
                       throughout the resolution process.
-                      In the above example this is 2, which are most
+                      In the above example there are two, which are most
                       likely com and example.com.
                     </p>
                   </td>
@@ -2155,7 +1997,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                       The number of cycles that the resolver tried
                       remote servers at the <code class="varname">domain</code>
                       zone.
-                      In each cycle the resolver sends one query
+                      In each cycle, the resolver sends one query
                       (possibly resending it, depending on the response)
                       to each known name server of
                       the <code class="varname">domain</code> zone.
@@ -2194,13 +2036,25 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                       at the <code class="varname">domain</code> zone.
                       A server is detected to be lame either by an
                       invalid response or as a result of lookup in
-                      BIND9's address database (ADB), where lame
+                      BIND 9's address database (ADB), where lame
                       servers are cached.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
+                    <p><code class="varname">quota</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of times the resolver was unable
+                      to send a query because it had exceeded the
+                      permissible fetch quota for a server.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
                     <p><code class="varname">neterr</code></p>
                   </td>
 <td>
@@ -2208,9 +2062,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                       The number of erroneous results that the
                       resolver encountered in sending queries
                       at the <code class="varname">domain</code> zone.
-                      One common case is the remote server is
-                      unreachable and the resolver receives an ICMP
-                      unreachable error message.
+                      One common case is when the remote server is
+                      unreachable and the resolver receives an "ICMP
+                      unreachable" error message.
                     </p>
                   </td>
 </tr>
@@ -2245,7 +2099,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                   </td>
 <td>
                     <p>
-                      Failures of resolving remote server addresses.
+                      Failures to resolve remote server addresses.
                       This is a total number of failures throughout
                       the resolution process.
                     </p>
@@ -2266,36 +2120,29 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                   </td>
 </tr>
 </tbody>
-</table>
-          </div>
-          <p>
-            At the debug levels of 3 or higher, the same messages
-            as those at the debug 1 level are logged for other errors
-            than SERVFAIL.
-            Note that negative responses such as NXDOMAIN are not
-            regarded as errors here.
-          </p>
-          <p>
-            At the debug levels of 4 or higher, the same messages
-            as those at the debug 2 level are logged for other errors
-            than SERVFAIL.
-            Unlike the above case of level 3, messages are logged for
-            negative responses.
-            This is because any unexpected results can be difficult to
-            debug in the recursion case.
-          </p>
-        </div>
-      </div>
-
-      <div class="section">
+</table></div>
+<p>
+            At <span class="command"><strong>debug</strong></span> level 3 or higher, the same
+            messages as those at <span class="command"><strong>debug</strong></span> level 1 are
+            logged for errors other than SERVFAIL. Note that negative
+            responses such as NXDOMAIN are not errors, and are not logged
+            at this debug level.
+          </p>
+<p>
+            At <span class="command"><strong>debug</strong></span> level 4 or higher, the
+            detailed context information logged at <span class="command"><strong>debug</strong></span>
+            level 2 is logged for errors other than SERVFAIL and
+            for negative responses such as NXDOMAIN.
+          </p>
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="lwres_grammar"></a><span class="command"><strong>lwres</strong></span> Statement Grammar</h3></div></div></div>
-
-        <p>
+<p>
            This is the grammar of the <span class="command"><strong>lwres</strong></span>
           statement in the <code class="filename">named.conf</code> file:
         </p>
-
 <pre class="programlisting"><span class="command"><strong>lwres {</strong></span>
   [ <span class="command"><strong>listen-on {</strong></span>
     ( <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>;</strong></span> )
@@ -2308,13 +2155,11 @@ badresp:1,adberr:0,findfail:0,valfail:0]
   [ <span class="command"><strong>lwres-clients</strong></span> <em class="replaceable"><code>number</code></em><span class="command"><strong>;</strong></span> ]
 <span class="command"><strong>};</strong></span>
 </pre>
-
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="lwres_statement"></a><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>lwres</strong></span> statement configures the
           name
           server to also act as a lightweight resolver server. (See
@@ -2322,32 +2167,29 @@ badresp:1,adberr:0,findfail:0,valfail:0]
           <span class="command"><strong>lwres</strong></span> statements configuring
           lightweight resolver servers with different properties.
         </p>
-
-        <p>
+<p>
           The <span class="command"><strong>listen-on</strong></span> statement specifies a
           list of
           IPv4 addresses (and ports) that this instance of a lightweight
           resolver daemon
           should accept requests on.  If no port is specified, port 921 is
           used.
-          If this statement is omitted, requests will be accepted on
+          If this statement is omitted, requests are accepted on
           127.0.0.1,
           port 921.
         </p>
-
-        <p>
+<p>
           The <span class="command"><strong>view</strong></span> statement binds this
           instance of a
           lightweight resolver daemon to a view in the DNS namespace, so that
           the
-          response will be constructed in the same manner as a normal DNS
+          response is constructed in the same manner as a normal DNS
           query
           matching this view.  If this statement is omitted, the default view
           is
-          used, and if there is no default view, an error is triggered.
+          used; if there is no default view, an error is triggered.
         </p>
-
-        <p>
+<p>
           The <span class="command"><strong>search</strong></span> statement is equivalent to
           the
           <span class="command"><strong>search</strong></span> statement in
@@ -2355,74 +2197,69 @@ badresp:1,adberr:0,findfail:0,valfail:0]
           list of domains
           which are appended to relative names in queries.
         </p>
-
-        <p>
+<p>
           The <span class="command"><strong>ndots</strong></span> statement is equivalent to
           the
           <span class="command"><strong>ndots</strong></span> statement in
           <code class="filename">/etc/resolv.conf</code>.  It indicates the
           minimum
           number of dots in a relative domain name that should result in an
-          exact match lookup before search path elements are appended.
+          exact-match lookup before search path elements are appended.
         </p>
-        <p>
+<p>
           The <code class="option">lwres-tasks</code> statement specifies the number
-          of worker threads the lightweight resolver will dedicate to serving
-          clients.  By default the number is the same as the number of CPUs on
+          of worker threads the lightweight resolver dedicates to serving
+          clients.  By default, the number is the same as the number of CPUs on
           the system; this can be overridden using the <code class="option">-n</code>
-          command line option when starting the server.
+          command-line option when starting the server.
         </p>
-        <p>
-          The <code class="option">lwres-clients</code> specifies
+<p>
+          The <code class="option">lwres-clients</code> statement specifies
           the number of client objects per thread the lightweight
           resolver should create to serve client queries.
           By default, if the lightweight resolver runs as a part
           of <span class="command"><strong>named</strong></span>, 256 client objects are
           created for each task; if it runs as <span class="command"><strong>lwresd</strong></span>,
           1024 client objects are created for each thread. The maximum
-          value is 32768; higher values will be silently ignored and
-          the maximum will be used instead.
+          value is 32768; higher values are silently ignored and
+          the maximum is used instead.
           Note that setting too high a value may overconsume
           system resources.
         </p>
-        <p>
+<p>
           The maximum number of client queries that the lightweight
           resolver can handle at any one time equals
           <code class="option">lwres-tasks</code> times <code class="option">lwres-clients</code>.
         </p>
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="masters_grammar"></a><span class="command"><strong>masters</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>masters</strong></span> <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
     <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
     <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
     <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
 </pre>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="masters_statement"></a><span class="command"><strong>masters</strong></span> Statement Definition and
           Usage</h3></div></div></div>
-
-        <p><span class="command"><strong>masters</strong></span>
-          lists allow for a common set of masters to be easily used by
-          multiple stub and slave zones in their <span class="command"><strong>masters</strong></span>
+<p><span class="command"><strong>masters</strong></span>
+          lists allow for a common set of primaries to be easily used by
+          multiple stub and secondary zones in their <span class="command"><strong>masters</strong></span>
           or <span class="command"><strong>also-notify</strong></span> lists.
         </p>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="options_grammar"></a><span class="command"><strong>options</strong></span> Statement Grammar</h3></div></div></div>
-
-        <p>
+<p>
           This is the grammar of the <span class="command"><strong>options</strong></span>
           statement in the <code class="filename">named.conf</code> file:
         </p>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>options</strong></span> {
 	<span class="command"><strong>acache-cleaning-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>acache-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
@@ -2698,72 +2535,64 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
 };
 </pre>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="options"></a><span class="command"><strong>options</strong></span> Statement Definition and
           Usage</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>options</strong></span> statement sets up global
           options
           to be used by <acronym class="acronym">BIND</acronym>. This statement
           may appear only
           once in a configuration file. If there is no <span class="command"><strong>options</strong></span>
-          statement, an options block with each option set to its default will
-          be used.
+          statement, an options block with each option set to its default is
+          used.
         </p>
-
-        <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>attach-cache</strong></span></span></dt>
 <dd>
-                <p>
-                  Allows multiple views to share a single cache
+<p>
+                  This option allows multiple views to share a single cache
                   database.
                   Each view has its own cache database by default, but
                   if multiple views have the same operational policy
                   for name resolution and caching, those views can
-                  share a single cache to save memory and possibly
-                  improve resolution efficiency by using this option.
+                  share a single cache to save memory, and possibly
+                  improve resolution efficiency, by using this option.
                 </p>
-
-                <p>
+<p>
                   The <span class="command"><strong>attach-cache</strong></span> option
                   may also be specified in <span class="command"><strong>view</strong></span>
                   statements, in which case it overrides the
                   global <span class="command"><strong>attach-cache</strong></span> option.
                 </p>
-
-                <p>
+<p>
                   The <em class="replaceable"><code>cache_name</code></em> specifies
                   the cache to be shared.
                   When the <span class="command"><strong>named</strong></span> server configures
                   views which are supposed to share a cache, it
                   creates a cache with the specified name for the
                   first view of these sharing views.
-                  The rest of the views will simply refer to the
-                  already created cache.
+                  The rest of the views simply refer to the
+                  already-created cache.
                 </p>
-
-                <p>
-                  One common configuration to share a cache would be to
+<p>
+                  One common configuration to share a cache is to
                   allow all views to share a single cache.
                   This can be done by specifying
-                  the <span class="command"><strong>attach-cache</strong></span> as a global
+                  <span class="command"><strong>attach-cache</strong></span> as a global
                   option with an arbitrary name.
                 </p>
-
-                <p>
+<p>
                   Another possible operation is to allow a subset of
-                  all views to share a cache while the others to
+                  all views to share a cache while the others
                   retain their own caches.
                   For example, if there are three views A, B, and C,
                   and only A and B should share a cache, specify the
-                  <span class="command"><strong>attach-cache</strong></span> option as a view A (or
+                  <span class="command"><strong>attach-cache</strong></span> option as a view of A (or
                   B)'s option, referring to the other view name:
                 </p>
-
 <pre class="programlisting">
   view "A" {
     // this view has its own cache
@@ -2778,8 +2607,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     ...
   };
 </pre>
-
-                <p>
+<p>
                   Views that share a cache must have the same policy
                   on configurable parameters that may affect caching.
                   The current implementation requires the following
@@ -2794,8 +2622,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                   <span class="command"><strong>max-cache-size</strong></span>, and
                   <span class="command"><strong>zero-no-soa-ttl</strong></span>.
                 </p>
-
-                <p>
+<p>
                   Note that there may be other parameters that may
                   cause confusion if they are inconsistent for
                   different views that share a single cache.
@@ -2803,31 +2630,29 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                   forwarders that can return different answers for the
                   same question, sharing the answer does not make
                   sense or could even be harmful.
-                  It is administrator's responsibility to ensure
+                  It is administrator's responsibility to ensure that
                   configuration differences in different views do
                   not cause disruption with a shared cache.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
-<dd>
-              <p>
-                The working directory of the server.
-                Any non-absolute pathnames in the configuration file will
-                be taken as relative to this directory. The default
+<dd><p>
+                This sets the working directory of the server.
+                Any non-absolute pathnames in the configuration file are
+                taken as relative to this directory. The default
                 location for most server output files
-                (e.g. <code class="filename">named.run</code>) is this directory.
+                (e.g., <code class="filename">named.run</code>) is this directory.
                 If a directory is not specified, the working directory
-                defaults to `<code class="filename">.</code>', the directory from
+                defaults to "<code class="filename">.</code>", the directory from
                 which the server was started. The directory specified
                 should be an absolute path. It is
                 <span class="emphasis"><em>strongly recommended</em></span>
                 that the directory be writable by the effective user
                 ID of the <span class="command"><strong>named</strong></span> process.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>dnstap</strong></span></span></dt>
 <dd>
-              <p>
+<p>
                 <span class="command"><strong>dnstap</strong></span> is a fast, flexible method
                 for capturing and logging DNS traffic. Developed by
                 Robert Edmonds at Farsight Security, Inc., and supported
@@ -2842,28 +2667,28 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 by Google, Inc.; see
                 <a class="link" href="https://developers.google.com/protocol-buffers/" target="_top">https://developers.google.com/protocol-buffers</a>).
               </p>
-              <p>
+<p>
                 To enable <span class="command"><strong>dnstap</strong></span> at compile time,
                 the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
-                libraries must be available, and BIND must be configured with
+                libraries must be available, and <acronym class="acronym">BIND</acronym> must be configured with
                 <code class="option">--enable-dnstap</code>.
               </p>
-              <p>
+<p>
                 The <span class="command"><strong>dnstap</strong></span> option is a bracketed list
                 of message types to be logged. These may be set differently
                 for each view. Supported types are <code class="literal">client</code>,
                 <code class="literal">auth</code>, <code class="literal">resolver</code>, and
                 <code class="literal">forwarder</code>.  Specifying type
-                <code class="literal">all</code> will cause all <span class="command"><strong>dnstap</strong></span>
+                <code class="literal">all</code> causes all <span class="command"><strong>dnstap</strong></span>
                 messages to be logged, regardless of type.
               </p>
-              <p>
+<p>
                 Each type may take an additional argument to indicate whether
                 to log <code class="literal">query</code> messages or
                 <code class="literal">response</code> messages; if not specified,
                 both queries and responses are logged.
               </p>
-              <p>
+<p>
                 Example: To log all authoritative queries and responses,
                 recursive client responses, and upstream queries sent by
                 the resolver, use:
@@ -2876,111 +2701,97 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </pre>
 <p>
               </p>
-              <p>
+<p>
                 Logged <span class="command"><strong>dnstap</strong></span> messages can be parsed
                 using the <span class="command"><strong>dnstap-read</strong></span> utility (see
                 <a class="xref" href="man.dnstap-read.html" title="dnstap-read"><span class="refentrytitle"><span class="application">dnstap-read</span></span>(1)</a> for details).
               </p>
-              <p>
+<p>
                 For more information on <span class="command"><strong>dnstap</strong></span>, see
                 <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
               </p>
-              <p>
+<p>
                 The fstrm library has a number of tunables that are exposed
                 in <code class="filename">named.conf</code>, and can be modified
                 if necessary to improve performance or prevent loss of data.
                 These are:
               </p>
-              <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-                  
                     <span class="command"><strong>fstrm-set-buffer-hint</strong></span>: The
                     threshold number of bytes to accumulate in the output
                     buffer before forcing a buffer flush. The minimum is
                     1024, the maximum is 65536, and the default is 8192.
-                  
-                </li>
+                  </li>
 <li class="listitem">
-                  
                     <span class="command"><strong>fstrm-set-flush-timeout</strong></span>: The number
                     of seconds to allow unflushed data to remain in the
                     output buffer. The minimum is 1 second, the maximum is
                     600 seconds (10 minutes), and the default is 1 second.
-                  
-                </li>
+                  </li>
 <li class="listitem">
-                  
                     <span class="command"><strong>fstrm-set-output-notify-threshold</strong></span>:
                     The number of outstanding queue entries to allow on
                     an input queue before waking the I/O thread.
                     The minimum is 1 and the default is 32.
-                  
-                </li>
+                  </li>
 <li class="listitem">
-                  
                     <span class="command"><strong>fstrm-set-output-queue-model</strong></span>:
-                    Controls the queuing semantics to use for queue
+                    The queuing semantics to use for queue
                     objects. The default is <code class="literal">mpsc</code>
                     (multiple producer, single consumer); the other
                     option is <code class="literal">spsc</code> (single producer,
                     single consumer).
-                  
-                </li>
+                  </li>
 <li class="listitem">
-                  
                     <span class="command"><strong>fstrm-set-input-queue-size</strong></span>: The
                     number of queue entries to allocate for each
                     input queue. This value must be a power of 2.
                     The minimum is 2, the maximum is 16384, and
                     the default is 512.
-                  
-                </li>
+                  </li>
 <li class="listitem">
-                  
                     <span class="command"><strong>fstrm-set-output-queue-size</strong></span>:
                     The number of queue entries to allocate for each
                     output queue. The minimum is 2, the maximum is
                     system-dependent and based on <code class="option">IOV_MAX</code>,
                     and the default is 64.
-                  
-                </li>
+                  </li>
 <li class="listitem">
-                  
                     <span class="command"><strong>fstrm-set-reopen-interval</strong></span>:
                     The number of seconds to wait between attempts to
                     reopen a closed output stream. The minimum is 1 second,
                     the maximum is 600 seconds (10 minutes), and the default
                     is 5 seconds.
-                  
-                </li>
+                  </li>
 </ul></div>
-              <p>
+<p>
                 Note that all of the above minimum, maximum, and default
                 values are set by the <span class="command"><strong>libfstrm</strong></span> library,
                 and may be subject to change in future versions of the
                 library. See the <span class="command"><strong>libfstrm</strong></span> documentation
                 for more information.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>dnstap-output</strong></span></span></dt>
 <dd>
-              <p>
-                Configures the path to which the <span class="command"><strong>dnstap</strong></span>
-                frame stream will be sent if <span class="command"><strong>dnstap</strong></span>
+<p>
+                This configures the path to which the <span class="command"><strong>dnstap</strong></span>
+                frame stream is sent if <span class="command"><strong>dnstap</strong></span>
                 is enabled at compile time and active.
               </p>
-              <p>
+<p>
                 The first argument is either <code class="literal">file</code> or
                 <code class="literal">unix</code>, indicating whether the destination
-                is a file or a UNIX domain socket.  The second argument
+                is a file or a Unix domain socket.  The second argument
                 is the path of the file or socket.  (Note: when using a
-                socket, <span class="command"><strong>dnstap</strong></span> messages will
-                only be sent if another process such as
+                socket, <span class="command"><strong>dnstap</strong></span> messages are
+                only sent if another process such as
                 <span class="command"><strong>fstrm_capture</strong></span>
                 (provided with <span class="command"><strong>libfstrm</strong></span>) is listening on
                 the socket.)
               </p>
-              <p>
+<p>
                 <span class="command"><strong>dnstap-output</strong></span> can only be set globally
                 in <span class="command"><strong>options</strong></span>. Currently, it can only be
                 set once while <span class="command"><strong>named</strong></span> is running;
@@ -2988,60 +2799,52 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 <span class="command"><strong>rndc reload</strong></span> or
                 <span class="command"><strong>rndc reconfig</strong></span>.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>dnstap-identity</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies an <span class="command"><strong>identity</strong></span> string to send in
+<dd><p>
+                This specifies an <span class="command"><strong>identity</strong></span> string to send in
                 <span class="command"><strong>dnstap</strong></span> messages. If set to
                 <code class="literal">hostname</code>, which is the default, the
-                server's hostname will be sent. If set to
-                <code class="literal">none</code>, no identity string will be sent.
-              </p>
-            </dd>
+                server's hostname is sent. If set to
+                <code class="literal">none</code>, no identity string is sent.
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>dnstap-version</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies a <span class="command"><strong>version</strong></span> string to send in
+<dd><p>
+                This specifies a <span class="command"><strong>version</strong></span> string to send in
                 <span class="command"><strong>dnstap</strong></span> messages. The default is the
-                version number of the BIND release. If set to
-                <code class="literal">none</code>, no version string will be sent.
-              </p>
-            </dd>
+                version number of the <acronym class="acronym">BIND</acronym> release. If set to
+                <code class="literal">none</code>, no version string is sent.
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>geoip-directory</strong></span></span></dt>
-<dd>
-              <p>
+<dd><p>
                 When <span class="command"><strong>named</strong></span> is compiled using the
                 MaxMind GeoIP2 geolocation API, or the legacy GeoIP API,
                 this specifies the directory containing GeoIP
                 database files.  By default, the option is set based on
                 the prefix used to build the <span class="command"><strong>libmaxminddb</strong></span>
-                module: for example, if the library is installed in
+                module; for example, if the library is installed in
                 <code class="filename">/usr/local/lib</code>, then the default
-                <span class="command"><strong>geoip-directory</strong></span> will be
+                <span class="command"><strong>geoip-directory</strong></span> is
                 <code class="filename">/usr/local/share/GeoIP</code>. On Windows,
                 the default is the <span class="command"><strong>named</strong></span> working
                 directory.  See <a class="xref" href="Bv9ARM.ch06.html#acl" title="acl Statement Definition and Usage">the section called &#8220;<span class="command"><strong>acl</strong></span> Statement Definition and
           Usage&#8221;</a> for details about
                 <span class="command"><strong>geoip</strong></span> ACLs.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
-<dd>
-              <p>
-                When performing dynamic update of secure zones, the
+<dd><p>
+                This is the
                 directory where the public and private DNSSEC key files
-                should be found, if different than the current working
+                should be found when performing a dynamic update of secure zones, if different than the current working
                 directory.  (Note that this option has no effect on the
                 paths for files containing non-DNSSEC keys such as
                 <code class="filename">bind.keys</code>,
-                <code class="filename">rndc.key</code> or
+                <code class="filename">rndc.key</code>, or
                 <code class="filename">session.key</code>.)
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>lmdb-mapsize</strong></span></span></dt>
 <dd>
-              <p>
+<p>
                 When <span class="command"><strong>named</strong></span> is built with liblmdb,
                 this option sets a maximum size for the memory map of
                 the new-zone database (NZD) in LMDB database format.
@@ -3050,9 +2853,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 Note that this is not the NZD database file size, but
                 the largest size that the database may grow to.
               </p>
-              <p>
+<p>
                 Because the database file is memory mapped, its size is
-                limited by the address space of the named process.  The
+                limited by the address space of the <span class="command"><strong>named</strong></span> process.  The
                 default of 32 megabytes was chosen to be usable with
                 32-bit <span class="command"><strong>named</strong></span> builds.  The largest
                 permitted value is 1 terabyte. Given typical zone
@@ -3060,96 +2863,85 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 ought to be able to hold configurations of about 100,000
                 zones.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>managed-keys-directory</strong></span></span></dt>
 <dd>
-              <p>
-                Specifies the directory in which to store the files that
+<p>
+                This specifies the directory in which to store the files that
                 track managed DNSSEC keys.  By default, this is the working
                 directory.  The directory <span class="emphasis"><em>must</em></span>
                 be writable by the effective user ID of the
                 <span class="command"><strong>named</strong></span> process.
               </p>
-              <p>
+<p>
                 If <span class="command"><strong>named</strong></span> is not configured to use views,
-                then managed keys for the server will be tracked in a single
+                managed keys for the server are tracked in a single
                 file called <code class="filename">managed-keys.bind</code>.
-                Otherwise, managed keys will be tracked in separate files,
-                one file per view; each file name will be the view name
+                Otherwise, managed keys are tracked in separate files,
+                one file per view; each file name is the view name
                 (or, if it contains characters that are incompatible with
                 use as a file name, the SHA256 hash of the view name),
                 followed by the extension
                 <code class="filename">.mkeys</code>.
               </p>
-              <p>
-                (Note: in previous releases, file names for views
+<p>
+                (Note: in earlier releases, file names for views
                 always used the SHA256 hash of the view name. To ensure
-                compatibility after upgrade, if a file using the old
-                name format is found to exist, it will be used instead
+                compatibility after upgrading, if a file using the old
+                name format is found to exist, it is used instead
                 of the new format.)
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>named-xfer</strong></span></span></dt>
-<dd>
-              <p>
-                <span class="emphasis"><em>This option is obsolete.</em></span> It
-                was used in <acronym class="acronym">BIND</acronym> 8 to specify
-                the pathname to the <span class="command"><strong>named-xfer</strong></span>
-                program.  In <acronym class="acronym">BIND</acronym> 9, no separate
+<dd><p>
+                <span class="emphasis"><em>This option is obsolete.</em></span>
+                In <acronym class="acronym">BIND</acronym> 9, no separate
                 <span class="command"><strong>named-xfer</strong></span> program is needed;
                 its functionality is built into the name server.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt>
-<dd>
-              <p>
-                The KRB5 keytab file to use for GSS-TSIG updates. If
+<dd><p>
+                This is the KRB5 keytab file to use for GSS-TSIG updates. If
                 this option is set and tkey-gssapi-credential is not
-                set, then updates will be allowed with any key
+                set, updates are allowed with any key
                 matching a principal in the specified keytab.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>tkey-gssapi-credential</strong></span></span></dt>
-<dd>
-              <p>
-                The security credential with which the server should
+<dd><p>
+                This is the security credential with which the server should
                 authenticate keys requested by the GSS-TSIG protocol.
-                Currently only Kerberos 5 authentication is available
-                and the credential is a Kerberos principal which the
+                Currently only Kerberos 5 authentication is available;
+                the credential is a Kerberos principal which the
                 server can acquire through the default system key
                 file, normally <code class="filename">/etc/krb5.keytab</code>.
-                The location keytab file can be overridden using the
-                tkey-gssapi-keytab option. Normally this principal is
+                The location of the keytab file can be overridden using the
+                <span class="command"><strong>tkey-gssapi-keytab</strong></span> option. Normally this principal is
                 of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
                 To use GSS-TSIG, <span class="command"><strong>tkey-domain</strong></span> must
                 also be set if a specific keytab is not set with
-                tkey-gssapi-keytab.
-              </p>
-            </dd>
+                <span class="command"><strong>tkey-gssapi-keytab</strong></span>.
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>tkey-domain</strong></span></span></dt>
-<dd>
-              <p>
-                The domain appended to the names of all shared keys
+<dd><p>
+                This domain is appended to the names of all shared keys
                 generated with <span class="command"><strong>TKEY</strong></span>.  When a
                 client requests a <span class="command"><strong>TKEY</strong></span> exchange,
                 it may or may not specify the desired name for the
-                key. If present, the name of the shared key will
-                be <code class="varname">client specified part</code> +
+                key. If present, the name of the shared key is
+                <code class="varname">client-specified part</code> +
                 <code class="varname">tkey-domain</code>.  Otherwise, the
-                name of the shared key will be <code class="varname">random hex
+                name of the shared key is <code class="varname">random hex
                 digits</code> + <code class="varname">tkey-domain</code>.
                 In most cases, the <span class="command"><strong>domainname</strong></span>
                 should be the server's domain name, or an otherwise
-                non-existent subdomain like
-                "_tkey.<code class="varname">domainname</code>".  If you are
+                nonexistent subdomain like
+                "_tkey.<code class="varname">domainname</code>".  If
                 using GSS-TSIG, this variable must be defined, unless
-                you specify a specific keytab using tkey-gssapi-keytab.
-              </p>
-            </dd>
+                a specific keytab is specified using <span class="command"><strong>tkey-gssapi-keytab</strong></span>.
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>tkey-dhkey</strong></span></span></dt>
-<dd>
-              <p>
-                The Diffie-Hellman key used by the server
+<dd><p>
+                This is the Diffie-Hellman key used by the server
                 to generate shared keys with clients using the Diffie-Hellman
                 mode
                 of <span class="command"><strong>TKEY</strong></span>. The server must be
@@ -3157,42 +2949,35 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 public and private keys from files in the working directory.
                 In
                 most cases, the <code class="varname">key_name</code> should be the server's host name.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>cache-file</strong></span></span></dt>
-<dd>
-              <p>
+<dd><p>
                 This is for testing only.  Do not use.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>dump-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server dumps
-                the database to when instructed to do so with
+<dd><p>
+                This is the pathname of the file the server dumps
+                the database to, when instructed to do so with
                 <span class="command"><strong>rndc dumpdb</strong></span>.
                 If not specified, the default is <code class="filename">named_dump.db</code>.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>memstatistics-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server writes memory
+<dd><p>
+                This is the pathname of the file the server writes memory
                 usage statistics to on exit. If not specified,
                 the default is <code class="filename">named.memstats</code>.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>lock-file</strong></span></span></dt>
 <dd>
-              <p>
-                The pathname of a file on which <span class="command"><strong>named</strong></span> will
-                attempt to acquire a file lock when starting up for
-                the first time; if unsuccessful, the server will
-                will terminate, under the assumption that another
+<p>
+                This is the pathname of a file on which <span class="command"><strong>named</strong></span>
+                attempts to acquire a file lock when starting for
+                the first time; if unsuccessful, the server
+                terminates, under the assumption that another
                 server is already running.  If not specified, the default is
                 <code class="filename">none</code>.
               </p>
-              <p>
+<p>
                 Specifying <span class="command"><strong>lock-file none</strong></span> disables the
                 use of a lock file.  <span class="command"><strong>lock-file</strong></span> is
                 ignored if <span class="command"><strong>named</strong></span> was run using the <code class="option">-X</code>
@@ -3200,69 +2985,58 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 <span class="command"><strong>lock-file</strong></span> are ignored if
                 <span class="command"><strong>named</strong></span> is being reloaded or
                 reconfigured; it is only effective when the server is
-                first started up.
+                first started.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>pid-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server writes its process ID
+<dd><p>
+                This is the pathname of the file the server writes its process ID
                 in. If not specified, the default is
                 <code class="filename">/var/run/named/named.pid</code>.
-                The PID file is used by programs that want to send signals to
+                The PID file is used by programs that send signals to
                 the running
                 name server. Specifying <span class="command"><strong>pid-file none</strong></span> disables the
-                use of a PID file &#8212; no file will be written and any
-                existing one will be removed.  Note that <span class="command"><strong>none</strong></span>
+                use of a PID file; no file is written and any
+                existing one is removed.  Note that <span class="command"><strong>none</strong></span>
                 is a keyword, not a filename, and therefore is not enclosed
                 in
                 double quotes.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>recursing-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server dumps
-                the queries that are currently recursing when instructed
+<dd><p>
+                This is the pathname of the file where the server dumps
+                the queries that are currently recursing, when instructed
                 to do so with <span class="command"><strong>rndc recursing</strong></span>.
                 If not specified, the default is <code class="filename">named.recursing</code>.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>statistics-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server appends statistics
-                to when instructed to do so using <span class="command"><strong>rndc stats</strong></span>.
+<dd><p>
+                This is the pathname of the file the server appends statistics
+                to, when instructed to do so using <span class="command"><strong>rndc stats</strong></span>.
                 If not specified, the default is <code class="filename">named.stats</code> in the
                 server's current directory.  The format of the file is
                 described
                 in <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>bindkeys-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of a file to override the built-in trusted
+<dd><p>
+                This is the pathname of a file to override the built-in trusted
                 keys provided by <span class="command"><strong>named</strong></span>.
                 See the discussion of <span class="command"><strong>dnssec-validation</strong></span>
                 for details.  If not specified, the default is
                 <code class="filename">/etc/bind.keys</code>.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>secroots-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server dumps
-                security roots to when instructed to do so with
+<dd><p>
+                This is the pathname of the file the server dumps
+                security roots to, when instructed to do so with
                 <span class="command"><strong>rndc secroots</strong></span>.
                 If not specified, the default is
                 <code class="filename">named.secroots</code>.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>session-keyfile</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file into which to write a TSIG
+<dd><p>
+                This is the pathname of the file into which to write a TSIG
                 session key generated by <span class="command"><strong>named</strong></span> for use by
                 <span class="command"><strong>nsupdate -l</strong></span>.  If not specified, the
                 default is <code class="filename">/var/run/named/session.key</code>.
@@ -3271,57 +3045,47 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 <span class="command"><strong>update-policy</strong></span> statement's
                 <strong class="userinput"><code>local</code></strong> option for more
                 information about this feature.)
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>session-keyname</strong></span></span></dt>
-<dd>
-              <p>
-                The key name to use for the TSIG session key.
-                If not specified, the default is "local-ddns".
-              </p>
-            </dd>
+<dd><p>
+                This is the key name to use for the TSIG session key.
+                If not specified, the default is <code class="varname">local-ddns</code>.
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>session-keyalg</strong></span></span></dt>
-<dd>
-              <p>
-                The algorithm to use for the TSIG session key.
+<dd><p>
+                This is the algorithm to use for the TSIG session key.
                 Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
-                hmac-sha384, hmac-sha512 and hmac-md5.  If not
+                hmac-sha384, hmac-sha512, and hmac-md5.  If not
                 specified, the default is hmac-sha256.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>port</strong></span></span></dt>
-<dd>
-              <p>
-                The UDP/TCP port number the server uses for
-                receiving and sending DNS protocol traffic.
+<dd><p>
+                This is the UDP/TCP port number the server uses to
+                receive and send DNS protocol traffic.
                 The default is 53.  This option is mainly intended for server
                 testing;
-                a server using a port other than 53 will not be able to
+                a server using a port other than 53 is not able to
                 communicate with
                 the global DNS.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>dscp</strong></span></span></dt>
-<dd>
-              <p>
-                The global Differentiated Services Code Point (DSCP)
-                value to classify outgoing DNS traffic on operating
+<dd><p>
+                This is the global Differentiated Services Code Point (DSCP)
+                value to classify outgoing DNS traffic, on operating
                 systems that support DSCP. Valid values are 0 through 63.
                 It is not configured by default.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt>
-<dd>
-              <p>
-                The source of entropy to be used by the server.  Entropy is
+<dd><p>
+                This specifies a source of entropy to be used by the server.  Entropy is
                 primarily needed
                 for DNSSEC operations, such as TKEY transactions and dynamic
                 update of signed
-                zones.  This options specifies the device (or file) from which
+                zones.  This option specifies the device (or file) from which
                 to read
-                entropy.  If this is a file, operations requiring entropy will
+                entropy.  If it is a file, operations requiring entropy will
                 fail when the
-                file has been exhausted.  If not specified, the default value
+                file has been exhausted.  If <span class="command"><strong>random-device</strong></span> is not specified, the default value
                 is
                 <code class="filename">/dev/random</code>
                 (or equivalent) when present, and none otherwise.  The
@@ -3329,151 +3093,144 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 effect during
                 the initial configuration load at server startup time and
                 is ignored on subsequent reloads.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt>
-<dd>
-              <p>
-                If specified, the listed type (A or AAAA) will be emitted
+<dd><p>
+                If specified, the listed type (A or AAAA) is emitted
                 before other glue
                 in the additional section of a query response.
                 The default is to prefer A records when responding
                 to queries that arrived via IPv4 and AAAA when
                 responding to queries that arrived via IPv6.
-              </p>
-            </dd>
+              </p></dd>
 <dt>
 <a name="root_delegation_only"></a><span class="term"><span class="command"><strong>root-delegation-only</strong></span></span>
 </dt>
 <dd>
-              <p>
-                Turn on enforcement of delegation-only in TLDs
-                (top level domains) and root zones with an optional
+<p>
+                This turns on enforcement of delegation-only in TLDs
+                (top-level domains) and root zones with an optional
                 exclude list.
               </p>
-              <p>
+<p>
                 DS queries are expected to be made to and be answered by
-                delegation only zones.  Such queries and responses are
+                delegation-only zones.  Such queries and responses are
                 treated as an exception to delegation-only processing
-                and are not converted to NXDOMAIN responses provided
+                and are not converted to NXDOMAIN responses, provided
                 a CNAME is not discovered at the query name.
               </p>
-              <p>
-                If a delegation only zone server also serves a child
-                zone it is not always possible to determine whether
-                an answer comes from the delegation only zone or the
-                child zone.  SOA NS and DNSKEY records are apex
-                only records and a matching response that contains
+<p>
+                If a delegation-only zone server also serves a child
+                zone, it is not always possible to determine whether
+                an answer comes from the delegation-only zone or the
+                child zone.  SOA NS and DNSKEY records are apex-only
+                records and a matching response that contains
                 these records or DS is treated as coming from a
                 child zone.  RRSIG records are also examined to see
-                if they are signed by a child zone or not.  The
-                authority section is also examined to see if there
+                if they are signed by a child zone, and the
+                authority section is examined to see if there
                 is evidence that the answer is from the child zone.
                 Answers that are determined to be from a child zone
                 are not converted to NXDOMAIN responses.  Despite
-                all these checks there is still a possibility of
+                all these checks, there is still a possibility of
                 false negatives when a child zone is being served.
               </p>
-              <p>
-                Similarly false positives can arise from empty nodes
-                (no records at the name) in the delegation only zone
-                when the query type is not ANY.
+<p>
+                Similarly, false positives can arise from empty nodes
+                (no records at the name) in the delegation-only zone
+                when the query type is not <code class="varname">ANY</code>.
               </p>
-              <p>
-                Note some TLDs are not delegation only (e.g. "DE", "LV",
-                "US" and "MUSEUM").  This list is not exhaustive.
+<p>
+                Note that some TLDs are not delegation-only; e.g., "DE", "LV",
+                "US", and "MUSEUM".  This list is not exhaustive.
               </p>
-
 <pre class="programlisting">
 options {
         root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
 };
 </pre>
-
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>disable-algorithms</strong></span></span></dt>
 <dd>
-              <p>
-                Disable the specified DNSSEC algorithms at and below the
+<p>
+                This disables the specified DNSSEC algorithms at and below the
                 specified name.
                 Multiple <span class="command"><strong>disable-algorithms</strong></span>
                 statements are allowed.
-                Only the best match <span class="command"><strong>disable-algorithms</strong></span>
-                clause will be used to determine which algorithms are used.
+                Only the best-match <span class="command"><strong>disable-algorithms</strong></span>
+                clause is used to determine the algorithms.
               </p>
-              <p>
+<p>
                 If all supported algorithms are disabled, the zones covered
-                by the <span class="command"><strong>disable-algorithms</strong></span> will be treated
+                by the <span class="command"><strong>disable-algorithms</strong></span> setting are treated
                 as insecure.
               </p>
-              <p>
+<p>
                 Configured trust anchors in <span class="command"><strong>trusted-keys</strong></span>
                 or <span class="command"><strong>managed-keys</strong></span> that match a disabled
-                algorithm will be ignored and treated as if they were not
-                configured at all.
+                algorithm are ignored and treated as if they were not
+                configured.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
 <dd>
-              <p>
-                Disable the specified DS/DLV digest types at and below the
+<p>
+                This disables the specified DS digest types at and below the
                 specified name.
                 Multiple <span class="command"><strong>disable-ds-digests</strong></span>
                 statements are allowed.
-                Only the best match <span class="command"><strong>disable-ds-digests</strong></span>
-                clause will be used to determine which digest types are used.
+                Only the best-match <span class="command"><strong>disable-ds-digests</strong></span>
+                clause is used to determine the digest types.
               </p>
-              <p>
+<p>
                 If all supported digest types are disabled, the zones covered
-                by the <span class="command"><strong>disable-ds-digests</strong></span> will be treated
+                by <span class="command"><strong>disable-ds-digests</strong></span> are treated
                 as insecure.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>dnssec-lookaside</strong></span></span></dt>
 <dd>
-              <p>
+<p>
                 When set, <span class="command"><strong>dnssec-lookaside</strong></span> provides the
                 validator with an alternate method to validate DNSKEY
                 records at the top of a zone.  When a DNSKEY is at or
                 below a domain specified by the deepest
                 <span class="command"><strong>dnssec-lookaside</strong></span>, and the normal DNSSEC
                 validation has left the key untrusted, the trust-anchor
-                will be appended to the key name and a DLV record will be
+                is appended to the key name and a DLV record is
                 looked up to see if it can validate the key.  If the DLV
                 record validates a DNSKEY (similarly to the way a DS
-                record does) the DNSKEY RRset is deemed to be trusted.
+                record does), the DNSKEY RRset is deemed to be trusted.
               </p>
-              <p>
+<p>
                 If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
-                <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
+                <strong class="userinput"><code>no</code></strong>, then <span class="command"><strong>dnssec-lookaside</strong></span>
                 is not used.
               </p>
-              <p>
-                NOTE: The ISC-provided DLV service at
-                <code class="literal">dlv.isc.org</code>, has been shut down.
+<p>
+                Note: the ISC-provided DLV service at
+                <code class="literal">dlv.isc.org</code> has been shut down.
                 The <span class="command"><strong>dnssec-lookaside auto;</strong></span>
                 configuration option, which set <span class="command"><strong>named</strong></span>
-                up to use ISC DLV with minimal configuration, has
+                to use ISC DLV with minimal configuration, has
                 accordingly been removed.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt>
-<dd>
-              <p>
-                Specify hierarchies which must be or may not be secure
+<dd><p>
+                This specifies hierarchies which must be or may not be secure
                 (signed and validated).  If <strong class="userinput"><code>yes</code></strong>,
-                then <span class="command"><strong>named</strong></span> will only accept answers if
+                then <span class="command"><strong>named</strong></span> only accepts answers if
                 they are secure.  If <strong class="userinput"><code>no</code></strong>, then normal
-                DNSSEC validation applies allowing for insecure answers to
+                DNSSEC validation applies, allowing insecure answers to
                 be accepted.  The specified domain must be under a
                 <span class="command"><strong>trusted-keys</strong></span> or
                 <span class="command"><strong>managed-keys</strong></span> statement, or
                 <span class="command"><strong>dnssec-validation auto</strong></span> must be active.
-              </p>
-            </dd>
+              </p></dd>
 <dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
 <dd>
-              <p>
+<p>
                 This directive instructs <span class="command"><strong>named</strong></span> to
                 return mapped IPv4 addresses to AAAA queries when
                 there are no AAAA records.  It is intended to be
@@ -3481,47 +3238,47 @@ options {
                 <span class="command"><strong>dns64</strong></span> defines one DNS64 prefix.
                 Multiple DNS64 prefixes can be defined.
               </p>
-              <p>
+<p>
                 Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
-                64 and 96 as per RFC 6052.  Bits 64..71 inclusive must
-                be zero with the most significate bit of the prefix in
+                64, and 96, per RFC 6052.  Bits 64..71 inclusive must
+                be zero, with the most significant bit of the prefix in
                 position 0.
               </p>
-              <p>
-                Additionally a reverse IP6.ARPA zone will be created for
+<p>
+                In addition, a reverse IP6.ARPA zone is created for
                 the prefix to provide a mapping from the IP6.ARPA names
                 to the corresponding IN-ADDR.ARPA names using synthesized
                 CNAMEs.  <span class="command"><strong>dns64-server</strong></span> and
                 <span class="command"><strong>dns64-contact</strong></span> can be used to specify
                 the name of the server and contact for the zones. These
-                are settable at the view / options level.  These are
-                not settable on a per-prefix basis.
+                can be set at the view/options level but not
+                on a per-prefix basis.
               </p>
-              <p>
+<p>
                 Each <span class="command"><strong>dns64</strong></span> supports an optional
                 <span class="command"><strong>clients</strong></span> ACL that determines which
                 clients are affected by this directive.  If not defined,
                 it defaults to <strong class="userinput"><code>any;</code></strong>.
               </p>
-              <p>
+<p>
                 Each <span class="command"><strong>dns64</strong></span> supports an optional
                 <span class="command"><strong>mapped</strong></span> ACL that selects which
                 IPv4 addresses are to be mapped in the corresponding
-                A RRset.  If not defined it defaults to
+                A RRset.  If not defined, it defaults to
                 <strong class="userinput"><code>any;</code></strong>.
               </p>
-              <p>
-                Normally, DNS64 won't apply to a domain name that
-                owns one or more AAAA records; these records will
-                simply be returned.  The optional
+<p>
+                Normally, DNS64 does not apply to a domain name that
+                owns one or more AAAA records; these records are
+                simply returned.  The optional
                 <span class="command"><strong>exclude</strong></span> ACL allows specification
-                of a list of IPv6 addresses that will be ignored
-                if they appear in a domain name's AAAA records, and
-                DNS64 will be applied to any A records the domain
+                of a list of IPv6 addresses that are ignored
+                if they appear in a domain name's AAAA records;
+                DNS64 is applied to any A records the domain
                 name owns.  If not defined, <span class="command"><strong>exclude</strong></span>
                 defaults to ::ffff:0.0.0.0/96.
               </p>
-              <p>
+<p>
                 A optional <span class="command"><strong>suffix</strong></span> can also
                 be defined to set the bits trailing the mapped
                 IPv4 address bits.  By default these bits are
@@ -3529,20 +3286,20 @@ options {
                 matching the prefix and mapped IPv4 address
                 must be zero.
               </p>
-              <p>
+<p>
                 If <span class="command"><strong>recursive-only</strong></span> is set to
-                <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
-                only happen for recursive queries.  The default
+                <span class="command"><strong>yes</strong></span>, the DNS64 synthesis
+                only happens for recursive queries.  The default
                 is <span class="command"><strong>no</strong></span>.
               </p>
-              <p>
+<p>
                 If <span class="command"><strong>break-dnssec</strong></span> is set to
-                <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
-                happen even if the result, if validated, would
+                <span class="command"><strong>yes</strong></span>, the DNS64 synthesis
+                happens even if the result, if validated, would
                 cause a DNSSEC validation failure.  If this option
                 is set to <span class="command"><strong>no</strong></span> (the default), the DO
                 is set on the incoming query, and there are RRSIGs on
-                the applicable records, then synthesis will not happen.
+                the applicable records, then synthesis does not happen.
               </p>
 <pre class="programlisting">
         acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
@@ -3554,12 +3311,11 @@ options {
                 suffix ::;
         };
 </pre>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   When a zone is configured with <span class="command"><strong>auto-dnssec
-                  maintain;</strong></span> its key repository must be checked
+                  maintain;</strong></span>, its key repository must be checked
                   periodically to see if any new keys have been added
                   or any existing keys' timing metadata has been updated
                   (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
@@ -3570,11 +3326,10 @@ options {
                   the minimum is <code class="literal">1</code> (1 minute), and the
                   maximum is <code class="literal">1440</code> (24 hours); any higher
                   value is silently reduced.
-                </p>
-            </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   If this option is set to its default value of
                   <code class="literal">maintain</code> in a zone of type
                   <code class="literal">master</code> which is DNSSEC-signed
@@ -3582,171 +3337,171 @@ options {
                   <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>), and
                   if <span class="command"><strong>named</strong></span> has access to the
                   private signing key(s) for the zone, then
-                  <span class="command"><strong>named</strong></span> will automatically sign all new
-                  or changed records and maintain signatures for the zone
+                  <span class="command"><strong>named</strong></span> automatically signs all new
+                  or changed records and maintains signatures for the zone
                   by regenerating RRSIG records whenever they approach
                   their expiration date.
                 </p>
-                <p>
+<p>
                   If the option is changed to <code class="literal">no-resign</code>,
-                  then <span class="command"><strong>named</strong></span> will sign all new or
+                  then <span class="command"><strong>named</strong></span> signs all new or
                   changed records, but scheduled maintenance of
                   signatures is disabled.
                 </p>
-                <p>
+<p>
                   With either of these settings, <span class="command"><strong>named</strong></span>
-                  will reject updates to a DNSSEC-signed zone when the
+                  rejects updates to a DNSSEC-signed zone when the
                   signing keys are inactive or unavailable to
                   <span class="command"><strong>named</strong></span>.  (A planned third option,
                   <code class="literal">external</code>, will disable all automatic
                   signing and allow DNSSEC data to be submitted into a zone
                   via dynamic update; this is not yet implemented.)
                 </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>nta-lifetime</strong></span></span></dt>
 <dd>
-                <p>
-                  Species the default lifetime, in seconds,
-                  that will be used for negative trust anchors added
+<p>
+                  This specifies the default lifetime, in seconds,
+                  for negative trust anchors added
                   via <span class="command"><strong>rndc nta</strong></span>.
                 </p>
-                <p>
+<p>
                   A negative trust anchor selectively disables
                   DNSSEC validation for zones that are known to be
-                  failing because of misconfiguration rather than
+                  failing because of misconfiguration, rather than
                   an attack.  When data to be validated is
                   at or below an active NTA (and above any other
-                  configured trust anchors), <span class="command"><strong>named</strong></span> will
-                  abort the DNSSEC validation process and treat the data as
+                  configured trust anchors), <span class="command"><strong>named</strong></span>
+                  aborts the DNSSEC validation process and treats the data as
                   insecure rather than bogus.  This continues until the
                   NTA's lifetime is elapsed. NTAs persist
                   across <span class="command"><strong>named</strong></span> restarts.
                 </p>
-                <p>
-                  For convenience, TTL-style time unit suffixes can be
-                  used to specify the NTA lifetime in seconds, minutes
+<p>
+                  For convenience, TTL-style time-unit suffixes can be
+                  used to specify the NTA lifetime in seconds, minutes,
                   or hours.  <code class="option">nta-lifetime</code> defaults to
-                  one hour.  It cannot exceed one week.
+                  one hour; it cannot exceed one week.
                 </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>nta-recheck</strong></span></span></dt>
 <dd>
-                <p>
-                  Species how often to check whether negative
+<p>
+                  This specifies how often to check whether negative
                   trust anchors added via <span class="command"><strong>rndc nta</strong></span>
                   are still necessary.
                 </p>
-                <p>
+<p>
                   A negative trust anchor is normally used when a
                   domain has stopped validating due to operator error;
                   it temporarily disables DNSSEC validation for that
                   domain. In the interest of ensuring that DNSSEC
                   validation is turned back on as soon as possible,
-                  <span class="command"><strong>named</strong></span> will periodically send a
+                  <span class="command"><strong>named</strong></span> periodically sends a
                   query to the domain, ignoring negative trust anchors,
                   to find out whether it can now be validated.  If so,
                   the negative trust anchor is allowed to expire early.
                 </p>
-                <p>
+<p>
                   Validity checks can be disabled for an individual
                   NTA by using <span class="command"><strong>rndc nta -f</strong></span>, or
                   for all NTAs by setting <code class="option">nta-recheck</code>
                   to zero.
                 </p>
-                <p>
-                  For convenience, TTL-style time unit suffixes can be
+<p>
+                  For convenience, TTL-style time-unit suffixes can be
                   used to specify the NTA recheck interval in seconds,
-                  minutes or hours.  The default is five minutes.  It
-                  cannot be longer than <code class="option">nta-lifetime</code>
-                  (which cannot be longer than a week).
+                  minutes, or hours.  The default is five minutes.  It
+                  cannot be longer than <code class="option">nta-lifetime</code>,
+                  which cannot be longer than a week.
                 </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
 <dd>
-              <p>
-                Specifies a maximum permissible TTL value in seconds.
-                For convenience, TTL-style time unit suffixes may be
+<p>
+                This specifies a maximum permissible TTL value in seconds.
+                For convenience, TTL-style time-unit suffixes may be
                 used to specify the maximum value.
                 When loading a zone file using a
                 <code class="option">masterfile-format</code> of
                 <code class="constant">text</code> or <code class="constant">raw</code>,
                 any record encountered with a TTL higher than
-                <code class="option">max-zone-ttl</code> will cause the zone to
+                <code class="option">max-zone-ttl</code> causes the zone to
                 be rejected.
               </p>
-              <p>
+<p>
                 This is useful in DNSSEC-signed zones because when
                 rolling to a new DNSKEY, the old key needs to remain
                 available until RRSIG records have expired from
                 caches.  The <code class="option">max-zone-ttl</code> option guarantees
-                that the largest TTL in the zone will be no higher
+                that the largest TTL in the zone is no higher
                 than the set value.
               </p>
-              <p>
-                (NOTE: Because <code class="constant">map</code>-format files
+<p>
+                (Note: because <code class="constant">map</code>-format files
                 load directly into memory, this option cannot be
                 used with them.)
               </p>
-              <p>
+<p>
                 The default value is <code class="constant">unlimited</code>.
                 A <code class="option">max-zone-ttl</code> of zero is treated as
                 <code class="constant">unlimited</code>.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
 <dd>
-              <p>
+<p>
                 Zones configured for dynamic DNS may use this
-                option to set the update method that will be used for
+                option to set the update method to be used for
                 the zone serial number in the SOA record.
               </p>
-              <p>
+<p>
                 With the default setting of
                 <span class="command"><strong>serial-update-method increment;</strong></span>, the
-                SOA serial number will be incremented by one each time
+                SOA serial number is incremented by one each time
                 the zone is updated.
               </p>
-              <p>
+<p>
                 When set to
                 <span class="command"><strong>serial-update-method unixtime;</strong></span>, the
-                SOA serial number will be set to the number of seconds
-                since the UNIX epoch, unless the serial number is
+                SOA serial number is set to the number of seconds
+                since the Unix epoch, unless the serial number is
                 already greater than or equal to that value, in which
                 case it is simply incremented by one.
               </p>
-              <p>
+<p>
                 When set to
                 <span class="command"><strong>serial-update-method date;</strong></span>, the
-                new SOA serial number will be the current date
+                new SOA serial number is the current date
                 in the form "YYYYMMDD", followed by two zeroes,
                 unless the existing serial number is already greater
                 than or equal to that value, in which case it is
                 incremented by one.
               </p>
-            </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
 <dd>
-              <p>
-                If <strong class="userinput"><code>full</code></strong>, the server will collect
-                statistical data on all zones (unless specifically
+<p>
+                If <strong class="userinput"><code>full</code></strong>, the server collects
+                statistical data on all zones, unless specifically
                 turned off on a per-zone basis by specifying
                 <span class="command"><strong>zone-statistics terse</strong></span> or
                 <span class="command"><strong>zone-statistics none</strong></span>
-                in the <span class="command"><strong>zone</strong></span> statement).
+                in the <span class="command"><strong>zone</strong></span> statement.
                 The default is <strong class="userinput"><code>terse</code></strong>, providing
                 minimal statistics on zones (including name and
                 current serial number, but not query type
                 counters).
               </p>
-              <p>
+<p>
                 These statistics may be accessed via the
                 <span class="command"><strong>statistics-channel</strong></span> or
                 using <span class="command"><strong>rndc stats</strong></span>, which
-                will dump them to the file listed
+                dumps them to the file listed
                 in the <span class="command"><strong>statistics-file</strong></span>.  See
                 also <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
               </p>
-              <p>
+<p>
                 For backward compatibility with earlier versions
                 of BIND 9, the <span class="command"><strong>zone-statistics</strong></span>
                 option can also accept <strong class="userinput"><code>yes</code></strong>
@@ -3757,42 +3512,40 @@ options {
                 as <strong class="userinput"><code>none</code></strong>; previously, it
                 was the same as <strong class="userinput"><code>terse</code></strong>.
               </p>
-            </dd>
+</dd>
 </dl></div>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="boolean_options"></a>Boolean Options</h4></div></div></div>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>automatic-interface-scan</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   If <strong class="userinput"><code>yes</code></strong> and supported by the operating
-                  system, automatically rescan network interfaces when the
+                  system, this automatically rescans network interfaces when the
                   interface addresses are added or removed.  The default is
                   <strong class="userinput"><code>yes</code></strong>.  This configuration option does
-                  not affect time based <span class="command"><strong>interface-interval</strong></span>
-                  option, and it is recommended to set the time based
+                  not affect the time-based <span class="command"><strong>interface-interval</strong></span>
+                  option; it is recommended to set the time-based
                   <span class="command"><strong>interface-interval</strong></span> to 0 when the operator
                   confirms that automatic interface scanning is supported by the
                   operating system.
                 </p>
-                <p>
+<p>
                   The <span class="command"><strong>automatic-interface-scan</strong></span> implementation
-                  uses routing sockets for the network interface discovery,
-                  and therefore the operating system has to support the routing
+                  uses routing sockets for the network interface discovery;
+                  therefore, the operating system must support the routing
                   sockets for this feature to work.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   If <strong class="userinput"><code>yes</code></strong>, then zones can be
                   added at runtime via <span class="command"><strong>rndc addzone</strong></span>.
                   The default is <strong class="userinput"><code>no</code></strong>.
                 </p>
-                <p>
+<p>
                   Newly added zones' configuration parameters
                   are stored so that they can persist after the
                   server is restarted.  The configuration information
@@ -3806,112 +3559,98 @@ options {
                   incompatible with use as a file name, in which case a
                   cryptographic hash of the view name is used instead.
                 </p>
-                <p>
-                  Zones added at runtime will have their configuration
+<p>
+                  Configurations for zones added at runtime are
                   stored either in a new-zone file (NZF) or a new-zone
-                  database (NZD) depending on whether
+                  database (NZD), depending on whether
                   <span class="command"><strong>named</strong></span> was linked with
                   liblmdb at compile time.
                   See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for further details
                   about <span class="command"><strong>rndc addzone</strong></span>.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>auth-nxdomain</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, then the <span class="command"><strong>AA</strong></span> bit
                   is always set on NXDOMAIN responses, even if the server is
                   not actually
-                  authoritative. The default is <strong class="userinput"><code>no</code></strong>;
-                  this is
-                  a change from <acronym class="acronym">BIND</acronym> 8. If you
-                  are using very old DNS software, you
-                  may need to set it to <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
+                  authoritative. The default is <strong class="userinput"><code>no</code></strong>.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>deallocate-on-exit</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option was used in <acronym class="acronym">BIND</acronym>
                   8 to enable checking
                   for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
                   the checks.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>memstatistics</strong></span></span></dt>
-<dd>
-                <p>
-                  Write memory statistics to the file specified by
+<dd><p>
+                  This writes memory statistics to the file specified by
                   <span class="command"><strong>memstatistics-file</strong></span> at exit.
                   The default is <strong class="userinput"><code>no</code></strong> unless
-                  '-m record' is specified on the command line in
+                  <strong class="userinput"><code>-m record</code></strong> is specified on the command line, in
                   which case it is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   If <strong class="userinput"><code>yes</code></strong>, then the
                   server treats all zones as if they are doing zone transfers
                   across
                   a dial-on-demand dialup link, which can be brought up by
                   traffic
-                  originating from this server. This has different effects
+                  originating from this server. Although this setting has different effects
                   according
-                  to zone type and concentrates the zone maintenance so that
-                  it all
-                  happens in a short interval, once every <span class="command"><strong>heartbeat-interval</strong></span> and
-                  hopefully during the one call. It also suppresses some of
-                  the normal
+                  to zone type, it concentrates the zone maintenance so that
+                  everything
+                  happens quickly, once every <span class="command"><strong>heartbeat-interval</strong></span>,
+                  ideally during a single call. It also suppresses some
+                  normal
                   zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
                 </p>
-                <p>
-                  The <span class="command"><strong>dialup</strong></span> option
-                  may also be specified in the <span class="command"><strong>view</strong></span> and
-                  <span class="command"><strong>zone</strong></span> statements,
-                  in which case it overrides the global <span class="command"><strong>dialup</strong></span>
-                  option.
+<p>
+                  If specified in the <span class="command"><strong>view</strong></span> and
+                  <span class="command"><strong>zone</strong></span> statements, the <span class="command"><strong>dialup</strong></span> option
+                  overrides the global <span class="command"><strong>dialup</strong></span> option.
                 </p>
-                <p>
-                  If the zone is a master zone, then the server will send out a
+<p>
+                  If the zone is a primary zone, the server sends out a
                   NOTIFY
-                  request to all the slaves (default). This should trigger the
+                  request to all the secondaries (default). This should trigger the
                   zone serial
-                  number check in the slave (providing it supports NOTIFY)
-                  allowing the slave
+                  number check in the secondary (providing it supports NOTIFY),
+                  allowing the secondary
                   to verify the zone while the connection is active.
                   The set of servers to which NOTIFY is sent can be controlled
                   by
                   <span class="command"><strong>notify</strong></span> and <span class="command"><strong>also-notify</strong></span>.
                 </p>
-                <p>
+<p>
                   If the
-                  zone is a slave or stub zone, then the server will suppress
+                  zone is a secondary or stub zone, the server suppresses
                   the regular
-                  "zone up to date" (refresh) queries and only perform them
+                  "zone up to date" (refresh) queries and only performs them
                   when the
-                  <span class="command"><strong>heartbeat-interval</strong></span> expires in
+                  <span class="command"><strong>heartbeat-interval</strong></span> expires, in
                   addition to sending
                   NOTIFY requests.
                 </p>
-                <p>
+<p>
                   Finer control can be achieved by using
-                  <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
-                  messages,
-                  <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
+                  <strong class="userinput"><code>notify</code></strong>, which only sends NOTIFY
+                  messages;
+                  <strong class="userinput"><code>notify-passive</code></strong>, which sends NOTIFY
                   messages and
-                  suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
+                  suppresses the normal refresh queries; <strong class="userinput"><code>refresh</code></strong>,
                   which suppresses normal refresh processing and sends refresh
                   queries
                   when the <span class="command"><strong>heartbeat-interval</strong></span>
-                  expires, and
-                  <strong class="userinput"><code>passive</code></strong> which just disables normal
+                  expires; and
+                  <strong class="userinput"><code>passive</code></strong>, which disables normal
                   refresh
                   processing.
                 </p>
-
-                <div class="informaltable">
-                  <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.150in" class="1">
 <col width="1.150in" class="2">
@@ -4062,60 +3801,48 @@ options {
                         </td>
 </tr>
 </tbody>
-</table>
-                </div>
-
-                <p>
+</table></div>
+<p>
                   Note that normal NOTIFY processing is not affected by
                   <span class="command"><strong>dialup</strong></span>.
                 </p>
-
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>fake-iquery</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   In <acronym class="acronym">BIND</acronym> 8, this option
                   enabled simulating the obsolete DNS query type
                   IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
                   IQUERY simulation.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option is obsolete.
                   In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
                   caused the server to attempt to fetch glue resource records
                   it
-                  didn't have when constructing the additional
+                  did not have when constructing the additional
                   data section of a response.  This is now considered a bad
                   idea
                   and BIND 9 never does it.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>flush-zones-on-shutdown</strong></span></span></dt>
-<dd>
-                <p>
-                  When the nameserver exits due receiving SIGTERM,
+<dd><p>
+                  When the nameserver exits upon receiving SIGTERM,
                   flush or do not flush any pending zone writes.  The default
                   is
                   <span class="command"><strong>flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>geoip-use-ecs</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   When BIND is compiled with GeoIP support and configured
                   with "geoip" ACL elements, this option indicates whether
                   the EDNS Client Subnet option, if present in a request,
                   should be used for matching against the GeoIP database.
                   The default is
                   <span class="command"><strong>geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option was incorrectly implemented
                   in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
                   To achieve the intended effect
@@ -4123,63 +3850,54 @@ options {
                   <span class="command"><strong>has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
                   the two separate options <span class="command"><strong>auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
                   and <span class="command"><strong>rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>host-statistics</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   In BIND 8, this enabled keeping of
                   statistics for every host that the name server interacts
                   with.
-                  Not implemented in BIND 9.
-                </p>
-              </dd>
+                  It is not implemented in BIND 9.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>root-key-sentinel</strong></span></span></dt>
-<dd>
-                <p>
-                  Respond to root key sentinel probes as described in
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, respond to root key sentinel probes as described in
                   draft-ietf-dnsop-kskroll-sentinel-08. The default is
                   <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>maintain-ixfr-base</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   <span class="emphasis"><em>This option is obsolete</em></span>.
                   It was used in <acronym class="acronym">BIND</acronym> 8 to
                   determine whether a transaction log was
                   kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
-                  log whenever possible.  If you need to disable outgoing
+                  log whenever possible.  To disable outgoing
                   incremental zone
                   transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>message-compression</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, DNS name compression is
                   used in responses to regular queries (not including
-                  AXFR or IXFR, which always uses compression).  Setting
+                  AXFR or IXFR, which always use compression).  Setting
                   this option to <strong class="userinput"><code>no</code></strong> reduces CPU
                   usage on servers and may improve throughput.  However,
                   it increases response size, which may cause more queries
                   to be processed using TCP; a server with compression
                   disabled is out of compliance with RFC 1123 Section
                   6.1.3.2. The default is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   If set to <strong class="userinput"><code>yes</code></strong>, then when generating
-                  responses the server will only add records to the authority
+                  responses the server only adds records to the authority
                   and additional data sections when they are required (e.g.
                   delegations, negative responses).  This may improve the
                   performance of the server.
                 </p>
-                <p>
+<p>
                   When set to <strong class="userinput"><code>no-auth</code></strong>, the
-                  server will omit records from the authority section
+                  server omits records from the authority section
                   unless they are required, but it may still add
                   records to the additional section.  When set to
                   <strong class="userinput"><code>no-auth-recursive</code></strong>, this
@@ -4187,23 +3905,22 @@ options {
                   settings are useful when answering stub clients,
                   which usually ignore the authority section.
                   <strong class="userinput"><code>no-auth-recursive</code></strong> is
-                  designed for mixed-mode servers which handle
+                  designed for mixed-mode servers that handle
                   both authoritative and recursive queries.
                 </p>
-                <p>
+<p>
                   The default is <strong class="userinput"><code>no</code></strong>.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>minimal-any</strong></span></span></dt>
-<dd>
-                <p>
-                  If set to <strong class="userinput"><code>yes</code></strong>, then when
-                  generating a positive response to a query of type
-                  ANY over UDP, the server will reply with only one
+<dd><p>
+                  If set to <strong class="userinput"><code>yes</code></strong>, the server replies with only one
                   of the RRsets for the query name, and its covering
-                  RRSIGs if any, instead of replying with all known
+                  RRSIGs if any, when
+                  generating a positive response to a query of type
+                  ANY over UDP, instead of replying with all known
                   RRsets for the name.  Similarly, a query for type
-                  RRSIG will be answered with the RRSIG records covering
+                  RRSIG is answered with the RRSIG records covering
                   only one type. This can reduce the impact of some kinds
                   of attack traffic, without harming legitimate
                   clients.  (Note, however, that the RRset returned is the
@@ -4211,75 +3928,69 @@ options {
                   the smallest available RRset.)
                   Additionally, <code class="option">minimal-responses</code> is
                   turned on for these queries, so no unnecessary records
-                  will be added to the authority or additional sections.
+                  are added to the authority or additional sections.
                   The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-            </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>multiple-cnames</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
-                  a domain name to have multiple CNAME records in violation of
+                  a domain name to have multiple CNAME records, in violation of
                   the DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 onwards
-                  always strictly enforces the CNAME rules both in master
+                  always strictly enforces the CNAME rules both in primary
                   files and dynamic updates.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   If <strong class="userinput"><code>yes</code></strong> (the default),
                   DNS NOTIFY messages are sent when a zone the server is
                   authoritative for
-                  changes, see <a class="xref" href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are
+                  changes; see <a class="xref" href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are
                   sent to the
-                  servers listed in the zone's NS records (except the master
+                  servers listed in the zone's NS records (except the primary
                   server identified
                   in the SOA MNAME field), and to any servers listed in the
                   <span class="command"><strong>also-notify</strong></span> option.
                 </p>
-                <p>
+<p>
                   If <strong class="userinput"><code>master-only</code></strong>, notifies are only
                   sent
-                  for master zones.
+                  for primary zones.
                   If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
                   to
                   servers explicitly listed using <span class="command"><strong>also-notify</strong></span>.
                   If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
                 </p>
-                <p>
+<p>
                   The <span class="command"><strong>notify</strong></span> option may also be
                   specified in the <span class="command"><strong>zone</strong></span>
                   statement,
                   in which case it overrides the <span class="command"><strong>options notify</strong></span> statement.
                   It would only be necessary to turn off this option if it
-                  caused slaves
+                  caused secondary zones
                   to crash.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, do not check the name servers
                   in the NS RRset against the SOA MNAME.  Normally a NOTIFY
-                  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
-                  supposed to contain the name of the ultimate master.
-                  Sometimes, however, a slave is listed as the SOA MNAME in
-                  hidden master configurations and in that case you would
-                  want the ultimate master to still send NOTIFY messages to
-                  all the nameservers listed in the NS RRset.
-                </p>
-              </dd>
+                  message is not sent to the SOA MNAME (SOA ORIGIN), as it is
+                  supposed to contain the name of the ultimate primary server.
+                  Sometimes, however, a secondary server is listed as the SOA MNAME in
+                  hidden primary configurations; in that case,
+                  the ultimate primary should be set to still send NOTIFY messages to
+                  all the name servers listed in the NS RRset.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>recursion</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, and a
-                  DNS query requests recursion, then the server will attempt
+                  DNS query requests recursion, then the server attempts
                   to do
                   all the work required to answer the query. If recursion is
                   off
-                  and the server does not already know the answer, it will
-                  return a
+                  and the server does not already know the answer, it
+                  returns a
                   referral response. The default is
                   <strong class="userinput"><code>yes</code></strong>.
                   Note that setting <span class="command"><strong>recursion no</strong></span> does not prevent
@@ -4288,11 +3999,9 @@ options {
                   queries.
                   Caching may still occur as an effect the server's internal
                   operation, such as NOTIFY address lookups.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>request-nsid</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
                   NSID (Name Server Identifier) option is sent with all
                   queries to authoritative name servers during iterative
@@ -4301,45 +4010,42 @@ options {
                   the <span class="command"><strong>resolver</strong></span> category at level
                   <span class="command"><strong>info</strong></span>.
                   The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>request-sit</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This experimental option is obsolete.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>require-server-cookie</strong></span></span></dt>
 <dd>
-                <p>
-                  Require a valid server cookie before sending a full
-                  response to a UDP request from a cookie aware client.
-                  BADCOOKIE is sent if there is a bad or no existent
+<p>
+                  If <strong class="userinput"><code>yes</code></strong>, require a valid server cookie before sending a full
+                  response to a UDP request from a cookie-aware client.
+                  BADCOOKIE is sent if there is a bad or nonexistent
                   server cookie.
                   The default is <strong class="userinput"><code>no</code></strong>.
                 </p>
-                <p>
-                  Set this to <strong class="userinput"><code>yes</code></strong> to test that DNS
-                  COOKIE clients correctly handle BADCOOKIE or if you are
+<p>
+                  Users wishing to test that DNS COOKIE clients correctly handle BADCOOKIE, or who are
                   getting a lot of forged DNS requests with DNS COOKIES
-                  present. Setting this to <strong class="userinput"><code>yes</code></strong> will
-                  result in reduced amplification effect in a reflection
-                  attack, as the BADCOOKIE response will be smaller than
+                  present, should set this to <strong class="userinput"><code>yes</code></strong>.
+                  Setting this to <strong class="userinput"><code>yes</code></strong>
+                  results in a reduced amplification effect in a reflection
+                  attack, as the BADCOOKIE response is smaller than
                   a full response, while also requiring a legitimate client
                   to follow up with a second query with the new, valid, cookie.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   When set to the default value of <strong class="userinput"><code>yes</code></strong>,
-                  COOKIE EDNS options will be sent when applicable in
+                  COOKIE EDNS options are sent when applicable in
                   replies to client queries. If set to
-                  <strong class="userinput"><code>no</code></strong>, COOKIE EDNS options will not
-                  be sent in replies.  This can only be set at the global
+                  <strong class="userinput"><code>no</code></strong>, COOKIE EDNS options are not
+                  sent in replies.  This can only be set at the global
                   options level, not per-view.
                 </p>
-                <p>
+<p>
                   <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
                   temporary measure, for use when <span class="command"><strong>named</strong></span>
                   shares an IP address with other servers that do not yet
@@ -4351,13 +4057,12 @@ options {
                   security mechanism, and should not be disabled unless
                   absolutely necessary.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, then a COOKIE EDNS
                   option is sent along with the query.  If the
-                  resolver has previously talked to the server, the
+                  resolver has previously communicated with the server, the
                   COOKIE returned in the previous transaction is sent.
                   This is used by the server to determine whether
                   the resolver has talked to it before. A resolver
@@ -4371,77 +4076,71 @@ options {
                   to receiving smaller responses via the
                   <span class="command"><strong>nocookie-udp-size</strong></span> option.
                   The default is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the maximum size of UDP responses that will be
+<dd><p>
+                  This sets the maximum size of UDP responses that are
                   sent to queries without a valid server COOKIE. A value
-                  below 128 will be silently raised to 128. The default
+                  below 128 is silently raised to 128. The default
                   value is 4096, but the <span class="command"><strong>max-udp-size</strong></span>
-                  option may further limit the response size.
-                </p>
-              </dd>
+                  option may further limit the response size as the default
+                  for <span class="command"><strong>max-udp-size</strong></span> is 1232.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>sit-secret</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This experimental option is obsolete.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>cookie-algorithm</strong></span></span></dt>
-<dd>
-                <p>
-                  Set the algorithm to be used when generating the
-                  server cookie.  One of "aes", "sha1" or "sha256".
+<dd><p>
+                  This sets the algorithm to be used when generating the
+                  server cookie; the options are "aes", "sha1", or "sha256".
                   The default is "aes" if supported by the cryptographic
-                  library or otherwise "sha256".
-                </p>
-              </dd>
+                  library; otherwise, "sha256".
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>cookie-secret</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   If set, this is a shared secret used for generating
                   and verifying EDNS COOKIE options
                   within an anycast cluster.  If not set, the system
-                  will generate a random secret at startup.  The
+                  generates a random secret at startup.  The
                   shared secret is encoded as a hex string and needs
-                  to be 128 bits for AES128, 160 bits for SHA1 and
+                  to be 128 bits for AES128, 160 bits for SHA1, and
                   256 bits for SHA256.
                 </p>
-                <p>
+<p>
                   If there are multiple secrets specified, the first
                   one listed in <code class="filename">named.conf</code> is
                   used to generate new server cookies.  The others
-                  will only be used to verify returned cookies.
+                  are only used to verify returned cookies.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>rfc2308-type1</strong></span></span></dt>
 <dd>
-                <p>
-                  Setting this to <strong class="userinput"><code>yes</code></strong> will
-                  cause the server to send NS records along with the SOA
+<p>
+                  Setting this to <strong class="userinput"><code>yes</code></strong>
+                  causes the server to send NS records along with the SOA
                   record for negative
                   answers. The default is <strong class="userinput"><code>no</code></strong>.
                 </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                  <p>
-                    Not yet implemented in <acronym class="acronym">BIND</acronym>
+<p>
+                    This is not yet implemented in <acronym class="acronym">BIND</acronym>
                     9.
                   </p>
-                </div>
-              </dd>
+</div>
+</dd>
 <dt><span class="term"><span class="command"><strong>trust-anchor-telemetry</strong></span></span></dt>
 <dd>
-                <p>
-                  Causes <span class="command"><strong>named</strong></span> to send specially-formed
+<p>
+                  This causes <span class="command"><strong>named</strong></span> to send specially formed
                   queries once per day to domains for which trust anchors
                   have been configured via <span class="command"><strong>trusted-keys</strong></span>,
                   <span class="command"><strong>managed-keys</strong></span>, or
                   <span class="command"><strong>dnssec-validation auto</strong></span>.
                 </p>
-                <p>
+<p>
                   The query name used for these queries has the
                   form "_ta-xxxx(-xxxx)(...)".&lt;domain&gt;, where
                   each "xxxx" is a group of four hexadecimal digits
@@ -4449,125 +4148,109 @@ options {
                   The key IDs for each domain are sorted smallest
                   to largest prior to encoding. The query type is NULL.
                 </p>
-                <p>
-                  By monitoring these queries, zone operators will
-                  be able to see which resolvers have been updated to
+<p>
+                  By monitoring these queries, zone operators are
+                  able to see which resolvers have been updated to
                   trust a new key; this may help them decide when it
                   is safe to remove an old one.
                 </p>
-                <p>
+<p>
                   The default is <strong class="userinput"><code>yes</code></strong>.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>use-id-pool</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   <span class="emphasis"><em>This option is obsolete</em></span>.
                   <acronym class="acronym">BIND</acronym> 9 always allocates query
                   IDs from a pool.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>use-ixfr</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   <span class="emphasis"><em>This option is obsolete</em></span>.
-                  If you need to disable IXFR to a particular server or
+                  To disable IXFR to a particular server or
                   servers, see
                   the information on the <span class="command"><strong>provide-ixfr</strong></span> option
                   in <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
             Usage&#8221;</a>.
                   See also
                   <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>provide-ixfr</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   See the description of
                   <span class="command"><strong>provide-ixfr</strong></span> in
                   <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
             Usage&#8221;</a>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>request-ixfr</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   See the description of
                   <span class="command"><strong>request-ixfr</strong></span> in
                   <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
             Usage&#8221;</a>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>request-expire</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   See the description of
                   <span class="command"><strong>request-expire</strong></span> in
                   <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
             Usage&#8221;</a>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>treat-cr-as-space</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option was used in <acronym class="acronym">BIND</acronym>
                   8 to make
                   the server treat carriage return ("<span class="command"><strong>\r</strong></span>") characters the same way
                   as a space or tab character,
-                  to facilitate loading of zone files on a UNIX system that
+                  to facilitate loading of zone files on a Unix system that
                   were generated
                   on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span class="command"><strong>\n</strong></span>"
                   and NT/DOS "<span class="command"><strong>\r\n</strong></span>" newlines
                   are always accepted,
                   and the option is ignored.
-                </p>
-              </dd>
+                </p></dd>
 <dt>
 <span class="term"><span class="command"><strong>additional-from-auth</strong></span>, </span><span class="term"><span class="command"><strong>additional-from-cache</strong></span></span>
 </dt>
 <dd>
-
-                <p>
+<p>
                   These options control the behavior of an authoritative
                   server when
                   answering queries which have additional data, or when
                   following CNAME
                   and DNAME chains.
                 </p>
-
-                <p>
+<p>
                   When both of these options are set to <strong class="userinput"><code>yes</code></strong>
                   (the default) and a
                   query is being answered from authoritative data (a zone
                   configured into the server), the additional data section of
                   the
-                  reply will be filled in using data from other authoritative
+                  reply is filled in using data from other authoritative
                   zones
                   and from the cache.  In some situations this is undesirable,
                   such
                   as when there is concern over the correctness of the cache,
                   or
-                  in servers where slave zones may be added and modified by
+                  in servers where secondary zones may be added and modified by
                   untrusted third parties.  Also, avoiding
-                  the search for this additional data will speed up server
+                  the search for this additional data speeds up server
                   operations
                   at the possible expense of additional queries to resolve
                   what would
                   otherwise be provided in the additional section.
                 </p>
-
-                <p>
+<p>
                   For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
                   and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
-                  records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
+                  records (A and AAAA) for <code class="literal">mail.example.net</code> are provided as well,
                   if known, even though they are not in the example.com zone.
                   Setting these options to <span class="command"><strong>no</strong></span>
                   disables this behavior and makes
                   the server only search for additional data in the zone it
                   answers from.
                 </p>
-
-                <p>
+<p>
                   These options are intended for use in authoritative-only
                   servers, or in authoritative-only views.  Attempts to set
                   them to <span class="command"><strong>no</strong></span> without also
@@ -4576,8 +4259,7 @@ options {
                   server to
                   ignore the options and log a warning message.
                 </p>
-
-                <p>
+<p>
                   Specifying <span class="command"><strong>additional-from-cache no</strong></span> actually
                   disables the use of the cache not only for additional data
                   lookups
@@ -4587,8 +4269,7 @@ options {
                   correctness of
                   the cached data is an issue.
                 </p>
-
-                <p>
+<p>
                   When a name server is non-recursively queried for a name
                   that is not
                   below the apex of any served zone, it normally answers with
@@ -4597,37 +4278,36 @@ options {
                   some other
                   known parent of the query name.  Since the data in an
                   upwards referral
-                  comes from the cache, the server will not be able to provide
+                  comes from the cache, the server is not able to provide
                   upwards
                   referrals when <span class="command"><strong>additional-from-cache no</strong></span>
-                  has been specified.  Instead, it will respond to such
+                  has been specified.  Instead, it responds to such
                   queries
                   with REFUSED.  This should not cause any problems since
                   upwards referrals are not required for the resolution
                   process.
                 </p>
-
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   If <strong class="userinput"><code>yes</code></strong>, then an
-                  IPv4-mapped IPv6 address will match any address match
+                  IPv4-mapped IPv6 address matches any address-match
                   list entries that match the corresponding IPv4 address.
                 </p>
-                <p>
+<p>
                   This option was introduced to work around a kernel quirk
                   in some operating systems that causes IPv4 TCP
                   connections, such as zone transfers, to be accepted on an
-                  IPv6 socket using mapped addresses.  This caused address
-                  match lists designed for IPv4 to fail to match.  However,
+                  IPv6 socket using mapped addresses.  This caused address-match
+                  lists designed for IPv4 to fail to match.  However,
                   <span class="command"><strong>named</strong></span> now solves this problem
                   internally.  The use of this option is discouraged.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   This option is only available when
                   <acronym class="acronym">BIND</acronym> 9 is compiled with the
                   <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
@@ -4641,7 +4321,7 @@ options {
                   to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span>
                   option.
                 </p>
-                <p>
+<p>
                   If <strong class="userinput"><code>yes</code></strong>,
                   the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
                   and if the response does not include DNSSEC signatures,
@@ -4649,110 +4329,105 @@ options {
                   This filtering applies to all responses and not only
                   authoritative responses.
                 </p>
-                <p>
+<p>
                   If <strong class="userinput"><code>break-dnssec</code></strong>,
                   then AAAA records are deleted even when DNSSEC is enabled.
-                  As suggested by the name, this makes the response not verify,
-                  because the DNSSEC protocol is designed detect deletions.
+                  As suggested by the name, this causes the response to not verify,
+                  because the DNSSEC protocol is designed to detect deletions.
                 </p>
-                <p>
+<p>
                   This mechanism can erroneously cause other servers to
                   not give AAAA records to their clients.
-                  A recursing server with both IPv6 and IPv4 network connections
+                  A recursing server with both IPv6 and IPv4 network connections,
                   that queries an authoritative server using this mechanism
-                  via IPv4 will be denied AAAA records even if its client is
+                  via IPv4, is denied AAAA records even if its client is
                   using IPv6.
                 </p>
-                <p>
+<p>
                   This mechanism is applied to authoritative as well as
                   non-authoritative records.
                   A client using IPv4 that is not allowed recursion can
                   erroneously be given AAAA records because the server is not
                   allowed to check for A records.
                 </p>
-                <p>
+<p>
                   Some AAAA records are given to IPv4 clients in glue records.
                   IPv4 clients that are servers can then erroneously
                   answer requests for AAAA records received via IPv4.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
-<dd>
-                <p>
-                  Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
+<dd><p>
+                  This is identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
                   except it filters AAAA responses to queries from IPv6
                   clients instead of IPv4 clients.  To filter all
                   responses, set both options to <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   When <strong class="userinput"><code>yes</code></strong> and the server loads a new
-                  version of a master zone from its zone file or receives a
-                  new version of a slave file via zone transfer, it will
-                  compare the new version to the previous one and calculate
+                  version of a primary zone from its zone file or receives a
+                  new version of a secondary file via zone transfer, it
+                  compares the new version to the previous one and calculates
                   a set of differences.  The differences are then logged in
-                  the zone's journal file such that the changes can be
-                  transmitted to downstream slaves as an incremental zone
+                  the zone's journal file so that the changes can be
+                  transmitted to downstream secondaries as an incremental zone
                   transfer.
                 </p>
-                <p>
+<p>
                   By allowing incremental zone transfers to be used for
                   non-dynamic zones, this option saves bandwidth at the
                   expense of increased CPU and memory consumption at the
-                  master.
+                  primary server.
                   In particular, if the new version of a zone is completely
                   different from the previous one, the set of differences
-                  will be of a size comparable to the combined size of the
-                  old and new zone version, and the server will need to
+                  is of a size comparable to the combined size of the
+                  old and new zone versions, and the server needs to
                   temporarily allocate memory to hold this complete
                   difference set.
                 </p>
-                <p><span class="command"><strong>ixfr-from-differences</strong></span>
+<p><span class="command"><strong>ixfr-from-differences</strong></span>
                   also accepts <span class="command"><strong>master</strong></span> and
                   <span class="command"><strong>slave</strong></span> at the view and options
-                  levels which causes
+                  levels, which causes
                   <span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for
-                  all <span class="command"><strong>master</strong></span> or
-                  <span class="command"><strong>slave</strong></span> zones respectively.
+                  all primary or secondary zones, respectively.
                   It is off by default.
                 </p>
-                <p>
+<p>
                   Note: if inline signing is enabled for a zone, the
                   user-provided <span class="command"><strong>ixfr-from-differences</strong></span>
                   setting is ignored for that zone.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
-<dd>
-                <p>
-                  This should be set when you have multiple masters for a zone
+<dd><p>
+                  This should be set when there are multiple primary servers for a zone
                   and the
-                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, <span class="command"><strong>named</strong></span> will
+                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, <span class="command"><strong>named</strong></span> does
                   not log
-                  when the serial number on the master is less than what <span class="command"><strong>named</strong></span>
+                  when the serial number on the primary is less than what <span class="command"><strong>named</strong></span>
                   currently
                   has.  The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   Zones configured for dynamic DNS may use this
                   option to allow varying levels of automatic DNSSEC key
                   management. There are three possible settings:
                 </p>
-                <p>
+<p>
                   <span class="command"><strong>auto-dnssec allow;</strong></span> permits
                   keys to be updated and the zone fully re-signed
                   whenever the user issues the command <span class="command"><strong>rndc sign
                   <em class="replaceable"><code>zonename</code></em></strong></span>.
                 </p>
-                <p>
+<p>
                   <span class="command"><strong>auto-dnssec maintain;</strong></span> includes the
                   above, but also automatically adjusts the zone's DNSSEC
-                  keys on schedule, according to the keys' timing metadata
+                  keys on a schedule, according to the keys' timing metadata
                   (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
                   <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The command
                   <span class="command"><strong>rndc sign
@@ -4766,49 +4441,47 @@ options {
                   repository and schedule key maintenance events to occur
                   in the future, but it does not sign the full zone
                   immediately.  Note: once keys have been loaded for a
-                  zone the first time, the repository will be searched
+                  zone the first time, the repository is searched
                   for changes periodically, regardless of whether
                   <span class="command"><strong>rndc loadkeys</strong></span> is used.  The recheck
                   interval is defined by
                   <span class="command"><strong>dnssec-loadkeys-interval</strong></span>.)
                 </p>
-                <p>
+<p>
                   The default setting is <span class="command"><strong>auto-dnssec off</strong></span>.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This indicates whether DNSSEC-related resource
                   records are to be returned by <span class="command"><strong>named</strong></span>.
                   If set to <strong class="userinput"><code>no</code></strong>,
-                  <span class="command"><strong>named</strong></span> will not return DNSSEC-related
+                  <span class="command"><strong>named</strong></span> does not return DNSSEC-related
                   resource records unless specifically queried for.
                   The default is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>dnssec-validation</strong></span></span></dt>
 <dd>
-                <p>
-                  Enable DNSSEC validation in <span class="command"><strong>named</strong></span>.
-                  Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
+<p>
+                  This option enables DNSSEC validation in <span class="command"><strong>named</strong></span>.
+                  Note that <span class="command"><strong>dnssec-enable</strong></span> also needs to be
                   set to <strong class="userinput"><code>yes</code></strong> to be effective.
                   If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
                   is disabled.
                 </p>
-                <p>
+<p>
                   If set to <strong class="userinput"><code>auto</code></strong>, DNSSEC validation
-                  is enabled, and a default trust anchor for the DNS root
+                  is enabled and a default trust anchor for the DNS root
                   zone is used.  If set to <strong class="userinput"><code>yes</code></strong>,
                   DNSSEC validation is enabled, but a trust anchor must be
                   manually configured using a <span class="command"><strong>trusted-keys</strong></span>
                   or <span class="command"><strong>managed-keys</strong></span> statement.  The default
                   is <strong class="userinput"><code>yes</code></strong>.
                 </p>
-                <p>
+<p>
                   The default root trust anchor is stored in the file
                   <code class="filename">bind.keys</code>.
-                  <span class="command"><strong>named</strong></span> will load that key at
+                  <span class="command"><strong>named</strong></span> loads that key at
                   startup if <span class="command"><strong>dnssec-validation</strong></span> is
                   set to <code class="constant">auto</code>.  A copy of the file is
                   installed along with BIND 9, and is current as of the
@@ -4816,194 +4489,186 @@ options {
                   <code class="filename">bind.keys</code> can be downloaded
                   from <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
                 </p>
-                <p>
-                  To prevent problems if <code class="filename">bind.keys</code> is
+<p>
+                  (To prevent problems if <code class="filename">bind.keys</code> is
                   not found, the current trust anchor is also compiled in
                   to <span class="command"><strong>named</strong></span>.  Relying on this is not
                   recommended, however, as it requires <span class="command"><strong>named</strong></span>
                   to be recompiled with a new key when the root key expires.)
                 </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                  <p>
-                    <span class="command"><strong>named</strong></span> <span class="emphasis"><em>only</em></span>
-                    loads the root key from <code class="filename">bind.keys</code>.
+<p>
+                    <span class="command"><strong>named</strong></span> loads <span class="emphasis"><em>only</em></span>
+                    the root key from <code class="filename">bind.keys</code>.
                     The file cannot be used to store keys for other zones.
                     The root key in <code class="filename">bind.keys</code> is ignored
                     if <span class="command"><strong>dnssec-validation auto</strong></span> is not in
                     use.
                   </p>
-                  <p>
+<p>
                     Whenever the resolver sends out queries to an
                     EDNS-compliant server, it always sets the DO bit
-                    indicating it can support DNSSEC responses even if
+                    indicating it can support DNSSEC responses, even if
                     <span class="command"><strong>dnssec-validation</strong></span> is off.
                   </p>
-                </div>
-              </dd>
+</div>
+</dd>
 <dt><span class="term"><span class="command"><strong>dnssec-accept-expired</strong></span></span></dt>
-<dd>
-                <p>
-                  Accept expired signatures when verifying DNSSEC signatures.
+<dd><p>
+                  This accepts expired signatures when verifying DNSSEC signatures.
                   The default is <strong class="userinput"><code>no</code></strong>.
                   Setting this option to <strong class="userinput"><code>yes</code></strong>
                   leaves <span class="command"><strong>named</strong></span> vulnerable to
                   replay attacks.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt>
 <dd>
-                <p>
-                  Specify whether query logging should be started when <span class="command"><strong>named</strong></span>
-                  starts.
-                  If <span class="command"><strong>querylog</strong></span> is not specified,
-                  then the query logging
-                  is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>.
+<p>
+                  Query logging provides a complete log of all incoming
+                  queries and all query errors. This provides more insight
+                  into the server's activity, but with a cost to
+                  performance which may be significant on heavily loaded
+                  servers.
                 </p>
-              </dd>
+<p>
+                  The <span class="command"><strong>querylog</strong></span> option specifies
+                  whether query logging should be active when
+                  <span class="command"><strong>named</strong></span> first starts.
+                  If <span class="command"><strong>querylog</strong></span> is not specified, then
+                  query logging is determined by the presence of the
+                  logging category <span class="command"><strong>queries</strong></span>.
+                  Query logging can also be activated at runtime using the
+                  command <span class="command"><strong>rndc querylog on</strong></span>, or
+                  deactivated with <span class="command"><strong>rndc querylog off</strong></span>.
+                </p>
+</dd>
 <dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   This option is used to restrict the character set and syntax
                   of
-                  certain domain names in master files and/or DNS responses
+                  certain domain names in zone files and/or DNS responses
                   received
                   from the network.  The default varies according to usage
-                  area.  For
-                  <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.
-                  For <span class="command"><strong>slave</strong></span> zones the default
-                  is <span class="command"><strong>warn</strong></span>.
-                  For answers received from the network (<span class="command"><strong>response</strong></span>)
+                  area.  For primary zones (i.e.,
+                  <span class="command"><strong>type master</strong></span>),
+                  the default is <span class="command"><strong>fail</strong></span>.
+                  For secondary zones (<span class="command"><strong>type slave</strong></span>), the
+                  default is <span class="command"><strong>warn</strong></span>.
+                  For answers received from the network (<span class="command"><strong>response</strong></span>),
                   the default is <span class="command"><strong>ignore</strong></span>.
                 </p>
-                <p>
+<p>
                   The rules for legal hostnames and mail domains are derived
                   from RFC 952 and RFC 821 as modified by RFC 1123.
                 </p>
-                <p><span class="command"><strong>check-names</strong></span>
-                  applies to the owner names of A, AAAA and MX records.
+<p><span class="command"><strong>check-names</strong></span>
+                  applies to the owner names of A, AAAA, and MX records.
                   It also applies to the domain names in the RDATA of NS, SOA,
                   MX, and SRV records.
-                  It also applies to the RDATA of PTR records where the owner
-                  name indicated that it is a reverse lookup of a hostname
+                  It further applies to the RDATA of PTR records where the owner
+                  name indicates that it is a reverse lookup of a hostname
                   (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>check-dup-records</strong></span></span></dt>
-<dd>
-                <p>
-                  Check master zones for records that are treated as different
+<dd><p>
+                  This checks primary zones for records that are treated as different
                   by DNSSEC but are semantically equal in plain DNS.  The
                   default is to <span class="command"><strong>warn</strong></span>.  Other possible
                   values are <span class="command"><strong>fail</strong></span> and
                   <span class="command"><strong>ignore</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
-<dd>
-                <p>
-                  Check whether the MX record appears to refer to a IP address.
+<dd><p>
+                  This checks whether the MX record appears to refer to a IP address.
                   The default is to <span class="command"><strong>warn</strong></span>.  Other possible
                   values are <span class="command"><strong>fail</strong></span> and
                   <span class="command"><strong>ignore</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option is used to check for non-terminal wildcards.
                   The use of non-terminal wildcards is almost always as a
                   result of a failure
                   to understand the wildcard matching algorithm (RFC 1034).
                   This option
-                  affects master zones.  The default (<span class="command"><strong>yes</strong></span>) is to check
+                  affects primary zones.  The default (<span class="command"><strong>yes</strong></span>) is to check
                   for non-terminal wildcards and issue a warning.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
 <dd>
-                <p>
-                  Perform post load zone integrity checks on master
-                  zones.  This checks that MX and SRV records refer
+<p>
+                  This performs post-load zone integrity checks on primary
+                  zones.  It checks that MX and SRV records refer
                   to address (A or AAAA) records and that glue
                   address records exist for delegated zones.  For
-                  MX and SRV records only in-zone hostnames are
-                  checked (for out-of-zone hostnames use
+                  MX and SRV records, only in-zone hostnames are
+                  checked (for out-of-zone hostnames, use
                   <span class="command"><strong>named-checkzone</strong></span>).
-                  For NS records only names below top of zone are
+                  For NS records, only names below top-of-zone are
                   checked (for out-of-zone names and glue consistency
-                  checks use <span class="command"><strong>named-checkzone</strong></span>).
+                  checks, use <span class="command"><strong>named-checkzone</strong></span>).
                   The default is <span class="command"><strong>yes</strong></span>.
                 </p>
-                <p>
-                  The use of the SPF record for publishing Sender
-                  Policy Framework is deprecated as the migration
+<p>
+                  The use of the SPF record to publish Sender
+                  Policy Framework is deprecated, as the migration
                   from using TXT records to SPF records was abandoned.
                   Enabling this option also checks that a TXT Sender
                   Policy Framework record exists (starts with "v=spf1")
                   if there is an SPF record. Warnings are emitted if the
-                  TXT record does not exist and can be suppressed with
+                  TXT record does not exist; they can be suppressed with
                   <span class="command"><strong>check-spf</strong></span>.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>check-mx-cname</strong></span></span></dt>
-<dd>
-                <p>
-                  If <span class="command"><strong>check-integrity</strong></span> is set then
-                  fail, warn or ignore MX records that refer
+<dd><p>
+                  If <span class="command"><strong>check-integrity</strong></span> is set, then
+                  fail, warn, or ignore MX records that refer
                   to CNAMES.  The default is to <span class="command"><strong>warn</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>check-srv-cname</strong></span></span></dt>
-<dd>
-                <p>
-                  If <span class="command"><strong>check-integrity</strong></span> is set then
-                  fail, warn or ignore SRV records that refer
+<dd><p>
+                  If <span class="command"><strong>check-integrity</strong></span> is set, then
+                  fail, warn, or ignore SRV records that refer
                   to CNAMES.  The default is to <span class="command"><strong>warn</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   When performing integrity checks, also check that
                   sibling glue exists.  The default is <span class="command"><strong>yes</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
-<dd>
-                <p>
-                  If <span class="command"><strong>check-integrity</strong></span> is set then
+<dd><p>
+                  If <span class="command"><strong>check-integrity</strong></span> is set,
                   check that there is a TXT Sender Policy Framework
                   record present (starts with "v=spf1") if there is an
                   SPF record present. The default is
                   <span class="command"><strong>warn</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  When returning authoritative negative responses to
-                  SOA queries set the TTL of the SOA record returned in
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, when returning authoritative negative responses to
+                  SOA queries, set the TTL of the SOA record returned in
                   the authority section to zero.
                   The default is <span class="command"><strong>yes</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>zero-no-soa-ttl-cache</strong></span></span></dt>
-<dd>
-                <p>
-                  When caching a negative response to a SOA query
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, when caching a negative response to an SOA query
                   set the TTL to zero.
                   The default is <span class="command"><strong>no</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   When set to the default value of <code class="literal">yes</code>,
                   check the KSK bit in each key to determine how the key
                   should be used when generating RRSIGs for a secure zone.
                 </p>
-                <p>
+<p>
                   Ordinarily, zone-signing keys (that is, keys without the
                   KSK bit set) are used to sign the entire zone, while
                   key-signing keys (keys with the KSK bit set) are only
@@ -5012,77 +4677,72 @@ options {
                   then the KSK bit is ignored; KSKs are treated as if they
                   were ZSKs and are used to sign the entire zone.  This is
                   similar to the <span class="command"><strong>dnssec-signzone -z</strong></span>
-                  command line option.
+                  command-line option.
                 </p>
-                <p>
+<p>
                   When this option is set to <code class="literal">yes</code>, there
                   must be at least two active keys for every algorithm
                   represented in the DNSKEY RRset: at least one KSK and one
                   ZSK per algorithm.  If there is any algorithm for which
-                  this requirement is not met, this option will be ignored
+                  this requirement is not met, this option is ignored
                   for that algorithm.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   When this option and <span class="command"><strong>update-check-ksk</strong></span>
                   are both set to <code class="literal">yes</code>, only key-signing
-                  keys (that is, keys with the KSK bit set) will be used
+                  keys (that is, keys with the KSK bit set) are used
                   to sign the DNSKEY RRset at the zone apex.  Zone-signing
-                  keys (keys without the KSK bit set) will be used to sign
+                  keys (keys without the KSK bit set) are used to sign
                   the remainder of the zone, but not the DNSKEY RRset.
                   This is similar to the
-                  <span class="command"><strong>dnssec-signzone -x</strong></span> command line option.
+                  <span class="command"><strong>dnssec-signzone -x</strong></span> command-line option.
                 </p>
-                <p>
+<p>
                   The default is <span class="command"><strong>no</strong></span>.  If
                   <span class="command"><strong>update-check-ksk</strong></span> is set to
                   <code class="literal">no</code>, this option is ignored.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
-<dd>
-                <p>
-                  Try to refresh the zone using TCP if UDP queries fail.
-                  For BIND 8 compatibility, the default is
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, try to refresh the zone using TCP if UDP queries fail.
+                  The default is
                   <span class="command"><strong>yes</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
 <dd>
-                <p>
-                  Allow a dynamic zone to transition from secure to
+<p>
+                  This allows a dynamic zone to transition from secure to
                   insecure (i.e., signed to unsigned) by deleting all
                   of the DNSKEY records.  The default is <span class="command"><strong>no</strong></span>.
                   If set to <span class="command"><strong>yes</strong></span>, and if the DNSKEY RRset
                   at the zone apex is deleted, all RRSIG and NSEC records
-                  will be removed from the zone as well.
+                  are removed from the zone as well.
                 </p>
-                <p>
-                  If the zone uses NSEC3, then it is also necessary to
-                  delete the NSEC3PARAM RRset from the zone apex; this will
-                  cause the removal of all corresponding NSEC3 records.
+<p>
+                  If the zone uses NSEC3, it is also necessary to
+                  delete the NSEC3PARAM RRset from the zone apex; this
+                  causes the removal of all corresponding NSEC3 records.
                   (It is expected that this requirement will be eliminated
                   in a future release.)
                 </p>
-                <p>
+<p>
                   Note that if a zone has been configured with
                   <span class="command"><strong>auto-dnssec maintain</strong></span> and the
                   private keys remain accessible in the key repository,
                   then the zone will be automatically signed again the
                   next time <span class="command"><strong>named</strong></span> is started.
                 </p>
-              </dd>
+</dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="forwarding"></a>Forwarding</h4></div></div></div>
-
-          <p>
+<p>
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
             name servers. It can also be used to allow queries by servers that
@@ -5092,105 +4752,89 @@ options {
             the server is not authoritative and does not have the answer in
             its cache.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option is only meaningful if the
-                  forwarders list is not empty. A value of <code class="varname">first</code>,
-                  the default, causes the server to query the forwarders
-                  first &#8212; and
-                  if that doesn't answer the question, the server will then
-                  look for
+                  forwarders list is not empty. A value of <code class="varname">first</code> is
+                  the default and causes the server to query the forwarders
+                  first;
+                  if that does not answer the question, the server then
+                  looks for
                   the answer itself. If <code class="varname">only</code> is
                   specified, the
-                  server will only query the forwarders.
-                </p>
-              </dd>
+                  server only queries the forwarders.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies the IP addresses to be used
-                  for forwarding. The default is the empty list (no
-                  forwarding).
-                </p>
-              </dd>
+<dd><p>
+                  This specifies a list of IP addresses to which queries are
+                  forwarded. The default is the empty list (no forwarding).
+                  Each address in the list can be associated with an optional
+                  port number and/or DSCP value, and a default port number and
+                  DSCP value can be set for the entire list.
+                </p></dd>
 </dl></div>
-
-          <p>
+<p>
             Forwarding can also be configured on a per-domain basis, allowing
             for the global forwarding options to be overridden in a variety
-            of ways. You can set particular domains to use different
+            of ways. Particular domains can be set to use different
             forwarders,
             or have a different <span class="command"><strong>forward only/first</strong></span> behavior,
-            or not forward at all, see <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span class="command"><strong>zone</strong></span>
+            or not forward at all; see <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span class="command"><strong>zone</strong></span>
             Statement Grammar&#8221;</a>.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="dual_stack"></a>Dual-stack Servers</h4></div></div></div>
-
-          <p>
-            Dual-stack servers are used as servers of last resort to work
+<p>
+            Dual-stack servers are used as servers of last resort, to work
             around
             problems in reachability due the lack of support for either IPv4
             or IPv6
             on the host machine.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>dual-stack-servers</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies host names or addresses of machines with access to
+<dd><p>
+                  This specifies host names or addresses of machines with access to
                   both IPv4 and IPv6 transports. If a hostname is used, the
                   server must be able
                   to resolve the name using only the transport it has.  If the
-                  machine is dual
-                  stacked, then the <span class="command"><strong>dual-stack-servers</strong></span> have no effect unless
+                  machine is dual-stacked, the <span class="command"><strong>dual-stack-servers</strong></span> parameter has no effect unless
                   access to a transport has been disabled on the command line
-                  (e.g. <span class="command"><strong>named -4</strong></span>).
-                </p>
-              </dd>
+                  (e.g., <span class="command"><strong>named -4</strong></span>).
+                </p></dd>
 </dl></div>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="access_control"></a>Access Control</h4></div></div></div>
-
-
-          <p>
+<p>
             Access to the server can be restricted based on the IP address
             of the requesting system. See <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
             details on how to specify IP address lists.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to
-                  notify this server, a slave, of zone changes in addition
-                  to the zone masters.
+<dd><p>
+                  This ACL specifies which hosts are allowed to
+                  notify this secondary server of zone changes in addition
+                  to the zone primaries.
                   <span class="command"><strong>allow-notify</strong></span> may also be
                   specified in the
                   <span class="command"><strong>zone</strong></span> statement, in which case
                   it overrides the
                   <span class="command"><strong>options allow-notify</strong></span>
                   statement.  It is only meaningful
-                  for a slave zone.  If not specified, the default is to
+                  for a secondary zone.  If not specified, the default is to
                   process notify messages
-                  only from a zone's master.
-                </p>
-              </dd>
+                  only from a zone's primary.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
 <dd>
-                <p>
-                  Specifies which hosts are allowed to ask ordinary
+<p>
+                  This specifies which hosts are allowed to ask ordinary
                   DNS questions. <span class="command"><strong>allow-query</strong></span> may
                   also be specified in the <span class="command"><strong>zone</strong></span>
                   statement, in which case it overrides the
@@ -5198,133 +4842,123 @@ options {
                   If not specified, the default is to allow queries
                   from all hosts.
                 </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                  <p>
-                    <span class="command"><strong>allow-query-cache</strong></span> is now
+<p>
+                    <span class="command"><strong>allow-query-cache</strong></span> is
                     used to specify access to the cache.
                   </p>
-                </div>
-              </dd>
+</div>
+</dd>
 <dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
 <dd>
-                <p>
-                  Specifies which local addresses can accept ordinary
+<p>
+                  This specifies which local addresses can accept ordinary
                   DNS questions. This makes it possible, for instance,
                   to allow queries on internal-facing interfaces but
                   disallow them on external-facing ones, without
                   necessarily knowing the internal network's addresses.
                 </p>
-                <p>
+<p>
                   Note that <span class="command"><strong>allow-query-on</strong></span> is only
                   checked for queries that are permitted by
                   <span class="command"><strong>allow-query</strong></span>.  A query must be
-                  allowed by both ACLs, or it will be refused.
+                  allowed by both ACLs, or it is refused.
                 </p>
-                <p>
+<p>
                   <span class="command"><strong>allow-query-on</strong></span> may
                   also be specified in the <span class="command"><strong>zone</strong></span>
                   statement, in which case it overrides the
                   <span class="command"><strong>options allow-query-on</strong></span> statement.
                 </p>
-                <p>
+<p>
                   If not specified, the default is to allow queries
                   on all addresses.
                 </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                  <p>
+<p>
                     <span class="command"><strong>allow-query-cache</strong></span> is
                     used to specify access to the cache.
                   </p>
-                </div>
-              </dd>
+</div>
+</dd>
 <dt><span class="term"><span class="command"><strong>allow-query-cache</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to get answers
+<dd><p>
+                  This specifies which hosts are allowed to get answers
                   from the cache.  If <span class="command"><strong>allow-query-cache</strong></span>
-                  is not set then <span class="command"><strong>allow-recursion</strong></span>
-                  is used if set, otherwise <span class="command"><strong>allow-query</strong></span>
-                  is used if set unless <span class="command"><strong>recursion no;</strong></span> is
-                  set in which case <span class="command"><strong>none;</strong></span> is used,
-                  otherwise the default (<span class="command"><strong>localnets;</strong></span>
+                  is not set, BIND checks to see if the following parameters
+                  are set, in order: <span class="command"><strong>allow-recursion</strong></span> and
+                  <span class="command"><strong>allow-query</strong></span>
+                  (unless <span class="command"><strong>recursion no;</strong></span> is
+                  set, in which case <span class="command"><strong>none;</strong></span> is used).
+                  If neither of those parameters is set, the default (<span class="command"><strong>localnets;</strong></span>
                   <span class="command"><strong>localhost;</strong></span>) is used.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-query-cache-on</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which local addresses can give answers
+<dd><p>
+                  This specifies which local addresses can send answers
                   from the cache.  If not specified, the default is
                   to allow cache queries on any address,
-                  <span class="command"><strong>localnets</strong></span> and
+                  <span class="command"><strong>localnets</strong></span>, and
                   <span class="command"><strong>localhost</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-recursion</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to make recursive
-                  queries through this server. If
-                  <span class="command"><strong>allow-recursion</strong></span> is not set
-                  then <span class="command"><strong>allow-query-cache</strong></span> is
-                  used if set, otherwise <span class="command"><strong>allow-query</strong></span>
-                  is used if set, otherwise the default
+<dd><p>
+                  This specifies which hosts are allowed to make recursive
+                  queries through this server. BIND checks to see if the
+                  following parameters are set, in order:
+                  <span class="command"><strong>allow-recursion</strong></span>, <span class="command"><strong>allow-query-cache</strong></span>,
+                  and <span class="command"><strong>allow-query</strong></span>.
+                  If none of those parameters are set, the default
                   (<span class="command"><strong>localnets;</strong></span>
                   <span class="command"><strong>localhost;</strong></span>) is used.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-recursion-on</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which local addresses can accept recursive
+<dd><p>
+                  This specifies which local addresses can accept recursive
                   queries.  If not specified, the default is to allow
                   recursive queries on all addresses.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to
-                  submit Dynamic DNS updates for master zones. The default is
+<dd><p>
+                  This specifies which hosts are allowed to
+                  submit Dynamic DNS updates for primary zones. The default is
                   to deny
                   updates from all hosts.  Note that allowing updates based
                   on the requestor's IP address is insecure; see
                   <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
 <dd>
-                <p>
-                  Specifies which hosts are allowed to
-                  submit Dynamic DNS updates to slave zones to be forwarded to
+<p>
+                  This specifies which hosts are allowed to
+                  submit Dynamic DNS updates to secondary zones to be forwarded to
                   the
-                  master.  The default is <strong class="userinput"><code>{ none; }</code></strong>,
+                  primary.  The default is <strong class="userinput"><code>{ none; }</code></strong>,
                   which
-                  means that no update forwarding will be performed.  To
+                  means that no update forwarding is performed.  To
                   enable
                   update forwarding, specify
                   <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
                   Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
                   <strong class="userinput"><code>{ any; }</code></strong> is usually
-                  counterproductive, since
+                  counterproductive;
                   the responsibility for update access control should rest
                   with the
-                  master server, not the slaves.
+                  primary server, not the secondaries.
                 </p>
-                <p>
-                  Note that enabling the update forwarding feature on a slave
+<p>
+                  Note that enabling the update forwarding feature on a secondary
                   server
-                  may expose master servers relying on insecure IP address
-                  based
-                  access control to attacks; see <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
+                  may expose primary servers to attacks if they rely on insecure
+                  IP-address-based
+                  access control; see <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
                   for more details.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option was introduced for the smooth transition from
                   AAAA
                   to A6 and from "nibble labels" to binary labels.
@@ -5332,158 +4966,139 @@ options {
                   deprecated,
                   this option was also deprecated.
                   It is now ignored with some warning messages.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to
+<dd><p>
+                  This specifies which hosts are allowed to
                   receive zone transfers from the server. <span class="command"><strong>allow-transfer</strong></span> may
                   also be specified in the <span class="command"><strong>zone</strong></span>
                   statement, in which
                   case it overrides the <span class="command"><strong>options allow-transfer</strong></span> statement.
                   If not specified, the default is to allow transfers to all
                   hosts.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>blackhole</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies a list of addresses that the
-                  server will not accept queries from or use to resolve a
+<dd><p>
+                  This specifies a list of addresses which the
+                  server does accept queries from or use to resolve a
                   query. Queries
-                  from these addresses will not be responded to. The default
+                  from these addresses are not responded to. The default
                   is <strong class="userinput"><code>none</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies a list of addresses to which
+<dd><p>
+                  This specifies a list of addresses to which
                   <span class="command"><strong>filter-aaaa-on-v4</strong></span>
                   and <span class="command"><strong>filter-aaaa-on-v6</strong></span>
                   apply.  The default is <strong class="userinput"><code>any</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>keep-response-order</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies a list of addresses to which the server
-                  will send responses to TCP queries in the same order
+<dd><p>
+                  This specifies a list of addresses to which the server
+                  sends responses to TCP queries, in the same order
                   in which they were received.  This disables the
                   processing of TCP queries in parallel. The default
                   is <strong class="userinput"><code>none</code></strong>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>no-case-compress</strong></span></span></dt>
 <dd>
-                <p>
-                  Specifies a list of addresses which require responses
+<p>
+                  This specifies a list of addresses which require responses
                   to use case-insensitive compression.  This ACL can be
                   used when <span class="command"><strong>named</strong></span> needs to work with
                   clients that do not comply with the requirement in RFC
                   1034 to use case-insensitive name comparisons when
                   checking for matching domain names.
                 </p>
-                <p>
+<p>
                   If left undefined, the ACL defaults to
                   <span class="command"><strong>none</strong></span>: case-insensitive compression
-                  will be used for all clients.  If the ACL is defined and
-                  matches a client, then case will be ignored when
+                  is used for all clients.  If the ACL is defined and
+                  matches a client, case is ignored when
                   compressing domain names in DNS responses sent to that
                   client.
                 </p>
-                <p>
-                  This can result in slightly smaller responses: if
+<p>
+                  This can result in slightly smaller responses; if
                   a response contains the names "example.com" and
-                  "example.COM", case-insensitive compression would treat
+                  "example.COM", case-insensitive compression treats
                   the second one as a duplicate.  It also ensures
                   that the case of the query name exactly matches the
                   case of the owner names of returned records, rather
-                  than matching the case of the records entered in
+                  than matches the case of the records entered in
                   the zone file.  This allows responses to exactly
                   match the query, which is required by some clients
                   due to incorrect use of case-sensitive comparisons.
                 </p>
-                <p>
+<p>
                   Case-insensitive compression is <span class="emphasis"><em>always</em></span>
                   used in AXFR and IXFR responses, regardless of whether
                   the client matches this ACL.
                 </p>
-                <p>
+<p>
                   There are circumstances in which <span class="command"><strong>named</strong></span>
-                  will not preserve the case of owner names of records:
+                  does not preserve the case of owner names of records:
                   if a zone file defines records of different types with
                   the same name, but the capitalization of the name is
                   different (e.g., "www.example.com/A" and
                   "WWW.EXAMPLE.COM/AAAA"), then all responses for that
-                  name will use the <span class="emphasis"><em>first</em></span> version
+                  name use the <span class="emphasis"><em>first</em></span> version
                   of the name that was used in the zone file.  This
                   limitation may be addressed in a future release.  However,
                   domain names specified in the rdata of resource records
-                  (i.e., records of type NS, MX, CNAME, etc) will always
+                  (i.e., records of type NS, MX, CNAME, etc.) always
                   have their case preserved unless the client matches this
                   ACL.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>resolver-query-timeout</strong></span></span></dt>
-<dd>
-                <p>
-                  The amount of time in seconds that the resolver
-                  will spend attempting to resolve a recursive
+<dd><p>
+                  This is the amount of time in seconds that the
+                  resolver spends attempting to resolve a recursive
                   query before failing.  The default and minimum
                   is <code class="literal">10</code> and the maximum is
                   <code class="literal">30</code>.  Setting it to
-                  <code class="literal">0</code> will result in the default
+                  <code class="literal">0</code> results in the default
                   being used.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="interfaces"></a>Interfaces</h4></div></div></div>
-
-          <p>
-            The interfaces and ports that the server will answer queries
+<p>
+            The interfaces and ports that the server answers queries
             from may be specified using the <span class="command"><strong>listen-on</strong></span> option. <span class="command"><strong>listen-on</strong></span> takes
             an optional port and an <code class="varname">address_match_list</code>
             of IPv4 addresses.  (IPv6 addresses are ignored, with a
             logged warning.)
-            The server will listen on all interfaces allowed by the address
-            match list. If a port is not specified, port 53 will be used.
+            The server listens on all interfaces allowed by the address
+            match list. If a port is not specified, port 53 is used.
           </p>
-          <p>
+<p>
             Multiple <span class="command"><strong>listen-on</strong></span> statements are
             allowed.
-            For example,
+            For example:
           </p>
-
 <pre class="programlisting">listen-on { 5.6.7.8; };
 listen-on port 1234 { !1.2.3.4; 1.2/16; };
 </pre>
-
-          <p>
-            will enable the name server on port 53 for the IP address
+<p>
+            enables the name server on port 53 for the IP address
             5.6.7.8, and on port 1234 of an address on the machine in net
             1.2 that is not 1.2.3.4.
           </p>
-
-          <p>
+<p>
             If no <span class="command"><strong>listen-on</strong></span> is specified, the
-            server will listen on port 53 on all IPv4 interfaces.
+            server listens on port 53 on all IPv4 interfaces.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>listen-on-v6</strong></span> option is used to
-            specify the interfaces and the ports on which the server will
-            listen for incoming queries sent using IPv6.  If not specified,
-            the server will listen on port 53 on all IPv6 interfaces.
+            specify the interfaces and the ports on which the server
+            listens for incoming queries sent using IPv6.  If not specified,
+            the server listens on port 53 on all IPv6 interfaces.
           </p>
-
-          <p>
+<p>
             When </p>
 <pre class="programlisting">{ any; }</pre>
 <p> is
@@ -5491,123 +5106,107 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
             as the <code class="varname">address_match_list</code> for the
             <span class="command"><strong>listen-on-v6</strong></span> option,
             the server does not bind a separate socket to each IPv6 interface
-            address as it does for IPv4 if the operating system has enough API
-            support for IPv6 (specifically if it conforms to RFC 3493 and RFC
+            address as it does for IPv4, if the operating system has enough API
+            support for IPv6 (specifically, if it conforms to RFC 3493 and RFC
             3542).
             Instead, it listens on the IPv6 wildcard address.
             If the system only has incomplete API support for IPv6, however,
             the behavior is the same as that for IPv4.
           </p>
-
-          <p>
+<p>
             A list of particular IPv6 addresses can also be specified, in
             which case
             the server listens on a separate socket for each specified
             address,
             regardless of whether the desired API is supported by the system.
             IPv4 addresses specified in <span class="command"><strong>listen-on-v6</strong></span>
-            will be ignored, with a logged warning.
+            are ignored, with a logged warning.
           </p>
-
-          <p>
+<p>
             Multiple <span class="command"><strong>listen-on-v6</strong></span> options can
             be used.
-            For example,
+            For example:
           </p>
-
 <pre class="programlisting">listen-on-v6 { any; };
 listen-on-v6 port 1234 { !2001:db8::/32; any; };
 </pre>
-
-          <p>
-            will enable the name server on port 53 for any IPv6 addresses
+<p>
+            enables the name server on port 53 for any IPv6 addresses
             (with a single wildcard socket),
-            and on port 1234 of IPv6 addresses that is not in the prefix
-            2001:db8::/32 (with separate sockets for each matched address.)
+            and on port 1234 of IPv6 addresses that are not in the prefix
+            2001:db8::/32 (with separate sockets for each matched address).
           </p>
-
-          <p>
-            To make the server not listen on any IPv6 address, use
+<p>
+            To instruct the server not to listen on any IPv6 address, use:
           </p>
-
 <pre class="programlisting">listen-on-v6 { none; };
 </pre>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="query_address"></a>Query Address</h4></div></div></div>
-
-          <p>
-            If the server doesn't know the answer to a question, it will
-            query other name servers. <span class="command"><strong>query-source</strong></span> specifies
+<p>
+            If the server does not know the answer to a question, it
+            queries other name servers. <span class="command"><strong>query-source</strong></span> specifies
             the address and port used for such queries. For queries sent over
             IPv6, there is a separate <span class="command"><strong>query-source-v6</strong></span> option.
             If <span class="command"><strong>address</strong></span> is <span class="command"><strong>*</strong></span> (asterisk) or is omitted,
             a wildcard IP address (<span class="command"><strong>INADDR_ANY</strong></span>)
-            will be used.
+            is used.
           </p>
-
-          <p>
+<p>
             If <span class="command"><strong>port</strong></span> is <span class="command"><strong>*</strong></span> or is omitted,
             a random port number from a pre-configured
-            range is picked up and will be used for each query.
-            The port range(s) is that specified in
+            range is picked up and used for each query.
+            The port range(s) is specified in
             the <span class="command"><strong>use-v4-udp-ports</strong></span> (for IPv4)
             and <span class="command"><strong>use-v6-udp-ports</strong></span> (for IPv6)
             options, excluding the ranges specified in
             the <span class="command"><strong>avoid-v4-udp-ports</strong></span>
             and <span class="command"><strong>avoid-v6-udp-ports</strong></span> options, respectively.
           </p>
-
-          <p>
+<p>
             The defaults of the <span class="command"><strong>query-source</strong></span> and
             <span class="command"><strong>query-source-v6</strong></span> options
             are:
           </p>
-
 <pre class="programlisting">query-source address * port *;
 query-source-v6 address * port *;
 </pre>
-
-          <p>
+<p>
             If <span class="command"><strong>use-v4-udp-ports</strong></span> or
             <span class="command"><strong>use-v6-udp-ports</strong></span> is unspecified,
-            <span class="command"><strong>named</strong></span> will check if the operating
+            <span class="command"><strong>named</strong></span> checks whether the operating
             system provides a programming interface to retrieve the
             system's default range for ephemeral ports.
             If such an interface is available,
-            <span class="command"><strong>named</strong></span> will use the corresponding system
-            default range; otherwise, it will use its own defaults:
+            <span class="command"><strong>named</strong></span> uses the corresponding system
+            default range; otherwise, it uses its own defaults:
          </p>
-
 <pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
 use-v6-udp-ports { range 1024 65535; };
 </pre>
-
-          <p>
-            Note: make sure the ranges be sufficiently large for
-            security.  A desirable size depends on various parameters,
+<p>
+            Note: make sure the ranges are sufficiently large for
+            security.  A desirable size depends on several parameters,
             but we generally recommend it contain at least 16384 ports
             (14 bits of entropy).
             Note also that the system's default range when used may be
             too small for this purpose, and that the range may even be
             changed while <span class="command"><strong>named</strong></span> is running; the new
-            range will automatically be applied when <span class="command"><strong>named</strong></span>
+            range is automatically applied when <span class="command"><strong>named</strong></span>
             is reloaded.
-            It is encouraged to
-            configure <span class="command"><strong>use-v4-udp-ports</strong></span> and
-            <span class="command"><strong>use-v6-udp-ports</strong></span> explicitly so that the
+            Explicit
+            configuration of <span class="command"><strong>use-v4-udp-ports</strong></span> and
+            <span class="command"><strong>use-v6-udp-ports</strong></span> is encouraged, so that the
             ranges are sufficiently large and are reasonably
             independent from the ranges used by other applications.
           </p>
-
-          <p>
+<p>
             Note: the operational configuration
             where <span class="command"><strong>named</strong></span> runs may prohibit the use
-            of some ports.  For example, UNIX systems will not allow
-            <span class="command"><strong>named</strong></span> running without a root privilege
+            of some ports.  For example, Unix systems do not allow
+            <span class="command"><strong>named</strong></span>, if run without root privilege,
             to use ports less than 1024.
             If such ports are included in the specified (or detected)
             set of query ports, the corresponding query attempts will
@@ -5615,18 +5214,15 @@ use-v6-udp-ports { range 1024 65535; };
             It is therefore important to configure the set of ports
             that can be safely used in the expected operational environment.
           </p>
-
-          <p>
+<p>
             The defaults of the <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
             <span class="command"><strong>avoid-v6-udp-ports</strong></span> options
             are:
           </p>
-
 <pre class="programlisting">avoid-v4-udp-ports {};
 avoid-v6-udp-ports {};
 </pre>
-
-          <p>
+<p>
             Note: BIND 9.5.0 introduced
             the <span class="command"><strong>use-queryport-pool</strong></span>
             option to support a pool of such random ports, but this
@@ -5638,73 +5234,63 @@ avoid-v6-udp-ports {};
             <span class="command"><strong>query-source-v6</strong></span> options;
             it implicitly disables the use of randomized port numbers.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>use-queryport-pool</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option is obsolete.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>queryport-pool-ports</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option is obsolete.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>queryport-pool-updateinterval</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option is obsolete.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               The address specified in the <span class="command"><strong>query-source</strong></span> option
               is used for both UDP and TCP queries, but the port applies only
               to UDP queries.  TCP queries always use a random
               unprivileged port.
             </p>
-          </div>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+</div>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               Solaris 2.5.1 and earlier does not support setting the source
               address for TCP sockets.
             </p>
-          </div>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+</div>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               See also <span class="command"><strong>transfer-source</strong></span> and
               <span class="command"><strong>notify-source</strong></span>.
             </p>
-          </div>
-        </div>
-
-        <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-
-          <p>
+<p>
             <acronym class="acronym">BIND</acronym> has mechanisms in place to
             facilitate zone transfers
             and set limits on the amount of load that transfers place on the
             system. The following options apply to zone transfers.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
 <dd>
-                <p>
-                  Defines a global list of IP addresses of name servers
+<p>
+                  This option defines a global list of IP addresses of name servers
                   that are also sent NOTIFY messages whenever a fresh copy of
                   the
                   zone is loaded, in addition to the servers listed in the
                   zone's NS records.
-                  This helps to ensure that copies of the zones will
+                  This helps to ensure that copies of the zones
                   quickly converge on stealth servers.
                   Optionally, a port may be specified with each
                   <span class="command"><strong>also-notify</strong></span> address to send
@@ -5716,208 +5302,174 @@ avoid-v6-udp-ports {};
                   In place of explicit addresses, one or more named
                   <span class="command"><strong>masters</strong></span> lists can be used.
                 </p>
-                <p>
+<p>
                   If an <span class="command"><strong>also-notify</strong></span> list
                   is given in a <span class="command"><strong>zone</strong></span> statement,
-                  it will override
+                  it overrides
                   the <span class="command"><strong>options also-notify</strong></span>
                   statement. When a <span class="command"><strong>zone notify</strong></span>
                   statement
                   is set to <span class="command"><strong>no</strong></span>, the IP
-                  addresses in the global <span class="command"><strong>also-notify</strong></span> list will
-                  not be sent NOTIFY messages for that zone. The default is
+                  addresses in the global <span class="command"><strong>also-notify</strong></span> list are
+                  not sent NOTIFY messages for that zone. The default is
                   the empty
                   list (no global notification list).
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   Inbound zone transfers running longer than
-                  this many minutes will be terminated. The default is 120
+                  this many minutes are terminated. The default is 120
                   minutes
                   (2 hours).  The maximum value is 28 days (40320 minutes).
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   Inbound zone transfers making no progress
-                  in this many minutes will be terminated. The default is 60
+                  in this many minutes are terminated. The default is 60
                   minutes
                   (1 hour).  The maximum value is 28 days (40320 minutes).
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   Outbound zone transfers running longer than
-                  this many minutes will be terminated. The default is 120
+                  this many minutes are terminated. The default is 120
                   minutes
                   (2 hours).  The maximum value is 28 days (40320 minutes).
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   Outbound zone transfers making no progress
-                  in this many minutes will be terminated.  The default is 60
+                  in this many minutes are terminated.  The default is 60
                   minutes (1
                   hour).  The maximum value is 28 days (40320 minutes).
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>notify-rate</strong></span></span></dt>
-<dd>
-                <p>
-                  The rate at which NOTIFY requests will be sent
+<dd><p>
+                  This specifies the rate at which NOTIFY requests are sent
                   during normal zone maintenance operations. (NOTIFY
                   requests due to initial zone loading are subject
                   to a separate rate limit; see below.) The default is
                   20 per second.
                   The lowest possible rate is one per second; when set
-                  to zero, it will be silently raised to one.
-                </p>
-              </dd>
+                  to zero, it is silently raised to one.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>startup-notify-rate</strong></span></span></dt>
-<dd>
-                <p>
-                  The rate at which NOTIFY requests will be sent
+<dd><p>
+                  This is the rate at which NOTIFY requests are sent
                   when the name server is first starting up, or when
-                  zones have been newly added to the nameserver.
+                  zones have been newly added to the name server.
                   The default is 20 per second.
                   The lowest possible rate is one per second; when set
-                  to zero, it will be silently raised to one.
-                </p>
-              </dd>
+                  to zero, it is silently raised to one.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>serial-query-rate</strong></span></span></dt>
-<dd>
-                <p>
-                  Slave servers will periodically query master
+<dd><p>
+                  Secondary servers periodically query primary
                   servers to find out if zone serial numbers have
                   changed. Each such query uses a minute amount of
-                  the slave server's network bandwidth.  To limit
+                  the secondary server's network bandwidth.  To limit
                   the amount of bandwidth used, BIND 9 limits the
                   rate at which queries are sent.  The value of the
                   <span class="command"><strong>serial-query-rate</strong></span> option, an
                   integer, is the maximum number of queries sent
                   per second.  The default is 20 per second.
                   The lowest possible rate is one per second; when set
-                  to zero, it will be silently raised to one.
-                </p>
-              </dd>
+                  to zero, it is silently raised to one.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>serial-queries</strong></span></span></dt>
-<dd>
-                <p>
-                  In BIND 8, the <span class="command"><strong>serial-queries</strong></span>
-                  option
-                  set the maximum number of concurrent serial number queries
-                  allowed to be outstanding at any given time.
+<dd><p>
                   BIND 9 does not limit the number of outstanding
                   serial queries and ignores the <span class="command"><strong>serial-queries</strong></span> option.
                   Instead, it limits the rate at which the queries are sent
                   as defined using the <span class="command"><strong>serial-query-rate</strong></span> option.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>transfer-format</strong></span></span></dt>
-<dd>
-
-                <p>
+<dd><p>
                   Zone transfers can be sent using two different formats,
                   <span class="command"><strong>one-answer</strong></span> and
                   <span class="command"><strong>many-answers</strong></span>.
                   The <span class="command"><strong>transfer-format</strong></span> option is used
-                  on the master server to determine which format it sends.
+                  on the primary server to determine which format it sends.
                   <span class="command"><strong>one-answer</strong></span> uses one DNS message per
                   resource record transferred.
                   <span class="command"><strong>many-answers</strong></span> packs as many resource
-                  records as possible into a message.
-                  <span class="command"><strong>many-answers</strong></span> is more efficient, but is
-                  only supported by relatively new slave servers,
-                  such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-                  8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
+                  records as possible into one message.
+                  <span class="command"><strong>many-answers</strong></span> is more efficient; the default is <span class="command"><strong>many-answers</strong></span>.
                   The <span class="command"><strong>many-answers</strong></span> format is also supported by
-                  recent Microsoft Windows nameservers.
-                  The default is <span class="command"><strong>many-answers</strong></span>.
+                  recent Microsoft Windows name servers.
                   <span class="command"><strong>transfer-format</strong></span> may be overridden on a
                   per-server basis by using the <span class="command"><strong>server</strong></span>
                   statement.
-                </p>
-
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>transfer-message-size</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   This is an upper bound on the uncompressed size of DNS
                   messages used in zone transfers over TCP.  If a message
-                  grows larger than this size, additional messages will be
+                  grows larger than this size, additional messages are
                   used to complete the zone transfer.  (Note, however,
                   that this is a hint, not a hard limit; if a message
                   contains a single resource record whose RDATA does not
                   fit within the size limit, a larger message will be
                   permitted so the record can be transferred.)
                 </p>
-                <p>
-                  Valid values are between 512 and 65535 octets, and any
-                  values outside that range will be adjusted to the nearest
+<p>
+                  Valid values are between 512 and 65535 octets; any
+                  values outside that range are adjusted to the nearest
                   value within it.  The default is <code class="literal">20480</code>,
-                  which was selected to improve message compression:
+                  which was selected to improve message compression;
                   most DNS messages of this size will compress to less
                   than 16536 bytes.  Larger messages cannot be compressed
                   as effectively, because 16536 is the largest permissible
                   compression offset pointer in a DNS message.
                 </p>
-                <p>
+<p>
                   This option is mainly intended for server testing;
                   there is rarely any benefit in setting a value other
                   than the default.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>transfers-in</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of inbound zone transfers
-                  that can be running concurrently. The default value is <code class="literal">10</code>.
+<dd><p>
+                  This is the maximum number of inbound zone transfers
+                  that can run concurrently. The default value is <code class="literal">10</code>.
                   Increasing <span class="command"><strong>transfers-in</strong></span> may
                   speed up the convergence
-                  of slave zones, but it also may increase the load on the
+                  of secondary zones, but it also may increase the load on the
                   local system.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>transfers-out</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of outbound zone transfers
-                  that can be running concurrently. Zone transfer requests in
+<dd><p>
+                  This is the maximum number of outbound zone transfers
+                  that can run concurrently. Zone transfer requests in
                   excess
-                  of the limit will be refused. The default value is <code class="literal">10</code>.
-                </p>
-              </dd>
+                  of the limit are refused. The default value is <code class="literal">10</code>.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>transfers-per-ns</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of inbound zone transfers
-                  that can be concurrently transferring from a given remote
+<dd><p>
+                  This is the maximum number of inbound zone transfers
+                  that can concurrently transfer from a given remote
                   name server.
                   The default value is <code class="literal">2</code>.
                   Increasing <span class="command"><strong>transfers-per-ns</strong></span>
                   may
-                  speed up the convergence of slave zones, but it also may
+                  speed up the convergence of secondary zones, but it also may
                   increase
                   the load on the remote name server. <span class="command"><strong>transfers-per-ns</strong></span> may
                   be overridden on a per-server basis by using the <span class="command"><strong>transfers</strong></span> phrase
                   of the <span class="command"><strong>server</strong></span> statement.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
 <dd>
-                <p><span class="command"><strong>transfer-source</strong></span>
-                  determines which local address will be bound to IPv4
+<p><span class="command"><strong>transfer-source</strong></span>
+                  determines which local address is bound to IPv4
                   TCP connections used to fetch zones transferred
                   inbound by the server.  It also determines the
                   source IPv4 address, and optionally the UDP port,
                   used for the refresh queries and forwarded dynamic
-                  updates.  If not set, it defaults to a system
-                  controlled value which will usually be the address
+                  updates.  If not set, it defaults to a
+                  system-controlled value which is usually the address
                   of the interface "closest to" the remote end. This
                   address must appear in the remote end's
                   <span class="command"><strong>allow-transfer</strong></span> option for the
@@ -5931,66 +5483,58 @@ avoid-v6-udp-ports {};
                   <span class="command"><strong>zone</strong></span> block in the configuration
                   file.
                 </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                  <p>
+<p>
                     Solaris 2.5.1 and earlier does not support setting the
                     source address for TCP sockets.
                   </p>
-                </div>
-              </dd>
+</div>
+</dd>
 <dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
-<dd>
-                <p>
-                  The same as <span class="command"><strong>transfer-source</strong></span>,
+<dd><p>
+                  This option is the same as <span class="command"><strong>transfer-source</strong></span>,
                   except zone transfers are performed using IPv6.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
 <dd>
-                <p>
-                  An alternate transfer source if the one listed in
+<p>
+                  This indicates an alternate transfer source if the one listed in
                   <span class="command"><strong>transfer-source</strong></span> fails and
                   <span class="command"><strong>use-alt-transfer-source</strong></span> is
                   set.
                 </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-                  If you do not wish the alternate transfer source
-                  to be used, you should set
-                  <span class="command"><strong>use-alt-transfer-source</strong></span>
-                  appropriately and you should not depend upon
+                  To avoid using the alternate transfer source,
+                  set <span class="command"><strong>use-alt-transfer-source</strong></span>
+                  appropriately and do not depend upon
                   getting an answer back to the first refresh
                   query.
                 </p>
 </div>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
-<dd>
-                <p>
-                  An alternate transfer source if the one listed in
+<dd><p>
+                  This indicates an alternate transfer source if the one listed in
                   <span class="command"><strong>transfer-source-v6</strong></span> fails and
                   <span class="command"><strong>use-alt-transfer-source</strong></span> is
                   set.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
-<dd>
-                <p>
-                  Use the alternate transfer sources or not.  If views are
-                  specified this defaults to <span class="command"><strong>no</strong></span>
-                  otherwise it defaults to
-                  <span class="command"><strong>yes</strong></span> (for BIND 8
-                  compatibility).
-                </p>
-              </dd>
+<dd><p>
+                  This indicates whether the alternate transfer sources should be used.  If views are
+                  specified, this defaults to <span class="command"><strong>no</strong></span>;
+                  otherwise, it defaults to
+                  <span class="command"><strong>yes</strong></span>.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
 <dd>
-                <p><span class="command"><strong>notify-source</strong></span>
+<p><span class="command"><strong>notify-source</strong></span>
                   determines which local source address, and
-                  optionally UDP port, will be used to send NOTIFY
-                  messages.  This address must appear in the slave
+                  optionally UDP port, is used to send NOTIFY
+                  messages.  This address must appear in the secondary
                   server's <span class="command"><strong>masters</strong></span> zone clause or
                   in an <span class="command"><strong>allow-notify</strong></span> clause.  This
                   statement sets the <span class="command"><strong>notify-source</strong></span>
@@ -6001,62 +5545,54 @@ avoid-v6-udp-ports {};
                   <span class="command"><strong>view</strong></span> block in the configuration
                   file.
                 </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                  <p>
+<p>
                     Solaris 2.5.1 and earlier does not support setting the
                     source address for TCP sockets.
                   </p>
-                </div>
-              </dd>
+</div>
+</dd>
 <dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
-<dd>
-                <p>
-                  Like <span class="command"><strong>notify-source</strong></span>,
+<dd><p>
+                  This option acts like <span class="command"><strong>notify-source</strong></span>,
                   but applies to notify messages sent to IPv6 addresses.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="port_lists"></a>UDP Port Lists</h4></div></div></div>
-
-          <p>
+<p>
             <span class="command"><strong>use-v4-udp-ports</strong></span>,
             <span class="command"><strong>avoid-v4-udp-ports</strong></span>,
             <span class="command"><strong>use-v6-udp-ports</strong></span>, and
             <span class="command"><strong>avoid-v6-udp-ports</strong></span>
-            specify a list of IPv4 and IPv6 UDP ports that will be
-            used or not used as source ports for UDP messages.
+            specify a list of IPv4 and IPv6 UDP ports that are
+            or are not used as source ports for UDP messages.
             See <a class="xref" href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called &#8220;Query Address&#8221;</a> about how the
             available ports are determined.
-            For example, with the following configuration
+            For example, with the following configuration:
           </p>
-
 <pre class="programlisting">
 use-v6-udp-ports { range 32768 65535; };
 avoid-v6-udp-ports { 40000; range 50000 60000; };
 </pre>
-
-           <p>
+<p>
              UDP ports of IPv6 messages sent
-             from <span class="command"><strong>named</strong></span> will be in one
+             from <span class="command"><strong>named</strong></span> are in one
              of the following ranges: 32768 to 39999, 40001 to 49999,
              and 60001 to 65535.
            </p>
-
-           <p>
+<p>
              <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
              <span class="command"><strong>avoid-v6-udp-ports</strong></span> can be used
              to prevent <span class="command"><strong>named</strong></span> from choosing as its random source port a
-             port that is blocked by your firewall or a port that is
+             port that is blocked by a firewall or a port that is
              used by other applications;
              if a query went out with a source port blocked by a
              firewall, the
-             answer would not get by the firewall and the name server would
+             answer would not pass through the firewall and the name server would
              have to query again.
              Note: the desired range can also be represented only with
              <span class="command"><strong>use-v4-udp-ports</strong></span> and
@@ -6065,13 +5601,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
              sense; they are provided for backward compatibility and
              to possibly simplify the port specification.
            </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="resource_limits"></a>Operating System Resource Limits</h4></div></div></div>
-
-          <p>
+<p>
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
             example, <span class="command"><strong>1G</strong></span> can be used instead of
@@ -6084,116 +5618,94 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             that was in force when the server was started. See the description
             of <span class="command"><strong>size_spec</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
           </p>
-
-          <p>
+<p>
             The following options set operating system resource limits for
-            the name server process.  Some operating systems don't support
+            the name server process.  Some operating systems do not support
             some or
-            any of the limits. On such systems, a warning will be issued if
-            the
+            any of the limits; on such systems, a warning is issued if
+            an
             unsupported limit is used.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>coresize</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum size of a core dump. The default
+<dd><p>
+                  This sets the maximum size of a core dump. The default
                   is <code class="literal">default</code>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>datasize</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum amount of data memory the server
+<dd><p>
+                  This sets the maximum amount of data memory the server
                   may use. The default is <code class="literal">default</code>.
-                  This is a hard limit on server memory usage.
-                  If the server attempts to allocate memory in excess of this
+                  This is a hard limit on server memory usage;
+                  if the server attempts to allocate memory in excess of this
                   limit, the allocation will fail, which may in turn leave
                   the server unable to perform DNS service.  Therefore,
-                  this option is rarely useful as a way of limiting the
+                  this option is rarely useful as a way to limit the
                   amount of memory used by the server, but it can be used
                   to raise an operating system data size limit that is
-                  too small by default.  If you wish to limit the amount
+                  too small by default.  To limit the amount
                   of memory used by the server, use the
                   <span class="command"><strong>max-cache-size</strong></span> and
                   <span class="command"><strong>recursive-clients</strong></span>
                   options instead.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>files</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of files the server
+<dd><p>
+                  This sets the maximum number of files the server
                   may have open concurrently. The default is <code class="literal">unlimited</code>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>stacksize</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum amount of stack memory the server
+<dd><p>
+                  This sets the maximum amount of stack memory the server
                   may use. The default is <code class="literal">default</code>.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="server_resource_limits"></a>Server  Resource Limits</h4></div></div></div>
-
-          <p>
+<a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div>
+<p>
             The following options set limits on the server's
             resource consumption that are enforced internally by the
-            server rather than the operating system.
+            server rather than by the operating system.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>max-ixfr-log-size</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This option is obsolete; it is accepted
                   and ignored for BIND 8 compatibility.  The option
                   <span class="command"><strong>max-journal-size</strong></span> performs a
                   similar function in BIND 9.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets a maximum size for each journal file
-                  (see <a class="xref" href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>).  When the journal file
+<dd><p>
+                  This sets a maximum size for each journal file
+                  (see <a class="xref" href="Bv9ARM.ch04.html#journal" title="The Journal File">the section called &#8220;The Journal File&#8221;</a>).  When the journal file
                   approaches
                   the specified size, some of the oldest transactions in the
                   journal
-                  will be automatically removed.  The largest permitted
+                  are automatically removed.  The largest permitted
                   value is 2 gigabytes. The default is
                   <code class="literal">unlimited</code>, which also
                   means 2 gigabytes.
-                  This may also be set on a per-zone basis.
-                </p>
-              </dd>
+                  This option may also be set on a per-zone basis.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of records permitted in a zone.
-                  The default is zero which means unlimited.
-                </p>
-              </dd>
+<dd><p>
+                  This sets the maximum number of records permitted in a zone.
+                  The default is zero, which means the maximum is unlimited.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>host-statistics-max</strong></span></span></dt>
-<dd>
-                <p>
-                  In BIND 8, specifies the maximum number of host statistics
+<dd><p>
+                  In BIND 8, this specified the maximum number of host statistics
                   entries to be kept.
-                  Not implemented in BIND 9.
-                </p>
-              </dd>
+                  It is not implemented in BIND 9.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>recursive-clients</strong></span></span></dt>
 <dd>
-                <p>
-                  The maximum number ("hard quota") of simultaneous
-                  recursive lookups the server will perform on behalf
+<p>
+                  This sets the maximum number (a "hard quota") of simultaneous
+                  recursive lookups the server performs on behalf
                   of clients.  The default is
                   <code class="literal">1000</code>.  Because each recursing
                   client uses a fair
@@ -6202,105 +5714,103 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   <span class="command"><strong>recursive-clients</strong></span> option may
                   have to be decreased on hosts with limited memory.
                 </p>
-                <p>
+<p>
                   <code class="option">recursive-clients</code> defines a "hard
-                  quota" limit for pending recursive clients: when more
+                  quota" limit for pending recursive clients; when more
                   clients than this are pending, new incoming requests
-                  will not be accepted, and for each incoming request
-                  a previous pending request will also be dropped.
+                  are not accepted, and for each incoming request
+                  a previous pending request is dropped.
                 </p>
-                <p>
+<p>
                   A "soft quota" is also set.  When this lower
                   quota is exceeded, incoming requests are accepted, but
-                  for each one, a pending request will be dropped.
+                  for each one, a pending request is dropped.
                   If <code class="option">recursive-clients</code> is greater than
                   1000, the soft quota is set to
                   <code class="option">recursive-clients</code> minus 100;
                   otherwise it is set to 90% of
                   <code class="option">recursive-clients</code>.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>tcp-clients</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of simultaneous client TCP
-                  connections that the server will accept.
+<dd><p>
+                  This is the maximum number of simultaneous client TCP
+                  connections that the server accepts.
                   The default is <code class="literal">150</code>.
-                </p>
-              </dd>
+                </p></dd>
 <dt>
 <a name="clients-per-query"></a><span class="term"><a name="cpq_term"></a><span class="command"><strong>clients-per-query</strong></span>, </span><span class="term"><span class="command"><strong>max-clients-per-query</strong></span></span>
 </dt>
 <dd>
-                <p>These set the
+<p>These set the
                   initial value (minimum) and maximum number of recursive
                   simultaneous clients for any given query
-                  (&lt;qname,qtype,qclass&gt;) that the server will accept
-                  before dropping additional clients.  <span class="command"><strong>named</strong></span> will attempt to
-                  self tune this value and changes will be logged.  The
+                  (&lt;qname,qtype,qclass&gt;) that the server accepts
+                  before dropping additional clients.  <span class="command"><strong>named</strong></span> attempts to
+                  self-tune this value and changes are logged.  The
                   default values are 10 and 100.
                 </p>
-                <p>
+<p>
                   This value should reflect how many queries come in for
                   a given name in the time it takes to resolve that name.
-                  If the number of queries exceed this value, <span class="command"><strong>named</strong></span> will
-                  assume that it is dealing with a non-responsive zone
-                  and will drop additional queries.  If it gets a response
-                  after dropping queries, it will raise the estimate.  The
-                  estimate will then be lowered in 20 minutes if it has
+                  If the number of queries exceeds this value, <span class="command"><strong>named</strong></span>
+                  assumes that it is dealing with a non-responsive zone
+                  and drops additional queries.  If it gets a response
+                  after dropping queries, it raises the estimate.  The
+                  estimate is then lowered in 20 minutes if it has
                   remained unchanged.
                 </p>
-                <p>
+<p>
                   If <span class="command"><strong>clients-per-query</strong></span> is set to zero,
-                  then there is no limit on the number of clients per query
-                  and no queries will be dropped.
+                  there is no limit on the number of clients per query
+                  and no queries are dropped.
                 </p>
-                <p>
+<p>
                   If <span class="command"><strong>max-clients-per-query</strong></span> is set to zero,
-                  then there is no upper bound other than imposed by
+                  there is no upper bound other than imposed by
                   <span class="command"><strong>recursive-clients</strong></span>.
                 </p>
-              </dd>
+</dd>
 <dt>
 <a name="fetches-per-zone"></a><span class="term"><span class="command"><strong>fetches-per-zone</strong></span></span>
 </dt>
 <dd>
-                <p>
-                  The maximum number of simultaneous iterative
-                  queries to any one domain that the server will
-                  permit before blocking new queries for data
+<p>
+                  This sets the maximum number of simultaneous iterative
+                  queries to any one domain that the server
+                  permits before blocking new queries for data
                   in or beneath that zone.
                   This value should reflect how many fetches would
                   normally be sent to any one zone in the time it
                   would take to resolve them.  It should be smaller
                   than <code class="option">recursive-clients</code>.
                 </p>
-                <p>
+<p>
                   When many clients simultaneously query for the
-                  same name and type, the clients will all be attached
+                  same name and type, the clients are all attached
                   to the same fetch, up to the
                   <code class="option">max-clients-per-query</code> limit,
-                  and only one iterative query will be sent.
+                  and only one iterative query is sent.
                   However, when clients are simultaneously
                   querying for <span class="emphasis"><em>different</em></span> names
-                  or types, multiple queries will be sent and
+                  or types, multiple queries are sent and
                   <code class="option">max-clients-per-query</code> is not
                   effective as a limit.
                 </p>
-                <p>
+<p>
                   Optionally, this value may be followed by the keyword
                   <code class="literal">drop</code> or <code class="literal">fail</code>,
                   indicating whether queries which exceed the fetch
-                  quota for a zone will be dropped with no response,
+                  quota for a zone are dropped with no response,
                   or answered with SERVFAIL.  The default is
                   <code class="literal">drop</code>.
                 </p>
-                <p>
+<p>
                   If <span class="command"><strong>fetches-per-zone</strong></span> is set to zero,
-                  then there is no limit on the number of fetches per query
-                  and no queries will be dropped.  The default is zero.
+                  there is no limit on the number of fetches per query
+                  and no queries are dropped.  The default is zero.
                 </p>
-                <p>
+<p>
                   The current list of active fetches can be dumped by
                   running <span class="command"><strong>rndc recursing</strong></span>.  The list
                   includes the number of active fetches for each
@@ -6313,14 +5823,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   next time a fetch is sent to that domain, it is
                   recreated with the counters set to zero.)
                 </p>
-              </dd>
+</dd>
 <dt>
 <a name="fetches-per-server"></a><span class="term"><span class="command"><strong>fetches-per-server</strong></span></span>
 </dt>
 <dd>
-                <p>
-                  The maximum number of simultaneous iterative
-                  queries that the server will allow to be sent to
+<p>
+                  This sets the maximum number of simultaneous iterative
+                  queries that the server allows to be sent to
                   a single upstream name server before blocking
                   additional queries.
                   This value should reflect how many fetches would
@@ -6328,21 +5838,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   would take to resolve them.  It should be smaller
                   than <code class="option">recursive-clients</code>.
                 </p>
-                <p>
+<p>
                   Optionally, this value may be followed by the keyword
                   <code class="literal">drop</code> or <code class="literal">fail</code>,
-                  indicating whether queries will be dropped with no
-                  response, or answered with SERVFAIL, when all of the
+                  indicating whether queries are dropped with no
+                  response or answered with SERVFAIL, when all of the
                   servers authoritative for a zone are found to have
                   exceeded the per-server quota.  The default is
                   <code class="literal">fail</code>.
                 </p>
-                <p>
+<p>
                   If <span class="command"><strong>fetches-per-server</strong></span> is set to zero,
-                  then there is no limit on the number of fetches per query
-                  and no queries will be dropped.  The default is zero.
+                  there is no limit on the number of fetches per query
+                  and no queries are dropped.  The default is zero.
                 </p>
-                <p>
+<p>
                   The <span class="command"><strong>fetches-per-server</strong></span> quota is
                   dynamically adjusted in response to detected
                   congestion. As queries are sent to a server
@@ -6358,23 +5868,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   can be used to adjust the parameters for this
                   calculation.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>fetch-quota-params</strong></span></span></dt>
 <dd>
-                <p>
-                  Sets the parameters to use for dynamic resizing of
+<p>
+                  This sets the parameters to use for dynamic resizing of
                   the <code class="option">fetches-per-server</code> quota in
                   response to detected congestion.
                 </p>
-                <p>
+<p>
                   The first argument is an integer value indicating
                   how frequently to recalculate the moving average
                   of the ratio of timeouts to responses for each
-                  server.  The default is 100, meaning we recalculate
+                  server.  The default is 100, meaning that BIND recalculates
                   the average ratio after every 100 queries have either
                   been answered or timed out.
                 </p>
-                <p>
+<p>
                   The remaining three arguments represent the "low"
                   threshold (defaulting to a timeout ratio of 0.1),
                   the "high" threshold (defaulting to a timeout
@@ -6386,161 +5896,142 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   events to weigh more heavily, smoothing out
                   short-term blips in the timeout ratio.
                   These arguments are all fixed-point numbers with
-                  precision of 1/100: at most two places after
+                  precision of 1/100; at most two places after
                   the decimal point are significant.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>reserved-sockets</strong></span></span></dt>
 <dd>
-                <p>
-                  The number of file descriptors reserved for TCP, stdio,
+<p>
+                  This sets the number of file descriptors reserved for TCP, stdio,
                   etc.  This needs to be big enough to cover the number of
                   interfaces <span class="command"><strong>named</strong></span> listens on plus
                   <span class="command"><strong>tcp-clients</strong></span>, as well as
                   to provide room for outgoing TCP queries and incoming zone
                   transfers.  The default is <code class="literal">512</code>.
                   The minimum value is <code class="literal">128</code> and the
-                  maximum value is <code class="literal">128</code> less than
+                  maximum value is <code class="literal">128</code> fewer than
                   maxsockets (-S).  This option may be removed in the future.
                 </p>
-                <p>
+<p>
                   This option has little effect on Windows.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>max-cache-size</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum amount of memory to use for the
-                  server's cache, in bytes or % of total physical memory.
+<dd><p>
+                  This sets the maximum amount of memory to use for the
+                  server's cache, in bytes or percentage of total physical memory.
                   When the amount of data in the cache
-                  reaches this limit, the server will cause records to
-                  expire prematurely based on an LRU based strategy so
+                  reaches this limit, the server causes records to
+                  expire prematurely, following an LRU-based strategy, so
                   that the limit is not exceeded.
                   The keyword <strong class="userinput"><code>unlimited</code></strong>,
-                  or the value 0, will place no limit on cache size;
-                  records will be purged from the cache only when their
+                  or the value 0, places no limit on the cache size;
+                  records are purged from the cache only when their
                   TTLs expire.
-                  Any positive values less than 2MB will be ignored
+                  Any positive values less than 2MB are ignored
                   and reset to 2MB.
                   In a server with multiple views, the limit applies
                   separately to the cache of each view.
                   The default is <strong class="userinput"><code>90%</code></strong>.
-                  On systems where detection of amount of physical
-                  memory is not supported values represented as %
+                  On systems where detection of the amount of physical
+                  memory is not supported, values represented as a percentage
                   fall back to unlimited.
                   Note that the detection of physical memory is done only
-                  once at startup, so <span class="command"><strong>named</strong></span> will not
+                  once at startup, so <span class="command"><strong>named</strong></span> does not
                   adjust the cache size if the amount of physical memory
                   is changed during runtime.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>tcp-listen-queue</strong></span></span></dt>
-<dd>
-                <p>
-                  The listen queue depth.  The default and minimum is 10.
-                  If the kernel supports the accept filter "dataready" this
+<dd><p>
+                  This sets the listen-queue depth.  The default and minimum is 10.
+                  If the kernel supports the accept filter "dataready", this
                   also controls how
-                  many TCP connections that will be queued in kernel space
+                  many TCP connections are queued in kernel space
                   waiting for
-                  some data before being passed to accept.  Nonzero values
-                  less than 10 will be silently raised. A value of 0 may also
-                  be used; on most platforms this sets the listen queue
+                  some data before being passed to accept.  Non-zero values
+                  less than 10 are silently raised. A value of 0 may also
+                  be used; on most platforms this sets the listen-queue
                   length to a system-defined default value.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="intervals"></a>Periodic Task Intervals</h4></div></div></div>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   This interval is effectively obsolete.  Previously,
-                  the server would remove expired resource records
+                  the server removed expired resource records
                   from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes.
                   <acronym class="acronym">BIND</acronym> 9 now manages cache
                   memory in a more sophisticated manner and does not
-                  rely on the periodic cleaning any more.
+                  rely on periodic cleaning anymore.
                   Specifying this option therefore has no effect on
                   the server's behavior.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  The server will perform zone maintenance tasks
+<dd><p>
+                  The server performs zone maintenance tasks
                   for all zones marked as <span class="command"><strong>dialup</strong></span> whenever this
                   interval expires. The default is 60 minutes. Reasonable
                   values are up
                   to 1 day (1440 minutes).  The maximum value is 28 days
                   (40320 minutes).
-                  If set to 0, no zone maintenance for these zones will occur.
-                </p>
-              </dd>
+                  If set to 0, no zone maintenance for these zones occurs.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>interface-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  The server will scan the network interface list
+<dd><p>
+                  The server scans the network interface list
                   every <span class="command"><strong>interface-interval</strong></span>
                   minutes. The default
-                  is 60 minutes. The maximum value is 28 days (40320 minutes).
-                  If set to 0, interface scanning will only occur when
+                  is 60 minutes; the maximum value is 28 days (40320 minutes).
+                  If set to 0, interface scanning only occurs when
                   the configuration file is loaded, or when
                   <span class="command"><strong>automatic-interface-scan</strong></span> is enabled
                   and supported by the operating system. After the scan, the
-                  server will begin listening for queries on any newly
+                  server begins listening for queries on any newly
                   discovered interfaces (provided they are allowed by the
                   <span class="command"><strong>listen-on</strong></span> configuration), and
-                  will
-                  stop listening on interfaces that have gone away.
-                </p>
-              </dd>
+                  stops listening on interfaces that have gone away.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>statistics-interval</strong></span></span></dt>
 <dd>
-                <p>
-                  Name server statistics will be logged
+<p>
+                  Name server statistics are logged
                   every <span class="command"><strong>statistics-interval</strong></span>
                   minutes. The default is
-                  60. The maximum value is 28 days (40320 minutes).
-                  If set to 0, no statistics will be logged.
+                  60, and the maximum value is 28 days (40320 minutes).
+                  If set to 0, no statistics are logged.
                   </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                  <p>
-                    Not yet implemented in
+<p>
+                    This option is not implemented in
                     <acronym class="acronym">BIND</acronym> 9.
                   </p>
-                </div>
-              </dd>
+</div>
+</dd>
 <dt><span class="term"><span class="command"><strong>topology</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   In BIND 8, this option indicated network topology
                   so that preferential treatment could be given to
-                  the topologicaly closest name servers when sending
+                  the topologically closest name servers when sending
                   queries. It is not implemented in BIND 9.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="the_sortlist_statement"></a>The <span class="command"><strong>sortlist</strong></span> Statement</h4></div></div></div>
-
-          <p>
+<p>
             The response to a DNS query may consist of multiple resource
             records (RRs) forming a resource record set (RRset).  The name
-            server will normally return the RRs within the RRset in an
+            server normally returns the RRs within the RRset in an
             indeterminate order (but see the <span class="command"><strong>rrset-order</strong></span>
             statement in <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).  The client
-            resolver code should rearrange the RRs as appropriate, that is,
+            resolver code should rearrange the RRs as appropriate: that is,
             using any addresses on the local net in preference to other
             addresses.  However, not all resolvers can do this or are
             correctly configured.  When a client is using a local server,
@@ -6548,44 +6039,42 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             client's address. This only requires configuring the name
             servers, not all the clients.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>sortlist</strong></span> statement (see below) takes an
             <span class="command"><strong>address_match_list</strong></span> and interprets it in a
-            special way.  Each top level statement in the
+            special way.  Each top-level statement in the
             <span class="command"><strong>sortlist</strong></span> must itself be an explicit
             <span class="command"><strong>address_match_list</strong></span> with one or two elements.
             The first element (which may be an IP address, an IP prefix, an
-            ACL name or a nested <span class="command"><strong>address_match_list</strong></span>) of
-            each top level list is checked against the source address of
+            ACL name, or a nested <span class="command"><strong>address_match_list</strong></span>) of
+            each top-level list is checked against the source address of
             the query until a match is found. When the addresses in the
-            first element overlap, the first rule to match gets selected.
+            first element overlap, the first rule to match is selected.
           </p>
-          <p>
+<p>
             Once the source address of the query has been matched, if the
-            top level statement contains only one element, the actual
+            top-level statement contains only one element, the actual
             primitive element that matched the source address is used to
             select the address in the response to move to the beginning of
             the response. If the statement is a list of two elements, then
             the second element is interpreted as a topology preference
-            list.  Each top level element is assigned a distance and the
+            list.  Each top-level element is assigned a distance, and the
             address in the response with the minimum distance is moved to
             the beginning of the response.
           </p>
-          <p>
+<p>
             In the following example, any queries received from any of the
-            addresses of the host itself will get responses preferring
+            addresses of the host itself get responses preferring
             addresses on any of the locally connected networks. Next most
             preferred are addresses on the 192.168.1/24 network, and after
-            that either the 192.168.2/24 or 192.168.3/24 network with no
+            that either the 192.168.2/24 or 192.168.3/24 network, with no
             preference shown between these two networks. Queries received
-            from a host on the 192.168.1/24 network will prefer other
+            from a host on the 192.168.1/24 network prefer other
             addresses on that network to the 192.168.2/24 and 192.168.3/24
             networks. Queries received from a host on the 192.168.4/24 or
-            the 192.168.5/24 network will only prefer other addresses on
+            the 192.168.5/24 network only prefer other addresses on
             their directly connected networks.
           </p>
-
 <pre class="programlisting">sortlist {
     // IF the local host
     // THEN first fit on the following nets
@@ -6609,162 +6098,207 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
     { { 192.168.4/24; 192.168.5/24; };
     };
 };</pre>
-
-          <p>
-            The following example will give reasonable behavior for the
-            local host and hosts on directly connected networks. It is
-            similar to the behavior of the address sort in
-            <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent to queries from
-            the local host will favor any of the directly connected
+<p>
+            The following example illustrates reasonable behavior for the
+            local host and hosts on directly connected networks. Responses sent to queries from
+            the local host favor any of the directly connected
             networks. Responses sent to queries from any other hosts on a
-            directly connected network will prefer addresses on that same
-            network.  Responses to other queries will not be sorted.
+            directly connected network prefer addresses on that same
+            network.  Responses to other queries are not sorted.
           </p>
-
 <pre class="programlisting">sortlist {
            { localhost; localnets; };
            { localnets; };
 };
 </pre>
-
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-
-          <p>
-            When multiple records are returned in an answer it may be
-            useful to configure the order of the records placed into the
-            response.
-            The <span class="command"><strong>rrset-order</strong></span> statement permits
-            configuration
-            of the ordering of the records in a multiple record response.
-            See also the <span class="command"><strong>sortlist</strong></span> statement,
-            <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a>.
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+              While alternating the order of records in a DNS response between
+              subsequent queries is a known load distribution technique, certain
+              caveats apply (mostly stemming from caching) which usually make it
+              a suboptimal choice for load balancing purposes when used on its
+              own.
+            </p>
+</div>
+<p>
+            The <span class="command"><strong>rrset-order</strong></span> statement permits configuration
+            of the ordering of the records in a multiple-record response.  See
+            also: <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a>.
           </p>
-
-          <p>
-            An <span class="command"><strong>order_spec</strong></span> is defined as
-            follows:
-          </p>
-          <p>
-            [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
-            [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
-            [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
-            order <em class="replaceable"><code>ordering</code></em>
-          </p>
-          <p>
-            If no class is specified, the default is <span class="command"><strong>ANY</strong></span>.
-            If no type is specified, the default is <span class="command"><strong>ANY</strong></span>.
-            If no name is specified, the default is "<span class="command"><strong>*</strong></span>" (asterisk).
-          </p>
-          <p>
-            The legal values for <span class="command"><strong>ordering</strong></span> are:
-          </p>
-          <div class="informaltable">
-            <table border="1">
+<p>
+            Each rule in an <span class="command"><strong>rrset-order</strong></span> statement is defined
+            as follows:
+          </p>
+<p>
+            [<span class="optional">class <em class="replaceable"><code>&lt;class_name&gt;</code></em></span>]
+            [<span class="optional">type <em class="replaceable"><code>&lt;type_name&gt;</code></em></span>]
+            [<span class="optional">name <em class="replaceable"><code>"&lt;domain_name&gt;"</code></em></span>]
+            order <em class="replaceable"><code>&lt;ordering&gt;</code></em>
+          </p>
+<p>
+            The default qualifiers for each rule are:
+            </p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+                If no <span class="command"><strong>class</strong></span> is specified, the default is
+                <span class="command"><strong>ANY</strong></span>.
+              </li>
+<li class="listitem">
+                If no <span class="command"><strong>type</strong></span> is specified, the default is
+                <span class="command"><strong>ANY</strong></span>.
+              </li>
+<li class="listitem">
+                If no <span class="command"><strong>name</strong></span> is specified, the default is
+                <span class="command"><strong>*</strong></span> (asterisk).
+              </li>
+</ul></div>
+<p>
+          </p>
+<p>
+            <em class="replaceable"><code>&lt;domain_name&gt;</code></em> only matches the name
+            itself, not any of its subdomains.  To make a rule match all
+            subdomains of a given name, a wildcard name
+            (<em class="replaceable"><code>*.&lt;domain_name&gt;</code></em>) must be used.
+            Note that <em class="replaceable"><code>*.&lt;domain_name&gt;</code></em> does
+            <span class="emphasis"><em>not</em></span> match
+            <em class="replaceable"><code>&lt;domain_name&gt;</code></em> itself; to specify
+            RRset ordering for a name and all of its subdomains, two separate
+            rules must be defined: one for
+            <em class="replaceable"><code>&lt;domain_name&gt;</code></em> and one for
+            <em class="replaceable"><code>*.&lt;domain_name&gt;</code></em>.
+          </p>
+<p>
+            The legal values for <em class="replaceable"><code>&lt;ordering&gt;</code></em>
+            are:
+          </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>fixed</strong></span></span></dt>
+<dd>
+<p>
+                  Records are returned in the order they are defined in the zone
+                  file.
+                </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+                    The <span class="command"><strong>fixed</strong></span> option is only available if
+                    BIND is configured with
+                    <span class="command"><strong>--enable-fixed-rrset</strong></span> at compile time.
+                  </p>
+</div>
+</dd>
+<dt><span class="term"><span class="command"><strong>random</strong></span></span></dt>
+<dd><p>
+                  Records are returned in a random order.
+                </p></dd>
+<dt><span class="term"><span class="command"><strong>cyclic</strong></span></span></dt>
+<dd><p>
+                  Records are returned in a cyclic round-robin order, rotating
+                  by one record per query.
+                </p></dd>
+</dl></div>
+<p>
+            By default, records are returned in random order.
+          </p>
+<p>
+            Note that if multiple <span class="command"><strong>rrset-order</strong></span> statements are
+            present in the configuration file (at both the
+            <span class="command"><strong>options</strong></span> and <span class="command"><strong>view</strong></span> levels), they
+            are <span class="emphasis"><em>not</em></span> combined; instead, the more-specific
+            one (<span class="command"><strong>view</strong></span>) replaces the less-specific one
+            (<span class="command"><strong>options</strong></span>).
+          </p>
+<p>
+            If multiple rules within a single <span class="command"><strong>rrset-order</strong></span>
+            statement match a given RRset, the first matching rule is applied.
+          </p>
+<p>
+            Example:
+          </p>
+<pre class="programlisting">rrset-order {
+    type A name "foo.isc.org" order random;
+    type AAAA name "foo.isc.org" order cyclic;
+    name "bar.isc.org" order fixed;
+    name "*.bar.isc.org" order random;
+    name "*.baz.isc.org" order cyclic;
+};
+</pre>
+<p>
+            With the above configuration, the following RRset ordering is used:
+          </p>
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
-<col width="0.750in" class="1">
-<col width="3.750in" class="2">
+<col>
+<col>
+<col>
 </colgroup>
+<thead><tr>
+<th><p>QNAME</p></th>
+<th><p>QTYPE</p></th>
+<th><p>RRset Order</p></th>
+</tr></thead>
 <tbody>
 <tr>
-<td>
-                    <p><span class="command"><strong>fixed</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in the order they
-                      are defined in the zone file.
-                    </p>
-                  </td>
+<td><p><strong class="userinput"><code>foo.isc.org</code></strong></p></td>
+<td><p><strong class="userinput"><code>A</code></strong></p></td>
+<td><p><span class="command"><strong>random</strong></span></p></td>
 </tr>
 <tr>
-<td>
-                    <p><span class="command"><strong>random</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in some random order.
-                    </p>
-                  </td>
+<td><p><strong class="userinput"><code>foo.isc.org</code></strong></p></td>
+<td><p><strong class="userinput"><code>AAAA</code></strong></p></td>
+<td><p><span class="command"><strong>cyclic</strong></span></p></td>
 </tr>
 <tr>
-<td>
-                    <p><span class="command"><strong>cyclic</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in a cyclic round-robin order.
-                    </p>
-                    <p>
-                      If <acronym class="acronym">BIND</acronym> is configured with the
-                      "--enable-fixed-rrset" option at compile time, then
-                      the initial ordering of the RRset will match the
-                      one specified in the zone file.
-                    </p>
-                  </td>
+<td><p><strong class="userinput"><code>foo.isc.org</code></strong></p></td>
+<td><p><strong class="userinput"><code>TXT</code></strong></p></td>
+<td><p><span class="command"><strong>random</strong></span></p></td>
+</tr>
+<tr>
+<td><p><strong class="userinput"><code>sub.foo.isc.org</code></strong></p></td>
+<td><p>all</p></td>
+<td><p><span class="command"><strong>random</strong></span></p></td>
+</tr>
+<tr>
+<td><p><strong class="userinput"><code>bar.isc.org</code></strong></p></td>
+<td><p>all</p></td>
+<td><p><span class="command"><strong>fixed</strong></span></p></td>
+</tr>
+<tr>
+<td><p><strong class="userinput"><code>sub.bar.isc.org</code></strong></p></td>
+<td><p>all</p></td>
+<td><p><span class="command"><strong>random</strong></span></p></td>
+</tr>
+<tr>
+<td><p><strong class="userinput"><code>baz.isc.org</code></strong></p></td>
+<td><p>all</p></td>
+<td><p><span class="command"><strong>random</strong></span></p></td>
+</tr>
+<tr>
+<td><p><strong class="userinput"><code>sub.baz.isc.org</code></strong></p></td>
+<td><p>all</p></td>
+<td><p><span class="command"><strong>cyclic</strong></span></p></td>
 </tr>
 </tbody>
-</table>
-          </div>
-          <p>
-            For example:
-          </p>
-
-<pre class="programlisting">rrset-order {
-   class IN type A name "host.example.com" order random;
-   order cyclic;
-};
-</pre>
-
-          <p>
-            will cause any responses for type A records in class IN that
-            have "<code class="literal">host.example.com</code>" as a
-            suffix, to always be returned
-            in random order. All other records are returned in cyclic order.
-          </p>
-          <p>
-            If multiple <span class="command"><strong>rrset-order</strong></span> statements
-            appear, they are not combined &#8212; the last one applies.
-          </p>
-          <p>
-            By default, all records are returned in random order.
-          </p>
-
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-            <p>
-              In this release of <acronym class="acronym">BIND</acronym> 9, the
-              <span class="command"><strong>rrset-order</strong></span> statement does not support
-              "fixed" ordering by default.  Fixed ordering can be enabled
-              at compile time by specifying "--enable-fixed-rrset" on
-              the "configure" command line.
-            </p>
-          </div>
-        </div>
-
-        <div class="section">
+</table></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="tuning"></a>Tuning</h4></div></div></div>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>lame-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the number of seconds to cache a
-                  lame server indication. 0 disables caching. (This is
-                  <span class="bold"><strong>NOT</strong></span> recommended.)
-                  The default is <code class="literal">600</code> (10 minutes) and the
-                  maximum value is
-                  <code class="literal">1800</code> (30 minutes).
-                </p>
-
-              </dd>
+<dd><p>
+                  This is always set to 0. More information is available
+                  in the <a class="link" href="https://kb.isc.org/docs/cve-2021-25219" target="_top">security advisory for CVE-2021-25219</a>.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>servfail-ttl</strong></span></span></dt>
 <dd>
-                <p>
-                  Sets the number of seconds to cache a
+<p>
+                  This sets the number of seconds to cache a
                   SERVFAIL response due to DNSSEC validation failure or
                   other general server failure.  If set to
                   <code class="literal">0</code>, SERVFAIL caching is disabled.
@@ -6773,266 +6307,244 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   query that failed due to DNSSEC validation to be retried
                   without waiting for the SERVFAIL TTL to expire.
                 </p>
-                <p>
+<p>
                   The maximum value is <code class="literal">30</code>
-                  seconds; any higher value will be silently
+                  seconds; any higher value is silently
                   reduced. The default is <code class="literal">1</code>
                   second.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>max-ncache-ttl</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   To reduce network traffic and increase performance,
                   the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is
                   used to set a maximum retention time for these answers in
-                  the server
+                  the server,
                   in seconds. The default
                   <span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
                   <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed
-                  7 days and will
-                  be silently truncated to 7 days if set to a greater value.
-                </p>
-              </dd>
+                  7 days and is
+                  silently truncated to 7 days if set to a greater value.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the maximum time for which the server will
-                  cache ordinary (positive) answers in seconds.
+<dd><p>
+                  This sets the maximum time for which the server
+                  caches ordinary (positive) answers, in seconds.
                   The default is 604800 (one week).
                   A value of zero may cause all queries to return
                   SERVFAIL, because of lost caches of intermediate
                   RRsets (such as NS and glue AAAA/A records) in the
                   resolution process.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
 <dd>
-                <p>
-                  The minimum number of root servers that
+<p>
+                  This sets the minimum number of root servers that
                   is required for a request for the root servers to be
                   accepted. The default
                   is <strong class="userinput"><code>2</code></strong>.
                 </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                  <p>
-                    Not implemented in <acronym class="acronym">BIND</acronym> 9.
+<p>
+                    This is not implemented in <acronym class="acronym">BIND</acronym> 9.
                   </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>resolver-nonbackoff-tries</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies how many retries occur before exponential
-                  backoff kicks in.  The default is <strong class="userinput"><code>3</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>resolver-retry-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  The base retry interval in milliseconds.
-                  The default is <strong class="userinput"><code>800</code></strong>.
-                </p>
-              </dd>
+</div>
+</dd>
 <dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
 <dd>
-                <p>
-                  Specifies the number of days into the future when
-                  DNSSEC signatures automatically generated as a
+<p>
+                  This specifies the number of days into the future that
+                  DNSSEC signatures that are automatically generated as a
                   result of dynamic updates (<a class="xref" href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire.  There
                   is an optional second field which specifies how
-                  long before expiry that the signatures will be
-                  regenerated.  If not specified, the signatures will
-                  be regenerated at 1/4 of base interval.  The second
+                  long before expiry that the signatures are
+                  regenerated.  If not specified, the signatures are
+                  regenerated at 1/4 of base interval.  The second
                   field is specified in days if the base interval is
-                  greater than 7 days otherwise it is specified in hours.
-                  The default base interval is <code class="literal">30</code> days
+                  greater than 7 days; otherwise it is specified in hours.
+                  The default base interval is <code class="literal">30</code> days,
                   giving a re-signing interval of 7 1/2 days.  The maximum
-                  values are 10 years (3660 days).
+                  value is 10 years (3660 days).
                 </p>
-                <p>
+<p>
                   The signature inception time is unconditionally
-                  set to one hour before the current time to allow
+                  set to one hour before the current time, to allow
                   for a limited amount of clock skew.
                 </p>
-                <p>
+<p>
                   The <span class="command"><strong>sig-validity-interval</strong></span>
-                  should be, at least, several multiples of the SOA
-                  expire interval to allow for reasonable interaction
+                  should be at least several multiples of the SOA
+                  expire interval, to allow for reasonable interaction
                   between the various timer and expiry dates.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify the maximum number of nodes to be
-                  examined in each quantum when signing a zone with
+<dd><p>
+                  This specifies the maximum number of nodes to be
+                  examined in each quantum, when signing a zone with
                   a new DNSKEY. The default is
                   <code class="literal">100</code>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify a threshold number of signatures that
-                  will terminate processing a quantum when signing
+<dd><p>
+                  This specifies a threshold number of signatures that
+                  terminates processing a quantum, when signing
                   a zone with a new DNSKEY.  The default is
                   <code class="literal">10</code>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
 <dd>
-                <p>
-                  Specify a private RDATA type to be used when generating
-                  signing state records.  The default is
+<p>
+                  This specifies a private RDATA type to be used when generating
+                  signing-state records.  The default is
                   <code class="literal">65534</code>.
                 </p>
-                <p>
-                  It is expected that this parameter may be removed
-                  in a future version once there is a standard type.
+<p>
+                  This parameter may be removed
+                  in a future version, once there is a standard type.
                 </p>
-                <p>
-                  Signing state records are used to internally by
+<p>
+                  Signing-state records are used internally by
                   <span class="command"><strong>named</strong></span> to track the current state of
                   a zone-signing process, i.e., whether it is still active
                   or has been completed.  The records can be inspected
                   using the command
                   <span class="command"><strong>rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
                   Once <span class="command"><strong>named</strong></span> has finished signing
-                  a zone with a particular key, the signing state
+                  a zone with a particular key, the signing-state
                   record associated with that key can be removed from
                   the zone by running
                   <span class="command"><strong>rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
-                  To clear all of the completed signing state
+                  To clear all of the completed signing-state
                   records for a zone, use
                   <span class="command"><strong>rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
                 </p>
-              </dd>
+</dd>
 <dt>
 <span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
 </dt>
 <dd>
-                <p>
+<p>
                   These options control the server's behavior on refreshing a
                   zone (querying for SOA changes) or retrying failed
                   transfers.  Usually the SOA values for the zone are used,
                   up to a hard-coded maximum expiry of 24 weeks. However,
-                  these values are set by the master, giving slave server
+                  these values are set by the primary, giving secondary server
                   administrators little control over their contents.
                 </p>
-                <p>
+<p>
                   These options allow the administrator to set a minimum and
                   maximum refresh and retry time in seconds per-zone,
                   per-view, or globally.  These options are valid for
-                  slave and stub zones, and clamp the SOA refresh and
+                  secondary and stub zones, and clamp the SOA refresh and
                   retry times to the specified values.
                 </p>
-                <p>
-                  The following defaults apply.
+<p>
+                  The following defaults apply:
                   <span class="command"><strong>min-refresh-time</strong></span> 300 seconds,
                   <span class="command"><strong>max-refresh-time</strong></span> 2419200 seconds
                   (4 weeks), <span class="command"><strong>min-retry-time</strong></span> 500 seconds,
                   and <span class="command"><strong>max-retry-time</strong></span> 1209600 seconds
                   (2 weeks).
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>edns-udp-size</strong></span></span></dt>
 <dd>
-                <p>
-                  Sets the maximum advertised EDNS UDP buffer size in
+<p>
+                  This sets the maximum advertised EDNS UDP buffer size, in
                   bytes, to control the size of packets received from
                   authoritative servers in response to recursive queries.
-                  Valid values are 512 to 4096 (values outside this range
-                  will be silently adjusted to the nearest value within
-                  it).  The default value is 4096.
+                  Valid values are 512 to 4096; values outside this range
+                  are silently adjusted to the nearest value within
+                  it.  The default value is 1232.
                 </p>
-                <p>
+<p>
                   The usual reason for setting
                   <span class="command"><strong>edns-udp-size</strong></span> to a non-default value
                   is to get UDP answers to pass through broken firewalls
                   that block fragmented packets and/or block UDP DNS
                   packets that are greater than 512 bytes.
                 </p>
-                <p>
+<p>
                   When <span class="command"><strong>named</strong></span> first queries a remote
-                  server, it will advertise a UDP buffer size of 512, as
+                  server, it advertises a UDP buffer size of 512, as
                   this has the greatest chance of success on the first try.
                 </p>
-                <p>
+<p>
                   If the initial response times out, <span class="command"><strong>named</strong></span>
-                  will try again with plain DNS, and if that is successful,
-                  it will be taken as evidence that the server does not
+                  tries again with plain DNS; if that is successful,
+                  it is taken as evidence that the server does not
                   support EDNS. After enough failures using EDNS and
                   successes using plain DNS, <span class="command"><strong>named</strong></span>
-                  will default to plain DNS for future communications
-                  with that server.  (Periodically, <span class="command"><strong>named</strong></span>
-                  will send an EDNS query to see if the situation has
-                  improved.)
+                  defaults to plain DNS for future communications
+                  with that server.  If that happens, <span class="command"><strong>named</strong></span>
+                  periodically sends an EDNS query to see if the situation has
+                  improved.
                 </p>
-                <p>
+<p>
                   However, if the initial query is successful with
                   EDNS advertising a buffer size of 512, then
-                  <span class="command"><strong>named</strong></span> will advertise progressively
+                  <span class="command"><strong>named</strong></span> advertises progressively
                   larger buffer sizes on successive queries, until
                   responses begin timing out or
                   <span class="command"><strong>edns-udp-size</strong></span> is reached.
                 </p>
-                <p>
+<p>
                   The default buffer sizes used by <span class="command"><strong>named</strong></span>
-                  are 512, 1232, 1432, and 4096, but never exceeding
+                  are 512, 1232, 1432, and 4096, but never exceed
                   <span class="command"><strong>edns-udp-size</strong></span>.  (The values 1232 and
-                  1432 are chosen to allow for an IPv4/IPv6 encapsulated
+                  1432 are chosen to allow for an IPv4-/IPv6-encapsulated
                   UDP message to be sent without fragmentation at the
                   minimum MTU sizes for Ethernet and IPv6 networks.)
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>max-udp-size</strong></span></span></dt>
 <dd>
-                <p>
-                  Sets the maximum EDNS UDP message size
-                  <span class="command"><strong>named</strong></span> will send in bytes.
-                  Valid values are 512 to 4096 (values outside this
-                  range will be silently adjusted to the nearest
-                  value within it).  The default value is 4096.
+<p>
+                  This sets the maximum EDNS UDP message size that
+                  <span class="command"><strong>named</strong></span> sends, in bytes.
+                  Valid values are 512 to 4096; values outside this
+                  range are silently adjusted to the nearest
+                  value within it.  The default value is 1232.
                 </p>
-                <p>
+<p>
                   This value applies to responses sent by a server; to
                   set the advertised buffer size in queries, see
                   <span class="command"><strong>edns-udp-size</strong></span>.
                 </p>
-                <p>
+<p>
                   The usual reason for setting
                   <span class="command"><strong>max-udp-size</strong></span> to a non-default
-                  value is to get UDP answers to pass through broken
+                  value is to allow UDP answers to pass through broken
                   firewalls that block fragmented packets and/or
                   block UDP packets that are greater than 512 bytes.
                   This is independent of the advertised receive
                   buffer (<span class="command"><strong>edns-udp-size</strong></span>).
                 </p>
-                <p>
-                  Setting this to a low value will encourage additional
-                  TCP traffic to the nameserver.
+<p>
+                  Setting this to a low value encourages additional
+                  TCP traffic to the name server.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
 <dd>
-                <p>Specifies
+<p>This specifies
                   the file format of zone files (see
                   <a class="xref" href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
                   The default value is <code class="constant">text</code>, which is the
-                  standard textual representation, except for slave zones,
+                  standard textual representation, except for secondary zones,
                   in which the default value is <code class="constant">raw</code>.
-                  Files in other formats than <code class="constant">text</code> are
+                  Files in formats other than <code class="constant">text</code> are
                   typically expected to be generated by the
                   <span class="command"><strong>named-compilezone</strong></span> tool, or dumped by
                   <span class="command"><strong>named</strong></span>.
                 </p>
-                <p>
-                  Note that when a zone file in a different format than
+<p>
+                  Note that when a zone file in a format other than
                   <code class="constant">text</code> is loaded, <span class="command"><strong>named</strong></span>
                   may omit some of the checks which would be performed for a
-                  file in the <code class="constant">text</code> format.  In particular,
+                  file in <code class="constant">text</code> format.  In particular,
                   <span class="command"><strong>check-names</strong></span> checks do not apply
                   for the <code class="constant">raw</code> format.  This means
                   a zone file in the <code class="constant">raw</code> format
@@ -7042,7 +6554,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   loaded directly into memory via memory mapping, with only
                   minimal checking.
                 </p>
-                <p>
+<p>
                   This statement sets the
                   <span class="command"><strong>masterfile-format</strong></span> for all zones,
                   but can be overridden on a per-zone or per-view basis
@@ -7051,18 +6563,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   <span class="command"><strong>view</strong></span> block in the configuration
                   file.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>masterfile-style</strong></span></span></dt>
 <dd>
-                <p>
-                  Specifies the formatting of zone files during dump
+<p>
+                  This specifies the formatting of zone files during dump,
                   when the <code class="option">masterfile-format</code> is
-                  <code class="constant">text</code>. (This option is ignored
-                  with any other <code class="option">masterfile-format</code>.)
+                  <code class="constant">text</code>. This option is ignored
+                  with any other <code class="option">masterfile-format</code>.
                 </p>
-                <p>
+<p>
                   When set to <code class="constant">relative</code>,
-                  records are printed in a multi-line format with owner
+                  records are printed in a multi-line format, with owner
                   names expressed relative to a shared origin.  When set
                   to <code class="constant">full</code>, records are printed in
                   a single-line format with absolute owner names.
@@ -7073,105 +6585,91 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   zone is to be edited by hand.  The default is
                   <code class="constant">relative</code>.
                 </p>
-              </dd>
+</dd>
 <dt>
 <a name="max-recursion-depth"></a><span class="term"><span class="command"><strong>max-recursion-depth</strong></span></span>
 </dt>
-<dd>
-                <p>
-                  Sets the maximum number of levels of recursion
+<dd><p>
+                  This sets the maximum number of levels of recursion
                   that are permitted at any one time while servicing
                   a recursive query. Resolving a name may require
                   looking up a name server address, which in turn
-                  requires resolving another name, etc; if the number
-                  of indirections exceeds this value, the recursive
+                  requires resolving another name, etc.; if the number
+                  of recursions exceeds this value, the recursive
                   query is terminated and returns SERVFAIL.  The
                   default is 7.
-                </p>
-              </dd>
+                </p></dd>
 <dt>
 <a name="max-recursion-queries"></a><span class="term"><span class="command"><strong>max-recursion-queries</strong></span></span>
 </dt>
-<dd>
-                <p>
-                  Sets the maximum number of iterative queries that
+<dd><p>
+                  This sets the maximum number of iterative queries that
                   may be sent while servicing a recursive query.
                   If more queries are sent, the recursive query
-                  is terminated and returns SERVFAIL. Queries to
-                  look up top level domains such as "com" and "net"
-                  and the DNS root zone are exempt from this limitation.
-                  The default is 75.
-                </p>
-              </dd>
+                  is terminated and returns SERVFAIL.  The default is 100.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
 <dd>
-                <p>
-                  The delay, in seconds, between sending sets of notify
-                  messages for a zone.  The default is five (5) seconds.
+<p>
+                  This sets the delay, in seconds, between sending sets of NOTIFY
+                  messages for a zone.  The default is 5 seconds.
                 </p>
-                <p>
-                  The overall rate that NOTIFY messages are sent for all
+<p>
+                  The overall rate at which NOTIFY messages are sent for all
                   zones is controlled by <span class="command"><strong>serial-query-rate</strong></span>.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>max-rsa-exponent-size</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum RSA exponent size, in bits, that will
-                  be accepted when validating.  Valid values are 35
-                  to 4096 bits.  The default zero (0) is also accepted
+<dd><p>
+                  This sets the maximum RSA exponent size, in bits, that is
+                  accepted when validating.  Valid values are 35
+                  to 4096 bits.  The default, zero, is also accepted
                   and is equivalent to 4096.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>prefetch</strong></span></span></dt>
 <dd>
-                <p>
+<p>
                   When a query is received for cached data which
                   is to expire shortly, <span class="command"><strong>named</strong></span> can
                   refresh the data from the authoritative server
                   immediately, ensuring that the cache always has an
                   answer available.
                 </p>
-                <p>
-                  The <code class="option">prefetch</code> specifies the
+<p>
+                  <code class="option">prefetch</code> specifies the
                   "trigger" TTL value at which prefetch of the current
-                  query will take place: when a cache record with a
+                  query takes place; when a cache record with a
                   lower TTL value is encountered during query processing,
-                  it will be refreshed.  Valid trigger TTL values are 1 to
-                  10 seconds.  Values larger than 10 seconds will be silently
+                  it is refreshed.  Valid trigger TTL values are 1 to
+                  10 seconds.  Values larger than 10 seconds are silently
                   reduced to 10.
-                  Setting a trigger TTL to zero (0) causes
+                  Setting a trigger TTL to zero causes
                   prefetch to be disabled.
                   The default trigger TTL is <code class="literal">2</code>.
                 </p>
-                <p>
+<p>
                   An optional second argument specifies the "eligibility"
                   TTL: the smallest <span class="emphasis"><em>original</em></span>
-                  TTL value that will be accepted for a record to be
+                  TTL value that is accepted for a record to be
                   eligible for prefetching.  The eligibility TTL must
                   be at least six seconds longer than the trigger TTL;
-                  if it isn't, <span class="command"><strong>named</strong></span> will silently
-                  adjust it upward.
+                  if not, <span class="command"><strong>named</strong></span> silently
+                  adjusts it upward.
                   The default eligibility TTL is <code class="literal">9</code>.
                 </p>
-              </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>v6-bias</strong></span></span></dt>
-<dd>
-                <p>
-                  When determining the next nameserver to try
-                  preference IPv6 nameservers by this many milliseconds.
+<dd><p>
+                  When determining the next name server to try,
+                  this indicates by how many milliseconds to prefer IPv6 name servers.
                   The default is <code class="literal">50</code> milliseconds.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-
-          <p>
+<a name="builtin"></a>Built-in Server Information Zones</h4></div></div></div>
+<p>
             The server provides some helpful diagnostic information
             through a number of built-in zones under the
             pseudo-top-level-domain <code class="literal">bind</code> in the
@@ -7179,96 +6677,93 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             of a
             built-in view (see <a class="xref" href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span class="command"><strong>view</strong></span> Statement Grammar&#8221;</a>) of
             class
-            <span class="command"><strong>CHAOS</strong></span> which is separate from the
+            <span class="command"><strong>CHAOS</strong></span>, which is separate from the
             default view of class <span class="command"><strong>IN</strong></span>. Most global
             configuration options (<span class="command"><strong>allow-query</strong></span>,
-            etc) will apply to this view, but some are locally
+            etc.) apply to this view, but some are locally
             overridden: <span class="command"><strong>notify</strong></span>,
-            <span class="command"><strong>recursion</strong></span> and
+            <span class="command"><strong>recursion</strong></span>, and
             <span class="command"><strong>allow-new-zones</strong></span> are
             always set to <strong class="userinput"><code>no</code></strong>, and
             <span class="command"><strong>rate-limit</strong></span> is set to allow
             three responses per second.
           </p>
-          <p>
-            If you need to disable these zones, use the options
-            below, or hide the built-in <span class="command"><strong>CHAOS</strong></span>
+<p>
+            To disable these zones, use the options
+            below or hide the built-in <span class="command"><strong>CHAOS</strong></span>
             view by
             defining an explicit view of class <span class="command"><strong>CHAOS</strong></span>
             that matches all clients.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>version</strong></span></span></dt>
 <dd>
-                <p>
-                  The version the server should report
+<p>
+                  This is the version the server should report
                   via a query of the name <code class="literal">version.bind</code>
-                  with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
+                  with type <span class="command"><strong>TXT</strong></span> and class <span class="command"><strong>CHAOS</strong></span>.
                   The default is the real version number of this server.
                   Specifying <span class="command"><strong>version none</strong></span>
                   disables processing of the queries.
                 </p>
-              </dd>
+<p>
+                  Setting <span class="command"><strong>version</strong></span> to any value
+                  (including <code class="literal">none</code>) also
+                  disables queries for <code class="literal">authors.bind TXT CH</code>.
+                </p>
+</dd>
 <dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt>
-<dd>
-                <p>
-                  The hostname the server should report via a query of
+<dd><p>
+                  This is the hostname the server should report via a query of
                   the name <code class="filename">hostname.bind</code>
-                  with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
+                  with type <span class="command"><strong>TXT</strong></span> and class <span class="command"><strong>CHAOS</strong></span>.
                   This defaults to the hostname of the machine hosting the
-                  name server as
-                  found by the gethostname() function.  The primary purpose of such queries
+                  name server, as
+                  found by the <span class="command"><strong>gethostname()</strong></span> function.  The primary purpose of such queries
                   is to
                   identify which of a group of anycast servers is actually
-                  answering your queries.  Specifying <span class="command"><strong>hostname none;</strong></span>
+                  answering the queries.  Specifying <span class="command"><strong>hostname none;</strong></span>
                   disables processing of the queries.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>server-id</strong></span></span></dt>
-<dd>
-                <p>
-                  The ID the server should report when receiving a Name
+<dd><p>
+                  This is the ID the server should report when receiving a Name
                   Server Identifier (NSID) query, or a query of the name
                   <code class="filename">ID.SERVER</code> with type
-                  <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
+                  <span class="command"><strong>TXT</strong></span> and class <span class="command"><strong>CHAOS</strong></span>.
                   The primary purpose of such queries is to
                   identify which of a group of anycast servers is actually
-                  answering your queries.  Specifying <span class="command"><strong>server-id none;</strong></span>
+                  answering the queries.  Specifying <span class="command"><strong>server-id none;</strong></span>
                   disables processing of the queries.
-                  Specifying <span class="command"><strong>server-id hostname;</strong></span> will cause <span class="command"><strong>named</strong></span> to
-                  use the hostname as found by the gethostname() function.
+                  Specifying <span class="command"><strong>server-id hostname;</strong></span> causes <span class="command"><strong>named</strong></span> to
+                  use the hostname as found by the <span class="command"><strong>gethostname()</strong></span> function.
                   The default <span class="command"><strong>server-id</strong></span> is <span class="command"><strong>none</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
-
-          <p>
+<p>
             The <span class="command"><strong>named</strong></span> server has some built-in
-            empty zones (SOA and NS records only).
+            empty zones, for SOA and NS records only.
             These are for zones that should normally be answered locally
             and which queries should not be sent to the Internet's root
             servers.  The official servers which cover these namespaces
             return NXDOMAIN responses to these queries.  In particular,
             these cover the reverse namespaces for addresses from
-            RFC 1918, RFC 4193, RFC 5737 and RFC 6598.  They also include the
-            reverse namespace for IPv6 local address (locally assigned),
-            IPv6 link local addresses, the IPv6 loopback address and the
+            RFC 1918, RFC 4193, RFC 5737, and RFC 6598.  They also include the
+            reverse namespace for the IPv6 local address (locally assigned),
+            IPv6 link local addresses, the IPv6 loopback address, and the
             IPv6 unknown address.
           </p>
-          <p>
-            The server will attempt to determine if a built-in zone
+<p>
+            The server attempts to determine if a built-in zone
             already exists or is active (covered by a forward-only
-            forwarding declaration) and will not create an empty
-            zone in that case.
+            forwarding declaration) and does not create an empty
+            zone if either is true.
           </p>
-          <p>
+<p>
             The current list of empty zones is:
             </p>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
@@ -7374,184 +6869,157 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </ul></div>
 <p>
           </p>
-          <p>
-            Empty zones are settable at the view level and only apply to
+<p>
+            Empty zones can be set at the view level and only apply to
             views of class IN.  Disabled empty zones are only inherited
             from options if there are no disabled empty zones specified
             at the view level.  To override the options list of disabled
-            zones, you can disable the root zone at the view level, for example:
+            zones, disable the root zone at the view level. For example:
 </p>
 <pre class="programlisting">
             disable-empty-zone ".";
 </pre>
 <p>
           </p>
-          <p>
-            If you are using the address ranges covered here, you should
-            already have reverse zones covering the addresses you use.
-            In practice this appears to not be the case with many queries
+<p>
+            If using the address ranges covered here,
+            reverse zones covering the addresses should already be in place.
+            In practice this appears to not be the case, with many queries
             being made to the infrastructure servers for names in these
-            spaces.  So many in fact that sacrificial servers were needed
+            spaces.  So many, in fact, that sacrificial servers had
             to be deployed to channel the query load away from the
             infrastructure servers.
           </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
             The real parent servers for these zones should disable all
-            empty zone under the parent zone they serve.  For the real
-            root servers, this is all built-in empty zones.  This will
-            enable them to return referrals to deeper in the tree.
+            empty zones under the parent zone they serve.  For the real
+            root servers, this is all built-in empty zones.  This
+            enables them to return referrals to deeper in the tree.
           </p>
 </div>
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>empty-server</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify what server name will appear in the returned
-                  SOA record for empty zones.  If none is specified, then
-                  the zone's name will be used.
-                </p>
-               </dd>
+<dd><p>
+                  This specifies the server name that appears in the returned
+                  SOA record for empty zones.  If none is specified,
+                  the zone's name is used.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>empty-contact</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify what contact name will appear in the returned
-                  SOA record for empty zones.  If none is specified, then
-                  "." will be used.
-                </p>
-              </dd>
+<dd><p>
+                  This specifies the contact name that appears in the returned
+                  SOA record for empty zones.  If none is specified,
+                  "." is used.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>empty-zones-enable</strong></span></span></dt>
-<dd>
-                <p>
-                  Enable or disable all empty zones.  By default, they
+<dd><p>
+                  This enables or disables all empty zones.  By default, they
                   are enabled.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>disable-empty-zone</strong></span></span></dt>
-<dd>
-                <p>
-                  Disable individual empty zones.  By default, none are
+<dd><p>
+                  This disables individual empty zones.  By default, none are
                   disabled.  This option can be specified multiple times.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="acache"></a>Additional Section Caching</h4></div></div></div>
-
-
-          <p>
+<p>
             The additional section cache, also called <span class="command"><strong>acache</strong></span>,
             is an internal cache to improve the response performance of BIND 9.
-            When additional section caching is enabled, BIND 9 will
-            cache an internal short-cut to the additional section content for
+            When additional section caching is enabled, BIND 9
+            caches an internal shortcut to the additional section content for
             each answer RR.
             Note that <span class="command"><strong>acache</strong></span> is an internal caching
             mechanism of BIND 9, and is not related to the DNS caching
             server function.
           </p>
-
-          <p>
+<p>
             Additional section caching does not change the
             response content (except the RRsets ordering of the additional
-            section, see below), but can improve the response performance
+            section; see below), but can improve the response performance
             significantly.
             It is particularly effective when BIND 9 acts as an authoritative
             server for a zone that has many delegations with many glue RRs.
           </p>
-
-          <p>
-            In order to obtain the maximum performance improvement
+<p>
+            To obtain the maximum performance improvement
             from additional section caching, setting
             <span class="command"><strong>additional-from-cache</strong></span>
             to <span class="command"><strong>no</strong></span> is recommended, since the current
             implementation of <span class="command"><strong>acache</strong></span>
-            does not short-cut of additional section information from the
+            does not shortcut additional section information from the
             DNS cache data.
           </p>
-
-          <p>
+<p>
             One obvious disadvantage of <span class="command"><strong>acache</strong></span> is
             that it requires much more
             memory for the internal cached data.
             Thus, if the response performance does not matter and memory
-            consumption is much more critical, the
+            consumption is more critical, the
             <span class="command"><strong>acache</strong></span> mechanism can be
             disabled by setting <span class="command"><strong>acache-enable</strong></span> to
             <span class="command"><strong>no</strong></span>.
             It is also possible to specify the upper limit of memory
             consumption
-            for acache by using <span class="command"><strong>max-acache-size</strong></span>.
+            for <span class="command"><strong>acache</strong></span> by using <span class="command"><strong>max-acache-size</strong></span>.
           </p>
-
-          <p>
+<p>
             Additional section caching also has a minor effect on the
             RRset ordering in the additional section.
             Without <span class="command"><strong>acache</strong></span>,
             <span class="command"><strong>cyclic</strong></span> order is effective for the additional
-            section as well as the answer and authority sections.
+            section as well as for the answer and authority sections.
             However, additional section caching fixes the ordering when it
             first caches an RRset for the additional section, and the same
-            ordering will be kept in succeeding responses, regardless of the
+            ordering is kept in succeeding responses, regardless of the
             setting of <span class="command"><strong>rrset-order</strong></span>.
             The effect of this should be minor, however, since an
             RRset in the additional section
             typically only contains a small number of RRs (and in many cases
-            it only contains a single RR), in which case the
-            ordering does not matter much.
+            only a single RR), so the
+            ordering is not significant.
           </p>
-
-          <p>
+<p>
             The following is a summary of options related to
             <span class="command"><strong>acache</strong></span>.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>acache-enable</strong></span></span></dt>
-<dd>
-                <p>
+<dd><p>
                   If <span class="command"><strong>yes</strong></span>, additional section caching is
                   enabled.  The default value is <span class="command"><strong>no</strong></span>.
-                </p>
-              </dd>
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>acache-cleaning-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  The server will remove stale cache entries, based on an LRU
-                  based
+<dd><p>
+                  The server removes stale cache entries, based on an LRU-based
                   algorithm, every <span class="command"><strong>acache-cleaning-interval</strong></span> minutes.
                   The default is 60 minutes.
-                  If set to 0, no periodic cleaning will occur.
-                </p>
-              </dd>
+                  If set to 0, no periodic cleaning occurs.
+                </p></dd>
 <dt><span class="term"><span class="command"><strong>max-acache-size</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum amount of memory in bytes to use for the server's acache.
+<dd><p>
+                  This is the maximum amount of memory, in bytes, to use for the server's acache.
                   When the amount of data in the acache reaches this limit,
                   the server
-                  will clean more aggressively so that the limit is not
+                  cleans more aggressively so that the limit is not
                   exceeded.
                   In a server with multiple views, the limit applies
                   separately to the
-                  acache of each view.
+                  <span class="command"><strong>acache</strong></span> of each view.
                   The default is <code class="literal">16M</code>.
-                </p>
-              </dd>
+                </p></dd>
 </dl></div>
-
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="content_filtering"></a>Content Filtering</h4></div></div></div>
-
-          <p>
+<p>
             <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
-            out DNS responses from external DNS servers containing
+            out responses from external DNS servers containing
             certain types of data in the answer section.
             Specifically, it can reject address (A or AAAA) records if
             the corresponding IPv4 or IPv6 addresses match the given
@@ -7566,101 +7034,88 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             the <code class="varname">name_list</code> elements.
             If the optional <code class="varname">namelist</code> is specified
             with <span class="command"><strong>except-from</strong></span>, records whose query name
-            matches the list will be accepted regardless of the filter
+            matches the list are accepted regardless of the filter
             setting.
             Likewise, if the alias name is a subdomain of the
             corresponding zone, the <span class="command"><strong>deny-answer-aliases</strong></span>
-            filter will not apply;
+            filter does not apply;
             for example, even if "example.com" is specified for
             <span class="command"><strong>deny-answer-aliases</strong></span>,
           </p>
 <pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
-
-          <p>
-            returned by an "example.com" server will be accepted.
+<p>
+            returned by an "example.com" server is accepted.
           </p>
-
-          <p>
+<p>
             In the <code class="varname">address_match_list</code> of the
             <span class="command"><strong>deny-answer-addresses</strong></span> option, only
             <code class="varname">ip_addr</code>
             and <code class="varname">ip_prefix</code>
             are meaningful;
-            any <code class="varname">key_id</code> will be silently ignored.
+            any <code class="varname">key_id</code> is silently ignored.
           </p>
-
-          <p>
+<p>
             If a response message is rejected due to the filtering,
             the entire message is discarded without being cached, and
-            a SERVFAIL error will be returned to the client.
+            a SERVFAIL error is returned to the client.
           </p>
-
-          <p>
+<p>
             This filtering is intended to prevent "DNS rebinding attacks," in
             which an attacker, in response to a query for a domain name the
-            attacker controls, returns an IP address within your own network or
-            an alias name within your own domain.
+            attacker controls, returns an IP address within the user's own network or
+            an alias name within the user's own domain.
             A naive web browser or script could then serve as an
             unintended proxy, allowing the attacker
-            to get access to an internal node of your local network
-            that couldn't be externally accessed otherwise.
+            to get access to an internal node of the local network
+            that could not be externally accessed otherwise.
             See the paper available at
-            <a class="link" href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
-            http://portal.acm.org/citation.cfm?id=1315245.1315298
+            <a class="link" href="https://dl.acm.org/doi/10.1145/1315245.1315298" target="_top">
+            https://dl.acm.org/doi/10.1145/1315245.1315298
             </a>
-            for more details about the attacks.
+            for more details about these attacks.
           </p>
-
-          <p>
-            For example, if you own a domain named "example.net" and
-            your internal network uses an IPv4 prefix 192.0.2.0/24,
-            you might specify the following rules:
+<p>
+            For example, with a domain named "example.net" and
+            an internal network using an IPv4 prefix 192.0.2.0/24,
+            an administrator might specify the following rules:
           </p>
-
 <pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
 deny-answer-aliases { "example.net"; };
 </pre>
-
-          <p>
-            If an external attacker lets a web browser in your local
+<p>
+            If an external attacker let a web browser in the local
             network look up an IPv4 address of "attacker.example.com",
             the attacker's DNS server would return a response like this:
           </p>
-
 <pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
-
-          <p>
+<p>
             in the answer section.
             Since the rdata of this record (the IPv4 address) matches
-            the specified prefix 192.0.2.0/24, this response will be
+            the specified prefix 192.0.2.0/24, this response would be
             ignored.
           </p>
-
-          <p>
-            On the other hand, if the browser looks up a legitimate
+<p>
+            On the other hand, if the browser looked up a legitimate
             internal web server "www.example.net" and the
-            following response is returned to
-            the <acronym class="acronym">BIND</acronym> 9 server
+            following response were returned to
+            the <acronym class="acronym">BIND</acronym> 9 server:
           </p>
-
 <pre class="programlisting">www.example.net. A 192.0.2.2</pre>
-
-          <p>
-            it will be accepted since the owner name "www.example.net"
+<p>
+            it would be accepted, since the owner name "www.example.net"
             matches the <span class="command"><strong>except-from</strong></span> element,
             "example.net".
           </p>
-
-          <p>
+<p>
             Note that this is not really an attack on the DNS per se.
-            In fact, there is nothing wrong for an "external" name to
-            be mapped to your "internal" IP address or domain name
-            from the DNS point of view.
-            It might actually be provided for a legitimate purpose,
+            In fact, there is nothing wrong with having an "external" name
+            mapped to an "internal" IP address or domain name
+            from the DNS point of view;
+            it might actually be provided for a legitimate purpose,
             such as for debugging.
             As long as the mapping is provided by the correct owner,
-            it is not possible or does not make sense to detect
-            whether the intent of the mapping is legitimate or not
+            it either is not possible or does not make sense to detect
+            whether the intent of the mapping is legitimate
             within the DNS.
             The "rebinding" attack must primarily be protected at the
             application that uses the DNS.
@@ -7668,39 +7123,35 @@ deny-answer-aliases { "example.net"; };
             all possible applications at once.
             This filtering feature is provided only to help such an
             operational environment;
-            it is generally discouraged to turn it on unless you are
-            very sure you have no other choice and the attack is a
-            real threat for your applications.
+            turning it on is generally discouraged unless there is
+            no other choice and the attack is a
+            real threat to applications.
           </p>
-
-          <p>
-            Care should be particularly taken if you want to use this
+<p>
+            Care should be particularly taken if using this
             option for addresses within 127.0.0.0/8.
-            These addresses are obviously "internal", but many
+            These addresses are obviously "internal," but many
             applications conventionally rely on a DNS mapping from
             some name to such an address.
             Filtering out DNS records containing this address
             spuriously can break such applications.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="rpz"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
-
-          <p>
+<p>
             <acronym class="acronym">BIND</acronym> 9 includes a limited
             mechanism to modify DNS responses for requests
-            analogous to email anti-spam DNS blacklists.
+            analogous to email anti-spam DNS rejection lists.
             Responses can be changed to deny the existence of domains (NXDOMAIN),
             deny the existence of IP addresses for domains (NODATA),
             or contain other IP addresses or data.
           </p>
-
-          <p>
+<p>
             Response policy zones are named in the
             <span class="command"><strong>response-policy</strong></span> option for the view or among the
-            global options if there is no response-policy option for the view.
+            global options if there is no <span class="command"><strong>response-policy</strong></span> option for the view.
             Response policy zones are ordinary DNS zones containing RRsets
             that can be queried normally if allowed.
             It is usually best to restrict those queries with something like
@@ -7708,8 +7159,7 @@ deny-answer-aliases { "example.net"; };
             Note that zones using <span class="command"><strong>masterfile-format map</strong></span>
             cannot be used as policy zones.
           </p>
-
-          <p>
+<p>
             A <span class="command"><strong>response-policy</strong></span> option can support
             multiple policy zones.  To maximize performance, a radix
             tree is used to quickly identify response policy zones
@@ -7718,129 +7168,144 @@ deny-answer-aliases { "example.net"; };
             in a single <span class="command"><strong>response-policy</strong></span> option; more
             than that is a configuration error.
           </p>
-
-          <p>
+<p>
             Rules encoded in response policy zones are processed after
-            <a class="link" href="Bv9ARM.ch06.html#access_control" title="Access Control">Access Control Lists
+            those defined in <a class="link" href="Bv9ARM.ch06.html#access_control" title="Access Control">Access Control Lists
             (ACLs)</a>.  All queries from clients which are not
-            permitted access to the resolver will be answered with a
+            permitted access to the resolver are answered with a
             status code of REFUSED, regardless of configured RPZ rules.
           </p>
-
-          <p>
+<p>
             Five policy triggers can be encoded in RPZ records.
             </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>RPZ-CLIENT-IP</strong></span></span></dt>
 <dd>
-                  <p>
+<p>
                     IP records are triggered by the IP address of the
                     DNS client.
                     Client IP address triggers are encoded in records that have
                     owner names that are subdomains of
-                    <span class="command"><strong>rpz-client-ip</strong></span> relativized to the
-                    policy zone origin name
+                    <span class="command"><strong>rpz-client-ip</strong></span>, relativized to the
+                    policy zone origin name,
                     and encode an address or address block.
                     IPv4 addresses are represented as
                     <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-client-ip</code></strong>.
                     The IPv4 prefix length must be between 1 and 32.
-                    All four bytes, B4, B3, B2, and B1, must be present.
+                    All four bytes - B4, B3, B2, and B1 - must be present.
                     B4 is the decimal value of the least significant byte of the
                     IPv4 address as in IN-ADDR.ARPA.
                   </p>
-
-                  <p>
+<p>
                     IPv6 addresses are encoded in a format similar
                     to the standard IPv6 text representation,
                     <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip</code></strong>.
-                    Each of W8,...,W1 is a one to four digit hexadecimal number
+                    Each of W8,...,W1 is a one- to four-digit hexadecimal number
                     representing 16 bits of the IPv6 address as in the standard
                     text representation of IPv6 addresses, but reversed as in
                     IP6.ARPA. (Note that this representation of IPv6
                     address is different from IP6.ARPA where each hex
                     digit occupies a label.)
                     All 8 words must be present except when one set of consecutive
-                    zero words is replaced with <strong class="userinput"><code>.zz.</code></strong>
+                    zero words is replaced with <strong class="userinput"><code>.zz.</code></strong>,
                     analogous to double colons (::) in standard IPv6 text
                     encodings.
                     The IPv6 prefix length must be between 1 and 128.
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>QNAME</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     QNAME policy records are triggered by query names of
                     requests and targets of CNAME records resolved to generate
                     the response.
                     The owner name of a QNAME policy record is
                     the query name relativized to the policy zone.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>RPZ-IP</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     IP triggers are IP addresses in an
                     A or AAAA record in the ANSWER section of a response.
-                    They are encoded like client-IP triggers except as
+                    They are encoded like client-IP triggers, except as
                     subdomains of <span class="command"><strong>rpz-ip</strong></span>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>RPZ-NSDNAME</strong></span></span></dt>
 <dd>
-                  <p>
+<p>
                     NSDNAME triggers match names of authoritative servers
                     for the query name, a parent of the query name, a CNAME for
-                    query name, or a parent of a CNAME.
+                    the query name, or a parent of a CNAME.
                     They are encoded as subdomains of
-                    <span class="command"><strong>rpz-nsdname</strong></span> relativized
+                    <span class="command"><strong>rpz-nsdname</strong></span>, relativized
                     to the RPZ origin name.
                     NSIP triggers match IP addresses in A and
                     AAAA RRsets for domains that can be checked against NSDNAME
-                    policy records.
+                    policy records.  The
+                    <span class="command"><strong>nsdname-enable</strong></span> phrase turns NSDNAME
+                    triggers off or on for a single policy zone or for all
+                    zones.
+                  </p>
+<p>
+                    If authoritative nameservers for the query name are not
+                    yet known, <span class="command"><strong>named</strong></span> recursively
+                    looks up the authoritative servers for the query name
+                    before applying an RPZ-NSDNAME rule,
+                    which can cause a processing delay. To speed up
+                    processing at the cost of precision, the
+                    <span class="command"><strong>nsdname-wait-recurse</strong></span> option
+                    can be used; when set to <strong class="userinput"><code>no</code></strong>,
+                    RPZ-NSDNAME rules are only applied when authoritative
+                    servers for the query name have already been looked up and
+                    cached.  If authoritative servers for the query name
+                    are not in the cache, the RPZ-NSDNAME rule is
+                    ignored, but the authoritative servers for the query name
+                    are looked up in the background and the rule is
+                    applied to subsequent queries. The default is
+                    <strong class="userinput"><code>yes</code></strong>, meaning RPZ-NSDNAME
+                    rules are always applied, even if authoritative
+                    servers for the query name need to be looked up first.
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>RPZ-NSIP</strong></span></span></dt>
 <dd>
-                  <p>
+<p>
                     NSIP triggers match the IP addresses of authoritative
                     servers.  They are enncoded like IP triggers, except as
                     subdomains of <span class="command"><strong>rpz-nsip</strong></span>.
                     NSDNAME and NSIP triggers are checked only for names with at
                     least <span class="command"><strong>min-ns-dots</strong></span> dots.
                     The default value of <span class="command"><strong>min-ns-dots</strong></span> is
-                    1, to exclude top level domains.
+                    1, to exclude top-level domains.
                   </p>
-                  <p>
+<p>
                     If a name server's IP address is not yet known,
-                    <span class="command"><strong>named</strong></span> will recursively look up
-                    the IP address before applying an RPZ-NSIP rule.
-                    This can cause a processing delay. To speed up
+                    <span class="command"><strong>named</strong></span> recursively looks up
+                    the IP address before applying an RPZ-NSIP rule,
+                    which can cause a processing delay. To speed up
                     processing at the cost of precision, the
                     <span class="command"><strong>nsip-wait-recurse</strong></span> option
                     can be used: when set to <strong class="userinput"><code>no</code></strong>,
-                    RPZ-NSIP rules will only be applied when a name
-                    servers's IP address has already been looked up and
+                    RPZ-NSIP rules are only applied when a name
+                    server's IP address has already been looked up and
                     cached.  If a server's IP address is not in the
-                    cache, then the RPZ-NSIP rule will be ignored,
-                    but the address will be looked up in the
-                    background, and the rule will be applied
+                    cache, the RPZ-NSIP rule is ignored,
+                    but the address is looked up in the
+                    background and the rule is applied
                     to subsequent queries.  The default is
                     <strong class="userinput"><code>yes</code></strong>, meaning RPZ-NSIP
-                    rules should always be applied even if an
+                    rules are always applied, even if an
                     address needs to be looked up first.
                   </p>
-                </dd>
+</dd>
 </dl></div>
 <p>
           </p>
-
-          <p>
+<p>
             The query response is checked against all response policy zones,
             so two or more policy records can be triggered by a response.
             Because DNS responses are rewritten according to at most one
             policy record, a single record encoding an action (other than
             <span class="command"><strong>DISABLED</strong></span> actions) must be chosen.
-            Triggers or the records that encode them are chosen for the
+            Triggers, or the records that encode them, are chosen for
             rewriting in the following order:
             </p>
 <div class="orderedlist"><ol class="orderedlist" type="1">
@@ -7863,18 +7328,16 @@ deny-answer-aliases { "example.net"; };
 </ol></div>
 <p>
           </p>
-
-          <p>
+<p>
             When the processing of a response is restarted to resolve
             DNAME or CNAME records and a policy record set has
             not been triggered,
             all response policy zones are again consulted for the
             DNAME or CNAME names and addresses.
           </p>
-
-          <p>
-            RPZ record sets are any types of DNS record except
-            DNAME or DNSSEC that encode actions or responses to
+<p>
+            RPZ record sets are any types of DNS record, except
+            DNAME or DNSSEC, that encode actions or responses to
             individual queries.
             Any of the policies can be used with any of the triggers.
             For example, while the <span class="command"><strong>TCP-only</strong></span> policy is
@@ -7884,72 +7347,60 @@ deny-answer-aliases { "example.net"; };
             </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>PASSTHRU</strong></span></span></dt>
-<dd>
-                  <p>
-                    The whitelist policy is specified
+<dd><p>
+                    The auto-acceptance policy is specified
                     by a CNAME whose target is <span class="command"><strong>rpz-passthru</strong></span>.
                     It causes the response to not be rewritten
                     and is most often used to "poke holes" in policies for
                     CIDR blocks.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>DROP</strong></span></span></dt>
-<dd>
-                  <p>
-                    The blacklist policy is specified
+<dd><p>
+                    The auto-rejection policy is specified
                     by a CNAME whose target is <span class="command"><strong>rpz-drop</strong></span>.
                     It causes the response to be discarded.
                     Nothing is sent to the DNS client.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>TCP-Only</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     The "slip" policy is specified
                     by a CNAME whose target is <span class="command"><strong>rpz-tcp-only</strong></span>.
                     It changes UDP responses to short, truncated DNS responses
                     that require the DNS client to try again with TCP.
                     It is used to mitigate distributed DNS reflection attacks.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>NXDOMAIN</strong></span></span></dt>
-<dd>
-                  <p>
-                    The domain undefined response is encoded
+<dd><p>
+                    The "domain undefined" response is encoded
                     by a CNAME whose target is the root domain (.)
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>NODATA</strong></span></span></dt>
-<dd>
-                  <p>
-                    The empty set of resource records is specified by
+<dd><p>
+                    The empty set of resource records is specified by a
                     CNAME whose target is the wildcard top-level
-                    domain (*.).
+                    domain (<code class="literal">*.</code>).
                     It rewrites the response to NODATA or ANCOUNT=0.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>Local Data</strong></span></span></dt>
 <dd>
-                  <p>
+<p>
                     A set of ordinary DNS records can be used to answer queries.
                     Queries for record types not the set are answered with
                     NODATA.
                   </p>
-
-                  <p>
+<p>
                     A special form of local data is a CNAME whose target is a
                     wildcard such as *.example.com.
-                    It is used as if were an ordinary CNAME after the asterisk (*)
+                    It is used as if an ordinary CNAME after the asterisk (*)
                     has been replaced with the query name.
-                    The purpose for this special form is query logging in the
-                    walled garden's authority DNS server.
+                    This special form is useful for query logging in the
+                    walled garden's authoritative DNS server.
                   </p>
-                </dd>
+</dd>
 </dl></div>
 <p>
           </p>
-
-          <p>
+<p>
             All of the actions specified in all of the individual records
             in a policy zone
             can be overridden with a <span class="command"><strong>policy</strong></span> clause in the
@@ -7960,60 +7411,50 @@ deny-answer-aliases { "example.net"; };
             </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>GIVEN</strong></span></span></dt>
-<dd>
-                  <p>The placeholder policy says "do not override but
+<dd><p>The placeholder policy says "do not override but
                     perform the action specified in the zone."
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>DISABLED</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     The testing override policy causes policy zone records to do
                     nothing but log what they would have done if the
                     policy zone were not disabled.
-                    The response to the DNS query will be written (or not)
+                    The response to the DNS query is written (or not)
                     according to any triggered policy records that are not
                     disabled.
                     Disabled policy zones should appear first,
-                    because they will often not be logged
-                    if a higher precedence trigger is found first.
-                  </p>
-                </dd>
+                    because they are often not logged
+                    if a higher-precedence trigger is found first.
+                  </p></dd>
 <dt>
 <span class="term"><span class="command"><strong>PASSTHRU</strong></span>, </span><span class="term"><span class="command"><strong>DROP</strong></span>, </span><span class="term"><span class="command"><strong>TCP-Only</strong></span>, </span><span class="term"><span class="command"><strong>NXDOMAIN</strong></span>, </span><span class="term"><span class="command"><strong>NODATA</strong></span></span>
 </dt>
-<dd>
-                  <p>
-                    override with the corresponding per-record policy.
-                  </p>
-                </dd>
+<dd><p>
+                    each override the corresponding per-record policy.
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>CNAME domain</strong></span></span></dt>
-<dd>
-                    <p>
+<dd><p>
                       causes all RPZ policy records to act as if they were
                       "cname domain" records.
-                    </p>
-                  </dd>
+                    </p></dd>
 </dl></div>
 <p>
           </p>
-
-          <p>
+<p>
             By default, the actions encoded in a response policy zone
             are applied only to queries that ask for recursion (RD=1).
-            That default can be changed for a single policy zone or
-            all response policy zones in a view
+            That default can be changed for a single policy zone, or for
+            all response policy zones in a view,
             with a <span class="command"><strong>recursive-only no</strong></span> clause.
             This feature is useful for serving the same zone files
             both inside and outside an RFC 1918 cloud and using RPZ to
             delete answers that would otherwise contain RFC 1918 values
             on the externally visible name server or view.
           </p>
-
-          <p>
+<p>
             Also by default, RPZ actions are applied only to DNS requests
             that either do not request DNSSEC metadata (DO=0) or when no
-            DNSSEC records are available for request name in the original
+            DNSSEC records are available for the requested name in the original
             zone (not the response policy zone).  This default can be
             changed for all response policy zones in a view with a
             <span class="command"><strong>break-dnssec yes</strong></span> clause.  In that case, RPZ
@@ -8021,53 +7462,50 @@ deny-answer-aliases { "example.net"; };
             clause option reflects the fact that results rewritten by RPZ
             actions cannot verify.
           </p>
-
-          <p>
-            No DNS records are needed for a QNAME or Client-IP trigger.
-            The name or IP address itself is sufficient,
+<p>
+            No DNS records are needed for a QNAME or Client-IP trigger;
+            the name or IP address itself is sufficient,
             so in principle the query name need not be recursively resolved.
             However, not resolving the requested
-            name can leak the fact that response policy rewriting is in use
-            and that the name is listed in a policy zone to operators of
+            name can leak the fact that response policy rewriting is in use,
+            and that the name is listed in a policy zone, to operators of
             servers for listed names.  To prevent that information leak, by
             default any recursion needed for a request is done before any
             policy triggers are considered.  Because listed domains often
-            have slow authoritative servers, this default behavior can cost
+            have slow authoritative servers, this behavior can cost
             significant time.
             The <span class="command"><strong>qname-wait-recurse no</strong></span> option
             overrides that default behavior when recursion cannot
             change a non-error response.
             The option does not affect QNAME or client-IP triggers
             in policy zones listed
-            after other zones containing IP, NSIP and NSDNAME triggers, because
+            after other zones containing IP, NSIP, and NSDNAME triggers, because
             those may depend on the A, AAAA, and NS records that would be
             found during recursive resolution.  It also does not affect
             DNSSEC requests (DO=1) unless <span class="command"><strong>break-dnssec yes</strong></span>
-            is in use, because the response would depend on whether or not
+            is in use, because the response would depend on whether
             RRSIG records were found during resolution.
             Using this option can cause error responses such as SERVFAIL to
             appear to be rewritten, since no recursion is being done to
             discover problems at the authoritative server.
           </p>
-
-          <p>
+<p>
             The TTL of a record modified by RPZ policies is set from the
-            TTL of the relevant record in policy zone.  It is then limited
+            TTL of the relevant record in the policy zone.  It is then limited
             to a maximum value.
             The <span class="command"><strong>max-policy-ttl</strong></span> clause changes the
-            maximum seconds from its default of 5.
+            maximum number of seconds from its default of 5.
           </p>
-
-          <p>
-            For example, you might use this option statement
+<p>
+            For example, an administrator might use this option statement:
           </p>
 <pre class="programlisting">    response-policy { zone "badlist"; };</pre>
-          <p>
-            and this zone statement
+<p>
+            and this zone statement:
           </p>
 <pre class="programlisting">    zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
-          <p>
-            with this zone file
+<p>
+            with this zone file:
           </p>
 <pre class="programlisting">$TTL 1H
 @                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
@@ -8098,7 +7536,7 @@ ok.domain.com           CNAME   rpz-passthru.
 ns.domain.com.rpz-nsdname   CNAME   .
 48.zz.2.2001.rpz-nsip       CNAME   .
 
-; blacklist and whitelist some DNS clients
+; auto-reject and auto-accept some DNS clients
 112.zz.2001.rpz-client-ip    CNAME   rpz-drop.
 8.0.0.0.127.rpz-client-ip    CNAME   rpz-drop.
 
@@ -8108,71 +7546,65 @@ example.com                 CNAME   rpz-tcp-only.
 *.example.com               CNAME   rpz-tcp-only.
 
 </pre>
-          <p>
+<p>
             RPZ can affect server performance.
             Each configured response policy zone requires the server to
             perform one to four additional database lookups before a
             query can be answered.
             For example, a DNS server with four policy zones, each with all
-            four kinds of response triggers, QNAME, IP, NSIP, and
-            NSDNAME, requires a total of 17 times as many database
+            four kinds of response triggers (QNAME, IP, NSIP, and
+            NSDNAME), requires a total of 17 times as many database
             lookups as a similar DNS server with no response policy zones.
-            A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
+            A <acronym class="acronym">BIND</acronym> 9 server with adequate memory and one
             response policy zone with QNAME and IP triggers might achieve a
-            maximum queries-per-second rate about 20% lower.
+            maximum queries-per-second (QPS) rate about 20% lower.
             A server with four response policy zones with QNAME and IP
             triggers might have a maximum QPS rate about 50% lower.
           </p>
-
-          <p>
+<p>
             Responses rewritten by RPZ are counted in the
             <span class="command"><strong>RPZRewrites</strong></span> statistics.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>log</strong></span> clause can be used to optionally
             turn off rewrite logging for a particular response policy
             zone. By default, all rewrites are logged.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="rrl"></a>Response Rate Limiting</h4></div></div></div>
-
-          <p>
-            Excessive almost identical UDP <span class="emphasis"><em>responses</em></span>
+<p>
+            Excessive, almost identical UDP <span class="emphasis"><em>responses</em></span>
             can be controlled by configuring a
             <span class="command"><strong>rate-limit</strong></span> clause in an
             <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> statement.
             This mechanism keeps authoritative BIND 9 from being used
-            in amplifying reflection denial of service (DoS) attacks.
-            Short truncated (TC=1) responses can be sent to provide
+            to amplify reflection denial of service (DoS) attacks.
+            Short, truncated (TC=1) responses can be sent to provide
             rate-limited responses to legitimate clients within
             a range of forged, attacked IP addresses.
-            Legitimate clients react to dropped or truncated response
-            by retrying with UDP or with TCP respectively.
+            Legitimate clients react to dropped or truncated responses
+            by retrying with UDP or with TCP, respectively.
           </p>
-
-          <p>
+<p>
             This mechanism is intended for authoritative DNS servers.
-            It can be used on recursive servers but can slow
+            It can be used on recursive servers, but can slow
             applications such as SMTP servers (mail receivers) and
             HTTP clients (web browsers) that repeatedly request the
             same domains.
             When possible, closing "open" recursive servers is better.
           </p>
-
-          <p>
+<p>
             Response rate limiting uses a "credit" or "token bucket" scheme.
             Each combination of identical response and client
-            has a conceptual account that earns a specified number
+            has a conceptual "account" that earns a specified number
             of credits every second.
             A prospective response debits its account by one.
             Responses are dropped or truncated
             while the account is negative.
             Responses are tracked within a rolling window of time
-            which defaults to 15 seconds, but can be configured with
+            which defaults to 15 seconds, but which can be configured with
             the <span class="command"><strong>window</strong></span> option to any value from
             1 to 3600 seconds (1 hour).
             The account cannot become more positive than
@@ -8180,20 +7612,18 @@ example.com                 CNAME   rpz-tcp-only.
             or more negative than <span class="command"><strong>window</strong></span>
             times the per-second limit.
             When the specified number of credits for a class of
-            responses is set to 0, those responses are not rate limited.
+            responses is set to 0, those responses are not rate-limited.
           </p>
-
-          <p>
+<p>
             The notions of "identical response" and "DNS client"
             for rate limiting are not simplistic.
             All responses to an address block are counted as if to a
             single client.
-            The prefix lengths of addresses blocks are
+            The prefix lengths of address blocks are
             specified with <span class="command"><strong>ipv4-prefix-length</strong></span> (default 24)
             and <span class="command"><strong>ipv6-prefix-length</strong></span> (default 56).
           </p>
-
-          <p>
+<p>
             All non-empty responses for a valid domain name (qname)
             and record type (qtype) are identical and have a limit specified
             with <span class="command"><strong>responses-per-second</strong></span>
@@ -8211,20 +7641,18 @@ example.com                 CNAME   rpz-tcp-only.
             This controls some attacks using random names, but
             can be relaxed or turned off (set to 0)
             on servers that expect many legitimate
-            NXDOMAIN responses, such as from anti-spam blacklists.
+            NXDOMAIN responses, such as from anti-spam rejection lists.
             Referrals or delegations to the server of a given
             domain are identical and are limited by
             <span class="command"><strong>referrals-per-second</strong></span>
             (default <span class="command"><strong>responses-per-second</strong></span>).
           </p>
-
-          <p>
+<p>
             Responses generated from local wildcards are counted and limited
             as if they were for the parent domain name.
             This controls flooding using random.wild.example.com.
           </p>
-
-          <p>
+<p>
             All requests that result in DNS errors other
             than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
             regardless of requested name (qname) or record type (qtype).
@@ -8235,8 +7663,7 @@ example.com                 CNAME   rpz-tcp-only.
             but it can be set separately with
             <span class="command"><strong>errors-per-second</strong></span>.
           </p>
-
-          <p>
+<p>
             Many attacks using DNS involve UDP requests with forged source
             addresses.
             Rate limiting prevents the use of BIND 9 to flood a network
@@ -8247,22 +7674,21 @@ example.com                 CNAME   rpz-tcp-only.
             Setting <span class="command"><strong>slip</strong></span> to 2 (its default) causes every
             other UDP request to be answered with a small truncated (TC=1)
             response.
-            The small size and reduced frequency, and so lack of
+            The small size and reduced frequency, and resulting lack of
             amplification, of "slipped" responses make them unattractive
             for reflection DoS attacks.
             <span class="command"><strong>slip</strong></span> must be between 0 and 10.
-            A value of 0 does not "slip":
-            no truncated responses are sent due to rate limiting,
-            all responses are dropped.
+            A value of 0 does not "slip";
+            no truncated responses are sent due to rate limiting.
+            Rather, all responses are dropped.
             A value of 1 causes every response to slip;
-            values between 2 and 10 cause every n'th response to slip.
-            Some error responses including REFUSED and SERVFAIL
+            values between 2 and 10 cause every nth response to slip.
+            Some error responses, including REFUSED and SERVFAIL,
             cannot be replaced with truncated responses and are instead
             leaked at the <span class="command"><strong>slip</strong></span> rate.
           </p>
-
-          <p>
-            (NOTE: Dropped responses from an authoritative server may
+<p>
+            (Note: dropped responses from an authoritative server may
             reduce the difficulty of a third party successfully forging
             a response to a recursive resolver. The best security
             against forged responses is for authoritative operators
@@ -8274,13 +7700,12 @@ example.com                 CNAME   rpz-tcp-only.
             responses to be truncated rather than dropped.  This reduces
             the effectiveness of rate-limiting against reflection attacks.)
           </p>
-
-          <p>
-            When the approximate query per second rate exceeds
+<p>
+            When the approximate query-per-second rate exceeds
             the <span class="command"><strong>qps-scale</strong></span> value,
-            then the <span class="command"><strong>responses-per-second</strong></span>,
+            the <span class="command"><strong>responses-per-second</strong></span>,
             <span class="command"><strong>errors-per-second</strong></span>,
-            <span class="command"><strong>nxdomains-per-second</strong></span> and
+            <span class="command"><strong>nxdomains-per-second</strong></span>, and
             <span class="command"><strong>all-per-second</strong></span> values are reduced by the
             ratio of the current rate to the <span class="command"><strong>qps-scale</strong></span> value.
             This feature can tighten defenses during attacks.
@@ -8289,31 +7714,29 @@ example.com                 CNAME   rpz-tcp-only.
             a total query rate of 1000 queries/second for all queries from
             all DNS clients including via TCP,
             then the effective responses/second limit changes to
-            (250/1000)*20 or 5.
+            (250/1000)*20, or 5.
             Responses sent via TCP are not limited
-            but are counted to compute the query per second rate.
+            but are counted to compute the query-per-second rate.
           </p>
-
-          <p>
+<p>
             Communities of DNS clients can be given their own parameters or no
             rate limiting by putting
             <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span>
-            statements instead of the global <span class="command"><strong>option</strong></span>
+            statements instead of in the global <span class="command"><strong>option</strong></span>
             statement.
             A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces,
-            rather than supplementing, a <span class="command"><strong>rate-limit</strong></span>
+            rather than supplements, a <span class="command"><strong>rate-limit</strong></span>
             statement among the main options.
             DNS clients within a view can be exempted from rate limits
             with the <span class="command"><strong>exempt-clients</strong></span> clause.
           </p>
-
-          <p>
+<p>
             UDP responses of all kinds can be limited with the
             <span class="command"><strong>all-per-second</strong></span> phrase.  This rate
             limiting is unlike the rate limiting provided by
             <span class="command"><strong>responses-per-second</strong></span>,
             <span class="command"><strong>errors-per-second</strong></span>, and
-            <span class="command"><strong>nxdomains-per-second</strong></span> on a DNS server
+            <span class="command"><strong>nxdomains-per-second</strong></span> on a DNS server,
             which are often invisible to the victim of a DNS
             reflection attack.  Unless the forged requests of the
             attack are the same as the legitimate requests of the
@@ -8328,11 +7751,11 @@ example.com                 CNAME   rpz-tcp-only.
             server for NS, PTR, A, and AAAA records as the incoming
             SMTP/TCP/IP connection is considered.  The SMTP server
             can need additional NS, A, AAAA, MX, TXT, and SPF records
-            as it considers the STMP <span class="command"><strong>Mail From</strong></span>
+            as it considers the SMTP <span class="command"><strong>Mail From</strong></span>
             command.  Web browsers often repeatedly resolve the
-            same names that are repeated in HTML &lt;IMG&gt; tags
+            same names that are duplicated in HTML &lt;IMG&gt; tags
             in a page.  <span class="command"><strong>all-per-second</strong></span> is similar
-            to the rate limiting offered by firewalls but often
+            to the rate limiting offered by firewalls but is often
             inferior.  Attacks that justify ignoring the contents
             of DNS responses are likely to be attacks on the DNS
             server itself.  They usually should be discarded before
@@ -8340,10 +7763,9 @@ example.com                 CNAME   rpz-tcp-only.
             or parsing DNS requests, but that rate limiting must
             be done before the DNS server sees the requests.
           </p>
-
-          <p>
+<p>
             The maximum size of the table used to track requests and
-            rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
+            rate-limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
             Each entry in the table is between 40 and 80 bytes.
             The table needs approximately as many entries as the number
             of requests received per second.
@@ -8355,25 +7777,23 @@ example.com                 CNAME   rpz-tcp-only.
             expansions of the table and inform
             choices for the initial and maximum table size.
           </p>
-
-          <p>
-            Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters
+<p>
+            Use <span class="command"><strong>log-only yes</strong></span> to test rate-limiting parameters
             without actually dropping any requests.
           </p>
-
-          <p>
+<p>
             Responses dropped by rate limits are included in the
             <span class="command"><strong>RateDropped</strong></span> and <span class="command"><strong>QryDropped</strong></span>
             statistics.
             Responses that truncated by rate limits are included in
             <span class="command"><strong>RateSlipped</strong></span> and <span class="command"><strong>RespTruncated</strong></span>.
           </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"></div>
-          <p>
-            Named supports NXDOMAIN redirection via two methods:
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="nxdomain_redirect"></a>NXDOMAIN Redirection</h4></div></div></div>
+<p>
+            <span class="command"><strong>named</strong></span> supports NXDOMAIN redirection via two methods:
             </p>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">Redirect zone <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span class="command"><strong>zone</strong></span>
@@ -8383,39 +7803,38 @@ example.com                 CNAME   rpz-tcp-only.
 </ul></div>
 <p>
           </p>
-          <p>
-            With both methods when named gets a NXDOMAIN response
+<p>
+            With either method, when <span class="command"><strong>named</strong></span> gets an NXDOMAIN response
             it examines a separate namespace to see if the NXDOMAIN
             response should be replaced with an alternative response.
           </p>
-          <p>
+<p>
             With a redirect zone (<span class="command"><strong>zone "." { type redirect; };</strong></span>), the
             data used to replace the NXDOMAIN is held in a single
             zone which is not part of the normal namespace.  All the
             redirect information is contained in the zone; there are
             no delegations.
           </p>
-          <p>
+<p>
             With a redirect namespace (<span class="command"><strong>option { nxdomain-redirect
-            &lt;suffix&gt; };</strong></span>) the data used to replace the
+            &lt;suffix&gt; };</strong></span>), the data used to replace the
             NXDOMAIN is part of the normal namespace and is looked up by
             appending the specified suffix to the original query name.
             This roughly doubles the cache required to process NXDOMAIN
-            responses as you have the original NXDOMAIN response and
-            the replacement data or a NXDOMAIN indicating that there
-            is no replacement.
+            responses, as both the original NXDOMAIN response and
+            the replacement data (or a NXDOMAIN indicating that there
+            is no replacement) must be stored.
           </p>
-          <p>
+<p>
             If both a redirect zone and a redirect namespace are configured,
             the redirect zone is tried first.
           </p>
-        </div>
-      </div>
-
-      <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="server_statement_grammar"></a><span class="command"><strong>server</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>server</strong></span> <em class="replaceable"><code>netprefix</code></em> {
 	<span class="command"><strong>bogus</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>edns</strong></span> <em class="replaceable"><code>boolean</code></em>;
@@ -8447,24 +7866,21 @@ example.com                 CNAME   rpz-tcp-only.
 	<span class="command"><strong>transfers</strong></span> <em class="replaceable"><code>integer</code></em>;
 };
 </pre>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="server_statement_definition_and_usage"></a><span class="command"><strong>server</strong></span> Statement Definition and
             Usage</h3></div></div></div>
-
-          <p>
+<p>
             The <span class="command"><strong>server</strong></span> statement defines
             characteristics
             to be associated with a remote name server.  If a prefix length is
             specified, then a range of servers is covered.  Only the most
             specific
-            server clause applies regardless of the order in
+            server clause applies, regardless of the order in
             <code class="filename">named.conf</code>.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>server</strong></span> statement can occur at
             the top level of the
             configuration file or inside a <span class="command"><strong>view</strong></span>
@@ -8479,43 +7895,40 @@ example.com                 CNAME   rpz-tcp-only.
             used as
             defaults.
           </p>
-
-          <p>
-            If you discover that a remote server is giving out bad data,
-            marking it as bogus will prevent further queries to it. The
+<p>
+            If a remote server is giving out bad data,
+            marking it as bogus prevents further queries to it. The
             default
             value of <span class="command"><strong>bogus</strong></span> is <span class="command"><strong>no</strong></span>.
           </p>
-          <p>
+<p>
             The <span class="command"><strong>provide-ixfr</strong></span> clause determines
             whether
-            the local server, acting as master, will respond with an
+            the local server, acting as primary, responds with an
             incremental
-            zone transfer when the given remote server, a slave, requests it.
+            zone transfer when the given remote server, a secondary, requests it.
             If set to <span class="command"><strong>yes</strong></span>, incremental transfer
-            will be provided
+            is provided
             whenever possible. If set to <span class="command"><strong>no</strong></span>,
             all transfers
-            to the remote server will be non-incremental. If not set, the
+            to the remote server are non-incremental. If not set, the
             value
             of the <span class="command"><strong>provide-ixfr</strong></span> option in the
             view or
             global options block is used as a default.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>request-ixfr</strong></span> clause determines
             whether
-            the local server, acting as a slave, will request incremental zone
-            transfers from the given remote server, a master. If not set, the
+            the local server, acting as a secondary, requests incremental zone
+            transfers from the given remote server, a primary. If not set, the
             value of the <span class="command"><strong>request-ixfr</strong></span> option in
             the view or global options block is used as a default. It may
-            also be set in the zone block and, if set there, it will
-            override the global or view setting for that zone.
+            also be set in the zone block; if set there, it
+            overrides the global or view setting for that zone.
           </p>
-
-          <p>
-            IXFR requests to servers that do not support IXFR will
+<p>
+            IXFR requests to servers that do not support IXFR
             automatically
             fall back to AXFR.  Therefore, there is no need to manually list
             which servers support IXFR and which ones do not; the global
@@ -8524,127 +7937,112 @@ example.com                 CNAME   rpz-tcp-only.
             The purpose of the <span class="command"><strong>provide-ixfr</strong></span> and
             <span class="command"><strong>request-ixfr</strong></span> clauses is
             to make it possible to disable the use of IXFR even when both
-            master
-            and slave claim to support it, for example if one of the servers
+            primary
+            and secondary claim to support it: for example, if one of the servers
             is buggy and crashes or corrupts data when IXFR is used.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>request-expire</strong></span> clause determines
-            whether the local server, when acting as a slave, will
-            request the EDNS EXPIRE value.  The EDNS EXPIRE value
-            indicates the remaining time before the zone data will
-            expire and need to be be refreshed.  This is used
+            whether the local server, when acting as a secondary,
+            requests the EDNS EXPIRE value.  The EDNS EXPIRE value
+            indicates the remaining time before the zone data
+            expires and needs to be refreshed.  This is used
             when a secondary server transfers a zone from another
             secondary server; when transferring from the primary, the
             expiration timer is set from the EXPIRE field of the SOA
             record instead.
             The default is <span class="command"><strong>yes</strong></span>.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>edns</strong></span> clause determines whether
-            the local server will attempt to use EDNS when communicating
+            the local server attempts to use EDNS when communicating
             with the remote server.  The default is <span class="command"><strong>yes</strong></span>.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>edns-udp-size</strong></span> option sets the
             EDNS UDP size that is advertised by <span class="command"><strong>named</strong></span>
             when querying the remote server.  Valid values are 512
-            to 4096 bytes (values outside this range will be silently
-            adjusted to the nearest value within it).  This option
-            is useful when you wish to advertise a different value
-            to this server than the value you advertise globally,
+            to 4096 bytes; values outside this range are silently
+            adjusted to the nearest value within it.  This option
+            is useful when advertising a different value
+            to this server than the value advertised globally:
             for example, when there is a firewall at the remote
-            site that is blocking large replies. (Note: Currently,
+            site that is blocking large replies. Note: currently,
             this sets a single UDP size for all packets sent to the
-            server; <span class="command"><strong>named</strong></span> will not deviate from
+            server; <span class="command"><strong>named</strong></span> does not deviate from
             this value.  This differs from the behavior of
             <span class="command"><strong>edns-udp-size</strong></span> in <span class="command"><strong>options</strong></span>
             or <span class="command"><strong>view</strong></span> statements, where it specifies
             a maximum value. The <span class="command"><strong>server</strong></span> statement
             behavior may be brought into conformance with the
-            <span class="command"><strong>options/view</strong></span> behavior in future releases.)
+            <span class="command"><strong>options/view</strong></span> behavior in future releases.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>edns-version</strong></span> option sets the
-            maximum EDNS VERSION that will be sent to the server(s)
+            maximum EDNS VERSION that is sent to the server(s)
             by the resolver.  The actual EDNS version sent is still
-            subject to normal EDNS version negotiation rules (see
+            subject to normal EDNS version-negotiation rules (see
             RFC 6891), the maximum EDNS version supported by the
             server, and any other heuristics that indicate that a
             lower version should be sent.  This option is intended
             to be used when a remote server reacts badly to a given
             EDNS version or higher; it should be set to the highest
             version the remote server is known to support.  Valid
-            values are 0 to 255; higher values will be silently
-            adjusted.  This option will not be needed until higher
+            values are 0 to 255; higher values are silently
+            adjusted.  This option is not needed until higher
             EDNS versions than 0 are in use.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>max-udp-size</strong></span> option sets the
             maximum EDNS UDP message size <span class="command"><strong>named</strong></span>
-            will send.  Valid values are 512 to 4096 bytes (values
-            outside this range will be silently adjusted).  This
-            option is useful when you know that there is a firewall
+            sends.  Valid values are 512 to 4096 bytes; values
+            outside this range are silently adjusted.  This
+            option is useful when there is a firewall
             that is blocking large replies from <span class="command"><strong>named</strong></span>.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>tcp-only</strong></span> option sets the transport
             protocol to TCP. The default is to use the UDP transport
             and to fallback on TCP only when a truncated response
             is received.
           </p>
-
-          <p>
+<p>
             The server supports two zone transfer methods. The first, <span class="command"><strong>one-answer</strong></span>,
             uses one DNS message per resource record transferred. <span class="command"><strong>many-answers</strong></span> packs
-            as many resource records as possible into a message. <span class="command"><strong>many-answers</strong></span> is
-            more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-            8.x, and patched versions of <acronym class="acronym">BIND</acronym>
-            4.9.5. You can specify which method
-            to use for a server with the <span class="command"><strong>transfer-format</strong></span> option.
-            If <span class="command"><strong>transfer-format</strong></span> is not
-            specified, the <span class="command"><strong>transfer-format</strong></span>
+            as many resource records as possible into a single message, which is
+            more efficient. It is possible to specify which method
+            to use for a server via the <span class="command"><strong>transfer-format</strong></span> option;
+            If not set there, the <span class="command"><strong>transfer-format</strong></span>
             specified
-            by the <span class="command"><strong>options</strong></span> statement will be
+            by the <span class="command"><strong>options</strong></span> statement is
             used.
           </p>
-
-          <p><span class="command"><strong>transfers</strong></span>
+<p><span class="command"><strong>transfers</strong></span>
             is used to limit the number of concurrent inbound zone
             transfers from the specified server. If no
             <span class="command"><strong>transfers</strong></span> clause is specified, the
             limit is set according to the
             <span class="command"><strong>transfers-per-ns</strong></span> option.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>keys</strong></span> clause identifies a
             <span class="command"><strong>key_id</strong></span> defined by the <span class="command"><strong>key</strong></span> statement,
             to be used for transaction security (TSIG, <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
             when talking to the remote server.
             When a request is sent to the remote server, a request signature
-            will be generated using the key specified here and appended to the
+            is generated using the key specified here and appended to the
             message. A request originating from the remote server is not
             required
             to be signed by this key.
           </p>
-
-          <p>
+<p>
             Only a single key per server is currently supported.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>transfer-source</strong></span> and
             <span class="command"><strong>transfer-source-v6</strong></span> clauses specify
             the IPv4 and IPv6 source
-            address to be used for zone transfer with the remote server,
-            respectively.
+            address, respectively, to be used for zone transfer with the remote server.
             For an IPv4 remote server, only <span class="command"><strong>transfer-source</strong></span> can
             be specified.
             Similarly, for an IPv6 remote server, only
@@ -8655,50 +8053,45 @@ example.com                 CNAME   rpz-tcp-only.
             <span class="command"><strong>transfer-source-v6</strong></span> in
             <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>notify-source</strong></span> and
             <span class="command"><strong>notify-source-v6</strong></span> clauses specify the
-            IPv4 and IPv6 source address to be used for notify
-            messages sent to remote servers, respectively.  For an
+            IPv4 and IPv6 source address, respectively, to be used for notify
+            messages sent to remote servers.  For an
             IPv4 remote server, only <span class="command"><strong>notify-source</strong></span>
             can be specified.  Similarly, for an IPv6 remote server,
             only <span class="command"><strong>notify-source-v6</strong></span> can be specified.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>query-source</strong></span> and
             <span class="command"><strong>query-source-v6</strong></span> clauses specify the
-            IPv4 and IPv6 source address to be used for queries
-            sent to remote servers, respectively.  For an IPv4
+            IPv4 and IPv6 source address, respectively, to be used for queries
+            sent to remote servers.  For an IPv4
             remote server, only <span class="command"><strong>query-source</strong></span> can
             be specified.  Similarly, for an IPv6 remote server,
             only <span class="command"><strong>query-source-v6</strong></span> can be specified.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>request-nsid</strong></span> clause determines
-            whether the local server will add a NSID EDNS option
+            whether the local server adds an NSID EDNS option
             to requests sent to the server.  This overrides
             <span class="command"><strong>request-nsid</strong></span> set at the view or
             option level.
           </p>
-
-          <p>
+<p>
             The <span class="command"><strong>send-cookie</strong></span> clause determines
-            whether the local server will add a COOKIE EDNS option
+            whether the local server adds a COOKIE EDNS option
             to requests sent to the server.  This overrides
             <span class="command"><strong>send-cookie</strong></span> set at the view or
             option level.  The <span class="command"><strong>named</strong></span> server may
             determine that COOKIE is not supported by the remote server
             and not add a COOKIE EDNS option to requests.
           </p>
-        </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>statistics-channels</strong></span> {
 	<span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
 	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
@@ -8706,51 +8099,45 @@ example.com                 CNAME   rpz-tcp-only.
 	    } ];
 };
 </pre>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
             Usage</h3></div></div></div>
-
-        <p>
+<p>
           The <span class="command"><strong>statistics-channels</strong></span> statement
           declares communication channels to be used by system
-          administrators to get access to statistics information of
+          administrators to get access to statistics information on
           the name server.
         </p>
-
-        <p>
-          This statement intends to be flexible to support multiple
+<p>
+          This statement is intended to be flexible to support multiple
           communication protocols in the future, but currently only
           HTTP access is supported.
           It requires that BIND 9 be compiled with libxml2 and/or
           json-c (also known as libjson0); the
           <span class="command"><strong>statistics-channels</strong></span> statement is
           still accepted even if it is built without the library,
-          but any HTTP access will fail with an error.
+          but any HTTP access fails with an error.
         </p>
-
-        <p>
+<p>
           An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
           listening at the specified <span class="command"><strong>ip_port</strong></span> on the
           specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
           address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
           (asterisk) is
-          interpreted as the IPv4 wildcard address; connections will be
+          interpreted as the IPv4 wildcard address; connections are
           accepted on any of the system's IPv4 addresses.
           To listen on the IPv6 wildcard address,
           use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
         </p>
-
-        <p>
+<p>
           If no port is specified, port 80 is used for HTTP channels.
-          The asterisk "<code class="literal">*</code>" cannot be used for
+          The asterisk (<code class="literal">*</code>) cannot be used for
           <span class="command"><strong>ip_port</strong></span>.
         </p>
-
-        <p>
-          The attempt of opening a statistics channel is
+<p>
+          Attempts to open a statistics channel are
           restricted by the optional <span class="command"><strong>allow</strong></span> clause.
           Connections to the statistics channel are permitted based on the
           <span class="command"><strong>address_match_list</strong></span>.
@@ -8761,26 +8148,23 @@ example.com                 CNAME   rpz-tcp-only.
           recommended to restrict the source of connection requests
           appropriately.
         </p>
-
-        <p>
+<p>
           If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
-          <span class="command"><strong>named</strong></span> will not open any communication channels.
+          <span class="command"><strong>named</strong></span> does not open any communication channels.
         </p>
-
-        <p>
-          The statistics are available in various formats and views
+<p>
+          The statistics are available in various formats and views,
           depending on the URI used to access them.  For example, if
           the statistics channel is configured to listen on 127.0.0.1
           port 8888, then the statistics are accessible in XML format at
           <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
           <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
-          included which can format the XML statistics into tables
+          included, which can format the XML statistics into tables
           when viewed with a stylesheet-capable browser, and into
           charts and graphs using the Google Charts API when using a
-          javascript-capable browser.
+          JavaScript-capable browser.
         </p>
-
-        <p>
+<p>
           Broken-out subsets of the statistics can be viewed at
           <a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
           (server uptime and last reconfiguration time),
@@ -8797,8 +8181,7 @@ example.com                 CNAME   rpz-tcp-only.
           <a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
           (traffic sizes).
         </p>
-
-        <p>
+<p>
           The full set of statistics can also be read in JSON format at
           <a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
           with the broken-out subsets at
@@ -8817,105 +8200,101 @@ example.com                 CNAME   rpz-tcp-only.
           <a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
           (traffic sizes).
         </p>
-      </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
 </pre>
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
-
-          <p>
+<p>
             The <span class="command"><strong>trusted-keys</strong></span> statement defines
             DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
             public key for a non-authoritative zone is known, but
             cannot be securely obtained through DNS, either because
             it is the DNS root zone or because its parent zone is
             unsigned.  Once a key has been configured as a trusted
-            key, it is treated as if it had been validated and
+            key, it is treated as if it has been validated and
             proven secure. The resolver attempts DNSSEC validation
             on all DNS data in subdomains of a security root.
           </p>
-          <p>
+<p>
             All keys (and corresponding zones) listed in
             <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless
-            of what parent zones say.  Similarly for all keys listed in
-            <span class="command"><strong>trusted-keys</strong></span> only those keys are
+            of what parent zones say.  Similarly, for all keys listed in
+            <span class="command"><strong>trusted-keys</strong></span>, only those keys are
             used to validate the DNSKEY RRset.  The parent's DS RRset
-            will not be used.
+            is not used.
           </p>
-          <p>
+<p>
             The <span class="command"><strong>trusted-keys</strong></span> statement can contain
             multiple key entries, each consisting of the key's
-            domain name, flags, protocol, algorithm, and the Base64
+            domain name, flags, protocol, and algorithm, and the Base64
             representation of the key data.
-            Spaces, tabs, newlines and carriage returns are ignored
-            in the key data, so the configuration may be split up into
+            Spaces, tabs, newlines, and carriage returns are ignored
+            in the key data, so the configuration may be split into
             multiple lines.
           </p>
-          <p>
+<p>
             <span class="command"><strong>trusted-keys</strong></span> may be set at the top level
             of <code class="filename">named.conf</code> or within a view.  If it is
-            set in both places, they are additive: keys defined at the top
+            set in both places, they are additive; keys defined at the top
             level are inherited by all views, but keys defined in a view
             are only used within that view.
           </p>
-          <p>
+<p>
             Validation below specified names can be temporarily disabled
             by using <span class="command"><strong>rndc nta</strong></span>.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
+<pre class="programlisting">
 <span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
 </pre>
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
-
-          <p>
+<p>
             The <span class="command"><strong>managed-keys</strong></span> statement, like
             <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC
             security roots.  The difference is that
-            <span class="command"><strong>managed-keys</strong></span> can be kept up to date
+            <span class="command"><strong>managed-keys</strong></span> can be kept up-to-date
             automatically, without intervention from the resolver
             operator.
           </p>
-          <p>
+<p>
             Suppose, for example, that a zone's key-signing
             key was compromised, and the zone owner had to revoke and
             replace the key.  A resolver which had the old key in a
             <span class="command"><strong>trusted-keys</strong></span> statement would be
-            unable to validate this zone any longer; it would
+            unable to validate this zone; it would
             reply with a SERVFAIL response code.  This would
-            continue until the resolver operator had updated the
+            continue until the resolver operator updated the
             <span class="command"><strong>trusted-keys</strong></span> statement with the new key.
           </p>
-          <p>
+<p>
             If, however, the zone were listed in a
-            <span class="command"><strong>managed-keys</strong></span> statement instead, then the
+            <span class="command"><strong>managed-keys</strong></span> statement instead, the
             zone owner could add a "stand-by" key to the zone in advance.
             <span class="command"><strong>named</strong></span> would store the stand-by key, and
             when the original key was revoked, <span class="command"><strong>named</strong></span>
             would be able to transition smoothly to the new key.  It would
-            also recognize that the old key had been revoked, and cease
+            also recognize that the old key had been revoked and cease
             using that key to validate answers, minimizing the damage that
             the compromised key could do.
           </p>
-          <p>
+<p>
             A <span class="command"><strong>managed-keys</strong></span> statement contains a list of
             the keys to be managed, along with information about how the
             keys are to be initialized for the first time.  The only
@@ -8926,89 +8305,87 @@ example.com                 CNAME   rpz-tcp-only.
             allow keys to be initialized by other methods, eliminating this
             requirement.)
           </p>
-          <p>
+<p>
             Consequently, a <span class="command"><strong>managed-keys</strong></span> statement
-            appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing
-            in the presence of the second field, containing the keyword
+            appears similar to a <span class="command"><strong>trusted-keys</strong></span> statement, differing
+            by the presence of the second field, which contains the keyword
             <code class="literal">initial-key</code>.  The difference is, whereas the
             keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be
             trusted until they are removed from
             <code class="filename">named.conf</code>, an initializing key listed
             in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted
             <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
-            managed key database and start the RFC 5011 key maintenance
+            managed-key database and start the RFC 5011 key-maintenance
             process.
           </p>
-          <p>
+<p>
             The first time <span class="command"><strong>named</strong></span> runs with a managed key
             configured in <code class="filename">named.conf</code>, it fetches the
             DNSKEY RRset directly from the zone apex, and validates it
             using the key specified in the <span class="command"><strong>managed-keys</strong></span>
             statement.  If the DNSKEY RRset is validly signed, then it is
-            used as the basis for a new managed keys database.
+            used as the basis for a new managed-keys database.
           </p>
-          <p>
+<p>
             From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
             sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to
             make sure RFC 5011 key maintenance has already been initialized
-            for the specified domain, and if so, it simply moves on.  The
+            for the specified domain, and if so, simply moves on.  The
             key specified in the <span class="command"><strong>managed-keys</strong></span>
-            statement is not used to validate answers; it has been
-            superseded by the key or keys stored in the managed keys database.
+            statement is not used to validate answers; it is
+            superseded by the key or keys stored in the managed-keys database.
           </p>
-          <p>
+<p>
             The next time <span class="command"><strong>named</strong></span> runs after a name
             has been <span class="emphasis"><em>removed</em></span> from the
             <span class="command"><strong>managed-keys</strong></span> statement, the corresponding
-            zone will be removed from the managed keys database,
-            and RFC 5011 key maintenance will no longer be used for that
+            zone is removed from the managed-keys database,
+            and RFC 5011 key maintenance is no longer used for that
             domain.
           </p>
-          <p>
-            In the current implementation, the managed keys database
+<p>
+            In the current implementation, the managed-keys database
             is stored as a master-format zone file.
           </p>
-          <p>
+<p>
             On servers which do not use views, this file is named
             <code class="filename">managed-keys.bind</code>.  When views are in
-            use, there will be a separate managed keys database for each
-            view; the filename will be the view name (or, if a view name
+            use, there is a separate managed-keys database for each
+            view; the filename is the view name (or, if a view name
             contains characters which would make it illegal as a filename,
             a hash of the view name), followed by
             the suffix <code class="filename">.mkeys</code>.
           </p>
-          <p>
+<p>
             When the key database is changed, the zone is updated.
-            As with any other dynamic zone, changes will be written
+            As with any other dynamic zone, changes are written
             into a journal file, e.g.,
             <code class="filename">managed-keys.bind.jnl</code> or
             <code class="filename">internal.mkeys.jnl</code>.
-            Changes are committed to the master file as soon as
-            possible afterward; this will usually occur within 30
-            seconds.  So, whenever <span class="command"><strong>named</strong></span> is using
+            Changes are committed to the zone file as soon as
+            possible afterward, usually within 30
+            seconds.  Whenever <span class="command"><strong>named</strong></span> is using
             automatic key maintenance, the zone file and journal file
             can be expected to exist in the working directory.
-            (For this reason among others, the working directory
+            (For this reason, among others, the working directory
             should be always be writable by <span class="command"><strong>named</strong></span>.)
           </p>
-          <p>
+<p>
             If the <span class="command"><strong>dnssec-validation</strong></span> option is
             set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
-            will automatically initialize a managed key for the
-            root zone.  The key that is used to initialize the key
-            maintenance process is stored in <code class="filename">bind.keys</code>;
+            automatically initializes a managed key for the
+            root zone.  The key that is used to initialize the
+                key-maintenance process is stored in <code class="filename">bind.keys</code>;
             the location of this file can be overridden with the
             <span class="command"><strong>bindkeys-file</strong></span> option. As a fallback
             in the event no <code class="filename">bind.keys</code> can be
             found, the initializing key is also compiled directly
             into <span class="command"><strong>named</strong></span>.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div>
-
 <pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
     <span class="command"><strong>match-clients {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ;
     <span class="command"><strong>match-destinations {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ;
@@ -9017,13 +8394,11 @@ example.com                 CNAME   rpz-tcp-only.
   [ <em class="replaceable"><code>zone_statement</code></em> ; ... ]
 <span class="command"><strong>} </strong></span>;
 </pre>
-
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="view_statement"></a><span class="command"><strong>view</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-          <p>
+<p>
             The <span class="command"><strong>view</strong></span> statement is a powerful
             feature
             of <acronym class="acronym">BIND</acronym> 9 that lets a name server
@@ -9032,11 +8407,10 @@ example.com                 CNAME   rpz-tcp-only.
             implementing
             split DNS setups without having to run multiple servers.
           </p>
-
-          <p>
+<p>
             Each <span class="command"><strong>view</strong></span> statement defines a view
             of the
-            DNS namespace that will be seen by a subset of clients.  A client
+            DNS namespace that is seen by a subset of clients.  A client
             matches
             a view if its source IP address matches the
             <code class="varname">address_match_list</code> of the view's
@@ -9048,31 +8422,29 @@ example.com                 CNAME   rpz-tcp-only.
             specified, both
             <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
             default to matching all addresses.  In addition to checking IP
-            addresses
+            addresses,
             <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
             can also take <span class="command"><strong>keys</strong></span> which provide an
             mechanism for the
             client to select the view.  A view can also be specified
             as <span class="command"><strong>match-recursive-only</strong></span>, which
             means that only recursive
-            requests from matching clients will match that view.
+            requests from matching clients match that view.
             The order of the <span class="command"><strong>view</strong></span> statements is
-            significant &#8212;
-            a client request will be resolved in the context of the first
+            significant;
+            a client request is resolved in the context of the first
             <span class="command"><strong>view</strong></span> that it matches.
           </p>
-
-          <p>
+<p>
             Zones defined within a <span class="command"><strong>view</strong></span>
-            statement will
-            only be accessible to clients that match the <span class="command"><strong>view</strong></span>.
+            statement are
+            only accessible to clients that match the <span class="command"><strong>view</strong></span>.
             By defining a zone of the same name in multiple views, different
-            zone data can be given to different clients, for example,
+            zone data can be given to different clients: for example,
             "internal"
             and "external" clients in a split DNS setup.
           </p>
-
-          <p>
+<p>
             Many of the options given in the <span class="command"><strong>options</strong></span> statement
             can also be used within a <span class="command"><strong>view</strong></span>
             statement, and then
@@ -9085,14 +8457,12 @@ example.com                 CNAME   rpz-tcp-only.
             view-specific defaults
             take precedence over those in the <span class="command"><strong>options</strong></span> statement.
           </p>
-
-          <p>
-            Views are class specific.  If no class is given, class IN
+<p>
+            Views are class-specific.  If no class is given, class IN
             is assumed.  Note that all non-IN views must contain a hint zone,
             since only the IN class has compiled-in default hints.
           </p>
-
-          <p>
+<p>
             If there are no <span class="command"><strong>view</strong></span> statements in
             the config
             file, a default view that matches any client is automatically
@@ -9102,18 +8472,16 @@ example.com                 CNAME   rpz-tcp-only.
             the top level of the configuration file are considered to be part
             of
             this default view, and the <span class="command"><strong>options</strong></span>
-            statement will
-            apply to the default view. If any explicit <span class="command"><strong>view</strong></span>
+            statement
+            applies to the default view. If any explicit <span class="command"><strong>view</strong></span>
             statements are present, all <span class="command"><strong>zone</strong></span>
             statements must
             occur inside <span class="command"><strong>view</strong></span> statements.
           </p>
-
-          <p>
+<p>
             Here is an example of a typical split DNS setup implemented
             using <span class="command"><strong>view</strong></span> statements:
           </p>
-
 <pre class="programlisting">view "internal" {
       // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
@@ -9146,13 +8514,11 @@ view "external" {
       };
 };
 </pre>
-
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="zone_statement_grammar"></a><span class="command"><strong>zone</strong></span>
             Statement Grammar</h3></div></div></div>
-
 <pre class="programlisting">
 <span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
 	<span class="command"><strong>type</strong></span> ( master | primary );
@@ -9353,60 +8719,64 @@ view "external" {
 	<span class="command"><strong>in-view</strong></span> <em class="replaceable"><code>string</code></em>;
 };
 </pre>
-
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="zone_statement"></a><span class="command"><strong>zone</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-          <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="zone_types"></a>Zone Types</h4></div></div></div>
-            <p>
+<p>
               The <span class="command"><strong>type</strong></span> keyword is required
               for the <span class="command"><strong>zone</strong></span> configuration unless
               it is an <span class="command"><strong>in-view</strong></span> configuration. Its
-              acceptable values include: <code class="varname">delegation-only</code>,
-              <code class="varname">forward</code>, <code class="varname">hint</code>,
-              <code class="varname">master</code>, <code class="varname">redirect</code>,
-              <code class="varname">slave</code>, <code class="varname">static-stub</code>,
-              and <code class="varname">stub</code>.
+              acceptable values are: <code class="varname">master</code>,
+              <code class="varname">slave</code>, <code class="varname">hint</code>,
+              <code class="varname">stub</code>, <code class="varname">static-stub</code>,
+              <code class="varname">forward</code>, <code class="varname">redirect</code>,
+              or <code class="varname">delegation-only</code>.
             </p>
-
-            <div class="informaltable">
-              <table border="1">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+              Later versions of BIND added <span class="command"><strong>type primary</strong></span>
+              and <span class="command"><strong>type secondary</strong></span> as synonyms for
+              <span class="command"><strong>type master</strong></span> and <span class="command"><strong>type slave</strong></span>,
+              as those terms are in more common use now. BIND 9.11's
+              configuration syntax predates this change.
+            </div>
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col class="1">
-<col width="4.017in" class="2">
+<col class="2">
 </colgroup>
-<tbody>
+<tbody valign="top">
 <tr>
-<td>
+<td valign="top">
                       <p>
                         <code class="varname">master</code>
                       </p>
                     </td>
-<td>
+<td valign="top">
                       <p>
                         The server has a master copy of the data
-                        for the zone and will be able to provide authoritative
-                        answers for
-                        it.
+                        for the zone and is able to provide authoritative
+                        answers for it.
                       </p>
                     </td>
 </tr>
 <tr>
-<td>
+<td valign="top">
                       <p>
                         <code class="varname">slave</code>
                       </p>
                     </td>
-<td>
+<td valign="top">
                       <p>
-                        A slave zone is a replica of a master
-                        zone. The <span class="command"><strong>masters</strong></span> list
+                        A secondary zone, replicating a primary zone
+                        provided by another authoritative server.
+                        The <span class="command"><strong>masters</strong></span> list
                         specifies one or more IP addresses
-                        of master servers that the slave contacts to update
+                        of primary servers that the secondary contacts to update
                         its copy of the zone.
                         Masters list elements can also be names of other
                         masters lists.
@@ -9416,10 +8786,10 @@ view "external" {
                         before the
                         list of IP addresses, or on a per-server basis after
                         the IP address.
-                        Authentication to the master can also be done with
+                        Authentication to the primary can also be done with
                         per-server TSIG keys.
                         If a file is specified, then the
-                        replica will be written to this file whenever the zone
+                        replica is written to this file whenever the zone
                         is changed,
                         and reloaded from this file on a server restart. Use
                         of a file is
@@ -9431,52 +8801,64 @@ view "external" {
                         is best to
                         use a two-level naming scheme for zone filenames. For
                         example,
-                        a slave server for the zone <code class="literal">example.com</code> might place
+                        a secondary server for the zone <code class="literal">example.com</code> might place
                         the zone contents into a file called
                         <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
                         just the first two letters of the zone name. (Most
                         operating systems
-                        behave very slowly if you put 100000 files into
+                        behave very slowly if there are 100000 files in
                         a single directory.)
                       </p>
                     </td>
 </tr>
 <tr>
-<td>
+<td valign="top">
+                      <p>
+                        <code class="varname">hint</code>
+                      </p>
+                    </td>
+<td valign="top">
+                      <p>
+                        The initial set of root name servers is
+                        specified using a hint zone. When the server starts,
+                        it uses
+                        the root hints to find a root name server and get the
+                        most recent
+                        list of root name servers. If no hint zone is
+                        specified for class
+                        IN, the server uses a compiled-in default set of root
+                        servers hints.
+                        Classes other than IN have no built-in default hints.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td valign="top">
                       <p>
                         <code class="varname">stub</code>
                       </p>
                     </td>
-<td>
+<td valign="top">
                       <p>
-                        A stub zone is similar to a slave zone,
+                        A stub zone is similar to a secondary zone,
                         except that it replicates only the NS records of a
-                        master zone instead
+                        primary zone instead
                         of the entire zone. Stub zones are not a standard part
                         of the DNS;
                         they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
                       </p>
 
                       <p>
-                        Stub zones can be used to eliminate the need for glue
+                        Stub zones can be used to eliminate the need for a glue
                         NS record
-                        in a parent zone at the expense of maintaining a stub
+                        in a parent zone, at the expense of maintaining a stub
                         zone entry and
                         a set of name server addresses in <code class="filename">named.conf</code>.
                         This usage is not recommended for new configurations,
                         and BIND 9
                         supports it only in a limited way.
-                        In <acronym class="acronym">BIND</acronym> 4/8, zone
-                        transfers of a parent zone
-                        included the NS records from stub children of that
-                        zone. This meant
-                        that, in some cases, users could get away with
-                        configuring child stubs
-                        only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
-                        9 never mixes together zone data from different zones
-                        in this
-                        way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
-                        zone has child stub zones configured, all the slave
+                        If a <acronym class="acronym">BIND</acronym> 9 primary, serving a parent
+                        zone, has child stub zones configured, all the secondary
                         servers for the
                         parent zone also need to have the same child stub
                         zones
@@ -9484,13 +8866,13 @@ view "external" {
                       </p>
 
                       <p>
-                        Stub zones can also be used as a way of forcing the
+                        Stub zones can also be used as a way to force the
                         resolution
                         of a given domain to use a particular set of
                         authoritative servers.
                         For example, the caching name servers on a private
                         network using
-                        RFC1918 addressing may be configured with stub zones
+                        RFC 1918 addressing may be configured with stub zones
                         for
                         <code class="literal">10.in-addr.arpa</code>
                         to use a set of internal name servers as the
@@ -9500,21 +8882,21 @@ view "external" {
                     </td>
 </tr>
 <tr>
-<td>
+<td valign="top">
                       <p>
                         <code class="varname">static-stub</code>
                       </p>
                     </td>
-<td>
+<td valign="top">
                       <p>
                         A static-stub zone is similar to a stub zone
                         with the following exceptions:
                         the zone data is statically configured, rather
-                        than transferred from a master server;
+                        than transferred from a primary server; and
                         when recursion is necessary for a query that
                         matches a static-stub zone, the locally
-                        configured data (nameserver names and glue addresses)
-                        is always used even if different authoritative
+                        configured data (name server names and glue addresses)
+                        is always used, even if different authoritative
                         information is cached.
                       </p>
                       <p>
@@ -9529,9 +8911,9 @@ view "external" {
                         databases by <span class="command"><strong>rndc dumpdb -all</strong></span>.
                         The configured RRs are considered local configuration
                         parameters rather than public data.
-                        Non recursive queries (i.e., those with the RD
+                        Non-recursive queries (i.e., those with the RD
                         bit off) to a static-stub zone are therefore
-                        prohibited and will be responded with REFUSED.
+                        prohibited and are responded to with REFUSED.
                       </p>
                       <p>
                         Since the data is statically configured, no
@@ -9544,71 +8926,50 @@ view "external" {
                       <p>
                         Each static-stub zone is configured with
                         internally generated NS and (if necessary)
-                        glue A or AAAA RRs
+                        glue A or AAAA RRs.
                       </p>
                     </td>
 </tr>
 <tr>
-<td>
+<td valign="top">
                       <p>
                         <code class="varname">forward</code>
                       </p>
                     </td>
-<td>
+<td valign="top">
                       <p>
-                        A "forward zone" is a way to configure
+                        A forward zone is a way to configure
                         forwarding on a per-domain basis.  A <span class="command"><strong>zone</strong></span> statement
                         of type <span class="command"><strong>forward</strong></span> can
                         contain a <span class="command"><strong>forward</strong></span>
                         and/or <span class="command"><strong>forwarders</strong></span>
                         statement,
-                        which will apply to queries within the domain given by
+                        which applies to queries within the domain given by
                         the zone
                         name. If no <span class="command"><strong>forwarders</strong></span>
-                        statement is present or
+                        statement is present, or
                         an empty list for <span class="command"><strong>forwarders</strong></span> is given, then no
-                        forwarding will be done for the domain, canceling the
+                        forwarding is done for the domain, canceling the
                         effects of
-                        any forwarders in the <span class="command"><strong>options</strong></span> statement. Thus
-                        if you want to use this type of zone to change the
+                        any forwarders in the <span class="command"><strong>options</strong></span> statement. Thus,
+                        to use this type of zone to change the
                         behavior of the
                         global <span class="command"><strong>forward</strong></span> option
                         (that is, "forward first"
-                        to, then "forward only", or vice versa, but want to
+                        to, then "forward only", or vice versa), but
                         use the same
-                        servers as set globally) you need to re-specify the
+                        servers as set globally, re-specify the
                         global forwarders.
                       </p>
                     </td>
 </tr>
 <tr>
-<td>
-                      <p>
-                        <code class="varname">hint</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The initial set of root name servers is
-                        specified using a "hint zone". When the server starts
-                        up, it uses
-                        the root hints to find a root name server and get the
-                        most recent
-                        list of root name servers. If no hint zone is
-                        specified for class
-                        IN, the server uses a compiled-in default set of root
-                        servers hints.
-                        Classes other than IN have no built-in defaults hints.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
+<td valign="top">
                       <p>
                         <code class="varname">redirect</code>
                       </p>
                     </td>
-<td>
+<td valign="top">
                       <p>
                         Redirect zones are used to provide answers to
                         queries when normal resolution would result in
@@ -9619,26 +8980,26 @@ view "external" {
                       </p>
                       <p>
                         If the client has requested DNSSEC records (DO=1) and
-                        the NXDOMAIN response is signed then no substitution
-                        will occur.
+                        the NXDOMAIN response is signed, no substitution
+                        occurs.
                       </p>
                       <p>
                         To redirect all NXDOMAIN responses to
                         100.100.100.2 and
-                        2001:ffff:ffff::100.100.100.2, one would
-                        configure a type redirect zone named ".",
+                        2001:ffff:ffff::100.100.100.2,
+                        configure a type <code class="varname">redirect</code> zone named ".",
                         with the zone file containing wildcard records
                         that point to the desired addresses:
-                        <code class="literal">"*. IN A 100.100.100.2"</code>
+                        <code class="literal">*. IN A 100.100.100.2</code>
                         and
-                        <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
+                        <code class="literal">*. IN AAAA 2001:ffff:ffff::100.100.100.2</code>.
                       </p>
                       <p>
-                        To redirect all Spanish names (under .ES) one
-                        would use similar entries but with the names
+                        As another example, to redirect all Spanish names (under .ES),
+                        use similar entries but with the names
                         "*.ES." instead of "*.".  To redirect all
-                        commercial Spanish names (under COM.ES) one
-                        would use wildcard entries called "*.COM.ES.".
+                        commercial Spanish names (under COM.ES),
+                        use wildcard entries called "*.COM.ES.".
                       </p>
                       <p>
                         Note that the redirect zone supports all
@@ -9648,33 +9009,33 @@ view "external" {
                       <p>
                         Because redirect zones are not referenced
                         directly by name, they are not kept in the
-                        zone lookup table with normal master and slave
+                        zone lookup table with normal primary and secondary
                         zones. Consequently, it is not currently possible
                         to use
                         <span class="command"><strong>rndc reload
                                 <em class="replaceable"><code>zonename</code></em></strong></span>
                         to reload a redirect zone.  However, when using
                         <span class="command"><strong>rndc reload</strong></span> without specifying
-                        a zone name, redirect zones will be reloaded along
+                        a zone name, redirect zones are reloaded along
                         with other zones.
                       </p>
                     </td>
 </tr>
 <tr>
-<td>
+<td valign="top">
                       <p>
                         <code class="varname">delegation-only</code>
                       </p>
                     </td>
-<td>
+<td valign="top">
                       <p>
-                        This is used to enforce the delegation-only
-                        status of infrastructure zones (e.g. COM,
+                        This zone type is used to enforce the delegation-only
+                        status of infrastructure zones (e.g., COM,
                         NET, ORG).  Any answer that is received
                         without an explicit or implicit delegation
-                        in the authority section will be treated
+                        in the authority section is treated
                         as NXDOMAIN.  This does not apply to the
-                        zone apex.  This should not be applied to
+                        zone apex, and should not be applied to
                         leaf zones.
                       </p>
                       <p>
@@ -9686,100 +9047,105 @@ view "external" {
                       </p>
                     </td>
 </tr>
+<tr>
+<td valign="top">
+                      <p>
+                        <code class="varname">in-view</code>
+                      </p>
+                    </td>
+<td valign="top">
+                      <p>
+                        When using multiple views, a primary or secondary zone
+                        configured in one view can be referenced in a
+                        subsequent view. This allows both views to serve the
+                        same zone without the overhead of loading it more
+                        than once. This is configured using a
+                        <code class="varname">zone</code> statement, with an
+                        <code class="varname">in-view</code> option specifying the
+                        view in which the zone is defined.
+                        A <code class="varname">zone</code> statement containing
+                        <code class="varname">in-view</code> does not need to specify
+                        a type, since that is part of the zone definition
+                        in the other view.
+                      </p>
+                      <p>
+                        See <a class="xref" href="Bv9ARM.ch06.html#multiple_views" title="Multiple Views">the section called &#8220;Multiple Views&#8221;</a> for more information.
+                      </p>
+                    </td>
+</tr>
 </tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
+</table></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="class"></a>Class</h4></div></div></div>
-
-            <p>
+<p>
               The zone's name may optionally be followed by a class. If
               a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
               is assumed. This is correct for the vast majority of cases.
             </p>
-            <p>
+<p>
               The <code class="literal">hesiod</code> class is
-              named for an information service from MIT's Project Athena. It
-              is
+              named for an information service from MIT's Project Athena. It was
               used to share information about various systems databases, such
-              as users, groups, printers and so on. The keyword
+              as users, groups, printers, and so on. The keyword
               <code class="literal">HS</code> is
               a synonym for hesiod.
             </p>
-            <p>
+<p>
               Another MIT development is Chaosnet, a LAN protocol created
               in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
             </p>
-          </div>
-
-          <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="zone_options"></a>Zone Options</h4></div></div></div>
-
-            <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>allow-notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>allow-query</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>allow-query-on</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of <span class="command"><strong>allow-transfer</strong></span>
                     in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of <span class="command"><strong>allow-update</strong></span>
                     in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>update-policy</strong></span></span></dt>
-<dd>
-                  <p>
-                    Specifies a "Simple Secure Update" policy. See
+<dd><p>
+                    This specifies a "Simple Secure Update" policy. See
                     <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of <span class="command"><strong>allow-update-forwarding</strong></span>
                     in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
-<dd>
-                  <p>
-                    Only meaningful if <span class="command"><strong>notify</strong></span>
+<dd><p>
+                    This option is only meaningful if <span class="command"><strong>notify</strong></span>
                     is
-                    active for this zone. The set of machines that will
+                    active for this zone. The set of machines that
                     receive a
                     <code class="literal">DNS NOTIFY</code> message
                     for this zone is made up of all the listed name servers
                     (other than
-                    the primary master) for the zone plus any IP addresses
+                    the primary) for the zone, plus any IP addresses
                     specified
                     with <span class="command"><strong>also-notify</strong></span>. A port
                     may be specified
@@ -9792,103 +9158,79 @@ view "external" {
                     <span class="command"><strong>also-notify</strong></span> is not
                     meaningful for stub zones.
                     The default is the empty list.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     This option is used to restrict the character set and
                     syntax of
-                    certain domain names in master files and/or DNS responses
+                    certain domain names in zone files and/or DNS responses
                     received from the
-                    network.  The default varies according to zone type.  For <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.  For <span class="command"><strong>slave</strong></span>
-                    zones the default is <span class="command"><strong>warn</strong></span>.
+                    network.  The default varies according to zone type.
+                    For primary zones the default is <span class="command"><strong>fail</strong></span>;
+                    for secondary zones the default is <span class="command"><strong>warn</strong></span>.
                     It is not implemented for <span class="command"><strong>hint</strong></span> zones.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>check-mx</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>check-spf</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>check-wildcard</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>check-integrity</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>check-sibling</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>zero-no-soa-ttl</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>update-check-ksk</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>dnssec-loadkeys-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
           Usage&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>dnssec-update-mode</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
           Usage&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>try-tcp-refresh</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>database</strong></span></span></dt>
 <dd>
-                  <p>
-                    Specify the type of database to be used for storing the
+<p>
+                    This specifies the type of database to be used to store the
                     zone data.  The string following the <span class="command"><strong>database</strong></span> keyword
                     is interpreted as a list of whitespace-delimited words.
                     The first word
@@ -9898,42 +9240,39 @@ view "external" {
                     specific
                     to the database type.
                   </p>
-                  <p>
+<p>
                     The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
                     native in-memory
-                    red-black-tree database.  This database does not take
+                    red-black tree database.  This database does not take
                     arguments.
                   </p>
-                  <p>
+<p>
                     Other values are possible if additional database drivers
                     have been linked into the server.  Some sample drivers are
                     included
                     with the distribution but none are linked in by default.
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>dialup</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>delegation-only</strong></span></span></dt>
 <dd>
-                  <p>
-                    The flag only applies to forward, hint and stub
+<p>
+                    This flag only applies to forward, hint, and stub
                     zones.  If set to <strong class="userinput"><code>yes</code></strong>,
-                    then the zone will also be treated as if it is
+                    then the zone is treated as if it is
                     also a delegation-only type zone.
                   </p>
-                  <p>
+<p>
                     See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>file</strong></span></span></dt>
-<dd>
-                  <p>
-                    Set the zone's filename. In <span class="command"><strong>master</strong></span>,
+<dd><p>
+                    This sets the zone's filename. In <span class="command"><strong>master</strong></span>,
                     <span class="command"><strong>hint</strong></span>, and <span class="command"><strong>redirect</strong></span>
                     zones which do not have <span class="command"><strong>masters</strong></span>
                     defined, zone data is loaded from this file. In
@@ -9942,31 +9281,25 @@ view "external" {
                     <span class="command"><strong>masters</strong></span> defined, zone data is
                     retrieved from another server and saved in this file.
                     This option is not applicable to other zone types.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
-<dd>
-                  <p>
-                    Only meaningful if the zone has a forwarders
+<dd><p>
+                    This option is only meaningful if the zone has a forwarders
                     list. The <span class="command"><strong>only</strong></span> value causes
                     the lookup to fail
-                    after trying the forwarders and getting no answer, while <span class="command"><strong>first</strong></span> would
-                    allow a normal lookup to be tried.
-                  </p>
-                </dd>
+                    after trying the forwarders and getting no answer, while <span class="command"><strong>first</strong></span>
+                    allows a normal lookup to be tried.
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
-<dd>
-                  <p>
-                    Used to override the list of global forwarders.
+<dd><p>
+                    This is used to override the list of global forwarders.
                     If it is not specified in a zone of type <span class="command"><strong>forward</strong></span>,
                     no forwarding is done for the zone and the global options are
                     not used.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>ixfr-base</strong></span></span></dt>
-<dd>
-                  <p>
-                    Was used in <acronym class="acronym">BIND</acronym> 8 to
+<dd><p>
+                    This was used in <acronym class="acronym">BIND</acronym> 8 to
                     specify the name
                     of the transaction log (journal) file for dynamic update
                     and IXFR.
@@ -9975,388 +9308,316 @@ view "external" {
                     file by appending "<code class="filename">.jnl</code>"
                     to the name of the
                     zone file.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>ixfr-tmp-file</strong></span></span></dt>
-<dd>
-                  <p>
-                    Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
-                    Ignored in <acronym class="acronym">BIND</acronym> 9.
-                  </p>
-                </dd>
+<dd><p>
+                    This was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
+                    It is ignored in <acronym class="acronym">BIND</acronym> 9.
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>journal</strong></span></span></dt>
-<dd>
-                  <p>
-                    Allow the default journal's filename to be overridden.
+<dd><p>
+                    This allows the default journal's filename to be overridden.
                     The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
-                    This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones.
-                  </p>
-                </dd>
+                    This is applicable to primary (<span class="command"><strong>master</strong></span>)
+                    and secondary (<span class="command"><strong>slave</strong></span>) zones.
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
-                    <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
-                  </p>
-                </dd>
+                    <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server Resource Limits&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
-                    <span class="command"><strong>max-records</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
-                  </p>
-                </dd>
+                    <span class="command"><strong>max-records</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server Resource Limits&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>max-transfer-time-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>max-transfer-idle-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>max-transfer-time-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>max-transfer-idle-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>notify-delay</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>notify-to-soa</strong></span> in
                     <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>pubkey</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     In <acronym class="acronym">BIND</acronym> 8, this option was
-                    intended for specifying
-                    a public zone key for verification of signatures in DNSSEC
-                    signed
-                    zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
+                    intended to specify
+                    a public zone key for verification of signatures in DNSSEC-signed
+                    zones when they were loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
                     on load and ignores the option.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>zone-statistics</strong></span> in
                     <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
           Usage&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>server-addresses</strong></span></span></dt>
 <dd>
-                  <p>
-                    Only meaningful for static-stub zones.
+<p>
+                    This option is only meaningful for static-stub zones.
                     This is a list of IP addresses to which queries
                     should be sent in recursive resolution for the
                     zone.
-                    A non empty list for this option will internally
-                    configure the apex NS RR with associated glue A or
+                    A non-empty list for this option internally
+                    configures the apex NS RR with associated glue A or
                     AAAA RRs.
                   </p>
-                  <p>
+<p>
                     For example, if "example.com" is configured as a
                     static-stub zone with 192.0.2.1 and 2001:db8::1234
                     in a <span class="command"><strong>server-addresses</strong></span> option,
-                    the following RRs will be internally configured.
+                    the following RRs are internally configured:
                   </p>
 <pre class="programlisting">example.com. NS example.com.
 example.com. A 192.0.2.1
 example.com. AAAA 2001:db8::1234</pre>
-                  <p>
-                    These records are internally used to resolve
+<p>
+                    These records are used internally to resolve
                     names under the static-stub zone.
                     For instance, if the server receives a query for
                     "www.example.com" with the RD bit on, the server
-                    will initiate recursive resolution and send
+                    initiates recursive resolution and sends
                     queries to 192.0.2.1 and/or 2001:db8::1234.
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>server-names</strong></span></span></dt>
 <dd>
-                  <p>
-                    Only meaningful for static-stub zones.
-                    This is a list of domain names of nameservers that
+<p>
+                    This option is only meaningful for static-stub zones.
+                    This is a list of domain names of name servers that
                     act as authoritative servers of the static-stub
                     zone.
-                    These names will be resolved to IP addresses when
+                    These names are resolved to IP addresses when
                     <span class="command"><strong>named</strong></span> needs to send queries to
                     these servers.
-                    To make this supplemental resolution successful,
+                    For this supplemental resolution to be successful,
                     these names must not be a subdomain of the origin
-                    name of static-stub zone.
+                    name of the static-stub zone.
                     That is, when "example.net" is the origin of a
                     static-stub zone, "ns.example" and
                     "master.example.com" can be specified in the
                     <span class="command"><strong>server-names</strong></span> option, but
-                    "ns.example.net" cannot, and will be rejected by
+                    "ns.example.net" cannot; it is rejected by
                     the configuration parser.
                   </p>
-                  <p>
-                    A non empty list for this option will internally
-                    configure the apex NS RR with the specified names.
+<p>
+                    A non-empty list for this option internally
+                    configures the apex NS RR with the specified names.
                     For example, if "example.com" is configured as a
                     static-stub zone with "ns1.example.net" and
                     "ns2.example.net"
                     in a <span class="command"><strong>server-names</strong></span> option,
-                    the following RRs will be internally configured.
+                    the following RRs are internally configured:
                   </p>
 <pre class="programlisting">example.com. NS ns1.example.net.
 example.com. NS ns2.example.net.
 </pre>
-                  <p>
-                    These records are internally used to resolve
+<p>
+                    These records are used internally to resolve
                     names under the static-stub zone.
                     For instance, if the server receives a query for
                     "www.example.com" with the RD bit on, the server
-                    initiate recursive resolution,
-                    resolve "ns1.example.net" and/or
-                    "ns2.example.net" to IP addresses, and then send
-                    queries to (one or more of) these addresses.
+                    initiates recursive resolution,
+                    resolves "ns1.example.net" and/or
+                    "ns2.example.net" to IP addresses, and then sends
+                    queries to one or more of these addresses.
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>sig-validity-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>sig-signing-nodes</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>sig-signing-signatures</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>sig-signing-type</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>alt-transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>use-alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>notify-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>notify-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt>
 <span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
 </dt>
-<dd>
-                  <p>
-                    See the description in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
+<dd><p>
+                    See the descriptions in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>ixfr-from-differences</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                     (Note that the <span class="command"><strong>ixfr-from-differences</strong></span>
-                    <strong class="userinput"><code>master</code></strong> and
-                    <strong class="userinput"><code>slave</code></strong> choices are not
+                    choices of <strong class="userinput"><code>master</code></strong> and
+                    <strong class="userinput"><code>slave</code></strong> are not
                     available at the zone level.)
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>key-directory</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
           Usage&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>auto-dnssec</strong></span> in
                     <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
           Usage&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>serial-update-method</strong></span> in
                     <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
           Usage&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>inline-signing</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     If <code class="literal">yes</code>, this enables
-                    "bump in the wire" signing of a zone, where a
+                    "bump in the wire" signing of a zone, where an
                     unsigned zone is transferred in or loaded from
                     disk and a signed version of the zone is served,
-                    with possibly, a different serial number.  This
+                    with, possibly, a different serial number.  This
                     behavior is disabled by default.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of <span class="command"><strong>multi-master</strong></span> in
                     <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of <span class="command"><strong>masterfile-format</strong></span>
                     in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of <span class="command"><strong>max-zone-ttl</strong></span>
                     in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
           Usage&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     See the description of
                     <span class="command"><strong>dnssec-secure-to-insecure</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
+                  </p></dd>
 </dl></div>
-
-          </div>
-          <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-
-            <p><acronym class="acronym">BIND</acronym> 9 supports two alternative
+<p><acronym class="acronym">BIND</acronym> 9 supports two
               methods of granting clients the right to perform
               dynamic updates to a zone, configured by the
               <span class="command"><strong>allow-update</strong></span> and
-              <span class="command"><strong>update-policy</strong></span> option, respectively.
+              <span class="command"><strong>update-policy</strong></span> options.
             </p>
-            <p>
+<p>
               The <span class="command"><strong>allow-update</strong></span> clause is a simple
               access control list.  Any client that matches
               the ACL is granted permission to update any record
               in the zone.
             </p>
-            <p>
+<p>
               The <span class="command"><strong>update-policy</strong></span> clause
-              allows more fine-grained control over what updates are
+              allows more fine-grained control over which updates are
               allowed.  It specifies a set of rules, in which each rule
               either grants or denies permission for one or more
               names in the zone to be updated by one or more
               identities. Identity is determined by the key that
-              signed the update request using either TSIG or SIG(0).
+              signed the update request, using either TSIG or SIG(0).
               In most cases, <span class="command"><strong>update-policy</strong></span> rules
               only apply to key-based identities.  There is no way
               to specify update permissions based on client source
               address.
             </p>
-            <p>
+<p>
               <span class="command"><strong>update-policy</strong></span> rules are only meaningful
-              for zones of type <span class="command"><strong>master</strong></span>, and are
+              for primary zones (type <span class="command"><strong>master</strong></span>), and are
               not allowed in any other zone type.
               It is a configuration error to specify both
               <span class="command"><strong>allow-update</strong></span> and
               <span class="command"><strong>update-policy</strong></span> at the same time.
             </p>
-            <p>
+<p>
               A pre-defined <span class="command"><strong>update-policy</strong></span> rule can be
               switched on with the command
               <span class="command"><strong>update-policy local;</strong></span>.
-              Using this in a zone causes
-              <span class="command"><strong>named</strong></span> to generate a TSIG session key
-              when starting up and store it in a file; this key can then
+              <span class="command"><strong>named</strong></span> automatically generates a TSIG session
+              key when starting and stores it in a file; this key can then
               be used by local clients to update the zone while
               <span class="command"><strong>named</strong></span> is running.
               By default, the session key is stored in the file
@@ -10364,44 +9625,39 @@ example.com. NS ns2.example.net.
               is "local-ddns", and the key algorithm is HMAC-SHA256.
               These values are configurable with the
               <span class="command"><strong>session-keyfile</strong></span>,
-              <span class="command"><strong>session-keyname</strong></span> and
+              <span class="command"><strong>session-keyname</strong></span>, and
               <span class="command"><strong>session-keyalg</strong></span> options, respectively.
               A client running on the local system, if run with appropriate
               permissions, may read the session key from the key file and
               use it to sign update requests.  The zone's update
-              policy will be set to allow that key to change any record
+              policy is set to allow that key to change any record
               within the zone.  Assuming the key name is "local-ddns",
               this policy is equivalent to:
             </p>
-
-            <pre class="programlisting">update-policy { grant local-ddns zonesub any; };
+<pre class="programlisting">update-policy { grant local-ddns zonesub any; };
             </pre>
-
-            <p>
-              ...with the additional restriction that only clients
-              connecting from the local system will be permitted to send
+<p>
+              with the additional restriction that only clients
+              connecting from the local system are permitted to send
               updates.
             </p>
-            <p>
+<p>
               Note that only one session key is generated by
               <span class="command"><strong>named</strong></span>; all zones configured to use
-              <span class="command"><strong>update-policy local</strong></span> will accept the same key.
+              <span class="command"><strong>update-policy local</strong></span> accept the same key.
             </p>
-            <p>
+<p>
               The command <span class="command"><strong>nsupdate -l</strong></span> implements this
               feature, sending requests to localhost and signing them using
               the key retrieved from the session key file.
             </p>
-
-            <p>
+<p>
               Other rule definitions look like this:
             </p>
-
 <pre class="programlisting">
 ( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>ruletype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
 </pre>
-
-            <p>
+<p>
               Each rule grants or denies privileges.  Rules are checked
               in the order in which they are specified in the
               <span class="command"><strong>update-policy</strong></span> statement. Once a message
@@ -10411,7 +9667,7 @@ example.com. NS ns2.example.net.
               <span class="command"><strong>ruletype</strong></span> field, and the interpretation
               of other fields varies depending on the rule type.
             </p>
-            <p>
+<p>
               In general, a rule is matched when the
               key that signed an update request matches the
               <span class="command"><strong>identity</strong></span> field, the name of the record
@@ -10421,50 +9677,48 @@ example.com. NS ns2.example.net.
               <span class="command"><strong>types</strong></span> field. Details for each rule type
               are described below.
             </p>
-            <p>
+<p>
               The <span class="command"><strong>identity</strong></span> field must be set to
-              a fully-qualified domain name.  In most cases, this
-              represensts the name of the TSIG or SIG(0) key that must be
+              a fully qualified domain name.  In most cases, this
+              represents the name of the TSIG or SIG(0) key that must be
               used to sign the update request.  If the specified name is a
               wildcard, it is subject to DNS wildcard expansion, and the
               rule may apply to multiple identities.  When a TKEY exchange
               has been used to create a shared secret, the identity of
-              the key used to authenticate the TKEY exchange will be
+              the key used to authenticate the TKEY exchange is
               used as the identity of the shared secret.  Some rule types
               use identities matching the client's Kerberos principal
               (e.g, <strong class="userinput"><code>"host/machine@REALM"</code></strong>) or
               Windows realm (<strong class="userinput"><code>machine$@REALM</code></strong>).
             </p>
-            <p>
+<p>
               The <em class="replaceable"><code>name</code></em> field also specifies
-              a fully-qualified domain name. This often
+              a fully qualified domain name. This often
               represents the name of the record to be updated.
               Interpretation of this field is dependent on rule type.
             </p>
-            <p>
+<p>
               If no <span class="command"><strong>types</strong></span> are explicitly specified,
-              then a rule matches all types except RRSIG, NS, SOA, NSEC
+              then a rule matches all types except RRSIG, NS, SOA, NSEC,
               and NSEC3. Types may be specified by name, including
-              "ANY" (ANY matches all types except NSEC and NSEC3,
-              which can never be updated).  Note that when an attempt
+              "ANY"; ANY matches all types except NSEC and NSEC3,
+              which can never be updated.  Note that when an attempt
               is made to delete all records associated with a name,
               the rules are checked for each existing record type.
             </p>
-            <p>
+<p>
               The <em class="replaceable"><code>ruletype</code></em> field has 16
               values:
               <code class="varname">name</code>, <code class="varname">subdomain</code>,
-              <code class="varname">wildcard</code>, <code class="varname">self</code>,
-              <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
-              <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
-              <code class="varname">krb5-selfsub</code>, <code class="varname">ms-selfsub</code>,
-              <code class="varname">krb5-subdomain</code>,
-              <code class="varname">ms-subdomain</code>,
-              <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
-              <code class="varname">zonesub</code>, and <code class="varname">external</code>.
+              <code class="varname">zonesub</code>, <code class="varname">wildcard</code>,
+                  <code class="varname">self</code>, <code class="varname">selfsub</code>,
+                  <code class="varname">selfwild</code>, <code class="varname">ms-self</code>,
+              <code class="varname">ms-selfsub</code>, <code class="varname">ms-subdomain</code>,
+              <code class="varname">krb5-self</code>, <code class="varname">krb5-selfsub</code>,
+              <code class="varname">krb5-subdomain</code>, <code class="varname">tcp-self</code>,
+                  <code class="varname">6to4-self</code>, and <code class="varname">external</code>.
             </p>
-            <div class="informaltable">
-              <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="0.819in" class="1">
 <col width="3.681in" class="2">
@@ -10478,7 +9732,7 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        Exact-match semantics.  This rule matches
+                        With exact-match semantics, this rule matches
                         when the name being updated is identical
                         to the contents of the
                         <em class="replaceable"><code>name</code></em> field.
@@ -10562,7 +9816,7 @@ example.com. NS ns2.example.net.
                         name as the record to be updated.  In this case,
                         the <em class="replaceable"><code>identity</code></em> field
                         can be specified as <code class="constant">*</code>
-                        (an asterisk).
+                        (asterisk).
                       </p>
                     </td>
 </tr>
@@ -10574,7 +9828,7 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        This rule is similar to <code class="varname">self</code>
+                        This rule is similar to <code class="varname">self</code>,
                         except that subdomains of <code class="varname">self</code>
                         can also be updated.
                       </p>
@@ -10588,7 +9842,7 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        This rule is similar to <code class="varname">self</code>
+                        This rule is similar to <code class="varname">self</code>,
                         except that only subdomains of
                         <code class="varname">self</code> can be updated.
                       </p>
@@ -10603,9 +9857,9 @@ example.com. NS ns2.example.net.
 <td>
                       <p>
                         When a client sends an UPDATE using a Windows
-                        machine principal (for example, 'machine$@REALM'),
+                        machine principal (for example, "machine$@REALM"),
                         this rule allows records with the absolute name
-                        of 'machine.REALM' to be updated.
+                        of "machine.REALM" to be updated.
                       </p>
                       <p>
                         The realm to be matched is specified in the
@@ -10633,7 +9887,7 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        This is similar to <span class="command"><strong>ms-self</strong></span>
+                        This is similar to <span class="command"><strong>ms-self</strong></span>,
                         except it also allows updates to any subdomain of
                         the name specified in the Windows machine
                         principal, not just to the name itself.
@@ -10649,7 +9903,7 @@ example.com. NS ns2.example.net.
 <td>
                       <p>
                         When a client sends an UPDATE using a Windows
-                        machine principal (for example, 'machine$@REALM'),
+                        machine principal (for example, "machine$@REALM"),
                         this rule allows any machine in the specified
                         realm to update any record in the zone or in a
                         specified subdomain of the zone.
@@ -10661,8 +9915,8 @@ example.com. NS ns2.example.net.
                       <p>
                         The <em class="replaceable"><code>name</code></em> field
                         specifies the subdomain that may be updated.
-                        If set to "." (or any other name at or above
-                        the zone apex), any name in the zone can be
+                        If set to "." or any other name at or above
+                        the zone apex, any name in the zone can be
                         updated.
                       </p>
                       <p>
@@ -10670,8 +9924,8 @@ example.com. NS ns2.example.net.
                         for the zone "example.com" includes
                         <strong class="userinput"><code>grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA</code></strong>,
                         any machine with a valid principal in
-                        the realm <strong class="userinput"><code>EXAMPLE.COM</code></strong> will
-                        be able to update address records at or below
+                        the realm <strong class="userinput"><code>EXAMPLE.COM</code></strong> is
+                        able to update address records at or below
                         "hosts.example.com".
                       </p>
                     </td>
@@ -10686,13 +9940,13 @@ example.com. NS ns2.example.net.
                       <p>
                         When a client sends an UPDATE using a
                         Kerberos machine principal (for example,
-                        'host/machine@REALM'), this rule allows
-                        records with the absolute name of 'machine'
-                        to be updated provided it has been authenticated
+                        "host/machine@REALM"), this rule allows
+                        records with the absolute name of "machine"
+                        to be updated, provided it has been authenticated
                         by REALM.  This is similar but not identical
-                        to <span class="command"><strong>ms-self</strong></span> due to the
-                        'machine' part of the Kerberos principal
-                        being an absolute name instead of a unqualified
+                        to <span class="command"><strong>ms-self</strong></span>, due to the
+                        "machine" part of the Kerberos principal
+                        being an absolute name instead of an unqualified
                         name.
                       </p>
                       <p>
@@ -10721,9 +9975,9 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        This is similar to <span class="command"><strong>krb5-self</strong></span>
+                        This is similar to <span class="command"><strong>krb5-self</strong></span>,
                         except it also allows updates to any subdomain of
-                        the name specified in the 'machine' part of the
+                        the name specified in the "machine" part of the
                         Kerberos principal, not just to the name itself.
                       </p>
                     </td>
@@ -10739,7 +9993,7 @@ example.com. NS ns2.example.net.
                         This rule is identical to
                         <span class="command"><strong>ms-subdomain</strong></span>, except that it works
                         with Kerberos machine principals (i.e.,
-                        'host/machine@REALM') rather than Windows machine
+                        "host/machine@REALM") rather than Windows machine
                         principals.
                       </p>
                     </td>
@@ -10757,7 +10011,7 @@ example.com. NS ns2.example.net.
                         client's IP address into the
                         <code class="literal">in-addr.arpa</code> and
                         <code class="literal">ip6.arpa</code>
-                        namespaces match the name to be updated.
+                        namespaces matches the name to be updated.
                         The <span class="command"><strong>identity</strong></span> field must match
                         that name.  The <span class="command"><strong>name</strong></span> field
                         should be set to ".".
@@ -10830,12 +10084,12 @@ example.com. NS ns2.example.net.
                         field, the format of which is
                         "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
                         where <em class="replaceable"><code>path</code></em> is the location
-                        of a UNIX-domain socket.  (Currently, "local" is the
+                        of a Unix-domain socket.  (Currently, "local" is the
                         only supported mechanism.)
                       </p>
                       <p>
                         Requests to the external daemon are sent over the
-                        UNIX-domain socket as datagrams with the following
+                        Unix-domain socket as datagrams with the following
                         format:
                       </p>
                       <pre class="programlisting">
@@ -10857,26 +10111,23 @@ example.com. NS ns2.example.net.
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
+</table></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="multiple_views"></a>Multiple views</h4></div></div></div>
-
-            <p>
+<a name="multiple_views"></a>Multiple Views</h4></div></div></div>
+<p>
               When multiple views are in use, a zone may be
               referenced by more than one of them. Often, the views
-              will contain different zones with the same name, allowing
+              contain different zones with the same name, allowing
               different clients to receive different answers for the same
               queries. At times, however, it is desirable for multiple
               views to contain identical zones.  The
               <span class="command"><strong>in-view</strong></span> zone option provides an efficient
-              way to do this: it allows a view to reference a zone that
+              way to do this; it allows a view to reference a zone that
               was defined in a previously configured view. Example:
             </p>
-            <pre class="programlisting">
+<pre class="programlisting">
 view internal {
     match-clients { 10/8; };
 
@@ -10894,72 +10145,66 @@ view external {
     };
 };
             </pre>
-            <p>
+<p>
               An <span class="command"><strong>in-view</strong></span> option cannot refer to a view
               that is configured later in the configuration file.
             </p>
-            <p>
+<p>
               A <span class="command"><strong>zone</strong></span> statement which uses the
               <span class="command"><strong>in-view</strong></span> option may not use any other
-              options with the exception of <span class="command"><strong>forward</strong></span>
+              , with the exception of <span class="command"><strong>forward</strong></span>
               and <span class="command"><strong>forwarders</strong></span>. (These options control
-              the behavior of the containing view, rather than changing
+              the behavior of the containing view, rather than change
               the zone object itself.)
             </p>
-            <p>
-              Zone level acls (e.g. allow-query, allow-transfer) and
-              other configuration details of the zone are all set
-              in the view the referenced zone is defined in.  Care
-              need to be taken to ensure that acls are wide enough
+<p>
+              Zone-level ACLs (e.g., allow-query, allow-transfer), and
+              other configuration details of the zone, are all set
+              in the view the referenced zone is defined in.  Be
+              careful to ensure that ACLs are wide enough
               for all views referencing the zone.
             </p>
-            <p>
+<p>
               An <span class="command"><strong>in-view</strong></span> zone cannot be used as a
               response policy zone.
             </p>
-            <p>
+<p>
               An <span class="command"><strong>in-view</strong></span> zone is not intended to reference
               a <span class="command"><strong>forward</strong></span> zone.
             </p>
-          </div>
-
-        </div>
-      </div>
-      <div class="section">
+</div>
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="zone_file"></a>Zone File</h2></div></div></div>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-
-          <p>
+<p>
             This section, largely borrowed from RFC 1034, describes the
-            concept of a Resource Record (RR) and explains when each is used.
+            concept of a Resource Record (RR) and explains when each type is used.
             Since the publication of RFC 1034, several new RRs have been
             identified
             and implemented in the DNS. These are also included.
           </p>
-          <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.6.2.3"></a>Resource Records</h4></div></div></div>
-
-            <p>
+<a name="id-1.7.4.2.3"></a>Resource Records</h4></div></div></div>
+<p>
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
               information associated with a particular name is composed of
               separate RRs. The order of RRs in a set is not significant and
               need not be preserved by name servers, resolvers, or other
               parts of the DNS. However, sorting of multiple RRs is
-              permitted for optimization purposes, for example, to specify
+              permitted for optimization purposes: for example, to specify
               that a particular nearby server be tried first. See <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a> and <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
             </p>
-
-            <p>
+<p>
               The components of a Resource Record are:
             </p>
-            <div class="informaltable">
-              <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.000in" class="1">
 <col width="3.500in" class="2">
@@ -11016,7 +10261,7 @@ view external {
 <td>
                       <p>
                         An encoded 16-bit value that identifies
-                        a protocol family or instance of a protocol.
+                        a protocol family or an instance of a protocol.
                       </p>
                     </td>
 </tr>
@@ -11029,1070 +10274,22 @@ view external {
 <td>
                       <p>
                         The resource data.  The format of the
-                        data is type (and sometimes class) specific.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-            <p>
-              The following are <span class="emphasis"><em>types</em></span> of valid RRs:
-            </p>
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col width="0.875in" class="1">
-<col width="3.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        A
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A host address.  In the IN class, this is a
-                        32-bit IP address.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AAAA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 address.  Described in RFC 1886.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        A6
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 address.  This can be a partial
-                        address (a suffix) and an indirection to the name
-                        where the rest of the
-                        address (the prefix) can be found.  Experimental.
-                        Described in RFC 2874.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AFSDB
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Location of AFS database servers.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AMTRELAY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Automatic Multicast Tunneling Relay
-                        discovery record.
-                        Work in progress draft-ietf-mboned-driad-amt-discovery.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        APL
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Address prefix list.  Experimental.
-                        Described in RFC 3123.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        ATMA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        ATM Address.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AVC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Application Visibility and Control record.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CAA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies which Certificate Authorities can issue
-                        certificates for this domain and what rules they
-                        need to follow when doing so. Defined in RFC 6844.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CDNSKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies which DNSKEY records should be published
-                        as DS records in the parent zone.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CDS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains the set of DS records that should be published
-                        by the parent zone.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CERT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds a digital certificate.
-                        Described in RFC 2538.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CNAME
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the canonical name of an alias.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CSYNC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Child-to-Parent Synchronization in DNS as described
-                        in RFC 7477.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DHCID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Is used for identifying which DHCP client is
-                        associated with this name.  Described in RFC 4701.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DLV
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A DNS Look-aside Validation record which contains
-                        the records that are used as trust anchors for
-                        zones in a DLV namespace.  Described in RFC 4431.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DNAME
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Replaces the domain name specified with
-                        another name to be looked up, effectively aliasing an
-                        entire
-                        subtree of the domain name space rather than a single
-                        record
-                        as in the case of the CNAME RR.
-                        Described in RFC 2672.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DNSKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores a public key associated with a signed
-                        DNS zone.  Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DOA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Implements the Digital Object Architecture over
-                        DNS. Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores the hash of a public key associated with a
-                        signed DNS zone.  Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        EID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        End Point Identifier.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        EUI48
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A 48-bit EUI address. Described in RFC 7043.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        EUI64
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A 64-bit EUI address. Described in RFC 7043.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        GID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Reserved.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        GPOS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Specifies the global position.  Superseded by LOC.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        HINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the CPU and OS used by a host.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        HIP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Host Identity Protocol Address.
-                        Described in RFC 5205.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        IPSECKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides a method for storing IPsec keying material in
-                        DNS.  Described in RFC 4025.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        ISDN
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Representation of ISDN addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        KEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores a public key associated with a
-                        DNS name.  Used in original DNSSEC; replaced
-                        by DNSKEY in DNSSECbis, but still used with
-                        SIG(0).  Described in RFCs 2535 and 2931.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        KX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies a key exchanger for this
-                        DNS name.  Described in RFC 2230.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        L32
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds 32-bit Locator values for
-                        Identifier-Locator Network Protocol. Described
-                        in RFC 6742.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        L64
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds 64-bit Locator values for
-                        Identifier-Locator Network Protocol. Described
-                        in RFC 6742.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        LOC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        For storing GPS info.  Described in RFC 1876.
-                        Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        LP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifier-Locator Network Protocol.
-                        Described in RFC 6742.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MB
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Box.  Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MD
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Destination.  Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MF
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Forwarder.  Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MG
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Group.  Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Information.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Rename. Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies a mail exchange for the domain with
-                        a 16-bit preference value (lower is better)
-                        followed by the host name of the mail exchange.
-                        Described in RFC 974, RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NAPTR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Name authority pointer.  Described in RFC 2915.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds values for Node Identifiers in
-                        Identifier-Locator Network Protocol. Described
-                        in RFC 6742.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains zone status information.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NIMLOC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Nimrod Locator.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSAP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A network service access point.
-                        Described in RFC 1706.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSAP-PTR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The authoritative name server for the
-                        domain.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to securely indicate that
-                        RRs with an owner name in a certain name interval do
-                        not exist in
-                        a zone and indicate what RR types are present for an
-                        existing name.
-                        Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC3
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to securely indicate that
-                        RRs with an owner name in a certain name
-                        interval do not exist in a zone and indicate
-                        what RR types are present for an existing
-                        name.  NSEC3 differs from NSEC in that it
-                        prevents zone enumeration but is more
-                        computationally expensive on both the server
-                        and the client than NSEC.  Described in RFC
-                        5155.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC3PARAM
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to tell the authoritative
-                        server which NSEC3 chains are available to use.
-                        Described in RFC 5155.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NULL
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This is an opaque container.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NXT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSEC to securely indicate that
-                        RRs with an owner name in a certain name interval do
-                        not exist in
-                        a zone and indicate what RR types are present for an
-                        existing name.
-                        Used in original DNSSEC; replaced by NSEC in
-                        DNSSECbis.
-                        Described in RFC 2535.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        OPENPGPKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used to hold an OPENPGPKEY.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        PTR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A pointer to another part of the domain
-                        name space.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        PX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides mappings between RFC 822 and X.400
-                        addresses.  Described in RFC 2163.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Resource key.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information on persons responsible
-                        for the domain.  Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RRSIG
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains DNSSECbis signature data.  Described
-                        in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Route-through binding for hosts that
-                        do not have their own direct wide area network
-                        addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SIG
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains DNSSEC signature data.  Used in
-                        original DNSSEC; replaced by RRSIG in
-                        DNSSECbis, but still used for SIG(0).
-                        Described in RFCs 2535 and 2931.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SINK
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The kitchen sink record.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SMIMEA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The S/MIME Security Certificate Association.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SOA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the start of a zone of authority.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SPF
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains the Sender Policy Framework information
-                        for a given email domain.  Described in RFC 4408.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SRV
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information about well known network
-                        services (replaces WKS).  Described in RFC 2782.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SSHFP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides a way to securely publish a secure shell key's
-                        fingerprint.  Described in RFC 4255.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Trust Anchor. Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TALINK
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Trust Anchor Link.  Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TLSA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Transport Layer Security Certificate Association.
-                        Described in RFC 6698.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TXT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Text records.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        UID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Reserved.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        UINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Reserved.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        UNSPEC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Reserved. Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        URI
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds a URI. Described in RFC 7553.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        WKS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information about which well known
-                        network services, such as SMTP, that a domain
-                        supports. Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        X25
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Representation of X.25 network addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        ZONEMD
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Zone Message Digest.
-                        Work in progress draft-wessels-dns-zone-digest.
+                        data is type- and sometimes class-specific.
                       </p>
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-            <p>
+</table></div>
+<p>
+                For a complete list of <span class="emphasis"><em>types</em></span> of valid RRs,
+                including those that have been obsoleted,
+                please refer to https://en.wikipedia.org/wiki/List_of_DNS_record_types.
+                </p>
+<p>
               The following <span class="emphasis"><em>classes</em></span> of resource records
               are currently valid in the DNS:
             </p>
-            <div class="informaltable">
-<table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="0.875in" class="1">
 <col width="3.625in" class="2">
@@ -12120,7 +10317,7 @@ view external {
                       <p>
                         Chaosnet, a LAN protocol created at MIT in the
                         mid-1970s.
-                        Rarely used for its historical purpose, but reused for
+                        It was rarely used for its historical purpose, but was reused for
                         BIND's
                         built-in server information zones, e.g.,
                         <code class="literal">version.bind</code>.
@@ -12136,34 +10333,32 @@ view external {
 <td>
                       <p>
                         Hesiod, an information service
-                        developed by MIT's Project Athena. It is used to share
+                        developed by MIT's Project Athena. It was used to share
                         information
                         about various systems databases, such as users,
-                        groups, printers
-                        and so on.
+                        groups, printers,
+                        etc.
                       </p>
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-
-            <p>
+</table></div>
+<p>
               The owner name is often implicit, rather than forming an
               integral
               part of the RR.  For example, many name servers internally form
               tree
               or hash structures for the name space, and chain RRs off nodes.
-              The remaining RR parts are the fixed header (type, class, TTL)
+              The remaining RR parts are the fixed header (type, class, TTL),
               which is consistent for all RRs, and a variable part (RDATA)
               that
               fits the needs of the resource being described.
             </p>
-            <p>
-              The meaning of the TTL field is a time limit on how long an
+<p>
+              The TTL field is a time limit on how long an
               RR can be kept in a cache.  This limit does not apply to
               authoritative
-              data in zones; it is also timed out, but by the refreshing
+              data in zones; that also times out, but follows the refreshing
               policies
               for the zone.  The TTL is assigned by the administrator for the
               zone where the data originates.  While short TTLs can be used to
@@ -12174,61 +10369,58 @@ view external {
               order of days for the typical host.  If a change can be
               anticipated,
               the TTL can be reduced prior to the change to minimize
-              inconsistency
-              during the change, and then increased back to its former value
+              inconsistency, and then increased back to its former value
               following
               the change.
             </p>
-            <p>
+<p>
               The data in the RDATA section of RRs is carried as a combination
               of binary strings and domain names.  The domain names are
               frequently
               used as "pointers" to other data in the DNS.
             </p>
-          </div>
-          <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="rr_text"></a>Textual expression of RRs</h4></div></div></div>
-
-            <p>
+<a name="rr_text"></a>Textual Expression of RRs</h4></div></div></div>
+<p>
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
               when
               stored in a name server or resolver.  In the examples provided
               in
-              RFC 1034, a style similar to that used in master files was
+              RFC 1034, a style similar to that used in zone files was
               employed
               in order to show the contents of RRs.  In this format, most RRs
               are shown on a single line, although continuation lines are
               possible
               using parentheses.
             </p>
-            <p>
+<p>
               The start of the line gives the owner of the RR.  If a line
               begins with a blank, then the owner is assumed to be the same as
               that of the previous RR.  Blank lines are often included for
               readability.
             </p>
-            <p>
-              Following the owner, we list the TTL, type, and class of the
+<p>
+              Following the owner are list the TTL, type, and class of the
               RR.  Class and type use the mnemonics defined above, and TTL is
-              an integer before the type field.  In order to avoid ambiguity
+              an integer before the type field.  To avoid ambiguity
               in
               parsing, type and class mnemonics are disjoint, TTLs are
               integers,
               and the type mnemonic is always last. The IN class and TTL
               values
-              are often omitted from examples in the interests of clarity.
+              are often omitted from examples in the interest of clarity.
             </p>
-            <p>
-              The resource data or RDATA section of the RR are given using
+<p>
+              The resource data or RDATA section of the RR is given using
               knowledge of the typical representation for the data.
             </p>
-            <p>
-              For example, we might show the RRs carried in a message as:
+<p>
+              For example, the RRs carried in a message might be shown as:
             </p>
-            <div class="informaltable">
-<table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.381in" class="1">
 <col width="1.020in" class="2">
@@ -12332,23 +10524,21 @@ view external {
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-            <p>
+</table></div>
+<p>
               The MX RRs have an RDATA section which consists of a 16-bit
               number followed by a domain name.  The address RRs use a
               standard
-              IP address format to contain a 32-bit internet address.
+              IP address format to contain a 32-bit Internet address.
             </p>
-            <p>
+<p>
               The above example shows six RRs, with two RRs at each of three
               domain names.
             </p>
-            <p>
-              Similarly we might see:
+<p>
+              Here is another possible example:
             </p>
-            <div class="informaltable">
-<table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.491in" class="1">
 <col width="1.067in" class="2">
@@ -12386,57 +10576,52 @@ view external {
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-            <p>
+</table></div>
+<p>
               This example shows two addresses for
               <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
             </p>
-          </div>
-        </div>
-
-        <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="mx_records"></a>Discussion of MX Records</h3></div></div></div>
-
-          <p>
+<p>
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
             piece of information about a given domain name (which is usually,
             but not always, a host). The simplest way to think of a RR is as
-            a typed pair of data, a domain name matched with a relevant datum,
-            and stored with some additional type information to help systems
+            a typed pair of data, a domain name matched with a relevant datum
+            and stored with some additional type information, to help systems
             determine when the RR is relevant.
           </p>
-
-          <p>
+<p>
             MX records are used to control delivery of email. The data
             specified in the record is a priority and a domain name. The
             priority
             controls the order in which email delivery is attempted, with the
             lowest number first. If two priorities are the same, a server is
             chosen randomly. If no servers at a given priority are responding,
-            the mail transport agent will fall back to the next largest
+            the mail transport agent falls back to the next largest
             priority.
-            Priority numbers do not have any absolute meaning &#8212; they are
+            Priority numbers do not have any absolute meaning; they are
             relevant
             only respective to other MX records for that domain name. The
             domain
-            name given is the machine to which the mail will be delivered.
+            name given is the machine to which the mail is delivered.
             It <span class="emphasis"><em>must</em></span> have an associated address record
-            (A or AAAA) &#8212; CNAME is not sufficient.
+            (A or AAAA); CNAME is not sufficient.
           </p>
-          <p>
+<p>
             For a given domain, if there is both a CNAME record and an
-            MX record, the MX record is in error, and will be ignored.
+            MX record, the MX record is in error, and is ignored.
             Instead,
-            the mail will be delivered to the server specified in the MX
+            the mail is delivered to the server specified in the MX
             record
             pointed to by the CNAME.
             For example:
           </p>
-          <div class="informaltable">
-            <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.708in" class="1">
 <col width="0.444in" class="2">
@@ -12573,29 +10758,26 @@ view external {
                   </td>
 </tr>
 </tbody>
-</table>
-            </div>
+</table></div>
 <p>
-            Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
+            Mail delivery is attempted to <code class="literal">mail.example.com</code> and
             <code class="literal">mail2.example.com</code> (in
-            any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
-            be attempted.
+            any order); if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code>
+            is attempted.
           </p>
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-
-          <p>
-            The time-to-live of the RR field is a 32-bit integer represented
+<p>
+            The time-to- (TTL) of the RR field is a 32-bit integer represented
             in units of seconds, and is primarily used by resolvers when they
-            cache RRs. The TTL describes how long a RR can be cached before it
-            should be discarded. The following three types of TTL are
+            cache RRs. The TTL describes how long an RR can be cached before it
+            should be discarded. The following three types of TTLs are
             currently
             used in a zone file.
           </p>
-          <div class="informaltable">
-            <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="0.750in" class="1">
 <col width="4.375in" class="2">
@@ -12610,9 +10792,9 @@ view external {
 <td>
                     <p>
                       The last field in the SOA is the negative
-                      caching TTL. This controls how long other servers will
+                      caching TTL. This controls how long other servers
                       cache no-such-domain
-                      (NXDOMAIN) responses from you.
+                      (NXDOMAIN) responses from this server.
                     </p>
                     <p>
                       The maximum time for
@@ -12644,24 +10826,22 @@ view external {
 <td>
                     <p>
                       Each RR can have a TTL as the second
-                      field in the RR, which will control how long other
+                      field in the RR, which controls how long other
                       servers can cache it.
                     </p>
                   </td>
 </tr>
 </tbody>
-</table>
-          </div>
-          <p>
+</table></div>
+<p>
             All of these TTLs default to units of seconds, though units
-            can be explicitly specified, for example, <code class="literal">1h30m</code>.
+            can be explicitly specified: for example, <code class="literal">1h30m</code>.
           </p>
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="ipv4_reverse"></a>Inverse Mapping in IPv4</h3></div></div></div>
-
-          <p>
+<p>
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
             and PTR records. Entries in the in-addr.arpa domain are made in
@@ -12676,8 +10856,7 @@ view external {
             PTR records if the machine has more than one name. For example,
             in the [<span class="optional">example.com</span>] domain:
           </p>
-          <div class="informaltable">
-            <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.125in" class="1">
 <col width="4.000in" class="2">
@@ -12708,107 +10887,98 @@ view external {
                   </td>
 </tr>
 </tbody>
-</table>
-          </div>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+</table></div>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
-              The <span class="command"><strong>$ORIGIN</strong></span> lines in the examples
-              are for providing context to the examples only &#8212; they do not
+<p>
+              The <span class="command"><strong>$ORIGIN</strong></span> line in this example
+              is only to provide context; it does not
               necessarily
-              appear in the actual usage. They are only used here to indicate
+              appear in the actual usage. It is only used here to indicate
               that the example is relative to the listed origin.
             </p>
-          </div>
-        </div>
-        <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="zone_directives"></a>Other Zone File Directives</h3></div></div></div>
-
-          <p>
-            The Master File Format was initially defined in RFC 1035 and
-            has subsequently been extended. While the Master File Format
+<p>
+            The DNS "master file" format was initially defined in RFC 1035 and
+            has subsequently been extended. While the format
             itself
-            is class independent all records in a Master File must be of the
+            is class-independent, all records in a zone file must be of the
             same
             class.
           </p>
-          <p>
-            Master File Directives include <span class="command"><strong>$ORIGIN</strong></span>, <span class="command"><strong>$INCLUDE</strong></span>,
+<p>
+            Master file directives include <span class="command"><strong>$ORIGIN</strong></span>, <span class="command"><strong>$INCLUDE</strong></span>,
             and <span class="command"><strong>$TTL.</strong></span>
           </p>
-          <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="atsign"></a>The <span class="command"><strong>@</strong></span> (at-sign)</h4></div></div></div>
-
-            <p>
+<p>
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
               At the start of the zone file, it is the
-              &lt;<code class="varname">zone_name</code>&gt; (followed by
-              trailing dot).
+              &lt;<code class="varname">zone_name</code>&gt;, followed by a
+              trailing dot (.).
             </p>
-          </div>
-          <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="origin_directive"></a>The <span class="command"><strong>$ORIGIN</strong></span> Directive</h4></div></div></div>
-
-            <p>
+<p>
               Syntax: <span class="command"><strong>$ORIGIN</strong></span>
               <em class="replaceable"><code>domain-name</code></em>
               [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
             </p>
-            <p><span class="command"><strong>$ORIGIN</strong></span>
-              sets the domain name that will be appended to any
-              unqualified records. When a zone is first read in there
+<p><span class="command"><strong>$ORIGIN</strong></span>
+              sets the domain name that is appended to any
+              unqualified records. When a zone is first read, there
               is an implicit <span class="command"><strong>$ORIGIN</strong></span>
-              &lt;<code class="varname">zone_name</code>&gt;<span class="command"><strong>.</strong></span>
-              (followed by trailing dot).
+              &lt;<code class="varname">zone_name</code>&gt;<span class="command"><strong>.</strong></span>;
+              note the trailing dot.
               The current <span class="command"><strong>$ORIGIN</strong></span> is appended to
               the domain specified in the <span class="command"><strong>$ORIGIN</strong></span>
               argument if it is not absolute.
             </p>
-
 <pre class="programlisting">
 $ORIGIN example.com.
 WWW     CNAME   MAIN-SERVER
 </pre>
-
-            <p>
+<p>
               is equivalent to
             </p>
-
 <pre class="programlisting">
 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </pre>
-
-          </div>
-          <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="include_directive"></a>The <span class="command"><strong>$INCLUDE</strong></span> Directive</h4></div></div></div>
-
-            <p>
+<p>
               Syntax: <span class="command"><strong>$INCLUDE</strong></span>
               <em class="replaceable"><code>filename</code></em>
               [<span class="optional">
 <em class="replaceable"><code>origin</code></em> </span>]
               [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
             </p>
-            <p>
-              Read and process the file <code class="filename">filename</code> as
-              if it were included into the file at this point.  If <span class="command"><strong>origin</strong></span> is
-              specified the file is processed with <span class="command"><strong>$ORIGIN</strong></span> set
-              to that value, otherwise the current <span class="command"><strong>$ORIGIN</strong></span> is
+<p>
+              This reads and processes the file <code class="filename">filename</code> as
+              if it were included in the file at this point.  If <span class="command"><strong>origin</strong></span> is
+              specified, the file is processed with <span class="command"><strong>$ORIGIN</strong></span> set
+              to that value; otherwise, the current <span class="command"><strong>$ORIGIN</strong></span> is
               used.
             </p>
-            <p>
+<p>
               The origin and the current domain name
               revert to the values they had prior to the <span class="command"><strong>$INCLUDE</strong></span> once
               the file has been read.
             </p>
-            <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-              <p>
+<p>
                 RFC 1035 specifies that the current origin should be restored
                 after
                 an <span class="command"><strong>$INCLUDE</strong></span>, but it is silent
@@ -12818,33 +10988,31 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
                 This could be construed as a deviation from RFC 1035, a
                 feature, or both.
               </p>
-            </div>
-          </div>
-          <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="ttl_directive"></a>The <span class="command"><strong>$TTL</strong></span> Directive</h4></div></div></div>
-
-            <p>
+<p>
               Syntax: <span class="command"><strong>$TTL</strong></span>
               <em class="replaceable"><code>default-ttl</code></em>
               [<span class="optional">
 <em class="replaceable"><code>comment</code></em> </span>]
             </p>
-            <p>
-              Set the default Time To Live (TTL) for subsequent records
+<p>
+              This sets the default Time-To-Live (TTL) for subsequent records
               with undefined TTLs. Valid TTLs are of the range 0-2147483647
               seconds.
             </p>
-            <p><span class="command"><strong>$TTL</strong></span>
+<p><span class="command"><strong>$TTL</strong></span>
                is defined in RFC 2308.
             </p>
-          </div>
-        </div>
-        <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="generate_directive"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</h3></div></div></div>
-
-          <p>
+<a name="generate_directive"></a><acronym class="acronym">BIND</acronym> Primary File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</h3></div></div></div>
+<p>
             Syntax: <span class="command"><strong>$GENERATE</strong></span>
             <em class="replaceable"><code>range</code></em>
             <em class="replaceable"><code>lhs</code></em>
@@ -12854,23 +11022,20 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
             <em class="replaceable"><code>rhs</code></em>
             [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
           </p>
-          <p><span class="command"><strong>$GENERATE</strong></span>
+<p><span class="command"><strong>$GENERATE</strong></span>
             is used to create a series of resource records that only
             differ from each other by an
             iterator. <span class="command"><strong>$GENERATE</strong></span> can be used to
             easily generate the sets of records required to support
-            sub /24 reverse delegations described in RFC 2317:
+            sub-/24 reverse delegations described in RFC 2317:
             Classless IN-ADDR.ARPA delegation.
           </p>
-
 <pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
 $GENERATE 1-2 @ NS SERVER$.EXAMPLE.
 $GENERATE 1-127 $ CNAME $.0</pre>
-
-          <p>
+<p>
             is equivalent to
           </p>
-
 <pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
@@ -12878,22 +11043,18 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 ...
 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
 </pre>
-
-           <p>
-            Generate a set of A and MX records.  Note the MX's right hand
-            side is a quoted string.  The quotes will be stripped when the
-            right hand side is processed.
+<p>
+            Both generate a set of A and MX records.  Note the MX's right-hand
+            side is a quoted string.  The quotes are stripped when the
+            right-hand side is processed.
            </p>
-
 <pre class="programlisting">
 $ORIGIN EXAMPLE.
 $GENERATE 1-127 HOST-$ A 1.2.3.$
 $GENERATE 1-127 HOST-$ MX "0 ."</pre>
-
-          <p>
+<p>
             is equivalent to
           </p>
-
 <pre class="programlisting">HOST-1.EXAMPLE.   A  1.2.3.1
 HOST-1.EXAMPLE.   MX 0 .
 HOST-2.EXAMPLE.   A  1.2.3.2
@@ -12904,9 +11065,7 @@ HOST-3.EXAMPLE.   MX 0 .
 HOST-127.EXAMPLE. A  1.2.3.127
 HOST-127.EXAMPLE. MX 0 .
 </pre>
-
-          <div class="informaltable">
-            <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="0.875in" class="1">
 <col width="4.250in" class="2">
@@ -12920,9 +11079,9 @@ HOST-127.EXAMPLE. MX 0 .
                     <p>
                       This can be one of two forms: start-stop
                       or start-stop/step. If the first form is used, then step
-                      is set to 1. start, stop and step must be positive
-                      integers between 0 and (2^31)-1. start must not be
-                      larger than stop.
+                      is set to 1. "start", "stop", and "step" must be positive
+                      integers between 0 and (2^31)-1. "start" must not be
+                      larger than "stop".
                     </p>
                   </td>
 </tr>
@@ -12938,20 +11097,20 @@ HOST-127.EXAMPLE. MX 0 .
                       symbols within the <span class="command"><strong>lhs</strong></span> string
                       are replaced by the iterator value.
 
-                      To get a $ in the output, you need to escape the
+                      To get a $ in the output, escape the
                       <span class="command"><strong>$</strong></span> using a backslash
                       <span class="command"><strong>\</strong></span>,
-                      e.g. <span class="command"><strong>\$</strong></span>. The
+                      e.g., <span class="command"><strong>\$</strong></span>. The
                       <span class="command"><strong>$</strong></span> may optionally be followed
                       by modifiers which change the offset from the
-                      iterator, field width and base.
+                      iterator, field width, and base.
 
                       Modifiers are introduced by a
                       <span class="command"><strong>{</strong></span> (left brace) immediately following the
-                      <span class="command"><strong>$</strong></span> as
+                      <span class="command"><strong>$</strong></span>, as in
                       <span class="command"><strong>${offset[,width[,base]]}</strong></span>.
                       For example, <span class="command"><strong>${-20,3,d}</strong></span>
-                      subtracts 20 from the current value, prints the
+                      subtracts 20 from the current value and prints the
                       result as a decimal in a zero-padded field of
                       width 3.
 
@@ -12959,8 +11118,8 @@ HOST-127.EXAMPLE. MX 0 .
                       (<span class="command"><strong>d</strong></span>), octal
                       (<span class="command"><strong>o</strong></span>), hexadecimal
                       (<span class="command"><strong>x</strong></span> or <span class="command"><strong>X</strong></span>
-                      for uppercase) and nibble
-                      (<span class="command"><strong>n</strong></span> or <span class="command"><strong>N</strong></span>\
+                      for uppercase), and nibble
+                      (<span class="command"><strong>n</strong></span> or <span class="command"><strong>N</strong></span>
                       for uppercase).  The default modifier is
                       <span class="command"><strong>${0,0,d}</strong></span>.  If the
                       <span class="command"><strong>lhs</strong></span> is not absolute, the
@@ -12968,8 +11127,8 @@ HOST-127.EXAMPLE. MX 0 .
                       to the name.
                     </p>
                     <p>
-                      In nibble mode the value will be treated as
-                      if it was a reversed hexadecimal string
+                      In nibble mode, the value is treated as
+                      if it were a reversed hexadecimal string,
                       with each hexadecimal digit as a separate
                       label.  The width field includes the label
                       separator.
@@ -12987,8 +11146,8 @@ HOST-127.EXAMPLE. MX 0 .
                   </td>
 <td>
                     <p>
-                      Specifies the time-to-live of the generated records. If
-                      not specified this will be inherited using the
+                      This specifies the time-to-live of the generated records. If
+                      not specified, this is inherited using the
                       normal TTL inheritance rules.
                     </p>
                     <p><span class="command"><strong>class</strong></span>
@@ -13003,7 +11162,7 @@ HOST-127.EXAMPLE. MX 0 .
                   </td>
 <td>
                     <p>
-                      Specifies the class of the generated records.
+                      This specifies the class of the generated records.
                       This must match the zone class if it is
                       specified.
                     </p>
@@ -13019,7 +11178,7 @@ HOST-127.EXAMPLE. MX 0 .
                   </td>
 <td>
                     <p>
-                      Any valid type.
+                      This can be any valid type.
                     </p>
                   </td>
 </tr>
@@ -13029,69 +11188,66 @@ HOST-127.EXAMPLE. MX 0 .
                   </td>
 <td>
                     <p>
-                      <span class="command"><strong>rhs</strong></span>, optionally, quoted string.
+                      <span class="command"><strong>rhs</strong></span> is an optionally quoted string.
                     </p>
                   </td>
 </tr>
 </tbody>
-</table>
-          </div>
-          <p>
+</table></div>
+<p>
             The <span class="command"><strong>$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
             and not part of the standard zone file format.
           </p>
-          <p>
+<p>
             BIND 8 did not support the optional TTL and CLASS fields.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
-
-          <p>
-            In addition to the standard textual format, BIND 9
+<p>
+            In addition to the standard text format, BIND 9
             supports the ability to read or dump to zone files in
             other formats.
           </p>
-          <p>
+<p>
             The <code class="constant">raw</code> format is
             a binary representation of zone data in a manner similar
             to that used in zone transfers.  Since it does not require
             parsing text, load time is significantly reduced.
           </p>
-          <p>
+<p>
             An even faster alternative is the <code class="constant">map</code>
             format, which is an image of a <acronym class="acronym">BIND</acronym> 9
-            in-memory zone database; it is capable of being loaded
+            in-memory zone database; it can be loaded
             directly into memory via the <span class="command"><strong>mmap()</strong></span>
-            function; the zone can begin serving queries almost
+            function and the zone can begin serving queries almost
             immediately.
           </p>
-          <p>
+<p>
             For a primary server, a zone file in
             <code class="constant">raw</code> or <code class="constant">map</code>
             format is expected to be generated from a textual zone
             file by the <span class="command"><strong>named-compilezone</strong></span> command.
-            For a secondary server or for a dynamic zone, it is automatically
-            generated (if this format is specified by the
-            <span class="command"><strong>masterfile-format</strong></span> option) when
+            For a secondary server or for a dynamic zone, the zone file is automatically
+            generated when
             <span class="command"><strong>named</strong></span> dumps the zone contents after
-            zone transfer or when applying prior updates.
+            zone transfer or when applying prior updates, if one of these formats is specified by the
+            <span class="command"><strong>masterfile-format</strong></span> option.
           </p>
-          <p>
+<p>
             If a zone file in a binary format needs manual modification,
             it first must be converted to a textual form by the
-            <span class="command"><strong>named-compilezone</strong></span> command.  All
-            necessary modification should go to the text file, which
-            should then be converted to the binary form by the
+            <span class="command"><strong>named-compilezone</strong></span> command.  Make any
+            necessary modifications to the text file, and
+            then convert it to the binary form via the
             <span class="command"><strong>named-compilezone</strong></span> command again.
           </p>
-          <p>
+<p>
             Note that <span class="command"><strong>map</strong></span> format is extremely
             architecture-specific.  A <code class="constant">map</code>
             file <span class="emphasis"><em>cannot</em></span> be used on a system
-            with different pointer size, endianness or data alignment
+            with different pointer size, endianness, or data alignment
             than the system on which it was generated, and should in
             general be used only inside a single system.
             While <code class="constant">raw</code> format uses
@@ -13104,30 +11260,24 @@ HOST-127.EXAMPLE. MX 0 .
             portable backup of such a file, conversion to
             <code class="constant">text</code> format is recommended.
           </p>
-        </div>
-      </div>
-
-      <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
-
-        <p>
+<a name="statistics"></a>BIND 9 Statistics</h2></div></div></div>
+<p>
           <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
           information and provides several interfaces for users to
-          get access to the statistics.
+          access those statistics.
           The available statistics include all statistics counters
-          that were available in <acronym class="acronym">BIND</acronym> 8 and
-          are meaningful in <acronym class="acronym">BIND</acronym> 9,
+          that are meaningful in <acronym class="acronym">BIND</acronym> 9,
           and other information that is considered useful.
         </p>
-
-        <p>
+<p>
           The statistics information is categorized into the following
-          sections.
+          sections:
         </p>
-
-        <div class="informaltable">
-          <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="3.300in" class="1">
 <col width="2.625in" class="2">
@@ -13160,8 +11310,8 @@ HOST-127.EXAMPLE. MX 0 .
 <td>
                   <p>
                     The number of outgoing queries for each RR
-                    type sent from the internal resolver.
-                    Maintained per view.
+                    type sent from the internal resolver,
+                    maintained per view.
                   </p>
                 </td>
 </tr>
@@ -13171,7 +11321,7 @@ HOST-127.EXAMPLE. MX 0 .
                 </td>
 <td>
                   <p>
-                    Statistics counters about incoming request processing.
+                    Statistics counters for incoming request processing.
                   </p>
                 </td>
 </tr>
@@ -13182,7 +11332,7 @@ HOST-127.EXAMPLE. MX 0 .
 <td>
                   <p>
                     Statistics counters regarding zone maintenance
-                    operations such as zone transfers.
+                    operations, such as zone transfers.
                   </p>
                 </td>
 </tr>
@@ -13192,9 +11342,9 @@ HOST-127.EXAMPLE. MX 0 .
                 </td>
 <td>
                   <p>
-                    Statistics counters about name resolution
-                    performed in the internal resolver.
-                    Maintained per view.
+                    Statistics counters for name resolutions
+                    performed in the internal resolver,
+                    maintained per view.
                   </p>
                 </td>
 </tr>
@@ -13204,14 +11354,29 @@ HOST-127.EXAMPLE. MX 0 .
                 </td>
 <td>
                   <p>
-                    The number of RRsets per RR type and nonexistent
-                    names stored in the cache database.
-                    If the exclamation mark (!) is printed for a RR
-                    type, it means that particular type of RRset is
-                    known to be nonexistent (this is also known as
-                    "NXRRSET").  If a hash mark (#) is present then
-                    the RRset is marked for garbage collection.
-                    Maintained per view.
+                    Statistics counters related to cache contents,
+                    maintained per view.
+                  </p>
+                  <p>
+                    The "NXDOMAIN" counter is the number of names
+                    that have been cached as nonexistent.
+                    Counters named for RR types indicate the
+                    number of active RRsets for each type in the cache
+                    database.
+                  </p>
+                  <p>
+                    If an RR type name is preceded by an exclamation
+                    point (!), it represents the number of records in the
+                    cache which indicate that the type does not exist
+                    for a particular name; this is also known as "NXRRSET".
+                    If an RR type name is preceded by a hash mark (#), it
+                    represents the number of RRsets for this type that are
+                    present in the cache but whose TTLs have expired; these
+                    RRsets may only be used if stale answers are enabled.
+                    If an RR type name is preceded by a tilde (~), it
+                    represents the number of RRsets for this type that are
+                    present in the cache database but are marked for garbage
+                    collection; these RRsets cannot be used.
                   </p>
                 </td>
 </tr>
@@ -13221,109 +11386,95 @@ HOST-127.EXAMPLE. MX 0 .
                 </td>
 <td>
                   <p>
-                    Statistics counters about network related events.
+                    Statistics counters for network-related events.
                   </p>
                 </td>
 </tr>
 </tbody>
-</table>
-        </div>
-
-        <p>
+</table></div>
+<p>
           A subset of Name Server Statistics is collected and shown
-          per zone for which the server has the authority when
+          per zone for which the server has the authority, when
           <span class="command"><strong>zone-statistics</strong></span> is set to
-          <strong class="userinput"><code>full</code></strong> (or <strong class="userinput"><code>yes</code></strong>
+          <strong class="userinput"><code>full</code></strong> (or <strong class="userinput"><code>yes</code></strong>),
           for backward compatibility. See the description of
           <span class="command"><strong>zone-statistics</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
           Usage&#8221;</a>
           for further details.
         </p>
-
-        <p>
+<p>
           These statistics counters are shown with their zone and
           view names. The view name is omitted when the server is
           not configured with explicit views.</p>
-
-        <p>
+<p>
           There are currently two user interfaces to get access to the
           statistics.
-          One is in the plain text format dumped to the file specified
-          by the <span class="command"><strong>statistics-file</strong></span> configuration option.
-          The other is remotely accessible via a statistics channel
+          One is in plain-text format, dumped to the file specified
+          by the <span class="command"><strong>statistics-file</strong></span> configuration option;
+          the other is remotely accessible via a statistics channel
           when the <span class="command"><strong>statistics-channels</strong></span> statement
           is specified in the configuration file
           (see <a class="xref" href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called &#8220;<span class="command"><strong>statistics-channels</strong></span> Statement Grammar&#8221;</a>.)
         </p>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statsfile"></a>The Statistics File</h3></div></div></div>
-
-          <p>
+<p>
             The text format statistics dump begins with a line, like:
           </p>
-          <p>
+<p>
             <span class="command"><strong>+++ Statistics Dump +++ (973798949)</strong></span>
           </p>
-          <p>
+<p>
             The number in parentheses is a standard
-            Unix-style timestamp, measured as seconds since January 1, 1970.
+            Unix-style timestamp, measured in seconds since January 1, 1970.
 
             Following
             that line is a set of statistics information, which is categorized
             as described above.
             Each section begins with a line, like:
           </p>
-
-          <p>
+<p>
             <span class="command"><strong>++ Name Server Statistics ++</strong></span>
           </p>
-
-          <p>
+<p>
             Each section consists of lines, each containing the statistics
-            counter value followed by its textual description.
-            See below for available counters.
+            counter value followed by its textual description;
+            see below for available counters.
             For brevity, counters that have a value of 0 are not shown
             in the statistics file.
           </p>
-
-          <p>
+<p>
             The statistics dump ends with the line where the
             number is identical to the number in the beginning line; for example:
           </p>
-          <p>
+<p>
             <span class="command"><strong>--- Statistics Dump --- (973798949)</strong></span>
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
-
-          <p>
-            The following tables summarize statistics counters that
+<p>
+            The following tables summarize the statistics counters that
             <acronym class="acronym">BIND</acronym> 9 provides.
             For each row of the tables, the leftmost column is the
-            abbreviated symbol name of that counter.
-            These symbols are shown in the statistics information
+            abbreviated symbol name of that counter;
+            these symbols are shown in the statistics information
             accessed via an HTTP statistics channel.
             The rightmost column gives the description of the counter,
-            which is also shown in the statistics file
-            (but, in this document, possibly with slight modification
-            for better readability).
+            which is also shown in the statistics file,
+            but, in this document, may be slightly modified
+            for better readability.
             Additional notes may also be provided in this column.
             When a middle column exists between these two columns,
             it gives the corresponding counter name of the
             <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
           </p>
-
-          <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div>
-
-            <div class="informaltable">
-              <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.150in" class="1">
 <col width="1.150in" class="2">
@@ -13338,7 +11489,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        <span class="emphasis"><em>BIND8 Symbol</em></span>
+                        <span class="emphasis"><em>BIND 8 Symbol</em></span>
                       </p>
                     </td>
 <td>
@@ -13356,8 +11507,8 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 requests received.
-                        Note: this also counts non query requests.
+                        This indicates the number of IPv4 requests received.
+                        Note: this also counts non-query requests.
                       </p>
                     </td>
 </tr>
@@ -13370,8 +11521,8 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 requests received.
-                        Note: this also counts non query requests.
+                        This indicates the number of IPv6 requests received.
+                        Note: this also counts non-query requests.
                       </p>
                     </td>
 </tr>
@@ -13384,7 +11535,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Requests with EDNS(0) received.
+                        This indicates the number of requests received with EDNS(0).
                       </p>
                     </td>
 </tr>
@@ -13397,7 +11548,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Requests with unsupported EDNS version received.
+                        This indicates the number of requests received with an unsupported EDNS version.
                       </p>
                     </td>
 </tr>
@@ -13410,7 +11561,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Requests with TSIG received.
+                        This indicates the number of requests received with TSIG.
                       </p>
                     </td>
 </tr>
@@ -13423,7 +11574,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Requests with SIG(0) received.
+                        This indicates the number of requests received with SIG(0).
                       </p>
                     </td>
 </tr>
@@ -13436,7 +11587,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Requests with invalid (TSIG or SIG(0)) signature.
+                        This indicates the number of requests received with an invalid (TSIG or SIG(0)) signature.
                       </p>
                     </td>
 </tr>
@@ -13449,7 +11600,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        TCP requests received.
+                        This indicates the number of TCP requests received.
                       </p>
                     </td>
 </tr>
@@ -13462,7 +11613,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Authoritative (non recursive) queries rejected.
+                        This indicates the number of rejected authoritative (non-recursive) queries.
                       </p>
                     </td>
 </tr>
@@ -13475,7 +11626,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Recursive queries rejected.
+                        This indicates the number of rejected recursive queries.
                       </p>
                     </td>
 </tr>
@@ -13488,7 +11639,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Zone transfer requests rejected.
+                        This indicates the number of rejected zone transfer requests.
                       </p>
                     </td>
 </tr>
@@ -13501,7 +11652,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Dynamic update requests rejected.
+                        This indicates the number of rejected dynamic update requests.
                       </p>
                     </td>
 </tr>
@@ -13514,7 +11665,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Responses sent.
+                        This indicates the number of responses sent.
                       </p>
                     </td>
 </tr>
@@ -13527,7 +11678,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Truncated responses sent.
+                        This indicates the number of truncated responses sent.
                       </p>
                     </td>
 </tr>
@@ -13540,7 +11691,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Responses with EDNS(0) sent.
+                        This indicates the number of responses sent with EDNS(0).
                       </p>
                     </td>
 </tr>
@@ -13553,7 +11704,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Responses with TSIG sent.
+                        This indicates the number of responses sent with TSIG.
                       </p>
                     </td>
 </tr>
@@ -13566,7 +11717,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Responses with SIG(0) sent.
+                        This indicates the number of responses sent with SIG(0).
                       </p>
                     </td>
 </tr>
@@ -13579,8 +11730,8 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in a successful answer.
-                        This means the query which returns a NOERROR response
+                        This indicates the number of queries that resulted in a successful answer,
+                        meaning queries which return a NOERROR response
                         with at least one answer RR.
                         This corresponds to the
                         <span class="command"><strong>success</strong></span> counter
@@ -13598,7 +11749,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in authoritative answer.
+                        This indicates the number of queries that resulted in an authoritative answer.
                       </p>
                     </td>
 </tr>
@@ -13611,7 +11762,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in non authoritative answer.
+                        This indicates the number of queries that resulted in a non-authoritative answer.
                       </p>
                     </td>
 </tr>
@@ -13624,7 +11775,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in referral answer.
+                        This indicates the number of queries that resulted in a referral answer.
                         This corresponds to the
                         <span class="command"><strong>referral</strong></span> counter
                         of previous versions of
@@ -13641,7 +11792,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in NOERROR responses with no data.
+                        This indicates the number of queries that resulted in NOERROR responses with no data.
                         This corresponds to the
                         <span class="command"><strong>nxrrset</strong></span> counter
                         of previous versions of
@@ -13658,7 +11809,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in SERVFAIL.
+                        This indicates the number of queries that resulted in SERVFAIL.
                       </p>
                     </td>
 </tr>
@@ -13671,7 +11822,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in FORMERR.
+                        This indicates the number of queries that resulted in FORMERR.
                       </p>
                     </td>
 </tr>
@@ -13684,7 +11835,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in NXDOMAIN.
+                        This indicates the number of queries that resulted in NXDOMAIN.
                         This corresponds to the
                         <span class="command"><strong>nxdomain</strong></span> counter
                         of previous versions of
@@ -13701,7 +11852,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries which caused the server
+                        This indicates the number of queries that caused the server
                         to perform recursion in order to find the final answer.
                         This corresponds to the
                         <span class="command"><strong>recursion</strong></span> counter
@@ -13719,9 +11870,9 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries which the server attempted to
-                        recurse but discovered an existing query with the same
-                        IP address, port, query ID, name, type and class
+                        This indicates the number of queries which the server attempted to
+                        recurse but for which it discovered an existing query with the same
+                        IP address, port, query ID, name, type, and class
                         already being processed.
                         This corresponds to the
                         <span class="command"><strong>duplicate</strong></span> counter
@@ -13739,10 +11890,10 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Recursive queries for which the server
+                        This indicates the number of recursive queries for which the server
                         discovered an excessive number of existing
-                        recursive queries for the same name, type and
-                        class and were subsequently dropped.
+                        recursive queries for the same name, type, and
+                        class, and which were subsequently dropped.
                         This is the number of dropped queries due to
                         the reason explained with the
                         <span class="command"><strong>clients-per-query</strong></span>
@@ -13767,18 +11918,18 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Other query failures.
+                        This indicates the number of query failures.
                         This corresponds to the
                         <span class="command"><strong>failure</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                         Note: this counter is provided mainly for
-                        backward compatibility with the previous versions.
-                        Normally a more fine-grained counters such as
+                        backward compatibility with the previous versions;
+                        normally, more fine-grained counters such as
                         <span class="command"><strong>AuthQryRej</strong></span> and
                         <span class="command"><strong>RecQryRej</strong></span>
                         that would also fall into this counter are provided,
-                        and so this counter would not be of much
+                        so this counter is not of much
                         interest in practice.
                       </p>
                     </td>
@@ -13792,7 +11943,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in NXDOMAIN that were redirected.
+                        This indicates the number of queries that resulted in NXDOMAIN that were redirected.
                       </p>
                     </td>
 </tr>
@@ -13805,7 +11956,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries resulted in NXDOMAIN that were redirected
+                        This indicates the number of queries that resulted in NXDOMAIN that were redirected
                         and resulted in a successful remote lookup.
                       </p>
                     </td>
@@ -13819,7 +11970,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Requested zone transfers completed.
+                        This indicates the number of requested and completed zone transfers.
                       </p>
                     </td>
 </tr>
@@ -13832,7 +11983,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Update requests forwarded.
+                        This indicates the number of forwarded update requests.
                       </p>
                     </td>
 </tr>
@@ -13845,7 +11996,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Update responses forwarded.
+                        This indicates the number of forwarded update responses.
                       </p>
                     </td>
 </tr>
@@ -13858,7 +12009,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Dynamic update forward failed.
+                        This indicates the number of forwarded dynamic updates that failed.
                       </p>
                     </td>
 </tr>
@@ -13871,7 +12022,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Dynamic updates completed.
+                        This indicates the number of completed dynamic updates.
                       </p>
                     </td>
 </tr>
@@ -13884,7 +12035,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Dynamic updates failed.
+                        This indicates the number of failed dynamic updates.
                       </p>
                     </td>
 </tr>
@@ -13897,7 +12048,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Dynamic updates rejected due to prerequisite failure.
+                        This indicates the number of dynamic updates rejected due to a prerequisite failure.
                       </p>
                     </td>
 </tr>
@@ -13910,7 +12061,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Responses dropped by rate limits.
+                        This indicates the number of responses dropped due to rate limits.
                       </p>
                     </td>
 </tr>
@@ -13923,7 +12074,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Responses truncated by rate limits.
+                        This indicates the number of responses truncated by rate limits.
                       </p>
                     </td>
 </tr>
@@ -13936,21 +12087,17 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Response policy zone rewrites.
+                        This indicates the number of response policy zone rewrites.
                       </p>
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
+</table></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="zone_stats"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
-
-            <div class="informaltable">
-              <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.150in" class="1">
 <col width="3.350in" class="2">
@@ -13974,7 +12121,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 notifies sent.
+                        This indicates the number of IPv4 notifies sent.
                       </p>
                     </td>
 </tr>
@@ -13984,7 +12131,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 notifies sent.
+                        This indicates the number of IPv6 notifies sent.
                       </p>
                     </td>
 </tr>
@@ -13994,7 +12141,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 notifies received.
+                        This indicates the number of IPv4 notifies received.
                       </p>
                     </td>
 </tr>
@@ -14004,7 +12151,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 notifies received.
+                        This indicates the number of IPv6 notifies received.
                       </p>
                     </td>
 </tr>
@@ -14014,7 +12161,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Incoming notifies rejected.
+                        This indicates the number of incoming notifies rejected.
                       </p>
                     </td>
 </tr>
@@ -14024,7 +12171,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 SOA queries sent.
+                        This indicates the number of IPv4 SOA queries sent.
                       </p>
                     </td>
 </tr>
@@ -14034,7 +12181,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 SOA queries sent.
+                        This indicates the number of IPv6 SOA queries sent.
                       </p>
                     </td>
 </tr>
@@ -14044,7 +12191,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 AXFR requested.
+                        This indicates the number of requested IPv4 AXFRs.
                       </p>
                     </td>
 </tr>
@@ -14054,7 +12201,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 AXFR requested.
+                        This indicates the number of requested IPv6 AXFRs.
                       </p>
                     </td>
 </tr>
@@ -14064,7 +12211,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 IXFR requested.
+                        This indicates the number of requested IPv4 IXFRs.
                       </p>
                     </td>
 </tr>
@@ -14074,7 +12221,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 IXFR requested.
+                        This indicates the number of requested IPv6 IXFRs.
                       </p>
                     </td>
 </tr>
@@ -14084,7 +12231,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Zone transfer requests succeeded.
+                        This indicates the number of successful zone transfer requests.
                       </p>
                     </td>
 </tr>
@@ -14094,21 +12241,17 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Zone transfer requests failed.
+                        This indicates the number of failed zone transfer requests.
                       </p>
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
+</table></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="resolver_stats"></a>Resolver Statistics Counters</h4></div></div></div>
-
-            <div class="informaltable">
-              <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.150in" class="1">
 <col width="1.150in" class="2">
@@ -14123,7 +12266,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        <span class="emphasis"><em>BIND8 Symbol</em></span>
+                        <span class="emphasis"><em>BIND 8 Symbol</em></span>
                       </p>
                     </td>
 <td>
@@ -14141,7 +12284,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 queries sent.
+                        This indicates the number of IPv4 queries sent.
                       </p>
                     </td>
 </tr>
@@ -14154,7 +12297,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 queries sent.
+                        This indicates the number of IPv6 queries sent.
                       </p>
                     </td>
 </tr>
@@ -14167,7 +12310,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 responses received.
+                        This indicates the number of IPv4 responses received.
                       </p>
                     </td>
 </tr>
@@ -14180,7 +12323,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 responses received.
+                        This indicates the number of IPv6 responses received.
                       </p>
                     </td>
 </tr>
@@ -14193,7 +12336,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        NXDOMAIN received.
+                        This indicates the number of NXDOMAINs received.
                       </p>
                     </td>
 </tr>
@@ -14206,7 +12349,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        SERVFAIL received.
+                        This indicates the number of SERVFAILs received.
                       </p>
                     </td>
 </tr>
@@ -14219,7 +12362,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        FORMERR received.
+                        This indicates the number of FORMERRs received.
                       </p>
                     </td>
 </tr>
@@ -14232,7 +12375,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Other errors received.
+                        This indicates the number of other errors received.
                       </p>
                     </td>
 </tr>
@@ -14245,7 +12388,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        EDNS(0) query failures.
+                        This indicates the number of EDNS(0) query failures.
                       </p>
                     </td>
 </tr>
@@ -14258,8 +12401,8 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Mismatch responses received.
-                        The DNS ID, response's source address,
+                        This indicates the number of mismatched responses received,
+                        meaning the DNS ID, response's source address,
                         and/or the response's source port does not
                         match what was expected.
                         (The port must be 53 or as defined by
@@ -14278,7 +12421,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Truncated responses received.
+                        This indicates the number of truncated responses received.
                       </p>
                     </td>
 </tr>
@@ -14291,7 +12434,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Lame delegations received.
+                        This indicates the number of lame delegations received.
                       </p>
                     </td>
 </tr>
@@ -14304,7 +12447,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Query retries performed.
+                        This indicates the number of query retries performed.
                       </p>
                     </td>
 </tr>
@@ -14317,7 +12460,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Queries aborted due to quota control.
+                        This indicates the number of queries aborted due to quota control.
                       </p>
                     </td>
 </tr>
@@ -14330,10 +12473,9 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Failures in opening query sockets.
+                        This indicates the number of failures in opening query sockets.
                         One common reason for such failures is a
-                        failure of opening a new socket due to a
-                        limitation on file descriptors.
+                        due to a limitation on file descriptors.
                       </p>
                     </td>
 </tr>
@@ -14346,7 +12488,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Query timeouts.
+                        This indicates the number of query timeouts.
                       </p>
                     </td>
 </tr>
@@ -14359,7 +12501,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 NS address fetches invoked.
+                        This indicates the number of IPv4 NS address fetches invoked.
                       </p>
                     </td>
 </tr>
@@ -14372,7 +12514,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 NS address fetches invoked.
+                        This indicates the number of IPv6 NS address fetches invoked.
                       </p>
                     </td>
 </tr>
@@ -14385,7 +12527,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv4 NS address fetch failed.
+                        This indicates the number of failed IPv4 NS address fetches.
                       </p>
                     </td>
 </tr>
@@ -14398,7 +12540,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        IPv6 NS address fetch failed.
+                        This indicates the number of failed IPv6 NS address fetches.
                       </p>
                     </td>
 </tr>
@@ -14411,7 +12553,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        DNSSEC validation attempted.
+                        This indicates the number of attempted DNSSEC validations.
                       </p>
                     </td>
 </tr>
@@ -14424,7 +12566,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        DNSSEC validation succeeded.
+                        This indicates the number of successful DNSSEC validations.
                       </p>
                     </td>
 </tr>
@@ -14437,7 +12579,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        DNSSEC validation on negative information succeeded.
+                        This indicates the number of successful DNSSEC validations on negative information.
                       </p>
                     </td>
 </tr>
@@ -14450,7 +12592,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        DNSSEC validation failed.
+                        This indicates the number of failed DNSSEC validations.
                       </p>
                     </td>
 </tr>
@@ -14463,8 +12605,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Frequency table on round trip times (RTTs) of
-                        queries.
+                        This provides a frequency table on query round-trip times (RTTs).
                         Each <span class="command"><strong>nn</strong></span> specifies the corresponding
                         frequency.
                         In the sequence of
@@ -14476,28 +12617,24 @@ HOST-127.EXAMPLE. MX 0 .
                         number of queries whose RTTs are between
                         <span class="command"><strong>nn_(i-1)</strong></span> (inclusive) and
                         <span class="command"><strong>nn_i</strong></span> (exclusive) milliseconds.
-                        For the sake of convenience we define
+                        For the sake of convenience, we define
                         <span class="command"><strong>nn_0</strong></span> to be 0.
                         The last entry should be represented as
                         <span class="command"><strong>nn_m+</strong></span>, which means the
-                        number of queries whose RTTs are equal to or over
+                        number of queries whose RTTs are equal to or greater than
                         <span class="command"><strong>nn_m</strong></span> milliseconds.
                       </p>
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-
-          </div>
-
-          <div class="section">
+</table></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="socket_stats"></a>Socket I/O Statistics Counters</h4></div></div></div>
-
-            <p>
+<p>
               Socket I/O statistics counters are defined per socket
-              types, which are
+              type, which are
               <span class="command"><strong>UDP4</strong></span> (UDP/IPv4),
               <span class="command"><strong>UDP6</strong></span> (UDP/IPv6),
               <span class="command"><strong>TCP4</strong></span> (TCP/IPv4),
@@ -14505,14 +12642,12 @@ HOST-127.EXAMPLE. MX 0 .
               <span class="command"><strong>Unix</strong></span> (Unix Domain), and
               <span class="command"><strong>FDwatch</strong></span> (sockets opened outside the
               socket module).
-              In the following table <span class="command"><strong>&lt;TYPE&gt;</strong></span>
+              In the following table, <span class="command"><strong>&lt;TYPE&gt;</strong></span>
               represents a socket type.
               Not all counters are available for all socket types;
               exceptions are noted in the description field.
             </p>
-
-            <div class="informaltable">
-              <table border="1">
+<div class="informaltable"><table class="informaltable" border="1">
 <colgroup>
 <col width="1.150in" class="1">
 <col width="3.350in" class="2">
@@ -14536,8 +12671,8 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Sockets opened successfully.
-                        This counter is not applicable to the
+                        This indicates the number of sockets opened successfully.
+                        This counter does not apply to the
                         <span class="command"><strong>FDwatch</strong></span> type.
                       </p>
                     </td>
@@ -14548,8 +12683,8 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Failures of opening sockets.
-                        This counter is not applicable to the
+                        This indicates the number of failures to open sockets.
+                        This counter does not apply to the
                         <span class="command"><strong>FDwatch</strong></span> type.
                       </p>
                     </td>
@@ -14560,7 +12695,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Sockets closed.
+                        This indicates the number of closed sockets.
                       </p>
                     </td>
 </tr>
@@ -14570,7 +12705,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Failures of binding sockets.
+                        This indicates the number of failures to bind sockets.
                       </p>
                     </td>
 </tr>
@@ -14580,7 +12715,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Failures of connecting sockets.
+                        This indicates the number of failures to connect sockets.
                       </p>
                     </td>
 </tr>
@@ -14590,7 +12725,7 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Connections established successfully.
+                        This indicates the number of connections established successfully.
                       </p>
                     </td>
 </tr>
@@ -14600,8 +12735,8 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Failures of accepting incoming connection requests.
-                        This counter is not applicable to the
+                        This indicates the number of failures to accept incoming connection requests.
+                        This counter does not apply to the
                         <span class="command"><strong>UDP</strong></span> and
                         <span class="command"><strong>FDwatch</strong></span> types.
                       </p>
@@ -14613,8 +12748,8 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Incoming connections successfully accepted.
-                        This counter is not applicable to the
+                        This indicates the number of incoming connections successfully accepted.
+                        This counter does not apply to the
                         <span class="command"><strong>UDP</strong></span> and
                         <span class="command"><strong>FDwatch</strong></span> types.
                       </p>
@@ -14626,9 +12761,9 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Errors in socket send operations.
+                        This indicates the number of errors in socket send operations.
                         This counter corresponds
-                        to <span class="command"><strong>SErr</strong></span> counter of
+                        to the <span class="command"><strong>SErr</strong></span> counter of
                         <span class="command"><strong>BIND</strong></span> 8.
                       </p>
                     </td>
@@ -14639,66 +12774,53 @@ HOST-127.EXAMPLE. MX 0 .
                     </td>
 <td>
                       <p>
-                        Errors in socket receive operations.
-                        This includes errors of send operations on a
-                        connected UDP socket notified by an ICMP error
+                        This indicates the number of errors in socket receive operations,
+                        including errors of send operations on a
+                        connected UDP socket, notified by an ICMP error
                         message.
                       </p>
                     </td>
 </tr>
 </tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
+</table></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="bind8_compatibility"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
-
-            <p>
+<p>
               Most statistics counters that were available
               in <span class="command"><strong>BIND</strong></span> 8 are also supported in
-              <span class="command"><strong>BIND</strong></span> 9 as shown in the above tables.
+              <span class="command"><strong>BIND</strong></span> 9, as shown in the above tables.
               Here are notes about other counters that do not appear
               in these tables.
             </p>
-
-            <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>RFwdR,SFwdR</strong></span></span></dt>
-<dd>
-                  <p>
-                    These counters are not supported
+<dd><p>
+                    These counters are not supported,
                     because <span class="command"><strong>BIND</strong></span> 9 does not adopt
                     the notion of <span class="emphasis"><em>forwarding</em></span>
                     as <span class="command"><strong>BIND</strong></span> 8 did.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>RAXFR</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     This counter is accessible in the Incoming Queries section.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>RIQ</strong></span></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     This counter is accessible in the Incoming Requests section.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><span class="command"><strong>ROpts</strong></span></span></dt>
-<dd>
-                  <p>
-                    This counter is not supported
+<dd><p>
+                    This counter is not supported,
                     because <span class="command"><strong>BIND</strong></span> 9 does not care
-                    about IP options in the first place.
-                  </p>
-                </dd>
+                    about IP options.
+                  </p></dd>
 </dl></div>
-          </div>
-        </div>
-      </div>
-
-    </div>
+</div>
+</div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -14716,6 +12838,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch07.html b/bind/bind9/doc/arm/Bv9ARM.ch07.html
index 829d31c8..ac57179f 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch07.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch07.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 7. BIND 9 Security Considerations</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
@@ -45,43 +45,40 @@
 <dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl>
 </div>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
-
-        <p>
+<p>
           Access Control Lists (ACLs) are address match lists that
-          you can set up and nickname for future use in
+          can be set up and nicknamed for future use in
           <span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
           <span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
           <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
           <span class="command"><strong>match-clients</strong></span>, etc.
         </p>
-        <p>
-          Using ACLs allows you to have finer control over who can access
-          your name server, without cluttering up your config files with huge
+<p>
+          ACLs give users finer control over who can access
+          the name server, without cluttering up configuration files with huge
           lists of IP addresses.
         </p>
-        <p>
+<p>
           It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
-          control access to your server. Limiting access to your server by
+          control access. Limiting access to the server by
           outside parties can help prevent spoofing and denial of service
-          (DoS) attacks against your server.
+          (DoS) attacks against the server.
         </p>
-        <p>
+<p>
           ACLs match clients on the basis of up to three characteristics:
           1) The client's IP address; 2) the TSIG or SIG(0) key that was
           used to sign the request, if any; and 3) an address prefix
-          encoded in an EDNS Client Subnet option, if any.
+          encoded in an EDNS Client-Subnet option, if any.
         </p>
-        <p>
+<p>
           Here is an example of ACLs based on client addresses:
         </p>
-
 <pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block
-// RFC1918 space and some reserved space, which is
+// Set up an ACL named "bogusnets" that blocks
+// RFC 1918 space and some reserved space, which is
 // commonly used in spoofing attacks.
 acl bogusnets {
         0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
@@ -107,24 +104,23 @@ zone "example.com" {
   allow-query { any; };
 };
 </pre>
-
-        <p>
+<p>
           This allows authoritative queries for "example.com" from any
           address, but recursive queries only from the networks specified
           in "our-nets", and no queries at all from the networks
           specified in "bogusnets".
         </p>
-        <p>
+<p>
           In addition to network addresses and prefixes, which are
           matched against the source address of the DNS request, ACLs
           may include <code class="option">key</code> elements, which specify the
           name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
           elements, which specify a network prefix but are only matched
-          if that prefix matches an EDNS client subnet option included
+          if that prefix matches an EDNS client-subnet option included
           in the request.
         </p>
-        <p>
-          The EDNS Client Subnet (ECS) option is used by a recursive
+<p>
+          The EDNS Client-Subnet (ECS) option is used by a recursive
           resolver to inform an authoritative name server of the network
           address block from which the original query was received, enabling
           authoritative servers to give different answers to the same
@@ -137,10 +133,10 @@ zone "example.com" {
           in ACLs that are not prefixed with "ecs" are matched only
           against the source address.
         </p>
-        <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-          <p>
-            (Note: The authoritative ECS implementation in
+<p>
+            (Note: the authoritative ECS implementation in
             <span class="command"><strong>named</strong></span> is based on an early version of the
             specification, and is known to have incompatibilities with
             other implementations.  It is also inefficient, requiring
@@ -149,36 +145,36 @@ zone "example.com" {
             the configuration.  It can be used for testing purposes, but is
             not recommended for production use.)
           </p>
-        </div>
-        <p>
+</div>
+<p>
           When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
           ACLs can also be used for geographic access restrictions.
           This is done by specifying an ACL element of the form:
           <span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
         </p>
-        <p>
-          The <em class="replaceable"><code>field</code></em> indicates which field
+<p>
+          The <em class="replaceable"><code>field</code></em> parameter indicates which field
           to search for a match.  Available fields are "country",
           "region", "city", "continent", "postal" (postal code),
           "metro" (metro code), "area" (area code), "tz" (timezone),
           "isp", "asnum", and "domain".
         </p>
-        <p>
+<p>
           <em class="replaceable"><code>value</code></em> is the value to search
           for within the database.  A string may be quoted if it
           contains spaces or other special characters.  An "asnum"
           search for autonomous system number can be specified using
           the string "ASNNNN" or the integer NNNN.
-          When "country" search is specified with a string is two
-          characters long, then it must be a standard ISO-3166-1
-          two-letter country code; otherwise it is interpreted as
-          the full name of the country.  Similarly, if this is a
-          "region" search and the string is two characters long,
-          then it treated as a standard two-letter state or province
-          abbreviation; otherwise it treated as the full name of the
+          When "country" search is specified with a string that is two
+          characters long, it must be a standard ISO-3166-1
+          two-letter country code; otherwise, it is interpreted as
+          the full name of the country.  Similarly, if
+          "region" is the search term and the string is two characters long,
+          it is treated as a standard two-letter state or province
+          abbreviation; otherwise, it is treated as the full name of the
           state or province.
         </p>
-        <p>
+<p>
           The <em class="replaceable"><code>database</code></em> field indicates which
           GeoIP database to search for a match.  In most cases this is
           unnecessary, because most search fields can only be found in
@@ -186,27 +182,27 @@ zone "example.com" {
           can be answered from either the "city" or "country" databases,
           so for these search types, specifying a
           <em class="replaceable"><code>database</code></em>
-          will force the query to be answered from that database and no
+          forces the query to be answered from that database and no
           other.  If <em class="replaceable"><code>database</code></em> is not
-          specified, then these queries will be answered from the "city",
-          database if it is installed, or the "country" database if it
-          is installed, in that order. Valid database names are
+          specified, these queries are first answered from the "city"
+          database if it is installed, and then from the "country" database if it
+          is installed. Valid database names are
           "country", "city", "asnum", "isp", and "domain". (If using
           the legacy GeoIP API, "netspeed" and "org" databases are also
           available.)
         </p>
-        <p>
-          By default, if a DNS query includes an EDNS Client Subnet (ECS)
-          option which encodes a non-zero address prefix, then GeoIP ACLs
-          will be matched against that address prefix.  Otherwise, they
-          are matched against the source address of the query.  To
+<p>
+          By default, if a DNS query includes an EDNS Client-Subnet (ECS)
+          option which encodes a non-zero address prefix, then GeoIP ACL
+          elements are matched against that address prefix.  Otherwise,
+          they are matched against the source address of the query.  To
           prevent GeoIP ACLs from matching against ECS options, set
           the <span class="command"><strong>geoip-use-ecs</strong></span> to <code class="literal">no</code>.
         </p>
-        <p>
+<p>
           Some example GeoIP ACLs:
         </p>
-        <pre class="programlisting">geoip country US;
+<pre class="programlisting">geoip country US;
 geoip country JP;
 geoip db country country Canada;
 geoip region WA;
@@ -216,106 +212,99 @@ geoip postal 95062;
 geoip tz "America/Los_Angeles";
 geoip org "Internet Systems Consortium";
 </pre>
-
-        <p>
-          ACLs use a "first-match" logic rather than "best-match":
+<p>
+          ACLs use a "first-match" logic rather than "best-match";
           if an address prefix matches an ACL element, then that ACL
           is considered to have matched even if a later element would
           have matched more specifically.  For example, the ACL
-          <span class="command"><strong> { 10/8; !10.0.0.1; }</strong></span> would actually
+          <span class="command"><strong>{ 10/8; !10.0.0.1; }</strong></span> would actually
           match a query from 10.0.0.1, because the first element
-          indicated that the query should be accepted, and the second
+          indicates that the query should be accepted, and the second
           element is ignored.
         </p>
-        <p>
+<p>
           When using "nested" ACLs (that is, ACLs included or referenced
-          within other ACLs), a negative match of a nested ACL will
+          within other ACLs), a negative match of a nested ACL tells
           the containing ACL to continue looking for matches.  This
           enables complex ACLs to be constructed, in which multiple
           client characteristics can be checked at the same time. For
-          example, to construct an ACL which allows queries only when
+          example, to construct an ACL which allows a query only when
           it originates from a particular network <span class="emphasis"><em>and</em></span>
           only when it is signed with a particular key, use:
         </p>
-        <pre class="programlisting">
+<pre class="programlisting">
 allow-query { !{ !10/8; any; }; key example; };
 </pre>
-        <p>
+<p>
           Within the nested ACL, any address that is
-          <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
-          be rejected, and this will terminate processing of the
+          <span class="emphasis"><em>not</em></span> in the 10/8 network prefix is
+          rejected, which terminates processing of the
           ACL.  Any address that <span class="emphasis"><em>is</em></span> in the 10/8
-          network prefix will be accepted, but this causes a negative
+          network prefix is accepted, but this causes a negative
           match of the nested ACL, so the containing ACL continues
-          processing. The query will then be accepted if it is signed
+          processing. The query is accepted if it is signed
           by the key "example", and rejected otherwise.  The ACL, then,
-          will only matches when <span class="emphasis"><em>both</em></span> conditions
+          only matches when <span class="emphasis"><em>both</em></span> conditions
           are true.
         </p>
-      </div>
-
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
 </h2></div></div></div>
-
-        <p>
-          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
+<p>
+          On Unix servers, it is possible to run <acronym class="acronym">BIND</acronym>
           in a <span class="emphasis"><em>chrooted</em></span> environment (using
           the <span class="command"><strong>chroot()</strong></span> function) by specifying
           the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
           This can help improve system security by placing
-          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
+          <acronym class="acronym">BIND</acronym> in a "sandbox," which limits
           the damage done if a server is compromised.
         </p>
-        <p>
-          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
-          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
+<p>
+          Another useful feature in the Unix version of <acronym class="acronym">BIND</acronym> is the
+          ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
           We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
         </p>
-        <p>
+<p>
           Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
           <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
           user 202:
         </p>
-        <p>
+<p>
           <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
         </p>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
-
-          <p>
-            In order for a <span class="command"><strong>chroot</strong></span> environment
+<p>
+            For a <span class="command"><strong>chroot</strong></span> environment
             to work properly in a particular directory (for example,
-            <code class="filename">/var/named</code>), you will need to set
-            up an environment that includes everything
+            <code class="filename">/var/named</code>), the
+            environment must include everything
             <acronym class="acronym">BIND</acronym> needs to run.  From
             <acronym class="acronym">BIND</acronym>'s point of view,
             <code class="filename">/var/named</code> is the root of the
-            filesystem.  You will need to adjust the values of
+            filesystem; the values of
             options like <span class="command"><strong>directory</strong></span> and
-            <span class="command"><strong>pid-file</strong></span> to account for this.
+            <span class="command"><strong>pid-file</strong></span> must be adjusted to account for this.
           </p>
-          <p>
-            Unlike with earlier versions of BIND, you typically will
-            <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
-            statically nor install shared libraries under the new root.
-            However, depending on your operating system, you may need
-            to set up things like
+<p>
+            Unlike with earlier versions of BIND,
+            <span class="command"><strong>named</strong></span> does <span class="emphasis"><em>not</em></span> typically need to be compiled
+            statically, nor do shared libraries need to be installed under the new root.
+            However, depending on the operating system, it may be necessary
+            to set up locations such as
             <code class="filename">/dev/zero</code>,
             <code class="filename">/dev/random</code>,
             <code class="filename">/dev/log</code>, and
             <code class="filename">/etc/localtime</code>.
           </p>
-        </div>
-
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
-
-          <p>
+<p>
             Prior to running the <span class="command"><strong>named</strong></span> daemon,
             use
             the <span class="command"><strong>touch</strong></span> utility (to change file
@@ -323,25 +312,23 @@ allow-query { !{ !10/8; any; }; key example; };
             modification times) or the <span class="command"><strong>chown</strong></span>
             utility (to
             set the user id and/or group id) on files
-            to which you want <acronym class="acronym">BIND</acronym>
-            to write.
+            where <acronym class="acronym">BIND</acronym>
+            should write.
           </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
             If the <span class="command"><strong>named</strong></span> daemon is running as an
-            unprivileged user, it will not be able to bind to new restricted
+            unprivileged user, it cannot bind to new restricted
             ports if the server is reloaded.
           </p>
 </div>
-        </div>
-      </div>
-
-      <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
-
-        <p>
+<p>
           Access to the dynamic
           update facility should be strictly limited.  In earlier versions of
           <acronym class="acronym">BIND</acronym>, the only way to do this was
@@ -350,39 +337,36 @@ allow-query { !{ !10/8; any; }; key example; };
           or
           network prefix in the <span class="command"><strong>allow-update</strong></span>
           zone option.
-          This method is insecure since the source address of the update UDP
+          This method is insecure, since the source address of the update UDP
           packet
           is easily forged.  Also note that if the IP addresses allowed by the
           <span class="command"><strong>allow-update</strong></span> option include the
-          address of a slave
-          server which performs forwarding of dynamic updates, the master can
+          address of a secondary
+          server which performs forwarding of dynamic updates, the primary can
           be
-          trivially attacked by sending the update to the slave, which will
-          forward it to the master with its own source IP address causing the
-          master to approve it without question.
+          trivially attacked by sending the update to the secondary, which
+          forwards it to the primary with its own source IP address - causing the
+          primary to approve it without question.
         </p>
-
-        <p>
+<p>
           For these reasons, we strongly recommend that updates be
           cryptographically authenticated by means of transaction signatures
           (TSIG).  That is, the <span class="command"><strong>allow-update</strong></span>
           option should
           list only TSIG key names, not IP addresses or network
-          prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
+          prefixes. Alternatively, the <span class="command"><strong>update-policy</strong></span>
           option can be used.
         </p>
-
-        <p>
-          Some sites choose to keep all dynamically-updated DNS data
+<p>
+          Some sites choose to keep all dynamically updated DNS data
           in a subdomain and delegate that subdomain to a separate zone. This
-          way, the top-level zone containing critical data such as the IP
+          way, the top-level zone containing critical data, such as the IP
           addresses
-          of public web and mail servers need not allow dynamic update at
+          of public web and mail servers, need not allow dynamic update at
           all.
         </p>
-
-      </div>
-    </div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -400,6 +384,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch08.html b/bind/bind9/doc/arm/Bv9ARM.ch08.html
index 236aeaf2..e78e37ea 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch08.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch08.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 8. Troubleshooting</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
@@ -37,88 +37,77 @@
 <p><b>Table of Contents</b></p>
 <dl class="toc">
 <dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's Not Working; How Can I Figure Out What's Wrong?</a></span></dt></dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Incrementing and Changing the Serial Number</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt>
 </dl>
 </div>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="common_problems"></a>Common Problems</h2></div></div></div>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.9.2.2"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
-
-          <p>
-            The best solution to solving installation and
-            configuration issues is to take preventative measures by setting
+<a name="id-1.9.2.2"></a>It's Not Working; How Can I Figure Out What's Wrong?</h3></div></div></div>
+<p>
+            The best solution to installation and
+            configuration issues is to take preventive measures by setting
             up logging files beforehand. The log files provide a
-            source of hints and information that can be used to figure out
-            what went wrong and how to fix the problem.
+            source of hints and information that can be used to identify
+            what went wrong and fix the problem.
           </p>
-
-        </div>
-      </div>
-      <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id-1.9.3"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
-
-        <p>
-          Zone serial numbers are just numbers &#8212; they aren't
-          date related.  A lot of people set them to a number that
+<p>
+          Zone serial numbers are just numbers &#8212; they are not
+          date-related.  However, many people set them to a number that
           represents a date, usually of the form YYYYMMDDRR.
-          Occasionally they will make a mistake and set them to a
-          "date in the future" then try to correct them by setting
-          them to the "current date".  This causes problems because
+          Occasionally they make a mistake and set the serial number to a
+          date in the future, then try to correct it by setting
+          it to the current date.  This causes problems because
           serial numbers are used to indicate that a zone has been
-          updated.  If the serial number on the slave server is
-          lower than the serial number on the master, the slave
-          server will attempt to update its copy of the zone.
+          updated.  If the serial number on the secondary server is
+          lower than the serial number on the primary, the secondary
+          server attempts to update its copy of the zone.
         </p>
-
-        <p>
-          Setting the serial number to a lower number on the master
-          server than the slave server means that the slave will not perform
+<p>
+          Setting the serial number to a lower number on the primary
+          server than the one on the secondary server means that the secondary will not perform
           updates to its copy of the zone.
         </p>
-
-        <p>
+<p>
           The solution to this is to add 2147483647 (2^31-1) to the
-          number, reload the zone and make sure all slaves have updated to
-          the new zone serial number, then reset the number to what you want
-          it to be, and reload the zone again.
+          number, reload the zone and make sure all secondaries have updated to
+          the new zone serial number, then reset it to the desired number
+          and reload the zone again.
         </p>
-
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="more_help"></a>Where Can I Get Help?</h2></div></div></div>
-
-        <p>
-          The Internet Systems Consortium
-          (<acronym class="acronym">ISC</acronym>) offers a wide range
-          of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
-          levels of premium support are available and each level includes
-          support for all <acronym class="acronym">ISC</acronym> programs,
-          significant discounts on products
-          and training, and a recognized priority on bug fixes and
-          non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
-          support agreement package which includes services ranging from bug
-          fix announcements to remote support. It also includes training in
-          <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
+<p>
+        The BIND-users mailing list, at https://lists.isc.org/mailman/listinfo/bind-users,
+        is an excellent resource for peer user support. In addition, <acronym class="acronym">ISC</acronym> maintains a
+        Knowledgebase of helpful articles at https://kb.isc.org.
         </p>
-
-        <p>
-          To discuss arrangements for support, contact
-          <a class="link" href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
-          <acronym class="acronym">ISC</acronym> web page at
-          <a class="link" href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
-          to read more.
+<p>
+          Internet Systems Consortium
+          (<acronym class="acronym">ISC</acronym>) offers annual
+          support agreements for <acronym class="acronym">BIND</acronym>9, ISC <acronym class="acronym">DHCP</acronym>, and Kea DHCP.
+          All paid support contracts include advance security notifications; some levels include
+          service level agreements (SLAs), premium software features, and increased priority on bug fixes
+          and feature requests.
         </p>
-      </div>
-    </div>
+<p>
+          Please contact
+          <a class="link" href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit
+          <a class="link" href="https://www.isc.org/contact/" target="_top">https://www.isc.org/contact/</a>
+          for more information.
+        </p>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -136,6 +125,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch09.html b/bind/bind9/doc/arm/Bv9ARM.ch09.html
index ecc62de5..576b9d34 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch09.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch09.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix A. Release Notes</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
@@ -36,11 +36,32 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.15</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.36</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.36">Notes for BIND 9.11.36</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.35">Notes for BIND 9.11.35</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.34">Notes for BIND 9.11.34</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.33">Notes for BIND 9.11.33</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.32">Notes for BIND 9.11.32</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.31">Notes for BIND 9.11.31</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.30">Notes for BIND 9.11.30</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.29">Notes for BIND 9.11.29</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.28">Notes for BIND 9.11.28</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.27">Notes for BIND 9.11.27</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.26">Notes for BIND 9.11.26</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.25">Notes for BIND 9.11.25</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.24">Notes for BIND 9.11.24</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.23">Notes for BIND 9.11.23</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.22">Notes for BIND 9.11.22</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.21">Notes for BIND 9.11.21</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.20">Notes for BIND 9.11.20</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.19">Notes for BIND 9.11.19</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.18">Notes for BIND 9.11.18</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.17">Notes for BIND 9.11.17</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.16">Notes for BIND 9.11.16</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.15">Notes for BIND 9.11.15</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.14">Notes for BIND 9.11.14</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.13">Notes for BIND 9.11.13</a></span></dt>
@@ -62,27 +83,26 @@
 </dl></dd>
 </dl>
 </div>
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.15</h2></div></div></div>
-  
-  <div class="section">
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.36</h2></div></div></div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
-  <p>
+<p>
     BIND 9.11 (Extended Support Version) is a stable branch of BIND.
     This document summarizes significant changes since the last
     production release on that branch.
   </p>
-  <p>
+<p>
     Please see the file <code class="filename">CHANGES</code> for a more
     detailed list of changes and bug fixes.
   </p>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_download"></a>Download</h3></div></div></div>
-  <p>
+<p>
     The latest versions of BIND 9 software can always be found at
     <a class="link" href="https://www.isc.org/download/" target="_top">https://www.isc.org/download/</a>.
     There you will find additional information about each release,
@@ -90,210 +110,773 @@
     operating systems.
   </p>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License Change</h3></div></div></div>
-  <p>
+<p>
     With the release of BIND 9.11.0, ISC changed to the open
     source license for BIND from the ISC license to the Mozilla
     Public License (MPL 2.0).
   </p>
-  <p>
+<p>
     The MPL-2.0 license requires that if you make changes to
     licensed software (e.g. BIND) and distribute them outside
     your organization, that you publish those changes under that
     same license. It does not require that you publish or disclose
     anything other than the changes you made to our software.
   </p>
-  <p>
+<p>
     This requirement will not affect anyone who is using BIND, with
     or without modifications, without redistributing it, nor anyone
     redistributing it without changes. Therefore, this change will be
     without consequence for most individuals and organizations who are
     using BIND.
   </p>
-  <p>
+<p>
     Those unsure whether or not the license change affects their
     use of BIND, or who wish to discuss how to comply with the
     license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
     https://www.isc.org/mission/contact/</a>.
   </p>
 </div>
-
-  <div class="section">
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.36"></a>Notes for BIND 9.11.36</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.36-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<p>
+          The <span class="command"><strong>lame-ttl</strong></span> option controls how long
+          <span class="command"><strong>named</strong></span> caches certain types of broken responses from
+          authoritative servers (see the <a class="link" href="https://kb.isc.org/docs/cve-2021-25219" target="_top">security advisory</a>
+          for details). This caching mechanism could be abused by an attacker to
+          significantly degrade resolver performance. The vulnerability has been
+          mitigated by changing the default value of <span class="command"><strong>lame-ttl</strong></span>
+          to <span class="command"><strong>0</strong></span> and overriding any explicitly set value with
+          <span class="command"><strong>0</strong></span>, effectively disabling this mechanism altogether.
+          ISC's testing has determined that doing that has a negligible impact
+          on resolver performance while also preventing abuse. Administrators
+          may observe more traffic towards servers issuing certain types of
+          broken responses than in previous BIND 9 releases, depending on client
+          query patterns. (CVE-2021-25219)
+        </p>
+<p>
+          ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
+          bringing this vulnerability to our attention. [GL #2899]
+        </p>
+</li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.35"></a>Notes for BIND 9.11.35</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.35-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> failed to check the opcode of responses when
+          performing zone refreshes, stub zone updates, and UPDATE forwarding.
+          This could lead to an assertion failure under certain conditions and
+          has been addressed by rejecting responses whose opcode does not match
+          the expected value. [GL #2762]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.34"></a>Notes for BIND 9.11.34</h3></div></div></div>
+<p>
+    This maintenance release of BIND 9.11 contains no significant changes,
+    although some minor updates have been made (for example, to fix build issues
+    on Solaris 11).
+  </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.33"></a>Notes for BIND 9.11.33</h3></div></div></div>
+<p>
+    This maintenance release of BIND 9.11 contains no significant changes,
+    although some minor updates have been made (for example, to eliminate
+    compiler warnings emitted by GCC 11).
+  </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.32"></a>Notes for BIND 9.11.32</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.32-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          DNSSEC responses containing NSEC3 records with iteration counts
+          greater than 150 are now treated as insecure. [GL #2445]
+        </p></li>
+<li class="listitem"><p>
+          The maximum supported number of NSEC3 iterations that can be
+          configured for a zone has been reduced to 150. [GL #2642]
+        </p></li>
+<li class="listitem"><p>
+          The implementation of the ZONEMD RR type has been updated to match RFC
+          8976. [GL #2658]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.31"></a>Notes for BIND 9.11.31</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.31-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+<p>
+          A malformed incoming IXFR transfer could trigger an assertion failure
+          in <span class="command"><strong>named</strong></span>, causing it to quit abnormally.
+          (CVE-2021-25214)
+        </p>
+<p>
+          ISC would like to thank Greg Kuechle of SaskTel for bringing this
+          vulnerability to our attention. [GL #2467]
+        </p>
+</li>
+<li class="listitem">
+<p>
+          <span class="command"><strong>named</strong></span> crashed when a DNAME record placed in the
+          ANSWER section during DNAME chasing turned out to be the final answer
+          to a client query. (CVE-2021-25215)
+        </p>
+<p>
+          ISC would like to thank <a class="link" href="https://github.com/sivakesava1" target="_top">Siva Kakarla</a> for
+          bringing this vulnerability to our attention. [GL #2540]
+        </p>
+</li>
+<li class="listitem">
+<p>
+          When a server's configuration set the
+          <span class="command"><strong>tkey-gssapi-keytab</strong></span> or
+          <span class="command"><strong>tkey-gssapi-credential</strong></span> option, a specially crafted
+          GSS-TSIG query could cause a buffer overflow in the ISC implementation
+          of SPNEGO (a protocol enabling negotiation of the security mechanism
+          used for GSSAPI authentication). This flaw could be exploited to crash
+          <span class="command"><strong>named</strong></span> binaries compiled for 64-bit platforms, and
+          could enable remote code execution when <span class="command"><strong>named</strong></span> was
+          compiled for 32-bit platforms. (CVE-2021-25216)
+        </p>
+<p>
+          This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
+          Zero Day Initiative. [GL #2604]
+        </p>
+</li>
+</ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.31-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          The ISC implementation of SPNEGO was removed from BIND 9 source code.
+          Instead, BIND 9 now always uses the SPNEGO implementation provided by
+          the system GSSAPI library when it is built with GSSAPI support. All
+          major contemporary Kerberos/GSSAPI libraries contain an implementation
+          of the SPNEGO mechanism. [GL #2607]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.30"></a>Notes for BIND 9.11.30</h3></div></div></div>
+<p>
+    <span class="emphasis"><em>The BIND 9.11.30 release was withdrawn after a backporting bug was
+    discovered during pre-release testing. ISC would like to acknowledge the
+    assistance of Natan Segal of Bluecat Networks.</em></span>
+  </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.29"></a>Notes for BIND 9.11.29</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.29-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          An invalid direction field (not one of <span class="command"><strong>N</strong></span>,
+          <span class="command"><strong>S</strong></span>, <span class="command"><strong>E</strong></span>, <span class="command"><strong>W</strong></span>) in a
+          LOC record resulted in an INSIST failure when a zone file containing
+          such a record was loaded. [GL #2499]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.28"></a>Notes for BIND 9.11.28</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.28-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<p>
+          When <span class="command"><strong>tkey-gssapi-keytab</strong></span> or
+          <span class="command"><strong>tkey-gssapi-credential</strong></span> was configured, a specially
+          crafted GSS-TSIG query could cause a buffer overflow in the ISC
+          implementation of SPNEGO (a protocol enabling negotiation of the
+          security mechanism to use for GSSAPI authentication). This flaw could
+          be exploited to crash <span class="command"><strong>named</strong></span>. Theoretically, it also
+          enabled remote code execution, but achieving the latter is very
+          difficult in real-world conditions. (CVE-2020-8625)
+        </p>
+<p>
+          This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+          Trend Micro Zero Day Initiative. [GL #2354]
+        </p>
+</li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.27"></a>Notes for BIND 9.11.27</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.27-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          Multiple threads could attempt to destroy a single RBTDB instance at
+          the same time, resulting in an unpredictable but low-probability
+          assertion failure in <code class="filename">free_rbtdb()</code>. This has been
+          fixed. [GL #2317]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.26"></a>Notes for BIND 9.11.26</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.26-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          The default value of <span class="command"><strong>max-recursion-queries</strong></span> was
+          increased from 75 to 100. Since the queries sent towards root and TLD
+          servers are now included in the count (as a result of the fix for
+          CVE-2020-8616), <span class="command"><strong>max-recursion-queries</strong></span> has a higher
+          chance of being exceeded by non-attack queries, which is the main
+          reason for increasing its default value. [GL #2305]
+        </p></li>
+<li class="listitem"><p>
+          The default value of <span class="command"><strong>nocookie-udp-size</strong></span> was restored
+          back to 4096 bytes. Since <span class="command"><strong>max-udp-size</strong></span> is the upper
+          bound for <span class="command"><strong>nocookie-udp-size</strong></span>, this change relieves
+          the operator from having to change
+          <span class="command"><strong>nocookie-udp-size</strong></span> together with
+          <span class="command"><strong>max-udp-size</strong></span> in order to increase the default EDNS
+          buffer size limit. <span class="command"><strong>nocookie-udp-size</strong></span> can still be
+          set to a value lower than <span class="command"><strong>max-udp-size</strong></span>, if desired.
+          [GL #2250]
+        </p></li>
+</ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.26-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          Handling of missing DNS COOKIE responses over UDP was tightened by
+          falling back to TCP. [GL #2275]
+        </p></li>
+<li class="listitem"><p>
+          The CNAME synthesized from a DNAME was incorrectly followed when the
+          QTYPE was CNAME or ANY. [GL #2280]
+        </p></li>
+<li class="listitem"><p>
+          Building with native PKCS#11 support for AEP Keyper has been broken
+          since BIND 9.11.22. This has been fixed. [GL #2315]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.25"></a>Notes for BIND 9.11.25</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.25-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> acting as a resolver could incorrectly treat
+          signed zones with no DS record at the parent as bogus. Such zones
+          should be treated as insecure. This has been fixed. [GL #2236]
+        </p></li>
+<li class="listitem"><p>
+          After a Negative Trust Anchor (NTA) is added, BIND performs periodic
+          checks to see if it is still necessary. If BIND encountered a failure
+          while creating a query to perform such a check, it attempted to
+          dereference a NULL pointer, resulting in a crash. [GL #2244]
+        </p></li>
+<li class="listitem"><p>
+          A problem obtaining glue records could prevent a stub zone from
+          functioning properly, if the authoritative server for the zone were
+          configured for minimal responses. [GL #1736]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.24"></a>Notes for BIND 9.11.24</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.24-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+           DNS Flag Day 2020: The default EDNS buffer size has been changed from
+           4096 to 1232 bytes. According to measurements done by multiple
+           parties, this should not cause any operational problems as most of
+           the Internet "core" is able to cope with IP message sizes between
+           1400-1500 bytes; the 1232 size was picked as a conservative minimal
+           number that could be changed by the DNS operator to an estimated path
+           MTU minus the estimated header space. In practice, the smallest MTU
+           witnessed in the operational DNS community is 1500 octets, the
+           maximum Ethernet payload size, so a useful default for maximum
+           DNS/UDP payload size on reliable networks would be 1400 bytes.
+           [GL #2183]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.24-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> reported an invalid memory size when running
+          in an environment that did not properly report the number of available
+          memory pages and/or the size of each memory page. [GL #2166]
+        </p></li>
+<li class="listitem"><p>
+          With multiple forwarders configured, <span class="command"><strong>named</strong></span> could
+          fail the <code class="code">REQUIRE(msg-&gt;state == (-1))</code> assertion in
+          <code class="filename">lib/dns/message.c</code>, causing it to crash. This has
+          been fixed. [GL #2124]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.23"></a>Notes for BIND 9.11.23</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.23-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          Parsing of LOC records was made more strict by rejecting a sole period
+          (<strong class="userinput"><code>.</code></strong>) and/or <strong class="userinput"><code>m</code></strong> as a value.
+          These changes prevent zone files using such values from being loaded.
+          Handling of negative altitudes which are not integers was also
+          corrected. [GL #2074]
+        </p></li>
+<li class="listitem"><p>
+          Several problems found by <a class="link" href="https://github.com/google/oss-fuzz" target="_top">OSS-Fuzz</a> were
+          fixed. (None of these are security issues.) [GL !3953] [GL !3975]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.22"></a>Notes for BIND 9.11.22</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.22-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+<p>
+          It was possible to trigger an assertion failure when verifying the
+          response to a TSIG-signed request. This was disclosed in
+          CVE-2020-8622.
+        </p>
+<p>
+          ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
+          of Oracle for bringing this vulnerability to our attention. [GL #2028]
+        </p>
+</li>
+<li class="listitem">
+<p>
+          When BIND 9 was compiled with native PKCS#11 support, it was possible
+          to trigger an assertion failure in code determining the number of bits
+          in the PKCS#11 RSA public key with a specially crafted packet. This
+          was disclosed in CVE-2020-8623.
+        </p>
+<p>
+          ISC would like to thank Lyu Chiy for bringing this vulnerability to
+          our attention. [GL #2037]
+        </p>
+</li>
+<li class="listitem">
+<p>
+          <span class="command"><strong>update-policy</strong></span> rules of type
+          <span class="command"><strong>subdomain</strong></span> were incorrectly treated as
+          <span class="command"><strong>zonesub</strong></span> rules, which allowed keys used in
+          <span class="command"><strong>subdomain</strong></span> rules to update names outside of the
+          specified subdomains. The problem was fixed by making sure
+          <span class="command"><strong>subdomain</strong></span> rules are again processed as described in
+          the ARM. This was disclosed in CVE-2020-8624.
+        </p>
+<p>
+          ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+          vulnerability to our attention. [GL #2055]
+        </p>
+</li>
+</ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.22-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          Wildcard RPZ passthru rules could incorrectly be overridden by other
+          rules that were loaded from RPZ zones which appeared later in the
+          <span class="command"><strong>response-policy</strong></span> statement. This has been fixed.
+          [GL #1619]
+        </p></li>
+<li class="listitem"><p>
+          LMDB locking code was revised to make <span class="command"><strong>rndc reconfig</strong></span>
+          work properly on FreeBSD and with LMDB &gt;= 0.9.26. [GL #1976]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.21"></a>Notes for BIND 9.11.21</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.21-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> could crash when cleaning dead nodes in
+          <code class="filename">lib/dns/rbtdb.c</code> that were being reused.
+          [GL #1968]
+        </p></li>
+<li class="listitem"><p>
+          Properly handle missing <span class="command"><strong>kyua</strong></span> command so that
+          <span class="command"><strong>make check</strong></span> does not fail unexpectedly when CMocka
+          is installed, but Kyua is not. [GL #1950]
+        </p></li>
+<li class="listitem"><p>
+          The validator could fail to accept a properly signed RRset if an
+          unsupported algorithm appeared earlier in the DNSKEY RRset than a
+          supported algorithm. It could also stop if it detected a malformed
+          public key. [GL #1689]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.20"></a>Notes for BIND 9.11.20</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.20-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          It was possible to trigger an INSIST failure when a zone with an
+          interior wildcard label was queried in a certain pattern. This was
+          disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.20-new"></a>New Features</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          <span class="command"><strong>dig</strong></span> and other tools can now print the Extended DNS
+          Error (EDE) option when it appears in a request or a response.
+          [GL #1835]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.20-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          When fully updating the NSEC3 chain for a large zone via IXFR, a
+          temporary loss of performance could be experienced on the secondary
+          server when answering queries for nonexistent data that required
+          DNSSEC proof of non-existence (in other words, queries that required
+          the server to find and to return NSEC3 data). The unnecessary
+          processing step that was causing this delay has now been removed.
+          [GL #1834]
+        </p></li>
+<li class="listitem"><p>
+          A data race in <code class="filename">lib/dns/resolver.c:log_formerr()</code>
+          that could lead to an assertion failure was fixed. [GL #1808]
+        </p></li>
+<li class="listitem"><p>
+          Previously, <span class="command"><strong>provide-ixfr no;</strong></span> failed to return
+          up-to-date responses when the serial number was greater than or equal
+          to the current serial number. [GL #1714]
+        </p></li>
+<li class="listitem"><p>
+          <span class="command"><strong>named-checkconf -p</strong></span> could include spurious text in
+          <span class="command"><strong>server-addresses</strong></span> statements due to an uninitialized
+          DSCP value. This has been fixed. [GL #1812]
+        </p></li>
+<li class="listitem"><p>
+          The ARM has been updated to indicate that the TSIG session key is
+          generated when named starts, regardless of whether it is needed.
+          [GL #1842]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.19"></a>Notes for BIND 9.11.19</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          To prevent exhaustion of server resources by a maliciously configured
+          domain, the number of recursive queries that can be triggered by a
+          request before aborting recursion has been further limited. Root and
+          top-level domain servers are no longer exempt from the
+          <span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
+          name server address records are limited to 4 for any domain. This
+          issue was disclosed in CVE-2020-8616. [GL #1388]
+        </p></li>
+<li class="listitem"><p>
+          Replaying a TSIG BADTIME response as a request could
+          trigger an assertion failure. This was disclosed in
+          CVE-2020-8617. [GL #1703]
+        </p></li>
+</ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          Message IDs in inbound AXFR transfers are now checked for consistency.
+          Log messages are emitted for streams with inconsistent message IDs.
+          [GL #1674]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          When running on a system with support for Linux capabilities,
+          <span class="command"><strong>named</strong></span> drops root privileges very soon after system
+          startup. This was causing a spurious log message, "unable to set
+          effective uid to 0: Operation not permitted", which has now been
+          silenced. [GL #1042] [GL #1090]
+        </p></li>
+<li class="listitem"><p>
+          When <span class="command"><strong>named-checkconf -z</strong></span> was run, it would sometimes
+          incorrectly set its exit code. It reflected the status of the last
+          view found; if zone-loading errors were found in earlier configured
+          views but not in the last one, the exit code indicated success.
+          Thanks to Graham Clinch. [GL #1807]
+        </p></li>
+<li class="listitem"><p>
+          When built without LMDB support, <span class="command"><strong>named</strong></span> failed to
+          restart after a zone with a double quote (") in its name was added
+          with <span class="command"><strong>rndc addzone</strong></span>. Thanks to Alberto Fernández.
+          [GL #1695]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.18"></a>Notes for BIND 9.11.18</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.18-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          DNS rebinding protection was ineffective when BIND 9 is configured as
+          a forwarding DNS server. Found and responsibly reported by Tobias
+          Klein. [GL #1574]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.18-known"></a>Known Issues</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          We have received reports that in some circumstances, receipt of an
+          IXFR can cause the processing of queries to slow significantly. Some
+          of these are related to RPZ processing, others appear to occur where
+          there are NSEC3-related changes (such as an operator changing the
+          NSEC3 salt used in the hash calculation). These are being
+          investigated.  [GL #1685]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.17"></a>Notes for BIND 9.11.17</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.17-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          The <span class="command"><strong>configure</strong></span> option
+          <span class="command"><strong>--with-libxml2</strong></span> now uses
+          <span class="command"><strong>pkg-config</strong></span> to detect libxml2 library
+          availability.  You will either have to install
+          <span class="command"><strong>pkg-config</strong></span> or specify the exact path where
+          libxml2 has been installed on your system. [GL #1635]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.17-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          Fixed re-signing issues with inline zones which resulted in
+          records being re-signed late or not at all.
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.16"></a>Notes for BIND 9.11.16</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.16-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> crashed when it was queried for a
+          nonexistent name in the CHAOS class. [GL #1540]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.15"></a>Notes for BIND 9.11.15</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.15-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Fixed a GeoIP2 lookup bug which was triggered when certain
           libmaxminddb versions were used. [GL #1552]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Fixed several possible race conditions discovered by
           ThreadSanitizer.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.14"></a>Notes for BIND 9.11.14</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.14-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
           on reconfiguration when any GeoIP2 database was in use. [GL #1445]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Fixed several possible race conditions discovered by
           ThreadSanitizer.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.13"></a>Notes for BIND 9.11.13</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.13-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Set a limit on the number of concurrently served pipelined TCP
           queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.13-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
           that reports the maximum number of simultaneous TCP clients BIND
           has handled while running. [GL #1206]
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
+</div>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.12"></a>Notes for BIND 9.11.12</h3></div></div></div>
-
-  <p>
+<p>
     None.
   </p>
-
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.11"></a>Notes for BIND 9.11.11</h3></div></div></div>
-
-  <p>
+<p>
     None.
   </p>
-
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.10"></a>Notes for BIND 9.11.10</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.10-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
+<p>
           A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
           [GL #605]
         </p>
-        <p>
+<p>
           If you are running multiple DNS Servers (different versions of BIND 9
           or DNS server from multiple vendors) responding from the same IP
           address (anycast or load-balancing scenarios), you'll have to make
           sure that all the servers are configured with the same DNS Cookie
           algorithm and same Server Secret for the best performance.
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           DS records included in DNS referral messages can now be validated
           and cached immediately, reducing the number of queries needed for
           a DNSSEC validation. [GL #964]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.10-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
           cause unexpected results; this has been fixed. [GL #1106]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
           to ensure bits 64-71 are zero. [GL #1159]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named-checkconf</strong></span> could crash during
           configuration if configured to use "geoip continent" ACLs with
           legacy GeoIP. [GL #1163]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
           <span class="command"><strong>dnstap-output</strong></span> option when
           <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Handle ETIMEDOUT error on connect() with a non-blocking
           socket. [GL #1133]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.9"></a>Notes for BIND 9.11.9</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.9-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<p>
           The new GeoIP2 API from MaxMind is now supported when BIND
           is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
           The legacy GeoIP API can be used by compiling with
@@ -301,7 +884,7 @@
           the databases for the legacy API are no longer maintained by
           MaxMind.)
         </p>
-        <p>
+<p>
           The default path to the GeoIP2 databases will be set based
           on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
           for example, if it is in <code class="filename">/usr/local/lib</code>,
@@ -310,7 +893,7 @@
           This value can be overridden in <code class="filename">named.conf</code>
           using the <span class="command"><strong>geoip-directory</strong></span> option.
         </p>
-        <p>
+<p>
           Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
           legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
           <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
@@ -320,60 +903,48 @@
           <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
           and IPv6 lookups. [GL #182]
         </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+</li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.9-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Glue address records were not being returned in responses
           to root priming queries; this has been corrected. [GL #1092]
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.8"></a>Notes for BIND 9.11.8</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.8-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           A race condition could trigger an assertion failure when
           a large number of incoming packets were being rejected.
           This flaw is disclosed in CVE-2019-6471. [GL #942]
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.7"></a>Notes for BIND 9.11.7</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.7-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
           option could be exceeded in some cases. This could lead to
           exhaustion of file descriptors. This flaw is disclosed in
           CVE-2018-5743. [GL #615]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.7-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<p>
           When <span class="command"><strong>trusted-keys</strong></span> and
           <span class="command"><strong>managed-keys</strong></span> are both configured for the
           same name, or when <span class="command"><strong>trusted-keys</strong></span> is used to
@@ -382,26 +953,23 @@
           <code class="literal">auto</code>, automatic RFC 5011 key
           rollovers will fail.
         </p>
-        <p>
+<p>
           This combination of settings was never intended to work,
           but there was no check for it in the parser. This has been
           corrected; a warning is now logged. (In BIND 9.15 and
           higher this error will be fatal.) [GL #868]
         </p>
-      </li></ul></div>
-  </div>
-
+</li></ul></div>
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.6"></a>Notes for BIND 9.11.6</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.6-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Code change #4964, intended to prevent double signatures
           when deleting an inactive zone DNSKEY in some situations,
           introduced a new problem during zone processing in which
@@ -412,134 +980,105 @@
           NSEC/NSEC3 chain, but incompletely -- this can result in
           a broken chain, affecting validation of proof of nonexistence
           for records in the zone. [GL #771]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
           security root with <span class="command"><strong>managed-keys</strong></span> and the
           authoritative zone rolled the key to an algorithm not supported
           by BIND 9.  This flaw is disclosed in CVE-2018-5745. [GL #780]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> leaked memory when processing a
           request with multiple Key Tag EDNS options present. ISC
           would like to thank Toshifumi Sakaguchi for bringing this
           to our attention.  This flaw is disclosed in CVE-2018-5744.
           [GL #772]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Zone transfer controls for writable DLZ zones were not
           effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
           not being called for such zones. This flaw is disclosed in
           CVE-2019-6465. [GL #790]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.6-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the
           <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when
           the standard output is not a tty (e.g. not used by human).  The command
           line options +idnin and +idnout need to be used to enable IDN
           processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span>
           is used from the shell scripts.
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
+</div>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.5"></a>Notes for BIND 9.11.5</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.5-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could crash during recursive processing
           of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
           in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.5-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Two new update policy rule types have been added
           <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
           which allow machines with Kerberos principals to update
           the name space at or below the machine names identified
           in the respective principals.
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.5-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
           between views of the same name but different class; this
           has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
           option. [GL #105]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.5-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           When a negative trust anchor was added to multiple views
           using <span class="command"><strong>rndc nta</strong></span>, the text returned via
           <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
           first line, making it appear that only one NTA had been
           added. This has been fixed. [GL #105]
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
+</div>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.4"></a>Notes for BIND 9.11.4</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
           and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
           should be limited to local networks, but they were inadvertently set
           to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
           remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
           mechanism. This enables validating resolvers to indicate
           which trust anchors are configured for the root, so that
@@ -547,16 +1086,15 @@
           To disable this feature, add
           <span class="command"><strong>root-key-sentinel no;</strong></span> to
           <code class="filename">named.conf</code>.
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           Added the ability not to return a DNS COOKIE option when one
           is present in the request.  To prevent a cookie being returned,
           add <span class="command"><strong>answer-cookie no;</strong></span> to
           <code class="filename">named.conf</code>. [GL #173]
         </p>
-        <p>
+<p>
           <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
           temporary measure, for use when <span class="command"><strong>named</strong></span>
           shares an IP address with other servers that do not yet
@@ -568,106 +1106,85 @@
           mechanism, and should not be disabled unless absolutely
           necessary.
         </p>
-      </li>
+</li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           <span class="command"><strong>named</strong></span> will now log a warning if the old
           BIND now can be compiled against libidn2 library to add
           IDNA2008 support.  Previously BIND only supported IDNA2003
           using (now obsolete) idnkit-1 library.
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
           processing on the input domain name, when BIND is compiled
           with IDN support.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
           supported.  The first <span class="command"><strong>cookie-secret</strong></span> in
           <code class="filename">named.conf</code> is used to generate new
           server cookies.  Any others are used to accept old server
           cookies or those generated by other servers using the
           matching <span class="command"><strong>cookie-secret</strong></span>.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> now rejects excessively large
           incremental (IXFR) zone transfers in order to prevent
           possible corruption of journal files which could cause
           <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc reload</strong></span> could cause <span class="command"><strong>named</strong></span>
           to leak memory if it was invoked before the zone loading actions
           from a previous <span class="command"><strong>rndc reload</strong></span> command were
           completed. [RT #47076]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.3"></a>Notes for BIND 9.11.3</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.3-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Addresses could be referenced after being freed during resolver
           processing, causing an assertion failure. The chances of this
           happening were remote, but the introduction of a delay in
           resolution increased them. This bug is disclosed in
           CVE-2017-3145. [RT #46839]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           update-policy rules that otherwise ignore the name field now
           require that it be set to "." to ensure that any type list
           present is properly interpreted.  If the name field was omitted
           from the rule declaration and a type list was present it wouldn't
           be interpreted as expected.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.3-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           The ISC DNSSEC Lookaside Validation (DLV) service has
           been shut down; all DLV records in the dlv.isc.org zone
           have been removed.  References to the service have been
@@ -677,24 +1194,19 @@
           Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
           <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
           anchor results in a warning being issued.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> will now log a warning if the old
           root DNSSEC key is explicitly configured and has not been updated.
           [RT #43670]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="proto_changes"></a>Protocol Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
           signing algorithms described in RFC 8080. Note, however, that
           these algorithms must be supported in OpenSSL;
@@ -703,25 +1215,20 @@
           <a class="link" href="https://github.com/openssl/openssl" target="_top">
             https://github.com/openssl/openssl</a>.
           [RT #44696]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When parsing DNS messages, EDNS KEY TAG options are checked
           for correctness. When printing messages (for example, in
           <span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
           in readable format.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.3-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> will no longer start or accept
           reconfiguration if <span class="command"><strong>managed-keys</strong></span> or
           <span class="command"><strong>dnssec-validation auto</strong></span> are in use and
@@ -729,280 +1236,216 @@
           <span class="command"><strong>managed-keys-directory</strong></span>, and defaulting
           to the working directory if not specified),
           is not writable by the effective user ID. [RT #46077]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
           updates from any source so long as they were signed by the
           locally-generated session key. This has been further restricted;
           updates are now only accepted from locally configured addresses.
           [RT #45492]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.3-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Attempting to validate improperly unsigned CNAME responses
           from secure zones could cause a validator loop. This caused
           a delay in returning SERVFAIL and also increased the chances
           of encountering the crash bug described in CVE-2017-3145.
           [RT #46839]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
           zones to load correctly could leave the system in an inconsistent
           state; while generally harmless, this could lead to a crash later
           when using <span class="command"><strong>rndc addzone</strong></span>.  Reconfiguration changes
           are now fully rolled back in the event of failure. [RT #45841]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Some header files included &lt;isc/util.h&gt; incorrectly as
           it pollutes with namespace with non ISC_ macros and this should
           only be done by explicitly including &lt;isc/util.h&gt;.  This
           has been corrected.  Some code may depend on &lt;isc/util.h&gt;
           being implicitly included via other header files.  Such
           code should explicitly include &lt;isc/util.h&gt;.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Zones created with <span class="command"><strong>rndc addzone</strong></span> could
           temporarily fail to inherit the <span class="command"><strong>allow-transfer</strong></span>
           ACL set in the <span class="command"><strong>options</strong></span> section of
           <code class="filename">named.conf</code>. [RT #46603]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> failed to properly determine whether
           there were active KSK and ZSK keys for an algorithm when
           <span class="command"><strong>update-check-ksk</strong></span> was true (which is the
           default setting). This could leave records unsigned
           when rolling keys. [RT #46743] [RT #46754] [RT #46774]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.2"></a>Notes for BIND 9.11.2</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.2-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           An error in TSIG handling could permit unauthorized zone
           transfers or zone updates. These flaws are disclosed in
           CVE-2017-3142 and CVE-2017-3143. [RT #45383]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The BIND installer on Windows used an unquoted service path,
           which can enable privilege escalation. This flaw is disclosed
           in CVE-2017-3141. [RT #45229]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           With certain RPZ configurations, a response with TTL 0
           could cause <span class="command"><strong>named</strong></span> to go into an infinite
           query loop. This flaw is disclosed in CVE-2017-3140.
           [RT #45181]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.2-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
           for EDNS options in addition to numeric values. For example,
           an EDNS Client-Subnet option could be sent using
           <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
           John Worley of Secure64 for the contribution. [RT #44461]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
           names to assist debugging on operating systems that support that.
           Threads will have names such as "isc-timer", "isc-sockmgr",
           "isc-worker0001", and so on. This will affect the reporting of
           subsidiary thread names in <span class="command"><strong>ps</strong></span> and
           <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           DiG now warns about .local queries which are reserved for
           Multicast DNS. [RT #44783]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.2-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Fixed a bug that was introduced in an earlier development
           release which caused multi-packet AXFR and IXFR messages to fail
           validation if not all packets contained TSIG records; this
           caused interoperability problems with some other DNS
           implementations. [RT #45509]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
           fail on some platforms when LMDB was in use. [RT #45203]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Due to some incorrectly deleted code, when BIND was
           built with LMDB, zones that were deleted via
           <span class="command"><strong>rndc delzone</strong></span> were removed from the
           running server but were not removed from the new zone
           database, so that deletion did not persist after a
           server restart. This has been corrected. [RT #45185]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Semicolons are no longer escaped when printing CAA and
           URI records.  This may break applications that depend on the
           presence of the backslash before the semicolon. [RT #45216]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           AD could be set on truncated answer with no records present
           in the answer and authority sections. [RT #45140]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.1"></a>Notes for BIND 9.11.1</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>rndc ""</strong></span> could trigger an assertion failure
           in <span class="command"><strong>named</strong></span>. This flaw is disclosed in
           (CVE-2017-3138). [RT #44924]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Some chaining (i.e., type CNAME or DNAME) responses to upstream
           queries could trigger assertion failures. This flaw is disclosed
           in CVE-2017-3137. [RT #44734]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
           can result in an assertion failure. This flaw is disclosed in
           CVE-2017-3136. [RT #44653]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           If a server is configured with a response policy zone (RPZ)
           that rewrites an answer with local data, and is also configured
           for DNS64 address mapping, a NULL pointer can be read
           triggering a server crash.  This flaw is disclosed in
           CVE-2017-3135. [RT #44434]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A coding error in the <code class="option">nxdomain-redirect</code>
           feature could lead to an assertion failure if the redirection
           namespace was served from a local authoritative data source
           such as a local zone or a DLZ instead of via recursive
           lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could mishandle authority sections
           with missing RRSIGs, triggering an assertion failure. This
           flaw is disclosed in CVE-2016-9444. [RT #43632]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> mishandled some responses where
           covering RRSIG records were returned without the requested
           data, resulting in an assertion failure. This flaw is
           disclosed in CVE-2016-9147. [RT #43548]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
           records which could trigger an assertion failure when there was
           a class mismatch. This flaw is disclosed in CVE-2016-9131.
           [RT #43522]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           It was possible to trigger assertions when processing
           responses containing answers of type DNAME. This flaw is
           disclosed in CVE-2016-8864. [RT #43465]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Added the ability to specify the maximum number of records
           permitted in a zone (<code class="option">max-records #;</code>).
           This provides a mechanism to block overly large zone
           transfers, which is a potential risk with slave zones from
           other parties, as described in CVE-2016-6170.
           [RT #42143]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
           addresses for all messages, instead of only the remote address.
           The default output format for <span class="command"><strong>dnstap-read</strong></span> has
@@ -1010,104 +1453,79 @@
           address first and the responding address second, separated by
           "-%gt;" or "%lt;-" to indicate in which direction the message
           was sent. [RT #43595]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Expanded and improved the YAML output from
           <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
           size and a detailed breakdown of message contents.
           [RT #43622] [RT #43642]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           If an ACL is specified with an address prefix in which the
           prefix length is longer than the address portion (for example,
           192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
           In future releases this will be a fatal configuration error.
           [RT #43367]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           A synthesized CNAME record appearing in a response before the
           associated DNAME could be cached, when it should not have been.
           This was a regression introduced while addressing CVE-2016-8864.
           [RT #44318]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could deadlock if multiple changes
           to NSEC/NSEC3 parameters for the same zone were being processed
           at the same time. [RT #42770]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could trigger an assertion when
           sending NOTIFY messages. [RT #44019]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
           statement could cause an assertion failure during configuration.
           [RT #43787]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc addzone</strong></span> could cause a crash
           when attempting to add a zone with a type other than
           <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
           Such zones are now rejected. [RT #43665]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could hang when encountering log
           file names with large apparent gaps in version number (for
           example, when files exist called "logfile.0", "logfile.1",
           and "logfile.1482954169").  This is now handled correctly.
           [RT #38688]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           If a zone was updated while <span class="command"><strong>named</strong></span> was
           processing a query for nonexistent data, it could return
           out-of-sync NSEC3 records causing potential DNSSEC validation
           failure. [RT #43247]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-maint"></a>Maintenance</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           The built-in root hints have been updated to include an
           IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-misc"></a>Miscellaneous Notes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Authoritative server support for the EDNS Client Subnet option
           (ECS), introduced in BIND 9.11.0, was based on an early version
           of the specification, and is now known to have incompatibilities
@@ -1117,51 +1535,43 @@
           testing purposes but is not recommended for for production use.
           This was not made sufficiently clear in the documentation at
           the time of release.
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.0"></a>Notes for BIND 9.11.0</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.0-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           It was possible to trigger a assertion when rendering a
           message using a specially crafted request. This flaw is
           disclosed in CVE-2016-2776. [RT #43139]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
          getrrsetbyname with a non absolute name could trigger an
          infinite recursion bug in lwresd and named with lwres
          configured if when combined with a search list entry the
          resulting name is too long.  This flaw is disclosed in
          CVE-2016-2775. [RT #42694]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.0-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
+<p>
           A new method of provisioning secondary servers called
           "Catalog Zones" has been added. This is an implementation of
           <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
             draft-muks-dnsop-dns-catalog-zones/
           </a>.
         </p>
-        <p>
+<p>
           A catalog zone is a regular DNS zone which contains a list
           of "member zones", along with the configuration options for
           each of those zones.  When a server is configured to use a
@@ -1174,32 +1584,30 @@
           propagated to slaves using the standard AXFR/IXFR update
           mechanism.
         </p>
-        <p>
+<p>
           This feature should be considered experimental. It currently
           supports only basic features; more advanced features such as
           ACLs and TSIG keys are not yet supported. Example catalog
           zone configurations can be found in the Chapter 9 of the
           BIND Administrator Reference Manual.
         </p>
-        <p>
+<p>
           Support for master entries with TSIG keys has been added to catalog
           zones, as well as support for allow-query and allow-transfer.
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
           <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           Added support for DynDB, a new interface for loading zone data
           from an external database, developed by Red Hat for the FreeIPA
           project.  (Thanks in particular to Adam Tkac and Petr
           Spacek of Red Hat for the contribution.)
         </p>
-        <p>
+<p>
           Unlike the existing DLZ and SDB interfaces, which provide a
           limited subset of database functionality within BIND -
           translating DNS queries into real-time database lookups with
@@ -1207,22 +1615,22 @@
           DNSSEC-signed data - DynDB is able to fully implement
           and extend the database API used natively by BIND.
         </p>
-        <p>
+<p>
           A DynDB module could pre-load data from an external data
           source, then serve it with the same performance and
           functionality as conventional BIND zones, and with the
           ability to take advantage of database features not
           available in BIND, such as multi-master replication.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           Fetch quotas are now compiled in by default: they
           no longer require BIND to be configured with
           <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
           when the feature was introduced in BIND 9.10.3.
         </p>
-        <p>
+<p>
           These quotas limit the queries that are sent by recursive
           resolvers to authoritative servers experiencing denial-of-service
           attacks. They can both reduce the harm done to authoritative
@@ -1230,9 +1638,8 @@
           experienced by recursive servers when they are being used as a
           vehicle for such an attack.
         </p>
-        <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem">
-            <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
+<li class="listitem"><p>
               <code class="option">fetches-per-server</code> limits the number of
               simultaneous queries that can be sent to any single
               authoritative server.  The configured value is a starting
@@ -1240,41 +1647,38 @@
               partially or completely non-responsive. The algorithm used to
               adjust the quota can be configured via the
               <code class="option">fetch-quota-params</code> option.
-            </p>
-          </li>
-<li class="listitem">
-            <p>
+            </p></li>
+<li class="listitem"><p>
               <code class="option">fetches-per-zone</code> limits the number of
               simultaneous queries that can be sent for names within a
               single domain.  (Note: Unlike "fetches-per-server", this
               value is not self-tuning.)
-            </p>
-          </li>
+            </p></li>
 </ul></div>
-        <p>
+<p>
           Statistics counters have also been added to track the number
           of queries affected by these quotas.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
           flexible method for capturing and logging DNS traffic,
           developed by Robert Edmonds at Farsight Security, Inc.,
           whose assistance is gratefully acknowledged.
         </p>
-        <p>
+<p>
           To enable <span class="command"><strong>dnstap</strong></span> at compile time,
           the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
           libraries must be available, and BIND must be configured with
           <code class="option">--enable-dnstap</code>.
         </p>
-        <p>
+<p>
           A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
           to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
           a human-readable format.
         </p>
-        <p>
+<p>
           <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
           output files to be rolled like log files -- the most recent output
           file is renamed with a <code class="filename">.0</code> suffix, the next
@@ -1284,18 +1688,18 @@
           argument specifies how many backup log files to retain; if not
           specified or set to 0, there is no limit.
         </p>
-        <p>
+<p>
           <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
           the <span class="command"><strong>dnstap</strong></span> output channel without renaming
           the output file.
         </p>
-        <p>
+<p>
           For more information on <span class="command"><strong>dnstap</strong></span>, see
           <a class="link" href="https://dnstap.info" target="_top">https://dnstap.info</a>.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           New statistics counters have been added to track traffic
           sizes, as specified in RSSAC002.  Query and response
           message sizes are broken up into ranges of histogram buckets:
@@ -1307,13 +1711,13 @@
           or
           <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
         </p>
-        <p>
+<p>
                 Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
                 rcode-volume reporting are now collected.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           A new DNSSEC key management utility,
           <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
           is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
@@ -1327,25 +1731,24 @@
           the configured policy changes, keys are corrected automatically.
           See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
         </p>
-        <p>
+<p>
           Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
           the Python lex/yacc module, PLY. The other Python-based tools,
           <span class="command"><strong>dnssec-coverage</strong></span> and
           <span class="command"><strong>dnssec-checkds</strong></span>, have been
           refactored and updated as part of this work.
         </p>
-        <p>
+<p>
           <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
           <em class="replaceable"><code>randomfile</code></em> option.
         </p>
-        <p>
+<p>
           (Many thanks to Sebastián
           Castro for his assistance in developing this tool at the IETF
           95 Hackathon in Buenos Aires, April 2016.)
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           The serial number of a dynamically updatable zone can
           now be set using
           <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
@@ -1353,10 +1756,8 @@
           zones that have been reset.  Setting the serial number to a value
           larger than that on the slaves will trigger an AXFR-style
           transfer.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When answering recursive queries, SERVFAIL responses can now be
           cached by the server for a limited time; subsequent queries for
           the same query name and type will return another SERVFAIL until
@@ -1365,10 +1766,8 @@
           on recursive servers.  The SERVFAIL cache timeout is controlled
           by <code class="option">servfail-ttl</code>, which defaults to 1 second
           and has an upper limit of 30.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
           set a "negative trust anchor" (NTA), disabling DNSSEC validation for
           a specific domain; this can be used when responses from a domain
@@ -1380,112 +1779,80 @@
           <code class="filename">named.conf</code>. When added, NTAs are stored in a
           file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
           in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The EDNS Client Subnet (ECS) option is now supported for
           authoritative servers; if a query contains an ECS option then
           ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
           elements can match against the address encoded in the option.
           This can be used to select a view for a query, so that different
           answers can be provided depending on the client network.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The EDNS EXPIRE option has been implemented on the client
           side, allowing a slave server to set the expiration timer
           correctly when transferring zone data from another slave
           server.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A new <code class="option">masterfile-style</code> zone option controls
           the formatting of text zone files:  When set to
           <code class="literal">full</code>, the zone file will dumped in
           single-line-per-record format.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
           arbitrary EDNS options in DNS requests.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
           yet-to-be-defined EDNS flags in DNS requests.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
           disable EDNS version negotiation.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +header-only</strong></span> can now be used to send
           queries without a question section.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
           to print TTL values with time-unit suffixes: w, d, h, m, s for
           weeks, days, hours, minutes, and seconds.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
           unassigned DNS header flag bit.  This bit is normally zero.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
           can now be used to set the DSCP code point in outgoing query
           packets.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
           if mapped IPv4 addresses can be used.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>nslookup</strong></span> will now look up IPv6 as well
           as IPv4 addresses by default. [RT #40420]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <code class="option">serial-update-method</code> can now be set to
           <code class="literal">date</code>. On update, the serial number will
           be set to the current date in YYYYMMDDNN format.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
           number to YYYYMMDDNN.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
           causes <span class="command"><strong>named</strong></span> to send log messages to the
           specified file by default instead of to the system log.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The rate limiter configured by the
           <code class="option">serial-query-rate</code> option no longer covers
           NOTIFY messages; those are now separately controlled by
@@ -1493,31 +1860,23 @@
           <code class="option">startup-notify-rate</code> (the latter of which
           controls the rate of NOTIFY messages sent when the server
           is first started up or reconfigured).
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The default number of tasks and client objects available
           for serving lightweight resolver queries have been increased,
           and are now configurable via the new <code class="option">lwres-tasks</code>
           and <code class="option">lwres-clients</code> options in
           <code class="filename">named.conf</code>. [RT #35857]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Log output to files can now be buffered by specifying
           <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
           sending queries.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> will now check to see whether
           other name server processes are running before starting up.
           This is implemented in two ways: 1) by refusing to start
@@ -1529,10 +1888,8 @@
           <code class="filename">/var/run/named/named.lock</code>.
           Specifying <code class="literal">none</code> will disable the lock
           file check.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
           which were configured in <code class="filename">named.conf</code>;
           it is no longer restricted to zones which were added by
@@ -1540,22 +1897,17 @@
           this does not edit <code class="filename">named.conf</code>; the zone
           must be removed from the configuration or it will return
           when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
           a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc showzone</strong></span> displays the current
           configuration for a specified zone.
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           When BIND is built with the <span class="command"><strong>lmdb</strong></span> library
           (Lightning Memory-Mapped Database), <span class="command"><strong>named</strong></span>
           will store the configuration information for zones
@@ -1567,70 +1919,61 @@
           the contents of a database is much faster than rewriting
           a text file.
         </p>
-        <p>
+<p>
           On startup, if <span class="command"><strong>named</strong></span> finds an existing
           NZF file, it will automatically convert it to the new NZD
           database format.
         </p>
-        <p>
+<p>
           To view the contents of an NZD, or to convert an
           NZD back to an NZF file (for example, to revert back
           to an earlier version of BIND which did not support the
           NZD format), use the new command <span class="command"><strong>named-nzd2nzf</strong></span>
           [RT #39837]
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           Added server-side support for pipelined TCP queries.  Clients
           may continue sending queries via TCP while previous queries are
           processed in parallel.  Responses are sent when they are
           ready, not necessarily in the order in which the queries were
           received.
         </p>
-        <p>
+<p>
           To revert to the former behavior for a particular
           client address or range of addresses, specify the address prefix
           in the "keep-response-order" option.  To revert to the former
           behavior for all clients, use "keep-response-order { any; };".
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           The new <span class="command"><strong>mdig</strong></span> command is a version of
           <span class="command"><strong>dig</strong></span> that sends multiple pipelined
           queries and then waits for responses, instead of sending one
           query and waiting the response before sending the next. [RT #38261]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           To enable better monitoring and troubleshooting of RFC 5011
           trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
           can be used to check status of trust anchors or to force keys
           to be refreshed.  Also, the managed-keys data file now has
           easier-to-read comments. [RT #38458]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
           now available to enable very verbose query trace logging. This
           option can only be set at compile time. This option has a
           negative performance impact and should be used only for
           debugging. [RT #37520]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A new <span class="command"><strong>tcp-only</strong></span> option can be specified
           in <span class="command"><strong>server</strong></span> statements to force
           <span class="command"><strong>named</strong></span> to connect to the specified
           server via TCP. [RT #37800]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
           a DNS namespace to use for NXDOMAIN redirection. When a
           recursive lookup returns NXDOMAIN, a second lookup is
@@ -1640,25 +1983,19 @@
           queries to other servers. (The older method, using
           a single <span class="command"><strong>type redirect</strong></span> zone, has
           better average performance but is less flexible.) [RT #37989]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The following types have been implemented: CSYNC, NINFO, RKEY,
           SINK, TA, TALINK.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A new <span class="command"><strong>message-compression</strong></span> option can be
           used to specify whether or not to use name compression when
           answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
           results in larger responses, but reduces CPU consumption and
           may improve throughput.  The default is <strong class="userinput"><code>yes</code></strong>.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A <span class="command"><strong>read-only</strong></span> option is now available in the
           <span class="command"><strong>controls</strong></span> statement to grant non-destructive
           control channel access. In such cases, a restricted set of
@@ -1667,28 +2004,22 @@
           reconfigure or stop the server. By default, the control channel
           access is <span class="emphasis"><em>not</em></span> restricted to these
           read-only operations. [RT #40498]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When loading a signed zone, <span class="command"><strong>named</strong></span> will
           now check whether an RRSIG's inception time is in the future,
           and if so, it will regenerate the RRSIG immediately. This helps
           when a system's clock needs to be reset backwards.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
           of answers to UDP queries for type ANY by implementing one of
           the strategies in "draft-ietf-dnsop-refuse-any": returning
           a single arbitrarily-selected RRset that matches the query
           name rather than returning all of the matching RRsets.
           Thanks to Tony Finch for the contribution. [RT #41615]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> now provides feedback to the
           owners of zones which have trust anchors configured
           (<span class="command"><strong>trusted-keys</strong></span>,
@@ -1698,61 +2029,50 @@
           configured trust anchors for the zone.  This is controlled
           by <span class="command"><strong>trust-anchor-telemetry</strong></span> and defaults
           to yes.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.0-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
+<p>
           The logging format used for <span class="command"><strong>querylog</strong></span> has been
           altered. It now includes an additional field indicating the
           address in memory of the client object processing the query.
         </p>
-        <p>
+<p>
           The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
           to be disabled in 2017.  A warning is now logged when
           <span class="command"><strong>named</strong></span> is configured to use this service,
           either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
           [RT #42207]
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           The timers returned by the statistics channel (indicating current
           time, server boot time, and most recent reconfiguration time) are
           now reported with millisecond accuracy. [RT #40082]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Updated the compiled-in addresses for H.ROOT-SERVERS.NET
           and L.ROOT-SERVERS.NET.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
           not correctly matched unless the full organization name was
           specified in the ACL (as in
           <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
           They can now match against the AS number alone (as in
           <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When using native PKCS#11 cryptography (i.e.,
           <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
           of up to 256 characters can now be used.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           NXDOMAIN responses to queries of type DS are now cached separately
           from those for other types. This helps when using "grafted" zones
           of type forward, for which the parent zone does not contain a
@@ -1762,29 +2082,21 @@
           change is only helpful when DNSSEC validation is not enabled.
           "Grafted" zones without a delegation in the parent are not a
           recommended configuration.)
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Update forwarding performance has been improved by allowing
           a single TCP connection to be shared between multiple updates.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           By default, <span class="command"><strong>nsupdate</strong></span> will now check
           the correctness of hostnames when adding records of type
           A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
           disabled with <span class="command"><strong>check-names no</strong></span>.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Added support for OPENPGPKEY type.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The names of the files used to store managed keys and added
           zones for each view are no longer based on the SHA256 hash
           of the view name, except when this is necessary because the
@@ -1797,80 +2109,64 @@
           or <code class="filename">external.nzf</code>).  However, to ensure
           consistent behavior when upgrading, if a file using the old
           name format is found to exist, it will continue to be used.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           "rndc" can now return text output of arbitrary size to
           the caller. (Prior to this, certain commands such as
           "rndc tsig-list" and "rndc zonestatus" could return
           truncated output.)
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
           (e.g., when a zone file cannot be loaded) have been clarified
           to make it easier to diagnose problems.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When encountering an authoritative name server whose name is
           an alias pointing to another name, the resolver treats
           this as an error and skips to the next server. Previously
           this happened silently; now the error will be logged to
           the newly-created "cname" log category.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           If <span class="command"><strong>named</strong></span> is not configured to validate
           answers, then allow fallback to plain DNS on timeout even when
           we know the server supports EDNS.  This will allow the server to
           potentially resolve signed queries when TCP is being
           blocked.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Large inline-signing changes should be less disruptive.
           Signature generation is now done incrementally; the number
           of signatures to be generated in each quantum is controlled
           by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
           [RT #37927]
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           The experimental SIT option (code point 65001) of BIND
           9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
           option (code point 10). It is no longer experimental, and
           is sent by default, by both <span class="command"><strong>named</strong></span> and
           <span class="command"><strong>dig</strong></span>.
         </p>
-        <p>
+<p>
           The SIT-related named.conf options have been marked as
           obsolete, and are otherwise ignored.
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
           response or a BADCOOKIE response code from a server, it
           will automatically retry the query using the server COOKIE
           that was returned by the server in its initial response.
           [RT #39047]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Retrieving the local port range from net.ipv4.ip_local_port_range
           on Linux is now supported.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A new <code class="option">nsip-wait-recurse</code> directive has been
           added to RPZ, specifying whether to look up unknown name server
           IP addresses and wait for a response before applying RPZ-NSIP rules.
@@ -1881,131 +2177,105 @@
           be applied on subsequent queries. This improves performance when
           the cache is cold, at the cost of temporary imprecision in applying
           policy directives. [RT #35009]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Within the <code class="option">response-policy</code> option, it is now
           possible to configure RPZ rewrite logging on a per-zone basis
           using the <code class="option">log</code> clause.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The default preferred glue is now the address type of the
           transport the query was received over.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           On machines with 2 or more processors (CPU), the default value
           for the number of UDP listeners has been changed to the number
           of detected processors minus one.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Zone transfers now use smaller message sizes to improve
           message compression. This results in reduced network usage.
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           Added support for the AVC resource record type (Application
           Visibility and Control).
         </p>
-        <p>
+<p>
           Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
           added zones are loaded asynchronously and the loading does not
           block the server.
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           <span class="command"><strong>minimal-responses</strong></span> now takes two new
           arguments: <code class="option">no-auth</code> suppresses
           populating the authority section but not the additional
           section; <code class="option">no-auth-recursive</code>
           does the same but only when answering recursive queries.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           At server startup time, the queues for processing
           notify and zone refresh queries are now processed in
           LIFO rather than FIFO order, to speed up
           loading of newly added zones. [RT #42825]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When answering queries of type MX or SRV, TLSA records for
           the target name are now included in the additional section
           to speed up DANE processing. [RT #42894]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> can now use the TCP Fast Open
           mechanism on the server side, if supported by the
           local operating system. [RT #42866]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.0-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
           Windows builds: some Visual Studio compilers generate code that
           crashes when the "%z" printf() format specifier is used. [RT #42380]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Windows installs were failing due to triggering UAC without
           the installation binary being signed.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A change in the internal binary representation of the RBT database
           node structure enabled a race condition to occur (especially when
           BIND was built with certain compilers or optimizer settings),
           leading to inconsistent database state which caused random
           assertion failures. [RT #42380]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
-  <p>
+<p>
     BIND 9.11 (Extended Support Version) will be supported until at
     least December, 2021.
   </p>
-  <p>
+<p>
     See <a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
     for details of ISC's software support policy.
   </p>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
-  <p>
+<p>
     Thank you to everyone who assisted us in making this release possible.
   </p>
 </div>
 </div>
-    </div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -2024,6 +2294,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch10.html b/bind/bind9/doc/arm/Bv9ARM.ch10.html
index 90db26cd..ec1f1f80 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch10.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch10.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix B. A Brief History of the DNS and BIND</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
@@ -35,9 +35,9 @@
 <div class="titlepage"><div><div><h1 class="title">
 <a name="Bv9ARM.ch10"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
 </h1></div></div></div>
-      <p><a name="historical_dns_information"></a>
-        Although the "official" beginning of the Domain Name
-        System occurred in 1984 with the publication of RFC 920, the
+<p><a name="historical_dns_information"></a>
+        Although the Domain Name
+        System "officially" began in 1984 with the publication of RFC 920, the
         core of the new system was described in 1983 in RFCs 882 and
         883. From 1984 to 1987, the ARPAnet (the precursor to today's
         Internet) became a testbed of experimentation for developing the
@@ -45,14 +45,13 @@
         operational network environment.  New RFCs were written and
         published in 1987 that modified the original documents to
         incorporate improvements based on the working model. RFC 1034,
-        "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
-        Names-Implementation and Specification" were published and
+        "Domain Names-Concepts and Facilities," and RFC 1035, "Domain
+        Names-Implementation and Specification," were published and
         became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
         built.
       </p>
-
-      <p>
-        The first working domain name server, called "Jeeves", was
+<p>
+        The first working domain name server, called "Jeeves," was
         written in 1983-84 by Paul Mockapetris for operation on DEC
         Tops-20
         machines located at the University of Southern California's
@@ -69,11 +68,11 @@
         Administration
         (DARPA).
       </p>
-      <p>
+<p>
         Versions of <acronym class="acronym">BIND</acronym> through
         4.8.3 were maintained by the Computer
         Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-        Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
+        Painter, David Riggle, and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
         project team. After that, additional work on the software package
         was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
         Corporation
@@ -84,10 +83,10 @@
         Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
         handled by Mike Karels and Øivind Kure.
       </p>
-      <p>
+<p>
         <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
         released by Digital Equipment
-        Corporation (now Compaq Computer Corporation). Paul Vixie, then
+        Corporation (which became Compaq Computer Corporation and eventually merged with Hewlett-Packard). Paul Vixie, then
         a DEC employee, became <acronym class="acronym">BIND</acronym>'s
         primary caretaker. He was assisted
         by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
@@ -96,41 +95,42 @@
         Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
         Wolfhugel, and others.
       </p>
-      <p>
+<p>
         In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
         Vixie Enterprises. Paul
         Vixie became <acronym class="acronym">BIND</acronym>'s principal
         architect/programmer.
       </p>
-      <p>
+<p>
         <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
         have been developed and maintained
-        by the Internet Systems Consortium and its predecessor,
-        the Internet Software Consortium,  with support being provided
+        by Internet Systems Consortium and its predecessor,
+        the Internet Software Consortium,  with support provided
         by ISC's sponsors.
       </p>
-      <p>
+<p>
         As co-architects/programmers, Bob Halley and
         Paul Vixie released the first production-ready version of
         <acronym class="acronym">BIND</acronym> version 8 in May 1997.
       </p>
-      <p>
+<p>
         BIND version 9 was released in September 2000 and is a
         major rewrite of nearly all aspects of the underlying
         BIND architecture.
       </p>
-      <p>
+<p>
         BIND versions 4 and 8 are officially deprecated.
         No additional development is done
         on BIND version 4 or BIND version 8.
       </p>
-      <p>
+<p>
         <acronym class="acronym">BIND</acronym> development work is made
         possible today by the sponsorship
-        of several corporations, and by the tireless work efforts of
+        of corporations who purchase professional support services from ISC
+        (https://www.isc.org/contact/) and/or donate to our mission, and by the tireless efforts of
         numerous individuals.
       </p>
-    </div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch11.html b/bind/bind9/doc/arm/Bv9ARM.ch11.html
index 4bfd00a8..344ccffd 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch11.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch11.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix C. General DNS Reference Information</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
@@ -39,834 +39,434 @@
 <dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Requests for Comments (RFCs)</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl>
 </div>
-
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h2></div></div></div>
-
-          <p>
-            IPv6 addresses are 128-bit identifiers for interfaces and
-            sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
+<p>
+            IPv6 addresses are 128-bit identifiers, for interfaces and
+            sets of interfaces, which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
             scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
             an identifier for a single interface;
             <span class="emphasis"><em>Anycast</em></span>,
             an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
             an identifier for a set of interfaces. Here we describe the global
             Unicast address scheme. For more information, see RFC 3587,
-            "Global Unicast Address Format."
+            "IPv6 Global Unicast Address Format."
           </p>
-          <p>
+<p>
             IPv6 unicast addresses consist of a
             <span class="emphasis"><em>global routing prefix</em></span>, a
             <span class="emphasis"><em>subnet identifier</em></span>, and an
             <span class="emphasis"><em>interface identifier</em></span>.
           </p>
-          <p>
+<p>
             The global routing prefix is provided by the
-            upstream provider or ISP, and (roughly) corresponds to the
+            upstream provider or ISP, and roughly corresponds to the
             IPv4 <span class="emphasis"><em>network</em></span> section
             of the address range.
 
-            The subnet identifier is for local subnetting, much the
-            same as subnetting an
+            The subnet identifier is for local subnetting, much
+            like subnetting an
             IPv4 /16 network into /24 subnets.
 
             The interface identifier is the address of an individual
             interface on a given network; in IPv6, addresses belong to
             interfaces rather than to machines.
           </p>
-          <p>
+<p>
             The subnetting capability of IPv6 is much more flexible than
-            that of IPv4: subnetting can be carried out on bit boundaries,
+            that of IPv4; subnetting can be carried out on bit boundaries,
             in much the same way as Classless InterDomain Routing
             (CIDR), and the DNS PTR representation ("nibble" format)
             makes setting up reverse zones easier.
           </p>
-          <p>
-            The Interface Identifier must be unique on the local link,
+<p>
+            The interface identifier must be unique on the local link,
             and is usually generated automatically by the IPv6
             implementation, although it is usually possible to
             override the default setting if necessary.  A typical IPv6
             address might look like:
-            <span class="command"><strong>2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>
+            <span class="command"><strong>2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>.
           </p>
-          <p>
+<p>
             IPv6 address specifications often contain long strings
             of zeros, so the architects have included a shorthand for
             specifying
-            them. The double colon (`::') indicates the longest possible
+            them. The double colon ("::") indicates the longest possible
             string
             of zeros that can fit, and can be used only once in an address.
           </p>
-      </div>
-      <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div>
-
-        <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
-
-          <p>
+<a name="rfcs"></a>Requests for Comments (RFCs)</h3></div></div></div>
+<p>
             Specification documents for the Internet protocol suite, including
             the <acronym class="acronym">DNS</acronym>, are published as part of
             the Request for Comments (RFCs)
             series of technical notes. The standards themselves are defined
             by the Internet Engineering Task Force (IETF) and the Internet
-            Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
+            Engineering Steering Group (IESG). RFCs can be obtained online at:
           </p>
-          <p>
-            <a class="link" href="ftp://www.isi.edu/in-notes/" target="_top">
-              ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt
+<p>
+            <a class="link" href="https://datatracker.ietf.org/doc/" target="_top">
+            https://datatracker.ietf.org/doc/
             </a>
           </p>
-          <p>
-            (where <em class="replaceable"><code>xxxx</code></em> is
-            the number of the RFC). RFCs are also available via the Web at:
-          </p>
-          <p>
-            <a class="link" href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
-          </p>
-          <div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.3.2.6"></a>Bibliography</h4></div></div></div>
-            <div class="bibliodiv">
-              
-
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.1.2"></a><p>[<abbr class="abbrev">RFC974</abbr>] 
-                
-                <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span>
-                <span class="citetitle"><em class="citetitle">Mail Routing and the Domain System</em>. </span>
-                <span class="pubdate">January 1986. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.1.3"></a><p>[<abbr class="abbrev">RFC1034</abbr>] 
-                
-                <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Names &#8212; Concepts and Facilities</em>. </span>
-                <span class="pubdate">November 1987. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.1.4"></a><p>[<abbr class="abbrev">RFC1035</abbr>] 
-                
-                <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span> <span class="citetitle"><em class="citetitle">Domain Names &#8212; Implementation and
-                  Specification</em>. </span>
-                <span class="pubdate">November 1987. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.2"></a><p>[<abbr class="abbrev">RFC2181</abbr>] 
-                
-                <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span>
-                <span class="citetitle"><em class="citetitle">Clarifications to the <acronym class="acronym">DNS</acronym>
-                  Specification</em>. </span>
-                <span class="pubdate">July 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.3"></a><p>[<abbr class="abbrev">RFC2308</abbr>] 
-                
-                <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span>
-                <span class="citetitle"><em class="citetitle">Negative Caching of <acronym class="acronym">DNS</acronym>
-                  Queries</em>. </span>
-                <span class="pubdate">March 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.4"></a><p>[<abbr class="abbrev">RFC1995</abbr>] 
-                
-                <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span>
-                <span class="citetitle"><em class="citetitle">Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></em>. </span>
-                <span class="pubdate">August 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.5"></a><p>[<abbr class="abbrev">RFC1996</abbr>] 
-                
-                <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Mechanism for Prompt Notification of Zone Changes</em>. </span>
-                <span class="pubdate">August 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.6"></a><p>[<abbr class="abbrev">RFC2136</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span>
-                <span class="citetitle"><em class="citetitle">Dynamic Updates in the Domain Name System</em>. </span>
-                <span class="pubdate">April 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.7"></a><p>[<abbr class="abbrev">RFC2671</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">Extension Mechanisms for DNS (EDNS0)</em>. </span>
-                <span class="pubdate">August 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.8"></a><p>[<abbr class="abbrev">RFC2672</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span>
-                <span class="citetitle"><em class="citetitle">Non-Terminal DNS Name Redirection</em>. </span>
-                <span class="pubdate">August 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.9"></a><p>[<abbr class="abbrev">RFC2845</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
-                <span class="citetitle"><em class="citetitle">Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</em>. </span>
-                <span class="pubdate">May 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.10"></a><p>[<abbr class="abbrev">RFC2930</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Secret Key Establishment for DNS (TKEY RR)</em>. </span>
-                <span class="pubdate">September 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.11"></a><p>[<abbr class="abbrev">RFC2931</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Request and Transaction Signatures (SIG(0)s)</em>. </span>
-                <span class="pubdate">September 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.12"></a><p>[<abbr class="abbrev">RFC3007</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
-                <span class="citetitle"><em class="citetitle">Secure Domain Name System (DNS) Dynamic Update</em>. </span>
-                <span class="pubdate">November 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.13"></a><p>[<abbr class="abbrev">RFC3645</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span>
-                <span class="citetitle"><em class="citetitle">Generic Security Service Algorithm for Secret
+<div class="bibliography">
+<div class="titlepage"><div><div><h4 class="title"><a name="id-1.12.3.2.4"></a></h4></div></div></div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.2"></a>Standards</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.2.2"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.2.3"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.2.4"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+                  Specification</i>. </span><span class="pubdate">November 1987. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="proposed_standards"></a>Proposed Standards</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.2"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+                  Specification</i>. </span><span class="pubdate">July 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.3"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+                  Queries</i>. </span><span class="pubdate">March 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.4"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.5"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.6"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.7"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.8"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.9"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.10"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.11"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.12"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.3.13"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
-                       (GSS-TSIG)</em>. </span>
-                <span class="pubdate">October 2003. </span>
-              </p>
+                       (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.2"></a><p>[<abbr class="abbrev">RFC3225</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span>
-                <span class="citetitle"><em class="citetitle">Indicating Resolver Support of DNSSEC</em>. </span>
-                <span class="pubdate">December 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.3"></a><p>[<abbr class="abbrev">RFC3833</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span>
-                <span class="citetitle"><em class="citetitle">Threat Analysis of the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">August 2004. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.4"></a><p>[<abbr class="abbrev">RFC4033</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Security Introduction and Requirements</em>. </span>
-                <span class="pubdate">March 2005. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.5"></a><p>[<abbr class="abbrev">RFC4034</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
-                <span class="citetitle"><em class="citetitle">Resource Records for the DNS Security Extensions</em>. </span>
-                <span class="pubdate">March 2005. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.6"></a><p>[<abbr class="abbrev">RFC4035</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
-                <span class="citetitle"><em class="citetitle">Protocol Modifications for the DNS
-                       Security Extensions</em>. </span>
-                <span class="pubdate">March 2005. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.4.2"></a><p>[<abbr class="abbrev">RFC1535</abbr>] 
-                
-                <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Security Problem and Proposed Correction With Widely
-                  Deployed <acronym class="acronym">DNS</acronym> Software</em>. </span>
-                <span class="pubdate">October 1993. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.4.3"></a><p>[<abbr class="abbrev">RFC1536</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span>
-                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Implementation
-                  Errors and Suggested Fixes</em>. </span>
-                <span class="pubdate">October 1993. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.4.4"></a><p>[<abbr class="abbrev">RFC1982</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span>
-                <span class="citetitle"><em class="citetitle">Serial Number Arithmetic</em>. </span>
-                <span class="pubdate">August 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.4.5"></a><p>[<abbr class="abbrev">RFC4074</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span>
-                <span class="citetitle"><em class="citetitle">Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
-                Queries for IPv6 Addresses</em>. </span>
-                <span class="pubdate">May 2005. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.2"></a><p>[<abbr class="abbrev">RFC1183</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span>
-                <span class="citetitle"><em class="citetitle">New <acronym class="acronym">DNS</acronym> RR Definitions</em>. </span>
-                <span class="pubdate">October 1990. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.3"></a><p>[<abbr class="abbrev">RFC1706</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> NSAP Resource Records</em>. </span>
-                <span class="pubdate">October 1994. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.4"></a><p>[<abbr class="abbrev">RFC2168</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span>
-                <span class="citetitle"><em class="citetitle">Resolution of Uniform Resource Identifiers using
-                  the Domain Name System</em>. </span>
-                <span class="pubdate">June 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.5"></a><p>[<abbr class="abbrev">RFC1876</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Means for Expressing Location Information in the
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.4"></a><acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.4.2"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.4.3"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.4.4"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.4.5"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.4.6"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+                       Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.5"></a>Other Important RFCs About <acronym class="acronym">DNS</acronym>
+                Implementation</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.5.2"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+                  Deployed <acronym class="acronym">DNS</acronym> Software</i>. </span><span class="pubdate">October 1993. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.5.3"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+                  Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.5.4"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.5.5"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+                Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.6"></a>Resource Record Types</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.2"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.3"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.4"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+                  the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.5"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
                   Domain
-                  Name System</em>. </span>
-                <span class="pubdate">January 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.6"></a><p>[<abbr class="abbrev">RFC2052</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">A <acronym class="acronym">DNS</acronym> RR for Specifying the
+                  Name System</i>. </span><span class="pubdate">January 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.6"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
                   Location of
-                  Services</em>. </span>
-                <span class="pubdate">October 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.7"></a><p>[<abbr class="abbrev">RFC2163</abbr>] 
-                
-                <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span>
-                <span class="citetitle"><em class="citetitle">Using the Internet <acronym class="acronym">DNS</acronym> to
+                  Services</i>. </span><span class="pubdate">October 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.7"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
                   Distribute MIXER
-                  Conformant Global Address Mapping</em>. </span>
-                <span class="pubdate">January 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.8"></a><p>[<abbr class="abbrev">RFC2230</abbr>] 
-                
-                <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></em>. </span>
-                <span class="pubdate">October 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.9"></a><p>[<abbr class="abbrev">RFC2536</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">DSA KEYs and SIGs in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.10"></a><p>[<abbr class="abbrev">RFC2537</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.11"></a><p>[<abbr class="abbrev">RFC2538</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Storing Certificates in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.12"></a><p>[<abbr class="abbrev">RFC2539</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.13"></a><p>[<abbr class="abbrev">RFC2540</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Detached Domain Name System (DNS) Information</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.14"></a><p>[<abbr class="abbrev">RFC2782</abbr>] 
-                
-                <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span>
-                <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span>
-                <span class="citetitle"><em class="citetitle">A DNS RR for specifying the location of services (DNS SRV)</em>. </span>
-                <span class="pubdate">February 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.15"></a><p>[<abbr class="abbrev">RFC2915</abbr>] 
-                
-                <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span>
-                <span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span>
-                <span class="citetitle"><em class="citetitle">The Naming Authority Pointer (NAPTR) DNS Resource Record</em>. </span>
-                <span class="pubdate">September 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.16"></a><p>[<abbr class="abbrev">RFC3110</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">May 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.17"></a><p>[<abbr class="abbrev">RFC3123</abbr>] 
-                
-                <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span>
-                <span class="citetitle"><em class="citetitle">A DNS RR Type for Lists of Address Prefixes (APL RR)</em>. </span>
-                <span class="pubdate">June 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.18"></a><p>[<abbr class="abbrev">RFC3596</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Extensions to support IP
-                  version 6</em>. </span>
-                <span class="pubdate">October 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.19"></a><p>[<abbr class="abbrev">RFC3597</abbr>] 
-                
-                <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Handling of Unknown DNS Resource Record (RR) Types</em>. </span>
-                <span class="pubdate">September 2003. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.2"></a><p>[<abbr class="abbrev">RFC1101</abbr>] 
-                
-                <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Network Names
-                  and Other Types</em>. </span>
-                <span class="pubdate">April 1989. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.3"></a><p>[<abbr class="abbrev">RFC1123</abbr>] 
-                
-                <span class="author"><span class="surname">Braden</span>. </span>
-                <span class="citetitle"><em class="citetitle">Requirements for Internet Hosts - Application and
-                  Support</em>. </span>
-                <span class="pubdate">October 1989. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.4"></a><p>[<abbr class="abbrev">RFC1591</abbr>] 
-                
-                <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System Structure and Delegation</em>. </span>
-                <span class="pubdate">March 1994. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.5"></a><p>[<abbr class="abbrev">RFC2317</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">Classless IN-ADDR.ARPA Delegation</em>. </span>
-                <span class="pubdate">March 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.6"></a><p>[<abbr class="abbrev">RFC2826</abbr>] 
-                
-                <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span>
-                <span class="citetitle"><em class="citetitle">IAB Technical Comment on the Unique DNS Root</em>. </span>
-                <span class="pubdate">May 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.7"></a><p>[<abbr class="abbrev">RFC2929</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System (DNS) IANA Considerations</em>. </span>
-                <span class="pubdate">September 2000. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.2"></a><p>[<abbr class="abbrev">RFC1033</abbr>] 
-                
-                <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain administrators operations guide</em>. </span>
-                <span class="pubdate">November 1987. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.3"></a><p>[<abbr class="abbrev">RFC1537</abbr>] 
-                
-                <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span>
-                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Data File
-                  Configuration Errors</em>. </span>
-                <span class="pubdate">October 1993. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.4"></a><p>[<abbr class="abbrev">RFC1912</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span>
-                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Operational and
-                  Configuration Errors</em>. </span>
-                <span class="pubdate">February 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.5"></a><p>[<abbr class="abbrev">RFC2010</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">Operational Criteria for Root Name Servers</em>. </span>
-                <span class="pubdate">October 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.6"></a><p>[<abbr class="abbrev">RFC2219</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span>
-                <span class="citetitle"><em class="citetitle">Use of <acronym class="acronym">DNS</acronym> Aliases for
-                  Network Services</em>. </span>
-                <span class="pubdate">October 1997. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.8.2"></a><p>[<abbr class="abbrev">RFC2825</abbr>] 
-                
-                <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Tangled Web: Issues of I18N, Domain Names,
-                       and the Other Internet protocols</em>. </span>
-                <span class="pubdate">May 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.8.3"></a><p>[<abbr class="abbrev">RFC3490</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span>
-                <span class="citetitle"><em class="citetitle">Internationalizing Domain Names in Applications (IDNA)</em>. </span>
-                <span class="pubdate">March 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.8.4"></a><p>[<abbr class="abbrev">RFC3491</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span>
-                <span class="citetitle"><em class="citetitle">Nameprep: A Stringprep Profile for Internationalized Domain Names</em>. </span>
-                <span class="pubdate">March 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.8.5"></a><p>[<abbr class="abbrev">RFC3492</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span>
-                <span class="citetitle"><em class="citetitle">Punycode: A Bootstring encoding of Unicode
+                  Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.8"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.9"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.10"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.11"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.12"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.13"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.14"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.15"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.16"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.17"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.18"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+                  version 6</i>. </span><span class="pubdate">October 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.6.19"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.7"></a><acronym class="acronym">DNS</acronym> and the Internet</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.7.2"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+                  and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.7.3"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+                  Support</i>. </span><span class="pubdate">October 1989. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.7.4"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.7.5"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.7.6"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.7.7"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.8"></a><acronym class="acronym">DNS</acronym> Operations</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.8.2"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide</i>. </span><span class="pubdate">November 1987. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.8.3"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+                  Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.8.4"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+                  Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.8.5"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers</i>. </span><span class="pubdate">October 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.8.6"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+                  Network Services</i>. </span><span class="pubdate">October 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.8.7"></a><p>[<abbr class="abbrev">RFC8906</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Andrews</span> and <span class="firstname">R.</span> <span class="surname">Bellis</span>. </span><span class="title"><i>
+                  A Common Operational Problem in DNS Servers: Failure to Communicate
+                </i>. </span><span class="pubdate">September 2020. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.9"></a>Internationalized Domain Names</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.9.2"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+                       and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.9.3"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.9.4"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.9.5"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
-                       Applications (IDNA)</em>. </span>
-                <span class="pubdate">March 2003. </span>
-              </p>
+                       Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.10"></a>Other <acronym class="acronym">DNS</acronym>-related RFCs</h3>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                <p>
+<p>
                   Note: the following list of RFCs, although
                   <acronym class="acronym">DNS</acronym>-related, are not
                   concerned with implementing software.
                 </p>
-              </div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.3"></a><p>[<abbr class="abbrev">RFC1464</abbr>] 
-                
-                <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span>
-                <span class="citetitle"><em class="citetitle">Using the Domain Name System To Store Arbitrary String
-                  Attributes</em>. </span>
-                <span class="pubdate">May 1993. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.4"></a><p>[<abbr class="abbrev">RFC1713</abbr>] 
-                
-                <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span>
-                <span class="citetitle"><em class="citetitle">Tools for <acronym class="acronym">DNS</acronym> Debugging</em>. </span>
-                <span class="pubdate">November 1994. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.5"></a><p>[<abbr class="abbrev">RFC1794</abbr>] 
-                
-                <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Support for Load
-                  Balancing</em>. </span>
-                <span class="pubdate">April 1995. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.6"></a><p>[<abbr class="abbrev">RFC2240</abbr>] 
-                
-                <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Legal Basis for Domain Name Allocation</em>. </span>
-                <span class="pubdate">November 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.7"></a><p>[<abbr class="abbrev">RFC2345</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Names and Company Name Retrieval</em>. </span>
-                <span class="pubdate">May 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.8"></a><p>[<abbr class="abbrev">RFC2352</abbr>] 
-                
-                <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Convention For Using Legal Names as Domain Names</em>. </span>
-                <span class="pubdate">May 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.9"></a><p>[<abbr class="abbrev">RFC3071</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span>
-                <span class="citetitle"><em class="citetitle">Reflections on the DNS, RFC 1591, and Categories of Domains</em>. </span>
-                <span class="pubdate">February 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.10"></a><p>[<abbr class="abbrev">RFC3258</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span>
-                <span class="citetitle"><em class="citetitle">Distributing Authoritative Name Servers via
-                       Shared Unicast Addresses</em>. </span>
-                <span class="pubdate">April 2002. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.11"></a><p>[<abbr class="abbrev">RFC3901</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS IPv6 Transport Operational Guidelines</em>. </span>
-                <span class="pubdate">September 2004. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.10.2"></a><p>[<abbr class="abbrev">RFC1712</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Geographical
-                  Location</em>. </span>
-                <span class="pubdate">November 1994. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.10.3"></a><p>[<abbr class="abbrev">RFC2673</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span>
-                <span class="citetitle"><em class="citetitle">Binary Labels in the Domain Name System</em>. </span>
-                <span class="pubdate">August 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.10.4"></a><p>[<abbr class="abbrev">RFC2874</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Extensions to Support IPv6 Address Aggregation
-                       and Renumbering</em>. </span>
-                <span class="pubdate">July 2000. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.3"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+                  Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.4"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.5"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+                  Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.6"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.7"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.8"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.9"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.10"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+                       Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.10.11"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.11"></a>Obsolete and Unimplemented Experimental RFC</h3>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.11.2"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+                  Location</i>. </span><span class="pubdate">November 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.11.3"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.11.4"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+                       and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">
+<a name="id-1.12.3.2.4.12"></a>Obsoleted DNS Security RFCs</h3>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-                <p>
+<p>
                   Most of these have been consolidated into RFC4033,
                   RFC4034 and RFC4035 which collectively describe DNSSECbis.
                 </p>
-              </div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.3"></a><p>[<abbr class="abbrev">RFC2065</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span>
-                <span class="pubdate">January 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.4"></a><p>[<abbr class="abbrev">RFC2137</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Secure Domain Name System Dynamic Update</em>. </span>
-                <span class="pubdate">April 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.5"></a><p>[<abbr class="abbrev">RFC2535</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.6"></a><p>[<abbr class="abbrev">RFC3008</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System Security (DNSSEC)
-                       Signing Authority</em>. </span>
-                <span class="pubdate">November 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.7"></a><p>[<abbr class="abbrev">RFC3090</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Security Extension Clarification on Zone Status</em>. </span>
-                <span class="pubdate">March 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.8"></a><p>[<abbr class="abbrev">RFC3445</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
-                <span class="citetitle"><em class="citetitle">Limiting the Scope of the KEY Resource Record (RR)</em>. </span>
-                <span class="pubdate">December 2002. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.9"></a><p>[<abbr class="abbrev">RFC3655</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Redefinition of DNS Authenticated Data (AD) bit</em>. </span>
-                <span class="pubdate">November 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.10"></a><p>[<abbr class="abbrev">RFC3658</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Delegation Signer (DS) Resource Record (RR)</em>. </span>
-                <span class="pubdate">December 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.11"></a><p>[<abbr class="abbrev">RFC3755</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span>
-                <span class="citetitle"><em class="citetitle">Legacy Resolver Compatibility for Delegation Signer (DS)</em>. </span>
-                <span class="pubdate">May 2004. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.12"></a><p>[<abbr class="abbrev">RFC3757</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System KEY (DNSKEY) Resource Record
-                      (RR) Secure Entry Point (SEP) Flag</em>. </span>
-                <span class="pubdate">April 2004. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.13"></a><p>[<abbr class="abbrev">RFC3845</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</em>. </span>
-                <span class="pubdate">August 2004. </span>
-              </p>
-</div>
-            </div>
-          </div>
-        </div>
-        <div class="section">
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.3"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.4"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.5"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.6"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+                       Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.7"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.8"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.9"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.10"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.11"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.12"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+                      (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id-1.12.3.2.4.12.13"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+</div>
+</div>
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
-
-          <p>
+<p>
             Internet Drafts (IDs) are rough-draft working documents of
             the Internet Engineering Task Force. They are, in essence, RFCs
             in the preliminary stages of development. Implementors are
@@ -876,27 +476,21 @@
             they are "works in progress." IDs have a lifespan of six months
             after which they are deleted unless updated by their authors.
           </p>
-        </div>
-        <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="more_about_bind"></a>Other Documents About <acronym class="acronym">BIND</acronym>
 </h3></div></div></div>
-
-          <p></p>
-          <div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.3.4.3"></a>Bibliography</h4></div></div></div>
-            <div class="biblioentry">
-<a name="id-1.12.3.4.3.1"></a><p>
-              <span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span>
-              <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></em>. </span>
-              <span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span>
-            </p>
-</div>
-          </div>
-        </div>
-      </div>
-    </div>
+<p></p>
+<div class="bibliography">
+<div class="titlepage"><div><div><h4 class="title"><a name="id-1.12.3.4.3"></a></h4></div></div></div>
+<div class="biblioentry">
+<a name="id-1.12.3.4.3.2"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+</div>
+</div>
+</div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -914,6 +508,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch12.html b/bind/bind9/doc/arm/Bv9ARM.ch12.html
index 72601672..af07b7d6 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch12.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch12.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix D. BIND 9 DNS Library Support</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
@@ -46,11 +46,10 @@
 </dl></dd>
 </dl>
 </div>
-      <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
-  
-  <p>
+<p>
     This version of BIND 9 "exports" its internal libraries so
     that they can be used by third-party applications more easily (we
     call them "export" libraries in this document). Certain library
@@ -59,32 +58,27 @@
     the calling program initializes the libraries by calling
     <span class="command"><strong>isc_lib_register()</strong></span>.
   </p>
-  <p>
+<p>
     In addition to DNS-related APIs that are used within BIND 9, the
     libraries provide the following features:
   </p>
-  <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-      <p>
-	The "DNS client" module. This is a higher level API that
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+	The "DNS client" module. This is a higher-level API that
 	provides an interface to name resolution, single DNS transaction
 	with a particular server, and dynamic update. Regarding name
 	resolution, it supports advanced features such as DNSSEC validation
 	and caching. This module supports both synchronous and asynchronous
 	mode.
-      </p>
-    </li>
-<li class="listitem">
-      <p>
+      </p></li>
+<li class="listitem"><p>
 	The "IRS" (Information Retrieval System) library.  It provides an
 	interface to parse the traditional <code class="filename">resolv.conf</code>
 	file and more advanced, DNS-specific configuration file for the
 	rest of this package (see the description for the
 	<code class="filename">dns.conf</code> file below).
-      </p>
-    </li>
-<li class="listitem">
-      <p>
+      </p></li>
+<li class="listitem"><p>
 	As part of the IRS library, the standard address-name
 	mapping functions, <span class="command"><strong>getaddrinfo()</strong></span> and
 	<span class="command"><strong>getnameinfo()</strong></span>, are provided. They use the
@@ -93,42 +87,37 @@
 	<span class="command"><strong>getaddrinfo()</strong></span> function resolves both A
 	and AAAA RRs concurrently when the address family is
 	unspecified.
-      </p>
-    </li>
-<li class="listitem">
-      <p>
+      </p></li>
+<li class="listitem"><p>
 	An experimental framework to support other event
 	libraries than BIND 9's internal event task system.
-      </p>
-    </li>
+      </p></li>
 </ul></div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.13.2.5"></a>Installation</h3></div></div></div>
-    
-    <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>make install</code></strong>
     </pre>
-    <p>
-      Normal installation of BIND will also install library object
+<p>
+      Normal installation of BIND also installs library object
       and header files.  Root privilege is normally required.
     </p>
-    <p>
-      To see how to build your own application after the installation, see
+<p>
+      To see how to build a custom application after the installation, see
       <code class="filename">lib/samples/Makefile-postinstall.in</code>.
     </p>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.13.2.6"></a>Known Defects/Restrictions</h3></div></div></div>
-    
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
+<p>
 	The "fixed" RRset order is not (currently) supported in the export
-	library. If you want to use "fixed" RRset order for, e.g.
+	library. To use "fixed" RRset order for, e.g.,
 	<span class="command"><strong>named</strong></span> while still building the export library
-	even without the fixed order support, build them separately:
+	even without the fixed-order support, build them separately:
       </p>
 <pre class="screen">
 $ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong>
@@ -139,34 +128,29 @@ $ <strong class="userinput"><code>make</code></strong>
 </pre>
 <p>
       </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
 	RFC 5011 is not supported in the validating stub resolver of the
-	export library. In fact, it is not clear whether it should: trust
+	export library. In fact, it is not clear whether it should be: trust
 	anchors would be a system-wide configuration which would be managed
-	by an administrator, while the stub resolver will be used by
+	by an administrator, while the stub resolver is used by
 	ordinary applications run by a normal user.
-      </p>
-      </li>
-<li class="listitem">
-        <p>
+      </p></li>
+<li class="listitem"><p>
 	Not all common <code class="filename">/etc/resolv.conf</code> options are
 	supported in the IRS library. The only available options in this
 	version are <span class="command"><strong>debug</strong></span> and <span class="command"><strong>ndots</strong></span>.
-      </p>
-      </li>
+      </p></li>
 </ul></div>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.13.2.7"></a>The dns.conf File</h3></div></div></div>
-    
-    <p>
+<p>
       The IRS library supports an "advanced" configuration file related to
-      the DNS library for configuration parameters that would be beyond the
+      the DNS library, for configuration parameters that would be beyond the
       capability of the <code class="filename">resolv.conf</code> file.
-      Specifically, it is intended to provide DNSSEC related configuration
+      Specifically, it is intended to provide DNSSEC-related configuration
       parameters. By default the path to this configuration file is
       <code class="filename">/etc/dns.conf</code>.  This module is very experimental
       and the configuration syntax or library interfaces may change in
@@ -175,43 +159,39 @@ $ <strong class="userinput"><code>make</code></strong>
       statement in <code class="filename">named.conf</code>. (See
       <a class="xref" href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span class="command"><strong>trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)
     </p>
-  </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.13.2.8"></a>Sample Applications</h3></div></div></div>
-    
-    <p>
+<p>
       Some sample application programs using this API are provided for
       reference. The following is a brief description of these
       applications.
     </p>
-    <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.13.2.8.3"></a>sample: a simple stub resolver utility</h4></div></div></div>
-      
-      <p>
-	Sends a query of a given name (of a given optional RR type) to a
+<p>
+	This sends a query of a given name (of a given optional RR type) to a
 	specified recursive server and prints the result as a list of RRs.
 	It can also act as a validating stub resolver if a trust anchor is
-	given via a set of command line options.
+	given via a set of command-line options.
       </p>
-      <p>
+<p>
 	Usage: sample [options] server_address hostname
       </p>
-      <p>
+<p>
 	Options and Arguments:
       </p>
-      <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-t RRtype</span></dt>
-<dd>
-            <p>
-	      specify the RR type of the query.  The default is the A RR.
-	    </p>
-          </dd>
+<dd><p>
+	      specifies the RR type of the query.  The default is the A RR.
+	    </p></dd>
 <dt><span class="term">[-a algorithm] [-e] -k keyname -K keystring</span></dt>
 <dd>
-            <p>
-	      specify a command-line DNS key to validate the answer.  For
+<p>
+	      specifies a command-line DNS key to validate the answer.  For
 	      example, to specify the following DNSKEY of example.com:
 	      </p>
 <div class="literallayout"><p><br>
@@ -226,296 +206,256 @@ $ <strong class="userinput"><code>make</code></strong>
 <p>
 	      -e means that this key is a zone's "key signing key" (also known
 	      as "secure entry point").
-	      When -a is omitted rsasha1 will be used by default.
+	      When -a is omitted rsasha1 is used by default.
 	    </p>
-          </dd>
+</dd>
 <dt><span class="term">-s domain:alt_server_address</span></dt>
-<dd>
-            <p>
-	       specify a separate recursive server address for the specific
+<dd><p>
+	       specifies a separate recursive server address for the specific
 	       "domain".  Example: -s example.com:2001:db8::1234
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">server_address</span></dt>
-<dd>
-            <p>
-	      an IP(v4/v6) address of the recursive server to which queries
+<dd><p>
+	      is an IP(v4/v6) address of the recursive server to which queries
 	      are sent.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">hostname</span></dt>
-<dd>
-            <p>
-	      the domain name for the query
-	</p>
-          </dd>
+<dd><p>
+	      is the domain name for the query
+	</p></dd>
 </dl></div>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.13.2.8.4"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
-      
-      <p>
-      Similar to "sample", but accepts a list
+<p>
+      This is similar to "sample", but accepts a list
       of (query) domain names as a separate file and resolves the names
       asynchronously.</p>
-      <p>
+<p>
 	Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
-      <p>
+<p>
      Options and Arguments:
       </p>
-      <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-s server_address</span></dt>
 <dd>
-       an IPv4 address of the recursive server to which queries are sent.
-      (IPv6 addresses are not supported in this implementation)
+      is an IPv4 address of the recursive server to which queries are sent.
+      (IPv6 addresses are not supported in this implementation.)
       </dd>
 <dt><span class="term">-t RR_type</span></dt>
 <dd>
-      specify the RR type of the queries. The default is the A
+      specifies the RR type of the queries. The default is the A
       RR.
       </dd>
 <dt><span class="term">input_file</span></dt>
 <dd>
-	    a list of domain names to be resolved. each line consists of a
-	    single domain name. Example:
+	    is a list of domain names to be resolved; each line consists of a
+	    single domain name. For example:
       <div class="literallayout"><p><br>
       www.example.com<br>
       mx.example.net<br>
       ns.xxx.example<br>
       </p></div>
-	  </dd>
+</dd>
 </dl></div>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.13.2.8.5"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
-      
-      <p>
-	Sends a query to a specified server, and prints the response with
-	minimal processing. It doesn't act as a "stub resolver": it stops
+<p>
+	sends a query to a specified server, and prints the response with
+	minimal processing. It does not act as a "stub resolver": it stops
 	the processing once it gets any response from the server, whether
 	it's a referral or an alias (CNAME or DNAME) that would require
 	further queries to get the ultimate answer. In other words, this
 	utility acts as a very simplified <span class="command"><strong>dig</strong></span>.
       </p>
-      <p>
+<p>
 	Usage: sample-request [-t RRtype] server_address hostname
       </p>
-      <p>
+<p>
 	Options and Arguments:
       </p>
-      <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-t RRtype</span></dt>
-<dd>
-	    <p>
-	      specify the RR type of the queries. The default is the A RR.
-            </p>
-          </dd>
+<dd><p>
+	      specifies the RR type of the queries. The default is the A RR.
+            </p></dd>
 <dt><span class="term">server_address</span></dt>
-<dd>
-	    <p>
-	      an IP(v4/v6) address of the recursive server to which
+<dd><p>
+	      is an IP(v4/v6) address of the recursive server to which
 	      the query is sent.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">hostname</span></dt>
-<dd>
-	    <p>
-	      the domain name for the query
-	    </p>
-          </dd>
+<dd><p>
+	      is the domain name for the query
+	    </p></dd>
 </dl></div>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.13.2.8.6"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
-      
-      <p>
-	This is a test program to check <span class="command"><strong>getaddrinfo()</strong></span> and
+<p>
+	is a test program to check <span class="command"><strong>getaddrinfo()</strong></span> and
 	<span class="command"><strong>getnameinfo()</strong></span> behavior. It takes a host name as an
 	argument, calls <span class="command"><strong>getaddrinfo()</strong></span> with the given host
 	name, and calls <span class="command"><strong>getnameinfo()</strong></span> with the resulting
 	IP addresses returned by <span class="command"><strong>getaddrinfo()</strong></span>. If the
 	dns.conf file exists and defines a trust anchor, the underlying
-	resolver will act as a validating resolver, and
+	resolver acts as a validating resolver, and
 	<span class="command"><strong>getaddrinfo()</strong></span>/<span class="command"><strong>getnameinfo()</strong></span>
-	will fail with an EAI_INSECUREDATA error when DNSSEC validation
+	fails with an EAI_INSECUREDATA error when DNSSEC validation
 	fails.
       </p>
-      <p>
+<p>
 	Usage: sample-gai hostname
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.13.2.8.7"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
-      
-      <p>
-	Accepts a single update command as a command-line argument, sends
+<p>
+	accepts a single update command as a command-line argument, sends
 	an update request message to the authoritative server, and shows
 	the response from the server. In other words, this is a simplified
 	<span class="command"><strong>nsupdate</strong></span>.
       </p>
-      <p>
+<p>
 	Usage: sample-update [options] (add|delete) "update data"
       </p>
-      <p>
+<p>
 	Options and Arguments:
       </p>
-      <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a auth_server</span></dt>
-<dd>
-	    <p>
-	      An IP address of the authoritative server that has authority
+<dd><p>
+	      is an IP address of the authoritative server that has authority
 	      for the zone containing the update name.  This should
 	      normally be the primary authoritative server that accepts
 	      dynamic updates.  It can also be a secondary server that is
 	      configured to forward update requests to the primary server.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">-k keyfile</span></dt>
-<dd>
-	    <p>
-	      A TSIG key file to secure the update transaction.  The
+<dd><p>
+	      is a TSIG key file to secure the update transaction.  The
 	      keyfile format is the same as that for the nsupdate utility.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">-p prerequisite</span></dt>
-<dd>
-	    <p>
-	      A prerequisite for the update (only one prerequisite can be
-	      specified).  The prerequisite format is the same as that is
+<dd><p>
+	      is a prerequisite for the update; only one prerequisite can be
+	      specified.  The prerequisite format is the same as that
 	      accepted by the nsupdate utility.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">-r recursive_server</span></dt>
-<dd>
-	    <p>
-	      An IP address of a recursive server that this utility will
-	      use.  A recursive server may be necessary to identify the
+<dd><p>
+	      is an IP address of a recursive server that this utility
+	      uses.  A recursive server may be necessary to identify the
 	      authoritative server address to which the update request is
 	      sent.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">-z zonename</span></dt>
-<dd>
-	    <p>
-	      The domain name of the zone that contains
-	    </p>
-          </dd>
+<dd><p>
+	      is the domain name of the zone that it contains.
+	    </p></dd>
 <dt><span class="term">(add|delete)</span></dt>
-<dd>
-	    <p>
-	      Specify the type of update operation.  Either "add" or
+<dd><p>
+	      specifies the type of update operation.  Either "add" or
 	      "delete" must be specified.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">"update data"</span></dt>
-<dd>
-	    <p>
-	      Specify the data to be updated.  A typical example of the
-	      data would look like "name TTL RRtype RDATA".
-	    </p>
-          </dd>
+<dd><p>
+	      specifies the data to be updated.  A typical example of the
+	      data looks like "name TTL RRtype RDATA".
+	    </p></dd>
 </dl></div>
-      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-	<p>
+<p>
 	  In practice, either -a or -r must be specified.  Others can be
 	  optional; the underlying library routine tries to identify the
 	  appropriate server and the zone name for the update.
 	</p>
-      </div>
-      <p>
+</div>
+<p>
 	Examples: assuming the primary authoritative server of the
 	dynamic.example.com zone has an IPv6 address 2001:db8::1234,
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
-      <p>
+<p>
 	adds an A RR for foo.dynamic.example.com using the given key.
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
-      <p>
+<p>
 	removes all A RRs for foo.dynamic.example.com using the given key.
       </p>
-      <pre class="screen">
+<pre class="screen">
 $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
-      <p>
+<p>
 	removes all RRs for foo.dynamic.example.com using the given key.
       </p>
-    </div>
-    <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id-1.13.2.8.8"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
-      
-      <p>
-	Checks a set of domains to see the name servers of the domains
+<p>
+	checks a set of domains to ensure the name servers of the domains
 	behave correctly in terms of RFC 4074. This is included in the set
 	of sample programs to show how the export library can be used in a
 	DNS-related application.
       </p>
-      <p>
+<p>
 	Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
       </p>
-      <p>
+<p>
 	Options
       </p>
-      <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-d</span></dt>
-<dd>
-	    <p>
-	      Run in "debug" mode.  With this option nsprobe will dump
-	      every RRs it receives.
-	    </p>
-          </dd>
+<dd><p>
+	      runs in "debug" mode.  With this option, nsprobe dumps
+	      every RR it receives.
+	    </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	    <p>
-	      Increase verbosity of other normal log messages.  This can be
+<dd><p>
+	      increases verbosity of other normal log messages.  This can be
 	      specified multiple times.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">-c cache_address</span></dt>
-<dd>
-	    <p>
-	      Specify an IP address of a recursive (caching) name server.
+<dd><p>
+	      specifies an IP address of a recursive (caching) name server.
 	      nsprobe uses this server to get the NS RRset of each domain
 	      and the A and/or AAAA RRsets for the name servers.  The
 	      default value is 127.0.0.1.
-	    </p>
-          </dd>
+	    </p></dd>
 <dt><span class="term">input_file</span></dt>
-<dd>
-	    <p>
-	      A file name containing a list of domain (zone) names to be
-	      probed.  when omitted the standard input will be used.  Each
-	      line of the input file specifies a single domain name such as
-	      "example.com".  In general this domain name must be the apex
-	      name of some DNS zone (unlike normal "host names" such as
-	      "www.example.com").  nsprobe first identifies the NS RRsets
+<dd><p>
+	      is a file name containing a list of domain (zone) names to be
+	      probed.  when omitted the standard input is used.  Each
+	      line of the input file specifies a single domain name, such as
+	      "example.com".  In general, this domain name must be the apex
+	      name of some DNS zone, unlike normal "host names" such as
+	      "www.example.com".  nsprobe first identifies the NS RRsets
 	      for the given domain name, and sends A and AAAA queries to
-	      these servers for some "widely used" names under the zone;
+	      these servers for some widely used names under the zone;
 	      specifically, adding "www" and "ftp" to the zone name.
-	    </p>
-          </dd>
+	    </p></dd>
 </dl></div>
-    </div>
-  </div>
-  <div class="section">
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id-1.13.2.9"></a>Library References</h3></div></div></div>
-    
-    <p>
+<p>
       As of this writing, there is no formal "manual" for the libraries,
       except this document, header files (some of which provide pretty
       detailed explanations), and sample application programs.
     </p>
-  </div>
 </div>
-    </div>
+</div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -533,6 +473,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.ch13.html b/bind/bind9/doc/arm/Bv9ARM.ch13.html
index 82a0bad9..27cabf35 100644
--- a/bind/bind9/doc/arm/Bv9ARM.ch13.html
+++ b/bind/bind9/doc/arm/Bv9ARM.ch13.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Manual pages</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support">
-<link rel="next" href="man.dig.html" title="dig">
+<link rel="next" href="man.arpaname.html" title="arpaname">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -24,7 +24,7 @@
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch12.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
 </td>
 </tr>
 </table>
@@ -40,19 +40,16 @@
 <p><b>Table of Contents</b></p>
 <dl class="toc">
 <dt>
-<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> &#8212; DNS pipelined lookup utility</span>
+<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.delv.html">delv</a></span><span class="refpurpose"> &#8212; DNS lookup and validation utility</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> &#8212; query Internet name servers interactively</span>
+<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> &#8212; DNSSEC delegation consistency checking tool</span>
@@ -88,13 +85,22 @@
 <span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> &#8212; lightweight resolver daemon</span>
+<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> &#8212; print dnstap data in human-readable form</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
+<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span class="command"><strong>named</strong></span></span>
+<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> &#8212; lightweight resolver daemon</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> &#8212; DNS pipelined lookup utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
@@ -114,88 +120,44 @@
 <span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> &#8212; syntax checker for individual DNS resource records</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
+<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span class="command"><strong>named</strong></span></span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
+<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
+<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
+<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> &#8212; query Internet name servers interactively</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> &#8212; print dnstap data in human-readable form</span>
+<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
+<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> &#8212; destroy PKCS#11 objects</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
+<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> &#8212; generate keys on a PKCS#11 device</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
+<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 objects</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> &#8212; destroy PKCS#11 objects</span>
+<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 available tokens</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 objects</span>
+<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> &#8212; generate keys on a PKCS#11 device</span>
+<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 available tokens</span>
+<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
 </dt>
 </dl>
 </div>
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-    </div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -203,16 +165,17 @@
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch12.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Appendix D. BIND 9 DNS Library Support </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> dig</td>
+<td width="40%" align="right" valign="top"> <span class="application">arpaname</span>
+</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.html b/bind/bind9/doc/arm/Bv9ARM.html
index 4e60ef94..50ea7b73 100644
--- a/bind/bind9/doc/arm/Bv9ARM.html
+++ b/bind/bind9/doc/arm/Bv9ARM.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>BIND 9 Administrator Reference Manual</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
 </head>
@@ -32,8 +32,8 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.11.15</p></div>
-<div><p class="copyright">Copyright © 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
+<div><p class="releaseinfo">BIND Version 9.11.36</p></div>
+<div><p class="copyright">Copyright © 2000-2021 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
 </div>
@@ -60,7 +60,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server-Intensive Environment Issues</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
@@ -81,14 +81,14 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The Journal File</a></span></dt></dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example Split DNS Setup</a></span></dt></dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading a New Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
@@ -99,22 +99,22 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
 </dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.2">Converting from insecure to secure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully automatic zone signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private-type records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic key rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting from secure to insecure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic re-signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.7">Dynamic DNS Update Method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.15">Fully Automatic Zone Signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.24">Private Type Records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.31">DNSKEY Rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.33">Dynamic DNS Update Method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.38">Automatic Key Rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.40">NSEC3PARAM Rollovers via UPDATE</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.42">Converting From NSEC to NSEC3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.44">Converting From NSEC3 to NSEC</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.46">Converting From Secure to Insecure</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.50">Periodic Re-signing</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.52">NSEC3 and OPTOUT</a></span></dt>
 </dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
@@ -122,7 +122,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) Support</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
@@ -137,7 +137,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">Dynamic Database (DynDB)</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
@@ -146,12 +146,12 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.4">Principle of Operation</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.5">Configuring Catalog Zones</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone format</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone Format</a></span></dt>
 </dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.6">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address-to-Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
@@ -213,10 +213,10 @@
 <dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Primary File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND 9 Statistics</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
@@ -235,17 +235,38 @@
 <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's Not Working; How Can I Figure Out What's Wrong?</a></span></dt></dl></dd>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Incrementing and Changing the Serial Number</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.15</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.36</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.36">Notes for BIND 9.11.36</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.35">Notes for BIND 9.11.35</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.34">Notes for BIND 9.11.34</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.33">Notes for BIND 9.11.33</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.32">Notes for BIND 9.11.32</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.31">Notes for BIND 9.11.31</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.30">Notes for BIND 9.11.30</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.29">Notes for BIND 9.11.29</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.28">Notes for BIND 9.11.28</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.27">Notes for BIND 9.11.27</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.26">Notes for BIND 9.11.26</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.25">Notes for BIND 9.11.25</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.24">Notes for BIND 9.11.24</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.23">Notes for BIND 9.11.23</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.22">Notes for BIND 9.11.22</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.21">Notes for BIND 9.11.21</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.20">Notes for BIND 9.11.20</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.19">Notes for BIND 9.11.19</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.18">Notes for BIND 9.11.18</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.17">Notes for BIND 9.11.17</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.16">Notes for BIND 9.11.16</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.15">Notes for BIND 9.11.15</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.14">Notes for BIND 9.11.14</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.13">Notes for BIND 9.11.13</a></span></dt>
@@ -272,7 +293,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Requests for Comments (RFCs)</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
@@ -291,19 +312,16 @@
 <dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
 <dd><dl>
 <dt>
-<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> &#8212; DNS pipelined lookup utility</span>
+<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.delv.html">delv</a></span><span class="refpurpose"> &#8212; DNS lookup and validation utility</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> &#8212; query Internet name servers interactively</span>
+<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> &#8212; DNSSEC delegation consistency checking tool</span>
@@ -339,13 +357,22 @@
 <span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> &#8212; lightweight resolver daemon</span>
+<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> &#8212; print dnstap data in human-readable form</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
+<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span class="command"><strong>named</strong></span></span>
+<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.lwresd.html"><span class="application">lwresd</span></a></span><span class="refpurpose"> &#8212; lightweight resolver daemon</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> &#8212; DNS pipelined lookup utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
@@ -365,78 +392,45 @@
 <span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> &#8212; syntax checker for individual DNS resource records</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
+<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span class="command"><strong>named</strong></span></span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
+<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
+<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
+<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> &#8212; query Internet name servers interactively</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> &#8212; print dnstap data in human-readable form</span>
+<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
+<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> &#8212; destroy PKCS#11 objects</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
+<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> &#8212; generate keys on a PKCS#11 device</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
+<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 objects</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> &#8212; destroy PKCS#11 objects</span>
+<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 available tokens</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 objects</span>
+<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> &#8212; generate keys on a PKCS#11 device</span>
+<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
 </dt>
 <dt>
-<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 available tokens</span>
+<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
 </dt>
 </dl></dd>
 </dl>
 </div>
-  
-
-  
-
-  
-
-  
-
-  
-
-  
-
-  
-    
-
-    
-
-    
-
-    
-
-    
-
-    
-
-    
-
-  </div>
+</div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
@@ -453,6 +447,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/Bv9ARM.pdf b/bind/bind9/doc/arm/Bv9ARM.pdf
index b505e9ee..9ef34312 100644
--- a/bind/bind9/doc/arm/Bv9ARM.pdf
+++ b/bind/bind9/doc/arm/Bv9ARM.pdf
diff --git a/bind/bind9/doc/arm/Makefile.in b/bind/bind9/doc/arm/Makefile.in
index cab301f6..4f0aba96 100644
--- a/bind/bind9/doc/arm/Makefile.in
+++ b/bind/bind9/doc/arm/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -21,6 +21,27 @@ PDFOBJS = Bv9ARM.pdf notes.pdf
 
 NOTESXML = notes-download.xml notes-eol.xml notes-intro.xml notes-license.xml \
 	   notes-thankyou.xml \
+	   notes-9.11.36.xml \
+	   notes-9.11.35.xml \
+	   notes-9.11.34.xml \
+	   notes-9.11.33.xml \
+	   notes-9.11.32.xml \
+	   notes-9.11.31.xml \
+	   notes-9.11.30.xml \
+	   notes-9.11.29.xml \
+	   notes-9.11.28.xml \
+	   notes-9.11.27.xml \
+	   notes-9.11.26.xml \
+	   notes-9.11.25.xml \
+	   notes-9.11.24.xml \
+	   notes-9.11.23.xml \
+	   notes-9.11.22.xml \
+	   notes-9.11.21.xml \
+	   notes-9.11.20.xml \
+	   notes-9.11.19.xml \
+	   notes-9.11.18.xml \
+	   notes-9.11.17.xml \
+	   notes-9.11.16.xml \
 	   notes-9.11.15.xml \
 	   notes-9.11.14.xml \
 	   notes-9.11.13.xml \
@@ -70,10 +91,10 @@ notes.pdf: notes-wrapper.xml ${NOTESXML} releaseinfo.xml pkgversion.xml notevers
 #  - remove empty lines from the end of the document,
 #  - prevent GitLab issue/MR identifiers from being split across two lines.
 notes.txt: notes.html
-	${W3M} -dump -cols 75 -O ascii -T text/html < notes.html | \
+	${W3M} -dump -cols 75 -O utf-8 -T text/html < notes.html | \
 		sed 's/  *$$//' | \
 		sed -e :a -e '/^\n*$$/{$$d;N;};/\n$$/ba' | \
-		sed '/ [!#]$$/{N;s| \([!#]\)\(\n\s*\)\([0-9][0-9]*\)|\2\1\3|;};' > notes.txt
+		sed '/ [!#]$$/{N;s| \([!#]\)\(\n[[:space:]]*\)\([0-9][0-9]*\)|\2\1\3|;};' > notes.txt
 
 # use xmllint to process include
 Bv9ARM.html: Bv9ARM-book.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
diff --git a/bind/bind9/doc/arm/README-SGML b/bind/bind9/doc/arm/README-SGML
index 1f2a9653..47ecff8f 100644
--- a/bind/bind9/doc/arm/README-SGML
+++ b/bind/bind9/doc/arm/README-SGML
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 The BIND v9 ARM master document is now kept in DocBook 5 XML format.
 
diff --git a/bind/bind9/doc/arm/acl.grammar.xml b/bind/bind9/doc/arm/acl.grammar.xml
index 3d838b13..5e62f376 100644
--- a/bind/bind9/doc/arm/acl.grammar.xml
+++ b/bind/bind9/doc/arm/acl.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/catz.xml b/bind/bind9/doc/arm/catz.xml
index f314b44d..7aa1c9b5 100644
--- a/bind/bind9/doc/arm/catz.xml
+++ b/bind/bind9/doc/arm/catz.xml
@@ -3,95 +3,95 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
-<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="catz-info"><info><title>Catalog Zones</title></info>
+<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="catz-info"><info><title>Catalog Zones</title></info>
 
   <para>
     A "catalog zone" is a special DNS zone that contains a list of
     other zones to be served, along with their configuration parameters.
-    Zones listed in a catalog zone are called "member zones".
-    When a catalog zone is loaded or transferred to a slave server
-    which supports this functionality, the slave server will create
+    Zones listed in a catalog zone are called "member zones."
+    When a catalog zone is loaded or transferred to a secondary server
+    which supports this functionality, the secondary server creates
     the member zones automatically. When the catalog zone is updated
     (for example, to add or delete member zones, or change
-    their configuration parameters) those changes are immediately put
+    their configuration parameters), those changes are immediately put
     into effect. Because the catalog zone is a normal DNS zone, these
     configuration changes can be propagated using the standard AXFR/IXFR
     zone transfer mechanism.
   </para>
   <para>
-    Catalog zones' format and behavior are specified as an internet draft
-    for interoperability among DNS implementations.  As of this release, the
+    Catalog zones' format and behavior are specified as an Internet draft
+    for interoperability among DNS implementations.  The
     latest revision of the DNS catalog zones draft can be found here:
-    https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/
+    https://datatracker.ietf.org/doc/draft-toorop-dnsop-dns-catalog-zones/.
   </para>
 
   <section><info><title>Principle of Operation</title></info>
     <para>
-      Normally, if a zone is to be served by a slave server, the
+      Normally, if a zone is to be served by a secondary server, the
       <filename>named.conf</filename> file on the server must list the
       zone, or the zone must be added using <command>rndc addzone</command>.
-      In environments with a large number of slave servers and/or where
+      In environments with a large number of secondary servers, and/or where
       the zones being served are changing frequently, the overhead involved
-      in maintaining consistent zone configuration on all the slave
+      in maintaining consistent zone configuration on all the secondary
       servers can be significant.
     </para>
     <para>
-      A catalog zone is a way to ease this administrative burden.  It is a
-      DNS zone that lists member zones that should be served by slave servers.
-      When a slave server receives an update to the catalog zone, it adds,
+      A catalog zone is a way to ease this administrative burden: it is a
+      DNS zone that lists member zones that should be served by secondary servers.
+      When a secondary server receives an update to the catalog zone, it adds,
       removes, or reconfigures member zones based on the data received.
     </para>
     <para>
-      To use a catalog zone, it must first be set up as a normal zone on
-      the master and the on slave servers that will be configured to use
+      To use a catalog zone, it must first be set up as a normal zone on both
+      the primary and secondary servers that are configured to use
       it.  It must also be added to a <option>catalog-zones</option> list
       in the <option>options</option> or <option>view</option> statement
-      in <filename>named.conf</filename>.  (This is comparable to the way
+      in <filename>named.conf</filename>.  This is comparable to the way
       a policy zone is configured as a normal zone and also listed in
-      a <option>response-policy</option> statement.)
+      a <option>response-policy</option> statement.
     </para>
     <para>
       To use the catalog zone feature to serve a new member zone:
       <itemizedlist>
         <listitem>
           <para>
-	    Set up the the member zone to be served on the master as normal.
-	    This could be done by editing <filename>named.conf</filename>,
+	    Set up the the member zone to be served on the primary as normal.
+	    This can be done by editing <filename>named.conf</filename>
 	    or by running <command>rndc addzone</command>.
           </para>
         </listitem>
         <listitem>
           <para>
             Add an entry to the catalog zone for the new member zone.
-	    This could be done by editing the catalog zone's master file
+	    This can be done by editing the catalog zone's zone file
 	    and running <command>rndc reload</command>, or by updating
 	    the zone using <command>nsupdate</command>.
           </para>
         </listitem>
       </itemizedlist>
-      The change to the catalog zone will be propagated from the master to all
-      slaves using the normal AXFR/IXFR mechanism.  When the slave receives the
-      update to the catalog zone, it will detect the entry for the new member
-      zone, create an instance of of that zone on the slave server, and point
+      The change to the catalog zone is propagated from the primary to all
+      secondaries using the normal AXFR/IXFR mechanism.  When the secondary receives the
+      update to the catalog zone, it detects the entry for the new member
+      zone, creates an instance of that zone on the secondary server, and points
       that instance to the <option>masters</option> specified in the catalog
-      zone data. The newly created member zone is a normal slave zone, so
-      BIND will immediately initiate a transfer of zone contents from the
-      master.  Once complete, the slave will start serving the member zone.
+      zone data. The newly created member zone is a normal secondary zone, so
+      BIND immediately initiates a transfer of zone contents from the
+      primary.  Once complete, the secondary starts serving the member zone.
     </para>
     <para>
-      Removing a member zone from a slave server requires nothing more than
-      deleting the member zone's entry in the catalog zone. The change to the
-      catalog zone is propagated to the slave server using the normal AXFR/IXFR
-      transfer mechanism.  The slave server, on processing the update, will
-      notice that the member zone has been removed.  It will stop serving the
-      zone and remove it from its list of configured zones.  (Removing the
-      member zone from the master server has to be done in the normal way,
+      Removing a member zone from a secondary server requires only
+      deleting the member zone's entry in the catalog zone; the change to the
+      catalog zone is propagated to the secondary server using the normal AXFR/IXFR
+      transfer mechanism.  The secondary server, on processing the update,
+      notices that the member zone has been removed, stops serving the
+      zone, and removes it from its list of configured zones. However, removing the
+      member zone from the primary server must be done
       by editing the configuration file or running
       <command>rndc delzone</command>.)
     </para>
@@ -116,31 +116,31 @@ catalog-zones {
       This statement specifies that the zone
       <literal>catalog.example</literal> is a catalog zone. This zone must be
       properly configured in the same view. In most configurations, it would
-      be a slave zone.
+      be a secondary zone.
     </para>
     <para>
       The options following the zone name are not required, and may be
       specified in any order:
     </para>
     <para>
-      The <option>default-masters</option> option defines the default masters
-      for member zones listed in a catalog zone. This can be overridden by
+      The <option>default-masters</option> option defines the default primaries
+      for member zones listed in a catalog zone, and can be overridden by
       options within a catalog zone. If no such options are included, then
-      member zones will transfer their contents from the servers listed in
+      member zones transfer their contents from the servers listed in
       this option.
     </para>
     <para>
       The <option>in-memory</option> option, if set to <literal>yes</literal>,
       causes member zones to be stored only in memory. This is functionally
-      equivalent to configuring a slave zone without a <option>file</option>.
+      equivalent to configuring a secondary zone without a <option>file</option>
       option.  The default is <literal>no</literal>; member zones' content
-      will be stored locally in a file whose name is automatically generated
+      is stored locally in a file whose name is automatically generated
       from the view name, catalog zone name, and member zone name.
     </para>
     <para>
       The <option>zone-directory</option> option causes local copies of
-      member zones' master files (if <option>in-memory</option> is not set
-      to <literal>yes</literal>) to be stored in the specified directory.
+      member zones' zone files to be stored in the specified directory,
+      if <option>in-memory</option> is not set to <literal>yes</literal>.
       The default is to store zone files in the server's working directory.
       A non-absolute pathname in <option>zone-directory</option> is
       assumed to be relative to the working directory.
@@ -150,21 +150,21 @@ catalog-zones {
       interval between processing of updates to catalog zones, in seconds.
       If an update to a catalog zone (for example, via IXFR) happens less
       than <option>min-update-interval</option> seconds after the most
-      recent update, then the changes will not be carried out until this
+      recent update, the changes are not carried out until this
       interval has elapsed.  The default is <literal>5</literal> seconds.
     </para>
     <para>
       Catalog zones are defined on a per-view basis. Configuring a non-empty
-      <option>catalog-zones</option> statement in a view will automatically
-      turn on <option>allow-new-zones</option> for that view. (Note: this
-      means <command>rndc addzone</command> and <command>rndc delzone</command>
-      will also work in any view that supports catalog zones.)
+      <option>catalog-zones</option> statement in a view automatically
+      turns on <option>allow-new-zones</option> for that view. This
+      means that <command>rndc addzone</command> and <command>rndc delzone</command>
+      also work in any view that supports catalog zones.
     </para>
   </section>
 
-  <section><info><title>Catalog Zone format</title></info>
+  <section><info><title>Catalog Zone Format</title></info>
     <para>
-      A catalog zone is a regular DNS zone; therefore, it has to have a
+      A catalog zone is a regular DNS zone; therefore, it must have a
       single <literal>SOA</literal> and at least one <literal>NS</literal>
       record.
     </para>
@@ -180,14 +180,14 @@ version.catalog.example.    IN TXT "1"
 </screen>
     <para>
       Note that this record must have the domain name
-      version.<replaceable>catalog-zone-name</replaceable>.  This illustrates
-      how the meaning of data stored in a catalog zone is indicated by the
+      "version.<replaceable>catalog-zone-name</replaceable>".
+      The data stored in a catalog zone is indicated by the
       the domain name label immediately before the catalog zone domain.
     </para>
     <para>
       Catalog zone options can be set either globally for the whole catalog
       zone or for a single member zone. Global options override the settings
-      in the configuration file and member zone options override global
+      in the configuration file, and member zone options override global
       options.
     </para>
     <para>
@@ -204,8 +204,8 @@ version.catalog.example.    IN TXT "1"
 	 masters.catalog.example.    IN A 192.0.2.1
 	</screen>
 	<para>
-	  This option defines a master server for the member zones - it
-	  can be either an A or AAAA record. If multiple masters are set the
+	  This option defines a primary server for the member zones, which
+	  can be either an A or AAAA record. If multiple primaries are set, the
 	  order in which they are used is random.
 	</para>
       </listitem>
@@ -216,7 +216,7 @@ version.catalog.example.    IN TXT "1"
          label.masters.catalog.example.	    IN TXT "tsig_key_name"
         </screen>
         <para>
-         This option defines a master server for the member zone with a TSIG
+         This option defines a primary server for the member zone with a TSIG
          key set. The TSIG key must be configured in the configuration file.
          <option>label</option> can be any valid DNS label.
         </para>
@@ -232,9 +232,9 @@ version.catalog.example.    IN TXT "1"
           These options are the equivalents of <option>allow-query</option>
           and <option>allow-transfer</option> in a zone declaration in the
           <filename>named.conf</filename> configuration file. The ACL is
-          processed in order - if there's no match to any rule the default
-          policy is to deny access.  For the syntax of the APL RR see RFC
-          3123
+          processed in order; if there is no match to any rule, the default
+          policy is to deny access.  For the syntax of the APL RR, see RFC
+          3123.
         </para>
       </listitem>
     </itemizedlist>
@@ -261,17 +261,17 @@ label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN
 allow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN APL 1:10.0.0.0/24
 </screen>
     <para>
-      As would be expected, options defined for a specific zone override
+      Options defined for a specific zone override
       the global options defined in the catalog zone. These in turn override
       the global options defined in the <literal>catalog-zones</literal>
       statement in the configuration file.
     </para>
     <para>
-      (Note that none of the global records an option will be inherited if
+      Note that none of the global records for an option are inherited if
       any records are defined for that option for the specific zone.  For
       example, if the zone had a <literal>masters</literal> record of type
-      A but not AAAA, then it would <emphasis>not</emphasis> inherit the
-      type AAAA record from the global option.)
+      A but not AAAA, it would <emphasis>not</emphasis> inherit the
+      type AAAA record from the global option.
     </para>
   </section>
 </section>
diff --git a/bind/bind9/doc/arm/controls.grammar.xml b/bind/bind9/doc/arm/controls.grammar.xml
index df4accfe..eb7c3d2d 100644
--- a/bind/bind9/doc/arm/controls.grammar.xml
+++ b/bind/bind9/doc/arm/controls.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/delegation-only.zoneopt.xml b/bind/bind9/doc/arm/delegation-only.zoneopt.xml
index a26ce24f..58cbf954 100644
--- a/bind/bind9/doc/arm/delegation-only.zoneopt.xml
+++ b/bind/bind9/doc/arm/delegation-only.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/dlz.xml b/bind/bind9/doc/arm/dlz.xml
index 93ee5db5..0faa4202 100644
--- a/bind/bind9/doc/arm/dlz.xml
+++ b/bind/bind9/doc/arm/dlz.xml
@@ -3,27 +3,27 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="dlz-info"><info><title>DLZ (Dynamically Loadable Zones)</title></info>
+<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dlz-info"><info><title>DLZ (Dynamically Loadable Zones)</title></info>
 
   <para>
-    DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
+    Dynamically Loadable Zones (DLZ) are an extension to BIND 9 that allows
     zone data to be retrieved directly from an external database.  There is
     no required format or schema.  DLZ drivers exist for several different
-    database backends including PostgreSQL, MySQL, and LDAP and can be
+    database backends, including PostgreSQL, MySQL, and LDAP, and can be
     written for any other.
   </para>
   <para>
     Historically, DLZ drivers had to be statically linked with the <command>named</command>
     binary and were turned on via a configure option at compile time (for
-    example, <userinput>"configure --with-dlz-ldap"</userinput>).
-    Currently, the drivers provided in the BIND 9 tarball in
+    example, <userinput>configure --with-dlz-ldap</userinput>).
+    The drivers provided in the BIND 9 tarball in
     <filename>contrib/dlz/drivers</filename> are still linked this
     way.
   </para>
@@ -32,21 +32,21 @@
     dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
     generic wrapper around a shared object implementing the DLZ API.  The
     "dlopen" driver is linked into <command>named</command> by default, so configure options
-    are no longer necessary when using these dynamically linkable drivers,
-    but are still needed for the older drivers in
+    are no longer necessary when using these dynamically linkable drivers;
+    they are still needed for the older drivers in
     <filename>contrib/dlz/drivers</filename>.
   </para>
 
   <para>
-    When the DLZ module provides data to <command>named</command>, it does so in text format.
-    The response is converted to DNS wire format by <command>named</command>.  This
+    The DLZ module provides data to <command>named</command> in text format,
+    which is then converted to DNS wire format by <command>named</command>.  This
     conversion, and the lack of any internal caching, places significant
     limits on the query performance of DLZ modules.  Consequently, DLZ is
     not recommended for use on high-volume servers.  However, it can be
-    used in a hidden master configuration, with slaves retrieving zone
-    updates via AXFR.  (Note, however, that DLZ has no built-in support for
-    DNS notify; slaves are not automatically informed of changes to the
-    zones in the database.)
+    used in a hidden primary configuration, with secondaries retrieving zone
+    updates via AXFR.  Note, however, that DLZ has no built-in support for
+    DNS notify; secondary servers are not automatically informed of changes to the
+    zones in the database.
   </para>
 
   <section><info><title>Configuring DLZ</title></info>
@@ -67,9 +67,9 @@
       loaded at runtime by the dlopen DLZ driver.  Multiple
       <command>dlz</command> statements can be specified; when
       answering a query, all DLZ modules with <option>search</option>
-      set to <literal>yes</literal> will be queried to find out if
-      they contain an answer for the query name; the best available
-      answer will be returned to the client.
+      set to <literal>yes</literal> are queried to see whether
+      they contain an answer for the query name. The best available
+      answer is returned to the client.
     </para>
     <para>
       The <option>search</option> option in the above example can be
@@ -79,11 +79,11 @@
       If <option>search</option> is set to <literal>no</literal>, then
       this DLZ module is <emphasis>not</emphasis> searched for the best
       match when a query is received.  Instead, zones in this DLZ must be
-      separately specified in a zone statement.  This allows you to
-      configure a zone normally using standard zone option semantics,
-      but specify a different database back-end for storage of the
+      separately specified in a zone statement.  This allows users to
+      configure a zone normally using standard zone-option semantics,
+      but specify a different database backend for storage of the
       zone's data.  For example, to implement NXDOMAIN redirection using
-      a DLZ module for back-end storage of redirection rules:
+      a DLZ module for backend storage of redirection rules:
     </para>
     <screen>
     dlz other {
@@ -100,9 +100,9 @@
   <section><info><title>Sample DLZ Driver</title></info>
 
     <para>
-      For guidance in implementation of DLZ modules, the directory
+      For guidance in the implementation of DLZ modules, the directory
       <filename>contrib/dlz/example</filename> contains a basic
-      dynamically-linkable DLZ module--i.e., one which can be
+      dynamically linkable DLZ module - i.e., one which can be
       loaded at runtime by the "dlopen" DLZ driver.
       The example sets up a single zone, whose name is passed
       to the module as an argument in the <command>dlz</command>
@@ -115,7 +115,7 @@
     </screen>
     <para>
       In the above example, the module is configured to create a zone
-      "example.nil", which can answer queries and AXFR requests, and
+      "example.nil", which can answer queries and AXFR requests and
       accept DDNS updates.  At runtime, prior to any updates, the zone
       contains an SOA, NS, and a single A record at the apex:
     </para>
@@ -127,13 +127,13 @@
  example.nil.  1800    IN      A       10.53.0.1
     </screen>
     <para>
-      The sample driver is capable of retrieving information about the
-      querying client, and altering its response on the basis of this
+      The sample driver can retrieve information about the
+      querying client and alter its response on the basis of this
       information.  To demonstrate this feature, the example driver
       responds to queries for "source-addr.<option>zonename</option>&gt;/TXT"
       with the source address of the query.  Note, however, that this
-      record will *not* be included in AXFR or ANY responses.  Normally,
-      this feature would be used to alter responses in some other fashion,
+      record will <emphasis>not</emphasis> be included in AXFR or ANY responses.  Normally,
+      this feature is used to alter responses in some other fashion,
       e.g., by providing different address records for a particular name
       depending on the network from which the query arrived.
     </para>
@@ -141,7 +141,7 @@
       Documentation of the DLZ module API can be found in
       <filename>contrib/dlz/example/README</filename>.  This directory also
       contains the header file <filename>dlz_minimal.h</filename>, which
-      defines the API and should be included by any dynamically-linkable
+      defines the API and should be included by any dynamically linkable
       DLZ module.
     </para>
   </section>
diff --git a/bind/bind9/doc/arm/dnssec.xml b/bind/bind9/doc/arm/dnssec.xml
index de922dcb..7189beb5 100644
--- a/bind/bind9/doc/arm/dnssec.xml
+++ b/bind/bind9/doc/arm/dnssec.xml
@@ -3,27 +3,27 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="dnssec.dynamic.zones"><info><title>DNSSEC, Dynamic Zones, and Automatic Signing</title></info>
+<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dnssec.dynamic.zones"><info><title>DNSSEC, Dynamic Zones, and Automatic Signing</title></info>
 
   <section><info><title>Converting from insecure to secure</title></info>
 
   </section>
-  <para>Changing a zone from insecure to secure can be done in two
-  ways: using a dynamic DNS update, or the
+  <para>A zone ca be changed from insecure to secure in two
+  ways: using a dynamic DNS update, or via the
   <command>auto-dnssec</command> zone option.</para>
-  <para>For either method, you need to configure
-  <command>named</command> so that it can see the
+  <para>For either method,
+  <command>named</command> must be configured so that it can see the
   <filename>K*</filename> files which contain the public and private
-  parts of the keys that will be used to sign the zone. These files
-  will have been generated by
-  <command>dnssec-keygen</command>. You can do this by placing them
+  parts of the keys that are used to sign the zone. These files
+  are generated by
+  <command>dnssec-keygen</command>, and they should be placed
   in the key-directory, as specified in
   <filename>named.conf</filename>:</para>
   <programlisting>
@@ -35,11 +35,11 @@
 	};
 </programlisting>
   <para>If one KSK and one ZSK DNSKEY key have been generated, this
-  configuration will cause all records in the zone to be signed
-  with the ZSK, and the DNSKEY RRset to be signed with the KSK as
-  well. An NSEC chain will be generated as part of the initial
+  configuration causes all records in the zone to be signed
+  with the ZSK, and the DNSKEY RRset to be signed with the KSK.
+  An NSEC chain is generated as part of the initial
   signing process.</para>
-  <section><info><title>Dynamic DNS update method</title></info>
+  <section><info><title>Dynamic DNS Update Method</title></info>
 
   </section>
   <para>To insert the keys via dynamic update:</para>
@@ -50,15 +50,15 @@
 	&gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
 	&gt; send
 </screen>
-  <para>While the update request will complete almost immediately,
-  the zone will not be completely signed until
-  <command>named</command> has had time to walk the zone and
+  <para>While the update request completes almost immediately,
+  the zone is not completely signed until
+  <command>named</command> has had time to "walk" the zone and
   generate the NSEC and RRSIG records. The NSEC record at the apex
-  will be added last, to signal that there is a complete NSEC
+  is added last, to signal that there is a complete NSEC
   chain.</para>
-  <para>If you wish to sign using NSEC3 instead of NSEC, you should
-  add an NSEC3PARAM record to the initial update request. If you
-  wish the NSEC3 chain to have the OPTOUT bit set, set it in the
+  <para>To sign using NSEC3 instead of NSEC,
+  add an NSEC3PARAM record to the initial update request.
+  The OPTOUT bit in the NSEC3 chain can be set in the
   flags field of the NSEC3PARAM record.</para>
   <screen>
 	% nsupdate
@@ -68,15 +68,15 @@
 	&gt; update add example.net NSEC3PARAM 1 1 100 1234567890
 	&gt; send
 </screen>
-  <para>Again, this update request will complete almost
-  immediately; however, the record won't show up until
+  <para>Again, this update request completes almost
+  immediately; however, the record does not show up until
   <command>named</command> has had a chance to build/remove the
-  relevant chain. A private type record will be created to record
-  the state of the operation (see below for more details), and will
-  be removed once the operation completes.</para>
+  relevant chain. A private type record is created to record
+  the state of the operation (see below for more details), and is
+  removed once the operation completes.</para>
   <para>While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.</para>
-  <section><info><title>Fully automatic zone signing</title></info>
+  <section><info><title>Fully Automatic Zone Signing</title></info>
 
   </section>
   <para>To enable automatic signing, add the
@@ -89,69 +89,69 @@
   <command>auto-dnssec allow</command>,
   <command>named</command> can search the key directory for keys
   matching the zone, insert them into the zone, and use them to
-  sign the zone. It will do so only when it receives an
+  sign the zone. It does so only when it receives an
   <command>rndc sign &lt;zonename&gt;</command>.</para>
   <para>
   <!-- TODO: this is repeated in the ARM -->
   <command>auto-dnssec maintain</command> includes the above
-  functionality, but will also automatically adjust the zone's
-  DNSKEY records on schedule according to the keys' timing metadata.
+  functionality, but also automatically adjusts the zone's
+  DNSKEY records on a schedule according to the keys' timing metadata.
   (See <xref linkend="man.dnssec-keygen"/> and
   <xref linkend="man.dnssec-settime"/> for more information.)
   </para>
   <para>
-  <command>named</command> will periodically search the key directory
-  for keys matching the zone, and if the keys' metadata indicates
-  that any change should be made the zone, such as adding, removing,
-  or revoking a key, then that action will be carried out.  By default,
+  <command>named</command> periodically searches the key directory
+  for keys matching the zone; if the keys' metadata indicates
+  that any change should be made to the zone - such as adding, removing,
+  or revoking a key - then that action is carried out.  By default,
   the key directory is checked for changes every 60 minutes; this period
-  can be adjusted with the <option>dnssec-loadkeys-interval</option>, up
+  can be adjusted with <option>dnssec-loadkeys-interval</option>, up
   to a maximum of 24 hours.  The <command>rndc loadkeys</command> forces
   <command>named</command> to check for key updates immediately.
   </para>
   <para>
   If keys are present in the key directory the first time the zone
-  is loaded, the zone will be signed immediately, without waiting for an
+  is loaded, the zone is signed immediately, without waiting for an
   <command>rndc sign</command> or <command>rndc loadkeys</command>
-  command. (Those commands can still be used when there are unscheduled
-  key changes, however.)
+  command. Those commands can still be used when there are unscheduled
+  key changes.
   </para>
   <para>
   When new keys are added to a zone, the TTL is set to match that
   of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
-  then the TTL will be set to the TTL specified when the key was
+  the TTL is set to the TTL specified when the key was
   created (using the <command>dnssec-keygen -L</command> option), if
   any, or to the SOA TTL.
   </para>
   <para>
-  If you wish the zone to be signed using NSEC3 instead of NSEC,
+  To sign the zone using NSEC3 instead of NSEC,
   submit an NSEC3PARAM record via dynamic update prior to the
-  scheduled publication and activation of the keys.  If you wish the
-  NSEC3 chain to have the OPTOUT bit set, set it in the flags field
-  of the NSEC3PARAM record.  The NSEC3PARAM record will not appear in
-  the zone immediately, but it will be stored for later reference.  When
+  scheduled publication and activation of the keys.
+  The OPTOUT bit for the NSEC3 chain can be set in the flags field
+  of the NSEC3PARAM record.  The NSEC3PARAM record does not appear in
+  the zone immediately, but it is stored for later reference.  When
   the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
-  record will appear in the zone.
+  record appears in the zone.
   </para>
   <para>Using the
   <command>auto-dnssec</command> option requires the zone to be
   configured to allow dynamic updates, by adding an
   <command>allow-update</command> or
   <command>update-policy</command> statement to the zone
-  configuration. If this has not been done, the configuration will
-  fail.</para>
-  <section><info><title>Private-type records</title></info>
+  configuration. If this has not been done, the configuration
+  fails.</para>
+  <section><info><title>Private Type Records</title></info>
 
   </section>
   <para>The state of the signing process is signaled by
-  private-type records (with a default type value of 65534). When
-  signing is complete, these records will have a nonzero value for
-  the final octet (for those records which have a nonzero initial
-  octet).</para>
-  <para>The private type record format: If the first octet is
-  non-zero then the record indicates that the zone needs to be
+  private type records (with a default type value of 65534). When
+  signing is complete, these records with a non-zero initial octet
+  have a non-zero value for the final octet.</para>
+  <para>If the first octet of a private type record is
+  non-zero, the record indicates either that the zone needs to be
   signed with the key matching the record, or that all signatures
-  that match the record should be removed.</para>
+  that match the record should be removed. Here are the meanings
+  of the different values of the first octet:</para>
   <para>
     <literallayout>
 <!-- TODO: how to format this? -->
@@ -162,13 +162,13 @@
 </literallayout>
   </para>
   <para>Only records flagged as "complete" can be removed via
-  dynamic update. Attempts to remove other private type records
-  will be silently ignored.</para>
+  dynamic update; attempts to remove other private type records
+  are silently ignored.</para>
   <para>If the first octet is zero (this is a reserved algorithm
-  number that should never appear in a DNSKEY record) then the
-  record indicates changes to the NSEC3 chains are in progress. The
-  rest of the record contains an NSEC3PARAM record. The flag field
-  tells what operation to perform based on the flag bits.</para>
+  number that should never appear in a DNSKEY record), the
+  record indicates that changes to the NSEC3 chains are in progress. The
+  rest of the record contains an NSEC3PARAM record, while the flag field
+  tells what operation to perform based on the flag bits:</para>
   <para>
     <literallayout>
 <!-- TODO: how to format this? -->
@@ -178,97 +178,95 @@
   0x20 NONSEC
 </literallayout>
   </para>
-  <section><info><title>DNSKEY rollovers</title></info>
+  <section><info><title>DNSKEY Rollovers</title></info>
 
   </section>
-  <para>As with insecure-to-secure conversions, rolling DNSSEC
-  keys can be done in two ways: using a dynamic DNS update, or the
+  <para>As with insecure-to-secure conversions, DNSSEC keyrolls
+  can be done in two ways: using a dynamic DNS update, or via the
   <command>auto-dnssec</command> zone option.</para>
-  <section><info><title>Dynamic DNS update method</title></info>
+  <section><info><title>Dynamic DNS Update Method</title></info>
 
   </section>
-  <para> To perform key rollovers via dynamic update, you need to add
-  the <filename>K*</filename> files for the new keys so that
-  <command>named</command> can find them. You can then add the new
-  DNSKEY RRs via dynamic update.
-  <command>named</command> will then cause the zone to be signed
-  with the new keys. When the signing is complete the private type
-  records will be updated so that the last octet is non
-  zero.</para>
-  <para>If this is for a KSK you need to inform the parent and any
-  trust anchor repositories of the new KSK.</para>
-  <para>You should then wait for the maximum TTL in the zone before
+  <para> To perform key rollovers via dynamic update,
+  the <filename>K*</filename> files for the new keys must be added so that
+  <command>named</command> can find them. The new
+  DNSKEY RRs can then be added via dynamic update.
+  <command>named</command> then causes the zone to be signed
+  with the new keys; when the signing is complete, the private type
+  records are updated so that the last octet is non-zero.</para>
+  <para>If this is for a KSK, the parent and any
+  trust anchor repositories of the new KSK must be informed.</para>
+  <para>The maximum TTL in the zone must expire before
   removing the old DNSKEY. If it is a KSK that is being updated,
-  you also need to wait for the DS RRset in the parent to be
-  updated and its TTL to expire. This ensures that all clients will
-  be able to verify at least one signature when you remove the old
-  DNSKEY.</para>
-  <para>The old DNSKEY can be removed via UPDATE. Take care to
+  the DS RRset in the parent must also be
+  updated its TTL allowed to expire. This ensures that all clients
+  are able to verify at least one signature when the old DNSKEY is removed.</para>
+  <para>The old DNSKEY can be removed via UPDATE, taking care to
   specify the correct key.
-  <command>named</command> will clean out any signatures generated
+  <command>named</command> cleans out any signatures generated
   by the old key after the update completes.</para>
-  <section><info><title>Automatic key rollovers</title></info>
+  <section><info><title>Automatic Key Rollovers</title></info>
 
   </section>
   <para>When a new key reaches its activation date (as set by
   <command>dnssec-keygen</command> or <command>dnssec-settime</command>),
-  if the <command>auto-dnssec</command> zone option is set to
-  <constant>maintain</constant>, <command>named</command> will
-  automatically carry out the key rollover.  If the key's algorithm
-  has not previously been used to sign the zone, then the zone will
-  be fully signed as quickly as possible.  However, if the new key
-  is replacing an existing key of the same algorithm, then the
-  zone will be re-signed incrementally, with signatures from the
-  old key being replaced with signatures from the new key as their
+  and if the <command>auto-dnssec</command> zone option is set to
+  <constant>maintain</constant>, <command>named</command>
+  automatically carries out the key rollover.  If the key's algorithm
+  has not previously been used to sign the zone, then the zone is
+  fully signed as quickly as possible.  However, if the new key
+  replaces an existing key of the same algorithm, the
+  zone is re-signed incrementally, with signatures from the
+  old key replaced with signatures from the new key as their
   signature validity periods expire.  By default, this rollover
-  completes in 30 days, after which it will be safe to remove the
+  completes in 30 days, after which it is safe to remove the
   old key from the DNSKEY RRset.</para>
-  <section><info><title>NSEC3PARAM rollovers via UPDATE</title></info>
+  <section><info><title>NSEC3PARAM Rollovers via UPDATE</title></info>
 
   </section>
-  <para>Add the new NSEC3PARAM record via dynamic update. When the
+  <para>The new NSEC3PARAM record can be added via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
-  will be zero. At this point you can remove the old NSEC3PARAM
-  record. The old chain will be removed after the update request
+  is set to zero. At that point, the old NSEC3PARAM
+  record can be removed. The old chain is removed after the update request
   completes.</para>
-  <section><info><title>Converting from NSEC to NSEC3</title></info>
+  <section><info><title>Converting From NSEC to NSEC3</title></info>
 
   </section>
-  <para>To do this, you just need to add an NSEC3PARAM record. When
-  the conversion is complete, the NSEC chain will have been removed
-  and the NSEC3PARAM record will have a zero flag field. The NSEC3
-  chain will be generated before the NSEC chain is
+  <para>To do this, an NSEC3PARAM record must be added. When
+  the conversion is complete, the NSEC chain is removed
+  and the NSEC3PARAM record has a zero flag field. The NSEC3
+  chain is generated before the NSEC chain is
   destroyed.</para>
-  <section><info><title>Converting from NSEC3 to NSEC</title></info>
+  <section><info><title>Converting From NSEC3 to NSEC</title></info>
 
   </section>
   <para>To do this, use <command>nsupdate</command> to
   remove all NSEC3PARAM records with a zero flag
-  field. The NSEC chain will be generated before the NSEC3 chain is
+  field. The NSEC chain is generated before the NSEC3 chain is
   removed.</para>
-  <section><info><title>Converting from secure to insecure</title></info>
+  <section><info><title>Converting From Secure to Insecure</title></info>
 
   </section>
   <para>To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   <command>nsupdate</command>. All signatures, NSEC or NSEC3 chains,
-  and associated NSEC3PARAM records will be removed automatically.
-  This will take place after the update request completes.</para>
+  and associated NSEC3PARAM records are removed automatically.
+  This takes place after the update request completes.</para>
   <para> This requires the
   <command>dnssec-secure-to-insecure</command> option to be set to
   <userinput>yes</userinput> in
   <filename>named.conf</filename>.</para>
   <para>In addition, if the <command>auto-dnssec maintain</command>
   zone statement is used, it should be removed or changed to
-  <command>allow</command> instead (or it will re-sign).
+  <command>allow</command> instead; otherwise, it will re-sign).
   </para>
-  <section><info><title>Periodic re-signing</title></info>
+  <section><info><title>Periodic Re-signing</title></info>
 
   </section>
   <para>In any secure zone which supports dynamic updates, <command>named</command>
-  will periodically re-sign RRsets which have not been re-signed as
-  a result of some update action. The signature lifetimes will be
-  adjusted so as to spread the re-sign load over time rather than
+  periodically re-signs RRsets which have not been re-signed as
+  a result of some update action. The signature lifetimes are
+  adjusted to spread the re-sign load over time rather than
   all at once.</para>
   <section><info><title>NSEC3 and OPTOUT</title></info>
 
@@ -280,7 +278,7 @@
   <command>named</command> supports UPDATES to zones where the NSEC3
   records in the chain have mixed OPTOUT state.
   <command>named</command> does not support changing the OPTOUT
-  state of an individual NSEC3 record, the entire chain needs to be
-  changed if the OPTOUT state of an individual NSEC3 needs to be
+  state of an individual NSEC3 record; if the OPTOUT state of an individual NSEC3 needs to be
+  changed, the entire chain must be
   changed.</para>
 </section>
diff --git a/bind/bind9/doc/arm/dyndb.xml b/bind/bind9/doc/arm/dyndb.xml
index a9c5b498..d58ded44 100644
--- a/bind/bind9/doc/arm/dyndb.xml
+++ b/bind/bind9/doc/arm/dyndb.xml
@@ -3,17 +3,17 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="dyndb-info"><info><title>DynDB (Dynamic Database)</title></info>
+<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dyndb-info"><info><title>Dynamic Database (DynDB)</title></info>
 
   <para>
-    DynDB is an extension to BIND 9 which, like DLZ
+    Dynamic Database, or DynDB, is an extension to BIND 9 which, like DLZ
     (see <xref linkend="dlz-info"/>), allows zone data to be
     retrieved from an external database.  Unlike DLZ, a DynDB module
     provides a full-featured BIND zone database interface.  Where
@@ -27,7 +27,7 @@
   <para>
     A DynDB module supporting LDAP has been created by Red Hat
     and is available from
-    <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://fedorahosted.org/bind-dyndb-ldap/">https://fedorahosted.org/bind-dyndb-ldap/</link>.
+    <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://pagure.io/bind-dyndb-ldap">https://pagure.io/bind-dyndb-ldap</link>.
   </para>
   <para>
     A sample DynDB module for testing and developer guidance
@@ -53,20 +53,20 @@
       different drivers or multiple instances of the same driver.
       Zones provided by a DynDB module are added to the view's zone
       table, and are treated as normal authoritative zones when BIND
-      is responding to queries.  Zone configuration is handled internally
+      responds to queries.  Zone configuration is handled internally
       by the DynDB module.
     </para>
     <para>
       The <replaceable>parameters</replaceable> are passed as an opaque
       string to the DynDB module's initialization routine. Configuration
-      syntax will differ depending on the driver.
+      syntax differs depending on the driver.
     </para>
   </section>
   <section><info><title>Sample DynDB Module</title></info>
 
     <para>
-      For guidance in implementation of DynDB modules, the directory
-      <filename>bin/tests/system/dyndb/driver</filename>.
+      For guidance in the implementation of DynDB modules, the directory
+      <filename>bin/tests/system/dyndb/driver</filename>
       contains a basic DynDB module.
       The example sets up two zones, whose names are passed
       to the module as arguments in the <command>dyndb</command>
@@ -76,7 +76,7 @@
     dyndb sample "sample.so" { example.nil. arpa. };
     </screen>
     <para>
-      In the above example, the module is configured to create a zone
+      In the above example, the module is configured to create a zone,
       "example.nil", which can answer queries and AXFR requests, and
       accept DDNS updates.  At runtime, prior to any updates, the zone
       contains an SOA, NS, and a single A record at the apex:
@@ -89,11 +89,11 @@
  example.nil.  86400    IN      A       127.0.0.1
     </screen>
     <para>
-      When the zone is updated dynamically, the DynDB module will determine
-      whether the updated RR is an address (i.e., type A or AAAA) and if
-      so, it will automatically update the corresponding PTR record in a
-      reverse zone.  (Updates are not stored permanently; all updates are
-      lost when the server is restarted.)
+      When the zone is updated dynamically, the DynDB module determines
+      whether the updated RR is an address (i.e., type A or AAAA); if
+      so, it automatically updates the corresponding PTR record in a
+      reverse zone.  Note that updates are not stored permanently; all updates are
+      lost when the server is restarted.
     </para>
   </section>
 </section>
diff --git a/bind/bind9/doc/arm/forward.zoneopt.xml b/bind/bind9/doc/arm/forward.zoneopt.xml
index 429bbca3..37db8851 100644
--- a/bind/bind9/doc/arm/forward.zoneopt.xml
+++ b/bind/bind9/doc/arm/forward.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/hint.zoneopt.xml b/bind/bind9/doc/arm/hint.zoneopt.xml
index c1b4fad4..c2ff725f 100644
--- a/bind/bind9/doc/arm/hint.zoneopt.xml
+++ b/bind/bind9/doc/arm/hint.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/in-view.zoneopt.xml b/bind/bind9/doc/arm/in-view.zoneopt.xml
index a91b6f37..0fad1ac5 100644
--- a/bind/bind9/doc/arm/in-view.zoneopt.xml
+++ b/bind/bind9/doc/arm/in-view.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/isc-logo.pdf b/bind/bind9/doc/arm/isc-logo.pdf
index 17d38a8a..78770827 100644
--- a/bind/bind9/doc/arm/isc-logo.pdf
+++ b/bind/bind9/doc/arm/isc-logo.pdf
diff --git a/bind/bind9/doc/arm/key.grammar.xml b/bind/bind9/doc/arm/key.grammar.xml
index 33cc23ac..7b39ee1b 100644
--- a/bind/bind9/doc/arm/key.grammar.xml
+++ b/bind/bind9/doc/arm/key.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/libdns.xml b/bind/bind9/doc/arm/libdns.xml
index 4562f6a7c..bcc537e3 100644
--- a/bind/bind9/doc/arm/libdns.xml
+++ b/bind/bind9/doc/arm/libdns.xml
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="bind9.library">
+<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="bind9.library">
   <info>
     <title>BIND 9 DNS Library Support</title>
   </info>
@@ -30,7 +30,7 @@
   <itemizedlist>
     <listitem>
       <para>
-	The "DNS client" module. This is a higher level API that
+	The "DNS client" module. This is a higher-level API that
 	provides an interface to name resolution, single DNS transaction
 	with a particular server, and dynamic update. Regarding name
 	resolution, it supports advanced features such as DNSSEC validation
@@ -74,11 +74,11 @@
 $ <userinput>make install</userinput>
     </screen>
     <para>
-      Normal installation of BIND will also install library object
+      Normal installation of BIND also installs library object
       and header files.  Root privilege is normally required.
     </para>
     <para>
-      To see how to build your own application after the installation, see
+      To see how to build a custom application after the installation, see
       <filename>lib/samples/Makefile-postinstall.in</filename>.
     </para>
   </section>
@@ -90,9 +90,9 @@ $ <userinput>make install</userinput>
       <listitem>
         <para>
 	The "fixed" RRset order is not (currently) supported in the export
-	library. If you want to use "fixed" RRset order for, e.g.
+	library. To use "fixed" RRset order for, e.g.,
 	<command>named</command> while still building the export library
-	even without the fixed order support, build them separately:
+	even without the fixed-order support, build them separately:
       <screen>
 $ <userinput>./configure --enable-fixed-rrset <replaceable>[other flags, but not --enable-exportlib]</replaceable></userinput>
 $ <userinput>make</userinput>
@@ -105,9 +105,9 @@ $ <userinput>make</userinput>
       <listitem>
         <para>
 	RFC 5011 is not supported in the validating stub resolver of the
-	export library. In fact, it is not clear whether it should: trust
+	export library. In fact, it is not clear whether it should be: trust
 	anchors would be a system-wide configuration which would be managed
-	by an administrator, while the stub resolver will be used by
+	by an administrator, while the stub resolver is used by
 	ordinary applications run by a normal user.
       </para>
       </listitem>
@@ -126,9 +126,9 @@ $ <userinput>make</userinput>
     </info>
     <para>
       The IRS library supports an "advanced" configuration file related to
-      the DNS library for configuration parameters that would be beyond the
+      the DNS library, for configuration parameters that would be beyond the
       capability of the <filename>resolv.conf</filename> file.
-      Specifically, it is intended to provide DNSSEC related configuration
+      Specifically, it is intended to provide DNSSEC-related configuration
       parameters. By default the path to this configuration file is
       <filename>/etc/dns.conf</filename>.  This module is very experimental
       and the configuration syntax or library interfaces may change in
@@ -152,10 +152,10 @@ $ <userinput>make</userinput>
         <title>sample: a simple stub resolver utility</title>
       </info>
       <para>
-	Sends a query of a given name (of a given optional RR type) to a
+	This sends a query of a given name (of a given optional RR type) to a
 	specified recursive server and prints the result as a list of RRs.
 	It can also act as a validating stub resolver if a trust anchor is
-	given via a set of command line options.
+	given via a set of command-line options.
       </para>
       <para>
 	Usage: sample [options] server_address hostname
@@ -168,7 +168,7 @@ $ <userinput>make</userinput>
           <term>-t RRtype</term>
           <listitem>
             <para>
-	      specify the RR type of the query.  The default is the A RR.
+	      specifies the RR type of the query.  The default is the A RR.
 	    </para>
           </listitem>
         </varlistentry>
@@ -176,7 +176,7 @@ $ <userinput>make</userinput>
           <term>[-a algorithm] [-e] -k keyname -K keystring</term>
           <listitem>
             <para>
-	      specify a command-line DNS key to validate the answer.  For
+	      specifies a command-line DNS key to validate the answer.  For
 	      example, to specify the following DNSKEY of example.com:
 	      <literallayout>
 	              example.com. 3600 IN DNSKEY 257 3 5 xxx
@@ -187,7 +187,7 @@ $ <userinput>make</userinput>
 	      </screen>
 	      -e means that this key is a zone's "key signing key" (also known
 	      as "secure entry point").
-	      When -a is omitted rsasha1 will be used by default.
+	      When -a is omitted rsasha1 is used by default.
 	    </para>
           </listitem>
         </varlistentry>
@@ -195,7 +195,7 @@ $ <userinput>make</userinput>
           <term>-s domain:alt_server_address</term>
           <listitem>
             <para>
-	       specify a separate recursive server address for the specific
+	       specifies a separate recursive server address for the specific
 	       "domain".  Example: -s example.com:2001:db8::1234
 	    </para>
           </listitem>
@@ -204,7 +204,7 @@ $ <userinput>make</userinput>
           <term>server_address</term>
           <listitem>
             <para>
-	      an IP(v4/v6) address of the recursive server to which queries
+	      is an IP(v4/v6) address of the recursive server to which queries
 	      are sent.
 	    </para>
           </listitem>
@@ -213,7 +213,7 @@ $ <userinput>make</userinput>
           <term>hostname</term>
           <listitem>
             <para>
-	      the domain name for the query
+	      is the domain name for the query
 	</para>
           </listitem>
         </varlistentry>
@@ -224,7 +224,7 @@ $ <userinput>make</userinput>
         <title>sample-async: a simple stub resolver, working asynchronously</title>
       </info>
       <para>
-      Similar to "sample", but accepts a list
+      This is similar to "sample", but accepts a list
       of (query) domain names as a separate file and resolves the names
       asynchronously.</para>
       <para>
@@ -236,22 +236,22 @@ $ <userinput>make</userinput>
         <varlistentry>
           <term>-s server_address</term>
           <listitem>
-       an IPv4 address of the recursive server to which queries are sent.
-      (IPv6 addresses are not supported in this implementation)
+      is an IPv4 address of the recursive server to which queries are sent.
+      (IPv6 addresses are not supported in this implementation.)
       </listitem>
         </varlistentry>
         <varlistentry>
           <term>-t RR_type</term>
           <listitem>
-      specify the RR type of the queries. The default is the A
+      specifies the RR type of the queries. The default is the A
       RR.
       </listitem>
         </varlistentry>
         <varlistentry>
           <term>input_file</term>
 	  <listitem>
-	    a list of domain names to be resolved. each line consists of a
-	    single domain name. Example:
+	    is a list of domain names to be resolved; each line consists of a
+	    single domain name. For example:
       <literallayout>
       www.example.com
       mx.example.net
@@ -266,8 +266,8 @@ $ <userinput>make</userinput>
         <title>sample-request: a simple DNS transaction client</title>
       </info>
       <para>
-	Sends a query to a specified server, and prints the response with
-	minimal processing. It doesn't act as a "stub resolver": it stops
+	sends a query to a specified server, and prints the response with
+	minimal processing. It does not act as a "stub resolver": it stops
 	the processing once it gets any response from the server, whether
 	it's a referral or an alias (CNAME or DNAME) that would require
 	further queries to get the ultimate answer. In other words, this
@@ -284,7 +284,7 @@ $ <userinput>make</userinput>
           <term>-t RRtype</term>
           <listitem>
 	    <para>
-	      specify the RR type of the queries. The default is the A RR.
+	      specifies the RR type of the queries. The default is the A RR.
             </para>
           </listitem>
         </varlistentry>
@@ -292,7 +292,7 @@ $ <userinput>make</userinput>
           <term>server_address</term>
           <listitem>
 	    <para>
-	      an IP(v4/v6) address of the recursive server to which
+	      is an IP(v4/v6) address of the recursive server to which
 	      the query is sent.
 	    </para>
           </listitem>
@@ -301,7 +301,7 @@ $ <userinput>make</userinput>
           <term>hostname</term>
           <listitem>
 	    <para>
-	      the domain name for the query
+	      is the domain name for the query
 	    </para>
           </listitem>
         </varlistentry>
@@ -312,15 +312,15 @@ $ <userinput>make</userinput>
         <title>sample-gai: getaddrinfo() and getnameinfo() test code</title>
       </info>
       <para>
-	This is a test program to check <command>getaddrinfo()</command> and
+	is a test program to check <command>getaddrinfo()</command> and
 	<command>getnameinfo()</command> behavior. It takes a host name as an
 	argument, calls <command>getaddrinfo()</command> with the given host
 	name, and calls <command>getnameinfo()</command> with the resulting
 	IP addresses returned by <command>getaddrinfo()</command>. If the
 	dns.conf file exists and defines a trust anchor, the underlying
-	resolver will act as a validating resolver, and
+	resolver acts as a validating resolver, and
 	<command>getaddrinfo()</command>/<command>getnameinfo()</command>
-	will fail with an EAI_INSECUREDATA error when DNSSEC validation
+	fails with an EAI_INSECUREDATA error when DNSSEC validation
 	fails.
       </para>
       <para>
@@ -332,7 +332,7 @@ $ <userinput>make</userinput>
         <title>sample-update: a simple dynamic update client program</title>
       </info>
       <para>
-	Accepts a single update command as a command-line argument, sends
+	accepts a single update command as a command-line argument, sends
 	an update request message to the authoritative server, and shows
 	the response from the server. In other words, this is a simplified
 	<command>nsupdate</command>.
@@ -348,7 +348,7 @@ $ <userinput>make</userinput>
           <term>-a auth_server</term>
           <listitem>
 	    <para>
-	      An IP address of the authoritative server that has authority
+	      is an IP address of the authoritative server that has authority
 	      for the zone containing the update name.  This should
 	      normally be the primary authoritative server that accepts
 	      dynamic updates.  It can also be a secondary server that is
@@ -360,7 +360,7 @@ $ <userinput>make</userinput>
           <term>-k keyfile</term>
           <listitem>
 	    <para>
-	      A TSIG key file to secure the update transaction.  The
+	      is a TSIG key file to secure the update transaction.  The
 	      keyfile format is the same as that for the nsupdate utility.
 	    </para>
           </listitem>
@@ -369,8 +369,8 @@ $ <userinput>make</userinput>
           <term>-p prerequisite</term>
           <listitem>
 	    <para>
-	      A prerequisite for the update (only one prerequisite can be
-	      specified).  The prerequisite format is the same as that is
+	      is a prerequisite for the update; only one prerequisite can be
+	      specified.  The prerequisite format is the same as that
 	      accepted by the nsupdate utility.
 	    </para>
           </listitem>
@@ -379,8 +379,8 @@ $ <userinput>make</userinput>
           <term>-r recursive_server</term>
           <listitem>
 	    <para>
-	      An IP address of a recursive server that this utility will
-	      use.  A recursive server may be necessary to identify the
+	      is an IP address of a recursive server that this utility
+	      uses.  A recursive server may be necessary to identify the
 	      authoritative server address to which the update request is
 	      sent.
 	    </para>
@@ -390,7 +390,7 @@ $ <userinput>make</userinput>
           <term>-z zonename</term>
           <listitem>
 	    <para>
-	      The domain name of the zone that contains
+	      is the domain name of the zone that it contains.
 	    </para>
           </listitem>
         </varlistentry>
@@ -398,7 +398,7 @@ $ <userinput>make</userinput>
           <term>(add|delete)</term>
           <listitem>
 	    <para>
-	      Specify the type of update operation.  Either "add" or
+	      specifies the type of update operation.  Either "add" or
 	      "delete" must be specified.
 	    </para>
           </listitem>
@@ -407,8 +407,8 @@ $ <userinput>make</userinput>
 	  <term>"update data"</term>
           <listitem>
 	    <para>
-	      Specify the data to be updated.  A typical example of the
-	      data would look like "name TTL RRtype RDATA".
+	      specifies the data to be updated.  A typical example of the
+	      data looks like "name TTL RRtype RDATA".
 	    </para>
           </listitem>
         </varlistentry>
@@ -445,7 +445,7 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
         <title>nsprobe: domain/name server checker in terms of RFC 4074</title>
       </info>
       <para>
-	Checks a set of domains to see the name servers of the domains
+	checks a set of domains to ensure the name servers of the domains
 	behave correctly in terms of RFC 4074. This is included in the set
 	of sample programs to show how the export library can be used in a
 	DNS-related application.
@@ -461,8 +461,8 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
           <term>-d</term>
           <listitem>
 	    <para>
-	      Run in "debug" mode.  With this option nsprobe will dump
-	      every RRs it receives.
+	      runs in "debug" mode.  With this option, nsprobe dumps
+	      every RR it receives.
 	    </para>
           </listitem>
         </varlistentry>
@@ -470,7 +470,7 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
           <term>-v</term>
           <listitem>
 	    <para>
-	      Increase verbosity of other normal log messages.  This can be
+	      increases verbosity of other normal log messages.  This can be
 	      specified multiple times.
 	    </para>
           </listitem>
@@ -479,7 +479,7 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
           <term>-c cache_address</term>
           <listitem>
 	    <para>
-	      Specify an IP address of a recursive (caching) name server.
+	      specifies an IP address of a recursive (caching) name server.
 	      nsprobe uses this server to get the NS RRset of each domain
 	      and the A and/or AAAA RRsets for the name servers.  The
 	      default value is 127.0.0.1.
@@ -490,14 +490,14 @@ $ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dy
           <term>input_file</term>
           <listitem>
 	    <para>
-	      A file name containing a list of domain (zone) names to be
-	      probed.  when omitted the standard input will be used.  Each
-	      line of the input file specifies a single domain name such as
-	      "example.com".  In general this domain name must be the apex
-	      name of some DNS zone (unlike normal "host names" such as
-	      "www.example.com").  nsprobe first identifies the NS RRsets
+	      is a file name containing a list of domain (zone) names to be
+	      probed.  when omitted the standard input is used.  Each
+	      line of the input file specifies a single domain name, such as
+	      "example.com".  In general, this domain name must be the apex
+	      name of some DNS zone, unlike normal "host names" such as
+	      "www.example.com".  nsprobe first identifies the NS RRsets
 	      for the given domain name, and sends A and AAAA queries to
-	      these servers for some "widely used" names under the zone;
+	      these servers for some widely used names under the zone;
 	      specifically, adding "www" and "ftp" to the zone name.
 	    </para>
           </listitem>
diff --git a/bind/bind9/doc/arm/logging-categories.xml b/bind/bind9/doc/arm/logging-categories.xml
index 181def70..56d05e8b 100644
--- a/bind/bind9/doc/arm/logging-categories.xml
+++ b/bind/bind9/doc/arm/logging-categories.xml
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<informaltable xmlns:db="http://docbook.org/ns/docbook" version="5.0" colsep="0" rowsep="0">
+<informaltable xmlns="http://docbook.org/ns/docbook" version="5.0" colsep="0" rowsep="0">
   <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
     <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
     <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
@@ -31,8 +31,8 @@
 	</entry>
 	<entry colname="2">
 	  <para>
-	    Logs nameservers that are skipped due to them being
-	    a CNAME rather than A / AAAA records.
+	    Name servers that are skipped for being
+	    a CNAME rather than A/AAAA records.
 	  </para>
 	</entry>
       </row>
@@ -64,7 +64,7 @@
 	</entry>
 	<entry colname="2">
 	  <para>
-	    The default category defines the logging
+	    Logging
 	    options for those categories where no specific
 	    configuration has been
 	    defined.
@@ -77,11 +77,11 @@
 	</entry>
 	<entry colname="2">
 	  <para>
-	    Delegation only.  Logs queries that have been
+	    Queries that have been
 	    forced to NXDOMAIN as the result of a
 	    delegation-only zone or a
 	    <command>delegation-only</command> in a
-	    forward, hint or stub zone declaration.
+	    forward, hint, or stub zone declaration.
 	  </para>
 	</entry>
       </row>
@@ -124,7 +124,7 @@
 	  <para>
 	    Log queries that have been forced to use plain
 	    DNS due to timeouts.  This is often due to
-	    the remote servers not being RFC 1034 compliant
+	    the remote servers not being RFC 1034-compliant
 	    (not always returning FORMERR or similar to
 	    EDNS queries and other extensions to the DNS
 	    when they are not understood).  In other words, this is
@@ -141,11 +141,11 @@
 	  </para>
 	  <para>
 	    Note: eventually <command>named</command> will have to stop
-	    treating such timeouts as due to RFC 1034 non
-	    compliance and start treating it as plain
+	    treating such timeouts as due to RFC 1034
+		non-compliance and start treating it as plain
 	    packet loss.  Falsely classifying packet
-	    loss as due to RFC 1034 non compliance impacts
-	    on DNSSEC validation which requires EDNS for
+	    loss as due to RFC 1034 non-compliance impacts
+	    DNSSEC validation, which requires EDNS for
 	    the DNSSEC records to be returned.
 	  </para>
 	</entry>
@@ -156,8 +156,8 @@
 	</entry>
 	<entry colname="2">
 	  <para>
-	    The catch-all. Many things still aren't
-	    classified into categories, and they all end up here.
+	    Catch-all for many things that still are not
+	    classified into categories.
 	  </para>
 	</entry>
       </row>
@@ -167,8 +167,8 @@
 	</entry>
 	<entry colname="2">
 	  <para>
-	    Lame servers.  These are misconfigurations
-	    in remote servers, discovered by BIND 9 when trying to
+	    Misconfigurations
+	    in remote servers, discovered by <acronym>BIND</acronym> 9 when trying to
 	    query those servers during resolution.
 	  </para>
 	</entry>
@@ -199,11 +199,11 @@
 	</entry>
 	<entry colname="2">
 	  <para>
-	    Specify where queries should be logged to.
+	    Location where queries should be logged.
 	  </para>
 	  <para>
-	    At startup, specifying the category <command>queries</command> will also
-	    enable query logging unless <command>querylog</command> option has been
+	    At startup, specifying the category <command>queries</command> also
+	    enables query logging unless <command>querylog</command> option has been
 	    specified.
 	  </para>
 
@@ -212,16 +212,16 @@
 	    identifier in @0x&lt;hexadecimal-number&gt;
 	    format. Next, it reports the client's IP
 	    address and port number, and the query name,
-	    class and type.  Next, it reports whether the
+	    class, and type.  Next, it reports whether the
 	    Recursion Desired flag was set (+ if set, -
-	    if not set), if the query was signed (S),
-	    EDNS was in used along with the EDNS version
-	    number (E(#)), if TCP was used (T), if DO
-	    (DNSSEC Ok) was set (D), if CD (Checking
-	    Disabled) was set (C), if a valid DNS Server
-	    COOKIE was received (V), or if a DNS COOKIE
+	    if not set), whether the query was signed (S),
+	    whether EDNS was in use along with the EDNS version
+	    number (E(#)), whether TCP was used (T), whether DO
+	    (DNSSEC Ok) was set (D), whether CD (Checking
+	    Disabled) was set (C), whether a valid DNS Server
+	    COOKIE was received (V), and whether a DNS COOKIE
 	    option without a valid Server COOKIE was
-	    present (K).  After this the destination
+	    present (K).  After this, the destination
 	    address the query was sent to is reported.
 	  </para>
 
@@ -232,10 +232,10 @@
 	    <computeroutput>client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</computeroutput>
 	  </para>
 	  <para>
-	    (The first part of this log message, showing the
+	    The first part of this log message, showing the
 	    client address/port number and query name, is
 	    repeated in all subsequent log messages related
-	    to the same query.)
+	    to the same query.
 	  </para>
 	</entry>
       </row>
@@ -262,12 +262,12 @@
 	    These messages include a hash value of the domain name
 	    of the response and the name itself,
 	    except when there is insufficient memory to record
-	    the name for the final notice
+	    the name for the final notice.
 	    The final notice is normally delayed until about one
-	    minute after rate limit stops.
+	    minute after rate limiting stops.
 	    A lack of memory can hurry the final notice,
-	    in which case it starts with an asterisk (*).
-	    Various internal events are logged at debug 1 level
+	    which is indicated by an initial asterisk (*).
+	    Various internal events are logged at debug level 1
 	    and higher.
 	  </para>
 	  <para>
@@ -295,7 +295,7 @@
 	<entry colname="2">
 	  <para>
 	    Information about errors in response policy zone files,
-	    rewritten responses, and at the highest
+	    rewritten responses, and, at the highest
 	    <command>debug</command> levels, mere rewriting
 	    attempts.
 	  </para>
@@ -317,7 +317,7 @@
 	</entry>
 	<entry colname="2">
 	  <para>
-	    Logs queries that have been terminated, either by dropping
+	    Queries that have been terminated, either by dropping
 	    or responding with SERVFAIL, as a result of a fetchlimit
 	    quota being exceeded.
 	  </para>
@@ -329,7 +329,7 @@
 	</entry>
 	<entry colname="2">
 	  <para>
-	    Logs trust-anchor-telemetry requests received by named.
+	    Trust-anchor-telemetry requests received by <command>named</command>.
 	  </para>
 	</entry>
       </row>
@@ -340,9 +340,9 @@
 	<entry colname="2">
 	  <para>
 	    Messages that <command>named</command> was unable to determine the
-	    class of or for which there was no matching <command>view</command>.
-	    A one line summary is also logged to the <command>client</command> category.
-	    This category is best sent to a file or stderr, by
+	    class of, or for which there was no matching <command>view</command>.
+	    A one-line summary is also logged to the <command>client</command> category.
+	    This category is best sent to a file or stderr; by
 	    default it is sent to
 	    the <command>null</command> channel.
 	  </para>
diff --git a/bind/bind9/doc/arm/logging.grammar.xml b/bind/bind9/doc/arm/logging.grammar.xml
index dd14d702..5c7edb9a 100644
--- a/bind/bind9/doc/arm/logging.grammar.xml
+++ b/bind/bind9/doc/arm/logging.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/man.arpaname.html b/bind/bind9/doc/arm/man.arpaname.html
index 4160efaa..d9a60ae2 100644
--- a/bind/bind9/doc/arm/man.arpaname.html
+++ b/bind/bind9/doc/arm/man.arpaname.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>arpaname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
-<link rel="next" href="man.dnstap-read.html" title="dnstap-read">
+<link rel="prev" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">arpaname</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
+<a accesskey="p" href="Bv9ARM.ch13.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnstap-read.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,65 +32,46 @@
 </div>
 <div class="refentry">
 <a name="man.arpaname"></a><div class="titlepage"></div>
-  
-  
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">arpaname</span>
-     &#8212; translate IP addresses to the corresponding ARPA names
-  </p>
+<p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">arpaname</code> 
-       {<em class="replaceable"><code>ipaddress </code></em>...}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.31.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.2.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>arpaname</strong></span> translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.31.8"></a><h2>SEE ALSO</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.2.8"></a><h2>SEE ALSO</h2>
+<p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
+<a accesskey="p" href="Bv9ARM.ch13.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnstap-read.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">
-<span class="application">ddns-confgen</span> </td>
+<td width="40%" align="left" valign="top">Manual pages </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnstap-read</span>
+<td width="40%" align="right" valign="top"> <span class="application">ddns-confgen</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.ddns-confgen.html b/bind/bind9/doc/arm/man.ddns-confgen.html
index 54887c31..1f0d6e12 100644
--- a/bind/bind9/doc/arm/man.ddns-confgen.html
+++ b/bind/bind9/doc/arm/man.ddns-confgen.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>ddns-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
-<link rel="next" href="man.arpaname.html" title="arpaname">
+<link rel="prev" href="man.arpaname.html" title="arpaname">
+<link rel="next" href="man.delv.html" title="delv">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">ddns-confgen</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
+<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.delv.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,63 +32,31 @@
 </div>
 <div class="refentry">
 <a name="man.ddns-confgen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">ddns-confgen</span>
-     &#8212; ddns key generation tool
-  </p>
+<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">tsig-keygen</code> 
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
-       [name]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">ddns-confgen</code> 
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
-       [
-         -s <em class="replaceable"><code>name</code></em> 
-         |   -z <em class="replaceable"><code>zone</code></em> 
-      ]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">tsig-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [name]</p></div>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.3.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
       are invocation methods for a utility that generates keys for use
       in TSIG signing.  The resulting keys can be used, for example,
       to secure dynamic DNS updates to a zone or for the
       <span class="command"><strong>rndc</strong></span> command channel.
     </p>
-
-    <p>
+<p>
       When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
       can be specified on the command line which will be used as
       the name of the generated key.  If no name is specified,
       the default is <code class="constant">tsig-key</code>.
     </p>
-
-    <p>
+<p>
       When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
       key is accompanied by configuration text and instructions
       that can be used with <span class="command"><strong>nsupdate</strong></span> and
@@ -98,8 +66,7 @@
       <span class="command"><strong>rndc-confgen</strong></span> command for setting
       up command channel security.)
     </p>
-
-    <p>
+<p>
       Note that <span class="command"><strong>named</strong></span> itself can configure a
       local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
       it does this when a zone is configured with
@@ -109,32 +76,24 @@
       if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
       system.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.30.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.3.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
             hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
             Options are case-insensitive, and the "hmac-" prefix
             may be omitted.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints a short summary of options and arguments.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the key name of the DDNS authentication key.
 	    The default is <code class="constant">ddns-key</code> when neither
 	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
@@ -144,19 +103,15 @@
 	    <code class="constant">ddns-key.example.com.</code>
 	    The key name must have the format of a valid domain name,
 	    consisting of letters, digits, hyphens and periods.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    (<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode:  Print
             only the key, with no explanatory text or usage examples;
             This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             Specifies a source of random data for generating the
             authorization.  If the operating system does not provide a
             <code class="filename">/dev/random</code> or equivalent device, the
@@ -166,11 +121,9 @@
             instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard input
             should be used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             (<span class="command"><strong>ddns-confgen</strong></span> only.)
 	    Generate configuration example to allow dynamic updates
             of a single hostname.  The example <span class="command"><strong>named.conf</strong></span>
@@ -181,11 +134,9 @@
 	    Note that the "self" nametype cannot be used, since
 	    the name to be updated may differ from the key name.
 	    This option cannot be used with the <code class="option">-z</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             (<span class="command"><strong>ddns-confgen</strong></span> only.)
 	    Generate configuration example to allow dynamic updates
             of a zone:  The example <span class="command"><strong>named.conf</strong></span> text
@@ -195,47 +146,36 @@
             all subdomain names within that
             <em class="replaceable"><code>zone</code></em>.
 	    This option cannot be used with the <code class="option">-s</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.30.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">nsupdate</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.3.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
+<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.delv.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">rndc-confgen</span> </td>
+<span class="application">arpaname</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">arpaname</span>
-</td>
+<td width="40%" align="right" valign="top"> delv</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.delv.html b/bind/bind9/doc/arm/man.delv.html
index 36038afe..59628295 100644
--- a/bind/bind9/doc/arm/man.delv.html
+++ b/bind/bind9/doc/arm/man.delv.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>delv</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.host.html" title="host">
-<link rel="next" href="man.nslookup.html" title="nslookup">
+<link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
+<link rel="next" href="man.dig.html" title="dig">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center">delv</th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.host.html">Prev</a> </td>
+<a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.nslookup.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,72 +32,25 @@
 </div>
 <div class="refentry">
 <a name="man.delv"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    delv
-     &#8212; DNS lookup and validation utility
-  </p>
+<p>delv &#8212; DNS lookup and validation utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [@server]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-i</code>]
-       [<code class="option">-m</code>]
-       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
-       [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
-       [name]
-       [type]
-       [class]
-       [queryopt...]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [<code class="option">-h</code>]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [<code class="option">-v</code>]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">delv</code> 
-       [queryopt...]
-       [query...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.5.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>delv</strong></span>
+<div class="cmdsynopsis"><p><code class="command">delv</code>  [@server] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-h</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-v</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">delv</code>  [queryopt...] [query...]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.4.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>delv</strong></span>
       is a tool for sending
       DNS queries and validating the results, using the same internal
       resolver and validator logic as <span class="command"><strong>named</strong></span>.
     </p>
-    <p>
+<p>
       <span class="command"><strong>delv</strong></span> will send to a specified name server all
       queries needed to fetch and validate the requested data; this
       includes the original requested query, subsequent queries to follow
@@ -107,7 +60,7 @@
       behavior of a name server configured for DNSSEC validating and
       forwarding.
     </p>
-    <p>
+<p>
       By default, responses are validated using built-in DNSSEC trust
       anchor for the root zone (".").  Records returned by
       <span class="command"><strong>delv</strong></span> are either fully validated or
@@ -118,7 +71,7 @@
       be used to check the validity of DNS responses in environments
       where local name servers may not be trustworthy.
     </p>
-    <p>
+<p>
       Unless it is told to query a specific name server,
       <span class="command"><strong>delv</strong></span> will try each of the servers listed in
       <code class="filename">/etc/resolv.conf</code>. If no usable server
@@ -126,18 +79,15 @@
       queries to the localhost addresses (127.0.0.1 for IPv4, ::1
       for IPv6).
     </p>
-    <p>
+<p>
       When no command line arguments or options are given,
       <span class="command"><strong>delv</strong></span> will perform an NS query for "."
       (the root zone).
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.5.8"></a><h2>SIMPLE USAGE</h2>
-
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.4.8"></a><h2>SIMPLE USAGE</h2>
+<p>
       A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
       </p>
 <pre class="programlisting"> delv @server name type </pre>
@@ -148,7 +98,7 @@
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">server</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      is the name or IP address of the name server to query.  This
 	      can be an IPv4 address in dotted-decimal notation or an IPv6
 	      address in colon-delimited notation.  When the supplied
@@ -158,7 +108,7 @@
 	      initial lookup is <span class="emphasis"><em>not</em></span> validated
 	      by DNSSEC).
 	    </p>
-	    <p>
+<p>
 	      If no <em class="parameter"><code>server</code></em> argument is
 	      provided, <span class="command"><strong>delv</strong></span> consults
 	      <code class="filename">/etc/resolv.conf</code>; if an
@@ -171,16 +121,13 @@
 	      the localhost addresses (127.0.0.1 for IPv4,
 	      ::1 for IPv6).
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="constant">name</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      is the domain name to be looked up.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="constant">type</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      indicates what type of query is required &#8212;
 	      ANY, A, MX, etc.
 	      <em class="parameter"><code>type</code></em> can be any valid query
@@ -188,27 +135,23 @@
 	      <em class="parameter"><code>type</code></em> argument is supplied,
 	      <span class="command"><strong>delv</strong></span> will perform a lookup for an
 	      A record.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.5.9"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.4.9"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies a file from which to read DNSSEC trust anchors.
 	    The default is <code class="filename">/etc/bind.keys</code>, which
 	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
 	    one or more trust anchors for the root zone (".").
 	  </p>
-	  <p>
+<p>
 	    Keys that do not match the root zone name are ignored.
             An alternate key name can be specified using the
 	    <code class="option">+root=NAME</code> options. DNSSEC Lookaside
@@ -216,7 +159,7 @@
 	    <code class="option">+dlv=NAME</code> to specify the name of a
             zone containing DLV records.
 	  </p>
-	  <p>
+<p>
 	    Note: When reading the trust anchor file,
 	    <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
 	    statements and <code class="option">trusted-keys</code> statements
@@ -230,28 +173,23 @@
 	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
 	    validation in <span class="command"><strong>delv</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the source IP address of the query to
 	    <em class="parameter"><code>address</code></em>.  This must be a valid address
 	    on one of the host's network interfaces or "0.0.0.0" or "::".
 	    An optional source port may be specified by appending
 	    "#&lt;port&gt;"
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the query class for the requested data. Currently,
 	    only class "IN" is supported in <span class="command"><strong>delv</strong></span>
 	    and any other value is ignored.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the systemwide debug level to <code class="option">level</code>.
 	    The allowed range is from 0 to 99.
 	    The default is 0 (no debugging).
@@ -260,17 +198,13 @@
 	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
 	    and <code class="option">+vtrace</code> options below for additional
 	    debugging details.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Insecure mode. This disables internal DNSSEC validation.
 	    (Note, however, this does not set the CD bit on upstream
 	    queries. If the server being queried is performing DNSSEC
@@ -278,37 +212,30 @@
 	    can cause <span class="command"><strong>delv</strong></span> to time out. When it
 	    is necessary to examine invalid data to debug a DNSSEC
 	    problem, use <span class="command"><strong>dig +cd</strong></span>.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-m</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Enables memory usage debugging.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies a destination port to use for queries instead of
 	    the standard DNS port number 53.  This option would be used
 	    with a name server that has been configured to listen
 	    for queries on a non-standard port number.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the query name to <em class="parameter"><code>name</code></em>.
 	    While the query name can be specified without using the
 	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
 	    names from types or classes (for example, when looking up the
 	    name "ns", which could be misinterpreted as the type NS,
 	    or "ch", which could be misinterpreted as class CH).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sets the query type to <em class="parameter"><code>type</code></em>, which
 	    can be any valid query type supported in BIND 9 except
 	    for zone transfer types AXFR and IXFR. As with
@@ -316,21 +243,18 @@
 	    query name type or class when they are ambiguous.
 	    it is sometimes necessary to disambiguate names from types.
 	  </p>
-	  <p>
+<p>
 	    The default query type is "A", unless the <code class="option">-x</code>
 	    option is supplied to indicate a reverse lookup, in which case
 	    it is "PTR".
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the <span class="command"><strong>delv</strong></span> version and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Performs a reverse lookup, mapping an addresses to
 	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
 	    dotted-decimal notation, or a colon-delimited IPv6 address.
@@ -340,33 +264,24 @@
 	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
 	    and sets the query type to PTR.  IPv6 addresses are looked up
 	    using nibble format under the IP6.ARPA domain.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-4</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.5.10"></a><h2>QUERY OPTIONS</h2>
-
-
-    <p><span class="command"><strong>delv</strong></span>
+</div>
+<div class="refsection">
+<a name="id-1.14.4.10"></a><h2>QUERY OPTIONS</h2>
+<p><span class="command"><strong>delv</strong></span>
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
     </p>
-
-    <p>
+<p>
       Each query option is identified by a keyword preceded by a plus sign
       (<code class="literal">+</code>).  Some keywords set or reset an
       option.  These may be preceded by the string
@@ -378,8 +293,7 @@
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to set the CD (checking disabled) bit in
 	      queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
 	      when troubleshooting DNSSEC problems from behind a validating
@@ -388,25 +302,20 @@
 	      the CD flag on queries will cause the resolver to return
 	      invalid responses, which <span class="command"><strong>delv</strong></span> can then
 	      validate internally and report the errors in detail.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to display the CLASS when printing
 	      a record. The default is to display the CLASS.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to display the TTL when printing
 	      a record. The default is to display the TTL.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggle resolver fetch logging. This reports the
 	      name and type of each query sent by <span class="command"><strong>delv</strong></span>
 	      in the process of carrying out the resolution and validation
@@ -414,69 +323,62 @@
 	      all subsequent queries to follow CNAMEs and to establish a
 	      chain of trust for DNSSEC validation.
 	    </p>
-	    <p>
+<p>
 	      This is equivalent to setting the debug level to 1 in
 	      the "resolver" logging category. Setting the systemwide
 	      debug level to 1 using the <code class="option">-d</code> option will
 	      product the same output (but will affect other logging
 	      categories as well).
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggle message logging. This produces a detailed dump of
 	      the responses received by <span class="command"><strong>delv</strong></span> in the
 	      process of carrying out the resolution and validation process.
 	    </p>
-	    <p>
+<p>
 	      This is equivalent to setting the debug level to 10
 	      for the "packets" module of the "resolver" logging
 	      category. Setting the systemwide debug level to 10 using
 	      the <code class="option">-d</code> option will produce the same output
 	      (but will affect other logging categories as well).
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggle validation logging. This shows the internal
 	      process of the validator as it determines whether an
 	      answer is validly signed, unsigned, or invalid.
 	    </p>
-	    <p>
+<p>
 	      This is equivalent to setting the debug level to 3
 	      for the "validator" module of the "dnssec" logging
 	      category. Setting the systemwide debug level to 3 using
 	      the <code class="option">-d</code> option will produce the same output
 	      (but will affect other logging categories as well).
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Provide a terse answer.  The default is to print the answer in a
 	      verbose form.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of comment lines in the output.  The default
 	      is to print comments.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of per-record comments in the output (for
 	      example, human-readable key information about DNSKEY records).
 	      The default is to print per-record comments.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of cryptographic fields in DNSSEC records.
 	      The contents of these field are unnecessary to debug most DNSSEC
 	      validation failures and removing them makes it easier to see
@@ -484,18 +386,14 @@
 	      When omitted they are replaced by the string "[omitted]" or
 	      in the DNSKEY case the key id is displayed as the replacement,
 	      e.g. "[ key id = value ]".
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]trust</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to display the trust level when printing
 	      a record. The default is to display the trust level.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Split long hex- or base64-formatted fields in resource
 	      records into chunks of <em class="parameter"><code>W</code></em> characters
 	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
@@ -504,30 +402,24 @@
 	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
 	      split at all.  The default is 56 characters, or 44 characters
 	      when multiline mode is active.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set or clear the display options
 	      <code class="option">+[no]comments</code>,
 	      <code class="option">+[no]rrcomments</code>, and
 	      <code class="option">+[no]trust</code> as a group.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print long records (such as RRSIG, DNSKEY, and SOA records)
 	      in a verbose multi-line format with human-readable comments.
 	      The default is to print each record on a single line, to
 	      facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
 	      output.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Indicates whether to display RRSIG records in the
 	      <span class="command"><strong>delv</strong></span> output.  The default is to
 	      do so.  Note that (unlike in <span class="command"><strong>dig</strong></span>)
@@ -537,11 +429,9 @@
 	      will always occur unless suppressed by the use of
 	      <code class="option">-i</code> or <code class="option">+noroot</code> and
 	      <code class="option">+nodlv</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Indicates whether to perform conventional (non-lookaside)
 	      DNSSEC validation, and if so, specifies the
 	      name of a trust anchor.  The default is to validate using
@@ -549,81 +439,66 @@
 	      a built-in key.  If specifying a different trust anchor,
 	      then <code class="option">-a</code> must be used to specify a file
 	      containing the key.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Indicates whether to perform DNSSEC lookaside validation,
 	      and if so, specifies the name of the DLV trust anchor.
 	      The <code class="option">-a</code> option must also be used to specify
               a file containing the DLV key.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Controls whether to use TCP when sending queries.
 	      The default is to use UDP unless a truncated
 	      response has been received.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print all RDATA in unknown RR type presentation format
 	      (RFC 3597). The default is to print RDATA for known types
 	      in the type's presentation format.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.5.11"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/bind.keys</code></p>
-    <p><code class="filename">/etc/resolv.conf</code></p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.5.12"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.4.11"></a><h2>FILES</h2>
+<p><code class="filename">/etc/bind.keys</code></p>
+<p><code class="filename">/etc/resolv.conf</code></p>
+</div>
+<div class="refsection">
+<a name="id-1.14.4.12"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">RFC4034</em>,
       <em class="citetitle">RFC4035</em>,
       <em class="citetitle">RFC4431</em>,
       <em class="citetitle">RFC5074</em>,
       <em class="citetitle">RFC5155</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.host.html">Prev</a> </td>
+<a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.nslookup.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">host </td>
+<td width="40%" align="left" valign="top">
+<span class="application">ddns-confgen</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> nslookup</td>
+<td width="40%" align="right" valign="top"> dig</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dig.html b/bind/bind9/doc/arm/man.dig.html
index 70ccffd8..95b899ec 100644
--- a/bind/bind9/doc/arm/man.dig.html
+++ b/bind/bind9/doc/arm/man.dig.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="next" href="man.mdig.html" title="mdig">
+<link rel="prev" href="man.delv.html" title="delv">
+<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center">dig</th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch13.html">Prev</a> </td>
+<a accesskey="p" href="man.delv.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.mdig.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,63 +32,19 @@
 </div>
 <div class="refentry">
 <a name="man.dig"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    dig
-     &#8212; DNS lookup utility
-  </p>
+<p>dig &#8212; DNS lookup utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dig</code> 
-       [@server]
-       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-m</code>]
-       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
-       [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
-       [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [name]
-       [type]
-       [class]
-       [queryopt...]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">dig</code> 
-       [<code class="option">-h</code>]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">dig</code> 
-       [global-queryopt...]
-       [query...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dig</strong></span> is a flexible tool
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [<code class="option">-h</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.5.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dig</strong></span> is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
       displays the answers that are returned from the name server(s) that
       were queried.  Most DNS administrators use <span class="command"><strong>dig</strong></span> to
@@ -96,8 +52,7 @@
       clarity of output.  Other lookup tools tend to have less functionality
       than <span class="command"><strong>dig</strong></span>.
     </p>
-
-    <p>
+<p>
       Although <span class="command"><strong>dig</strong></span> is normally used with
       command-line
       arguments, it also has a batch mode of operation for reading lookup
@@ -108,43 +63,35 @@
       from the
       command line.
     </p>
-
-    <p>
+<p>
       Unless it is told to query a specific name server,
       <span class="command"><strong>dig</strong></span> will try each of the servers listed in
       <code class="filename">/etc/resolv.conf</code>. If no usable server addresses
       are found, <span class="command"><strong>dig</strong></span> will send the query to the local
       host.
     </p>
-
-    <p>
+<p>
       When no command line arguments or options are given,
       <span class="command"><strong>dig</strong></span> will perform an NS query for "." (the root).
     </p>
-
-    <p>
+<p>
       It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
       <code class="filename">${HOME}/.digrc</code>. This file is read and any
       options in it are applied before the command line arguments.
       The <code class="option">-r</code> option disables this feature, for
       scripts that need predictable behaviour.
     </p>
-
-    <p>
+<p>
       The IN and CH class names overlap with the IN and CH top level
       domain names.  Either use the <code class="option">-t</code> and
       <code class="option">-c</code> options to specify the type and class,
       use the <code class="option">-q</code> the specify the domain name, or
       use "IN." and "CH." when looking up these top level domains.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.8"></a><h2>SIMPLE USAGE</h2>
-
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.5.8"></a><h2>SIMPLE USAGE</h2>
+<p>
       A typical invocation of <span class="command"><strong>dig</strong></span> looks like:
       </p>
 <pre class="programlisting"> dig @server name type </pre>
@@ -155,7 +102,7 @@
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">server</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      is the name or IP address of the name server to query.  This
 	      can be an IPv4 address in dotted-decimal notation or an IPv6
 	      address in colon-delimited notation.  When the supplied
@@ -163,7 +110,7 @@
 	      <span class="command"><strong>dig</strong></span> resolves that name before querying
 	      that name server.
 	    </p>
-	    <p>
+<p>
 	      If no <em class="parameter"><code>server</code></em> argument is
 	      provided, <span class="command"><strong>dig</strong></span> consults
 	      <code class="filename">/etc/resolv.conf</code>; if an
@@ -176,16 +123,13 @@
 	      local host.  The reply from the name server that
 	      responds is displayed.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="constant">name</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      is the name of the resource record that is to be looked up.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="constant">type</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      indicates what type of query is required &#8212;
 	      ANY, A, MX, SIG, etc.
 	      <em class="parameter"><code>type</code></em> can be any valid query
@@ -193,116 +137,87 @@
 	      <em class="parameter"><code>type</code></em> argument is supplied,
 	      <span class="command"><strong>dig</strong></span> will perform a lookup for an
 	      A record.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.9"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.5.9"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-4</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use IPv4 only.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use IPv6 only.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-b <em class="replaceable"><code>address[<span class="optional">#port</span>]</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the source IP address of the query.
 	    The <em class="parameter"><code>address</code></em> must be a valid address on
 	    one of the host's network interfaces, or "0.0.0.0" or "::". An
 	    optional port may be specified by appending "#&lt;port&gt;"
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the query class. The
 	    default <em class="parameter"><code>class</code></em> is IN; other classes
 	    are HS for Hesiod records or CH for Chaosnet records.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Batch mode: <span class="command"><strong>dig</strong></span> reads a list of lookup
 	    requests to process from the
 	    given <em class="parameter"><code>file</code></em>. Each line in the file
 	    should be organized in the same way they would be
 	    presented as queries to
 	    <span class="command"><strong>dig</strong></span> using the command-line interface.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
 	    domain, which is no longer in use. Obsolete bit string
 	    label queries (RFC 2874) are not attempted.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sign queries using TSIG using a key read from the given file.
 	    Key files can be generated using
-	    <span class="citerefentry">
-	      <span class="refentrytitle">tsig-keygen</span>(8)
-	    </span>.
+	    <span class="citerefentry"><span class="refentrytitle">tsig-keygen</span>(8)</span>.
 	    When using TSIG authentication with <span class="command"><strong>dig</strong></span>,
 	    the name server that is queried needs to know the key and
 	    algorithm that is being used. In BIND, this is done by
 	    providing appropriate <span class="command"><strong>key</strong></span>
 	    and <span class="command"><strong>server</strong></span> statements in
 	    <code class="filename">named.conf</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-m</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Enable memory usage debugging.
 	    
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Send the query to a non-standard port on the server,
 	    instead of the default port 53. This option would be used
 	    to test a name server that has been configured to listen
 	    for queries on a non-standard port number.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The domain name to query. This is useful to distinguish
 	    the <em class="parameter"><code>name</code></em> from other arguments.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Do not read options from <code class="filename">${HOME}/.digrc</code>.
 	    This is useful for scripts that need predictable behaviour.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    The resource record type to query. It can be any valid query
 	    type.  If it is a resource record type supported in BIND 9, it
 	    can be given by the type mnemonic (such as "NS" or "AAAA").
@@ -316,28 +231,23 @@
 	    record was
 	    <em class="parameter"><code>N</code></em>.
 	  </p>
-	  <p>
+<p>
 	    All resource record types can be expressed as "TYPEnn", where
 	    "nn" is the number of the type. If the resource record type is
 	    not supported in BIND 9, the result will be displayed as
 	    described in RFC 3597.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-u</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print query times in microseconds instead of milliseconds.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the version number and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Simplified reverse lookups, for mapping addresses to
 	    names. The <em class="parameter"><code>addr</code></em> is an IPv4 address
 	    in dotted-decimal notation, or a colon-delimited IPv6
@@ -352,11 +262,10 @@
 	    addresses are looked up using nibble format under the
 	    IP6.ARPA domain (but see also the <code class="option">-i</code>
 	    option).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sign queries using TSIG with the given authentication key.
 	    <em class="parameter"><code>keyname</code></em> is the name of the key, and
 	    <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
@@ -368,34 +277,28 @@
 	    is not specified, the default is <code class="literal">hmac-md5</code>
 	    or if MD5 was disabled <code class="literal">hmac-sha256</code>.
 	  </p>
-	  <p>
+<p>
 	    NOTE: You should use the <code class="option">-k</code> option and
 	    avoid the <code class="option">-y</code> option, because
 	    with <code class="option">-y</code> the shared secret is supplied as
 	    a command line argument in clear text. This may be visible
 	    in the output from
-	    <span class="citerefentry">
-	      <span class="refentrytitle">ps</span>(1)
-	    </span>
+	    <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
 	    or in a history file maintained by the user's shell.
 	  </p>
-	</dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.10"></a><h2>QUERY OPTIONS</h2>
-
-
-    <p><span class="command"><strong>dig</strong></span>
+</div>
+<div class="refsection">
+<a name="id-1.14.5.10"></a><h2>QUERY OPTIONS</h2>
+<p><span class="command"><strong>dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
       these set or reset flag bits in the query header, some determine which
       sections of the answer get printed, and others determine the timeout
       and retry strategies.
     </p>
-
-    <p>
+<p>
       Each query option is identified by a keyword preceded by a plus sign
       (<code class="literal">+</code>).  Some keywords set or reset an
       option.  These may be preceded
@@ -411,27 +314,20 @@
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sets the "aa" flag in the query.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the additional section of a
 	      reply.  The default is to display it.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set [do not set] the AD (authentic data) bit in the
 	      query.  This requests the server to return whether
 	      all of the answer and authority sections have all
@@ -441,89 +337,72 @@
 	      from a OPT-OUT range.  AD=0 indicate that some part
 	      of the answer was insecure or not validated.  This
 	      bit is set by default.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set or clear all display flags.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the answer section of a
 	      reply.  The default is to display it.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the authority section of a
 	      reply.  The default is to display it.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]badcookie</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Retry lookup with the new server cookie if a
 	      BADCOOKIE response is received.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Attempt to display the contents of messages which are
 	      malformed.  The default is to not display malformed
 	      answers.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd>
-	    <p>
-	      Set the UDP message buffer size advertised using EDNS0
-	      to <em class="parameter"><code>B</code></em> bytes.  The maximum and
-	      minimum sizes of this buffer are 65535 and 0 respectively.
-	      Values outside this range are rounded up or down
-	      appropriately.  Values other than zero will cause a
-	      EDNS query to be sent.
-	    </p>
-	  </dd>
+<dd><p>
+              This option sets the UDP message buffer size advertised
+              using EDNS0 to <em class="parameter"><code>B</code></em> bytes.  The
+              maximum and minimum sizes of this buffer are 65535
+              and 0, respectively.  <code class="literal">+bufsize=0</code>
+              disables EDNS (use <code class="literal">+bufsize=0 +edns</code>
+              to send a EDNS messages with a advertised size of 0
+              bytes). <code class="literal">+bufsize</code> restores the
+              default buffer size.
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set [do not set] the CD (checking disabled) bit in
 	      the query.  This requests the server to not perform
 	      DNSSEC validation of responses.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the CLASS when printing the
 	      record.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggles the printing of the initial comment in the
 	      output, identifying the version of <span class="command"><strong>dig</strong></span>
 	      and the query options that have been applied.  This option
 	      always has global effect; it cannot be set globally
 	      and then overridden on a per-lookup basis.  The default
 	      is to print this comment.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggles the display of some comment lines in the output,
 	      containing information about the packet header and
 	      OPT pseudosection, and the names of the response
 	      section.  The default is to print these comments.
 	    </p>
-	    <p>
+<p>
 	      Other types of comments in the output are not affected by
 	      this option, but can be controlled using other command
 	      line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
@@ -531,24 +410,23 @@
 	      <span class="command"><strong>+[no]stats</strong></span>, and
 	      <span class="command"><strong>+[no]rrcomments</strong></span>.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Send a COOKIE EDNS option, with optional
 	      value.  Replaying a COOKIE from a previous response will
 	      allow the server to identify a previous client.  The
 	      default is <code class="option">+cookie</code>.
 	    </p>
-	    <p>
+<p>
 	      <span class="command"><strong>+cookie</strong></span> is also set when +trace
 	      is set to better emulate the default queries from a
 	      nameserver.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of cryptographic fields in DNSSEC
 	      records.  The contents of these field are unnecessary
 	      to debug most DNSSEC validation failures and removing
@@ -557,71 +435,55 @@
 	      are replaced by the string "[omitted]" or in the
 	      DNSKEY case the key id is displayed as the replacement,
 	      e.g. "[ key id = value ]".
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]defname</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Deprecated, treated as a synonym for
 	      <em class="parameter"><code>+[no]search</code></em>
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Requests DNSSEC records be sent by setting the DNSSEC
 	      OK bit (DO) in the OPT record in the additional section
 	      of the query.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+domain=somename</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set the search list to contain the single domain
 	      <em class="parameter"><code>somename</code></em>, as if specified in
 	      a <span class="command"><strong>domain</strong></span> directive in
 	      <code class="filename">/etc/resolv.conf</code>, and enable
 	      search list processing as if the
 	      <em class="parameter"><code>+search</code></em> option were given.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+dscp=value</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set the DSCP code point to be used when sending the
 	      query.  Valid DSCP code points are in the range
 	      [0..63].  By default no code point is explicitly set.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	       Specify the EDNS version to query with.  Valid values
 	       are 0 to 255.  Setting the EDNS version will cause
 	       a EDNS query to be sent.  <code class="option">+noedns</code>
 	       clears the remembered EDNS version.  EDNS is set to
 	       0 by default.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set the must-be-zero EDNS flags bits (Z bits) to the
 	      specified value. Decimal, hex and octal encodings are
 	      accepted. Setting a named flag (e.g. DO) will silently be
 	      ignored. By default, no Z bits are set.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsnegotiation</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Enable / disable EDNS version negotiation. By default
 	      EDNS version negotiation is enabled.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specify EDNS option with code point <code class="option">code</code>
 	      and optionally payload of <code class="option">value</code> as a
 	      hexadecimal string.  <code class="option">code</code> can be
@@ -629,104 +491,86 @@
 	      <code class="literal">NSID</code> or <code class="literal">ECS</code>),
 	      or an arbitrary numeric value.  <code class="option">+noednsopt</code>
 	      clears the EDNS options to be sent.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]expire</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Send an EDNS Expire option.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]fail</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Do not try the next server if you receive a SERVFAIL.
 	      The default is to not try the next server which is
 	      the reverse of normal stub resolver behavior.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]header-only</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Send a query with a DNS header without a question section.
 	      The default is to add a question section.  The query type
 	      and query name are ignored when this is set.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]identify</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Show [or do not show] the IP address and port number
 	      that supplied the answer when the
 	      <em class="parameter"><code>+short</code></em> option is enabled.  If
 	      short form answers are requested, the default is not
 	      to show the source address and port number of the
 	      server that provided the answer.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]idnin</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Process [do not process] IDN domain names on input.
 	      This requires IDN SUPPORT to have been enabled at
 	      compile time.
 	    </p>
-	    <p>
+<p>
 	      The default is to process IDN input when standard output
 	      is a tty.  The IDN processing on input is disabled when
 	      dig output is redirected to files, pipes, and other
 	      non-tty file descriptors.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Convert [do not convert] puny code on output.
 	      This requires IDN SUPPORT to have been enabled at
 	      compile time.
 	    </p>
-	    <p>
+<p>
 	      The default is to process puny code on output when
 	      standard output is a tty.  The puny code processing on
 	      output is disabled when dig output is redirected to
 	      files, pipes, and other non-tty file descriptors.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Ignore truncation in UDP responses instead of retrying
 	      with TCP.  By default, TCP retries are performed.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]keepopen</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Keep the TCP socket open between queries and reuse
 	      it rather than creating a new TCP socket for each
 	      lookup.  The default is <code class="option">+nokeepopen</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]mapped</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Allow mapped IPv4 over IPv6 addresses to be used.  The
 	      default is <code class="option">+mapped</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print records like the SOA records in a verbose
 	      multi-line format with human-readable comments.  The
 	      default is to print each record on a single line, to
 	      facilitate machine parsing of the <span class="command"><strong>dig</strong></span>
 	      output.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+ndots=D</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set the number of dots that have to appear in
 	      <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em>
 	      for it to be considered absolute.  The default value
@@ -738,64 +582,48 @@
 	      or <code class="option">domain</code> directive in
 	      <code class="filename">/etc/resolv.conf</code> if
 	      <code class="option">+search</code> is set.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Include an EDNS name server ID request when sending
 	      a query.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      When this option is set, <span class="command"><strong>dig</strong></span>
 	      attempts to find the authoritative name servers for
 	      the zone containing the name being looked up and
 	      display the SOA record that each name server has for
 	      the zone.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print only one (starting) SOA record when performing
 	      an AXFR. The default is to print both the starting
 	      and ending SOA records.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]opcode=value</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set [restore] the DNS message opcode to the specified
 	      value.  The default value is QUERY (0).
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggles the display of the query message as it is sent.
 	      By default, the query is not printed.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggles the display of the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rdflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      A synonym for <em class="parameter"><code>+[no]recurse</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the setting of the RD (recursion desired) bit
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
@@ -804,69 +632,57 @@
 	      when using <em class="parameter"><code>+trace</code></em> except for
 	      an initial recursive query to get the list of root
 	      servers.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sets the number of times to retry UDP queries to
 	      server to <em class="parameter"><code>T</code></em> instead of the
 	      default, 2.  Unlike <em class="parameter"><code>+tries</code></em>,
 	      this does not include the initial query.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggle the display of per-record comments in the
 	      output (for example, human-readable key information
 	      about DNSKEY records).  The default is not to print
 	      record comments unless multiline mode is active.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]search</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Use [do not use] the search list defined by the
 	      searchlist or domain directive in
 	      <code class="filename">resolv.conf</code> (if any).  The search
 	      list is not used by default.
 	    </p>
-	    <p>
+<p>
 	      'ndots' from <code class="filename">resolv.conf</code> (default 1)
 	       which may be overridden by <em class="parameter"><code>+ndots</code></em>
 	      determines if the name will be treated as relative
 	      or not and hence whether a search is eventually
 	      performed or not.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Provide a terse answer.  The default is to print the
 	      answer in a verbose form.  This option always has global
 	      effect; it cannot be set globally and then overridden on
 	      a per-lookup basis.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Perform [do not perform] a search showing intermediate
 	      results.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Chase DNSSEC signature chains. Requires dig be compiled
 	      with -DDIG_SIGCHASE. This feature is deprecated.
 	      Use <span class="command"><strong>delv</strong></span> instead.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+split=W</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Split long hex- or base64-formatted fields in resource
 	      records into chunks of <em class="parameter"><code>W</code></em>
 	      characters (where <em class="parameter"><code>W</code></em> is rounded
@@ -875,23 +691,20 @@
 	      <em class="parameter"><code>+split=0</code></em> causes fields not to
 	      be split at all.  The default is 56 characters, or
 	      44 characters when multiline mode is active.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Toggles the printing of statistics: when the query was made,
 	      the size of the reply and so on.  The default behavior is to
 	      print the query statistics as a comment after each lookup.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Send (don't send) an EDNS Client Subnet option with the
 	      specified IP address or network prefix.
 	    </p>
-	    <p>
+<p>
               <span class="command"><strong>dig +subnet=0.0.0.0/0</strong></span>, or simply
               <span class="command"><strong>dig +subnet=0</strong></span> for short, sends an EDNS
               CLIENT-SUBNET option with an empty address and a source
@@ -900,20 +713,17 @@
               <span class="emphasis"><em>not</em></span> be used when resolving
               this query.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Use [do not use] TCP when querying name servers. The
 	      default behavior is to use UDP unless a type
 	      <code class="literal">any</code> or <code class="literal">ixfr=N</code>
 	      query is requested, in which case the default is TCP.
 	      AXFR queries always use TCP.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+timeout=T</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 
 	      Sets the timeout for a query to
 	      <em class="parameter"><code>T</code></em> seconds.  The default
@@ -921,19 +731,16 @@
 	      An attempt to set <em class="parameter"><code>T</code></em> to less
 	      than 1 will result
 	      in a query timeout of 1 second being applied.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      When chasing DNSSEC signature chains perform a top-down
 	      validation.  Requires dig be compiled with -DDIG_SIGCHASE.
 	      This feature is deprecated. Use <span class="command"><strong>delv</strong></span> instead.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]trace</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Toggle tracing of the delegation path from the root
 	      name servers for the name being looked up.  Tracing
 	      is disabled by default.  When tracing is enabled,
@@ -941,91 +748,80 @@
 	      resolve the name being looked up.  It will follow
 	      referrals from the root servers, showing the answer
 	      from each server that was used to resolve the lookup.
-	    </p> <p>
+	    </p>
+<p>
 	      If @server is also specified, it affects only the
 	      initial query for the root zone name servers.
-	    </p> <p>
+	    </p>
+<p>
 	      <span class="command"><strong>+dnssec</strong></span> is also set when +trace
 	      is set to better emulate the default queries from a
 	      nameserver.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sets the number of times to try UDP queries to server
 	      to <em class="parameter"><code>T</code></em> instead of the default,
 	      3.  If <em class="parameter"><code>T</code></em> is less than or equal
 	      to zero, the number of tries is silently rounded up
 	      to 1.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Specifies a file containing trusted keys to be used
 	      with <code class="option">+sigchase</code>.  Each DNSKEY record
 	      must be on its own line.
-	    </p> <p>
+	    </p>
+<p>
 	      If not specified, <span class="command"><strong>dig</strong></span> will look
 	      for <code class="filename">/etc/trusted-key.key</code> then
 	      <code class="filename">trusted-key.key</code> in the current
 	      directory.
-	    </p> <p>
+	    </p>
+<p>
 	      Requires dig be compiled with -DDIG_SIGCHASE.
 	      This feature is deprecated. Use <span class="command"><strong>delv</strong></span> instead.
 	    </p>
-	  </dd>
+</dd>
 <dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the TTL when printing the
 	      record.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ttlunits</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Display [do not display] the TTL in friendly human-readable
 	      time units of "s", "m", "h", "d", and "w", representing
 	      seconds, minutes, hours, days and weeks.  Implies +ttlid.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print all RDATA in unknown RR type presentation format
 	      (RFC 3597). The default is to print RDATA for known types
 	      in the type's presentation format.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Use [do not use] TCP when querying name servers.  This
 	      alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
 	      is provided for backwards compatibility.  The "vc"
 	      stands for "virtual circuit".
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Set [do not set] the last unassigned DNS header flag in a
 	      DNS query.  This flag is off by default.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.11"></a><h2>MULTIPLE QUERIES</h2>
-
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.5.11"></a><h2>MULTIPLE QUERIES</h2>
+<p>
       The BIND 9 implementation of <span class="command"><strong>dig </strong></span>
       supports
       specifying multiple queries on the command line (in addition to
@@ -1033,8 +829,7 @@
       queries can be supplied with its own set of flags, options and query
       options.
     </p>
-
-    <p>
+<p>
       In this case, each <em class="parameter"><code>query</code></em> argument
       represent an
       individual query in the command-line syntax described above.  Each
@@ -1042,8 +837,7 @@
       looked up, an optional query type and class and any query options that
       should be applied to that query.
     </p>
-
-    <p>
+<p>
       A global set of query options, which should be applied to all queries,
       can also be supplied.  These global query options must precede the
       first tuple of name, class, type, options, flags, and query options
@@ -1070,13 +864,10 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       will not print the initial query when it looks up the NS records for
       <code class="literal">isc.org</code>.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.12"></a><h2>IDN SUPPORT</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.5.12"></a><h2>IDN SUPPORT</h2>
+<p>
       If <span class="command"><strong>dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
       <span class="command"><strong>dig</strong></span> appropriately converts character encoding of
@@ -1086,63 +877,48 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       parameters <em class="parameter"><code>+noidnin</code></em> and
       <em class="parameter"><code>+noidnout</code></em>.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.13"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
+</div>
+<div class="refsection">
+<a name="id-1.14.5.13"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
     </p>
-    <p><code class="filename">${HOME}/.digrc</code>
+<p><code class="filename">${HOME}/.digrc</code>
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.14"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">delv</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">host</span>(1)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.5.14"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">delv</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.2.15"></a><h2>BUGS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.5.15"></a><h2>BUGS</h2>
+<p>
       There are probably too many query options.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch13.html">Prev</a> </td>
+<a accesskey="p" href="man.delv.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.mdig.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Manual pages </td>
+<td width="40%" align="left" valign="top">delv </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">mdig</span>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-checkds</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-checkds.html b/bind/bind9/doc/arm/man.dnssec-checkds.html
index 1c5bbb43..6837620e 100644
--- a/bind/bind9/doc/arm/man.dnssec-checkds.html
+++ b/bind/bind9/doc/arm/man.dnssec-checkds.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,10 +10,10 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-checkds</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.nslookup.html" title="nslookup">
+<link rel="prev" href="man.dig.html" title="dig">
 <link rel="next" href="man.dnssec-coverage.html" title="dnssec-coverage">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -22,7 +22,7 @@
 <tr><th colspan="3" align="center"><span class="application">dnssec-checkds</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.nslookup.html">Prev</a> </td>
+<a accesskey="p" href="man.dig.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-coverage.html">Next</a>
 </td>
@@ -32,122 +32,75 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-checkds"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-checkds</span>
-     &#8212; DNSSEC delegation consistency checking tool
-  </p>
+<p><span class="application">dnssec-checkds</span> &#8212; DNSSEC delegation consistency checking tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-checkds</code> 
-       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
-       {zone}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
-       {zone}
-   </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.7.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-checkds</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-checkds</code>  [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.6.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-checkds</strong></span>
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
       zone.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.7.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.6.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             If a <code class="option">file</code> is specified, then the zone is
             read from that file to find the DNSKEY records.  If not,
             then the DNSKEY records for the zone are looked up in the DNS.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Check for a DLV record in the specified lookaside domain,
             instead of checking for a DS record in the zone's parent.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a path to a <span class="command"><strong>dig</strong></span> binary.  Used
             for testing.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a path to a <span class="command"><strong>dnssec-dsfromkey</strong></span> binary.
             Used for testing.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.7.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dnssec-dsfromkey</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.6.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.nslookup.html">Prev</a> </td>
+<a accesskey="p" href="man.dig.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-coverage.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">nslookup </td>
+<td width="40%" align="left" valign="top">dig </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-coverage</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-coverage.html b/bind/bind9/doc/arm/man.dnssec-coverage.html
index 35eb89d2..f746796d 100644
--- a/bind/bind9/doc/arm/man.dnssec-coverage.html
+++ b/bind/bind9/doc/arm/man.dnssec-coverage.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-coverage</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
@@ -32,47 +32,22 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-coverage"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-coverage</span>
-     &#8212; checks future DNSKEY coverage for a zone
-  </p>
+<p><span class="application">dnssec-coverage</span> &#8212; checks future DNSKEY coverage for a zone</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-coverage</code> 
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
-       [<code class="option">-k</code>]
-       [<code class="option">-z</code>]
-       [zone...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-coverage</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone...]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.7.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-coverage</strong></span>
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
       coverage.
     </p>
-    <p>
+<p>
       If <code class="option">zone</code> is specified, then keys found in
       the key repository matching that zone are scanned, and an ordered
       list is generated of the events scheduled for that key (i.e.,
@@ -85,54 +60,47 @@
       key is rolled, and cached data signed by the prior key has not had
       time to expire from resolver caches.
     </p>
-    <p>
+<p>
       If <code class="option">zone</code> is not specified, then all keys in the
       key repository will be scanned, and all zones for which there are
       keys will be analyzed.  (Note: This method of reporting is only
       accurate if all the zones that have keys in a given repository
       share the same TTL parameters.)
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.8.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.7.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the directory in which keys can be found.  Defaults to the
             current working directory.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             If a <code class="option">file</code> is specified, then the zone is
             read from that file; the largest TTL and the DNSKEY TTL are
             determined directly from the zone data, and the
             <code class="option">-m</code> and <code class="option">-d</code> options do
             not need to be specified on the command line.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
 <dd>
-          <p>
+<p>
             The length of time to check for DNSSEC coverage.  Key events
             scheduled further into the future than <code class="option">duration</code>
             will be ignored, and assumed to be correct.
           </p>
-          <p>
+<p>
             The value of <code class="option">duration</code> can be set in seconds,
             or in larger units of time by adding a suffix: 'mi' for minutes,
             'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
             'y' for years.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the value to be used as the maximum TTL for the zone or
             zones being analyzed when determining whether there is a
             possibility of validation failure.  When a zone-signing key is
@@ -141,26 +109,26 @@
             before that key can be purged from the DNSKEY RRset.  If that
             condition does not apply, a warning will be generated.
           </p>
-          <p>
+<p>
             The length of the TTL can be set in seconds, or in larger units
             of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
-          <p>
+<p>
             This option is not necessary if the <code class="option">-f</code> has
             been used to specify a zone file.  If <code class="option">-f</code> has
             been specified, this option may still be used; it will override
             the value found in the file.
           </p>
-          <p>
+<p>
             If this option is not used and the maximum TTL cannot be retrieved
             from a zone file, a warning is generated and a default value of
             1 week is used.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the value to be used as the DNSKEY TTL for the zone or
             zones being analyzed when determining whether there is a
             possibility of validation failure.  When a key is rolled (that
@@ -169,12 +137,12 @@
             the new key is activated and begins generating signatures.  If
             that condition does not apply, a warning will be generated.
           </p>
-          <p>
+<p>
             The length of the TTL can be set in seconds, or in larger units
             of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
-          <p>
+<p>
             This option is not necessary if <code class="option">-f</code> has
             been used to specify a zone file from which the TTL
             of the DNSKEY RRset can be read, or if a default key TTL was
@@ -183,15 +151,15 @@
             this option may still be used; it will override the values
             found in the zone file or the key file.
           </p>
-          <p>
+<p>
             If this option is not used and the key TTL cannot be retrieved
             from the zone file or the key file, then a warning is generated
             and a default value of 1 day is used.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the value to be used as the resign interval for the zone
             or zones being analyzed when determining whether there is a
             possibility of validation failure.  This value defaults to
@@ -201,55 +169,38 @@
             <code class="filename">named.conf</code>, then it should also be
             changed here.
           </p>
-          <p>
+<p>
             The length of the interval can be set in seconds, or in larger
             units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-k</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Only check KSK coverage; ignore ZSK events. Cannot be
             used with <code class="option">-z</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-z</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Only check ZSK coverage; ignore KSK events. Cannot be
             used with <code class="option">-k</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
             Used for testing.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.8.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-checkds</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-dsfromkey</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>
+</div>
+<div class="refsection">
+<a name="id-1.14.7.9"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -270,6 +221,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-dsfromkey.html b/bind/bind9/doc/arm/man.dnssec-dsfromkey.html
index 7534a67d..0825f7a6 100644
--- a/bind/bind9/doc/arm/man.dnssec-dsfromkey.html
+++ b/bind/bind9/doc/arm/man.dnssec-dsfromkey.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-dsfromkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
@@ -32,297 +32,185 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-dsfromkey</span>
-     &#8212; DNSSEC DS RR generation tool
-  </p>
+<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       {keyfile}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-A</code>]
-       {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
-       [dnsname]
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-1</code> 
-	 |   <code class="option">-2</code> 
-	 |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> 
-      ]
-       [
-	 <code class="option">-C</code> 
-	 |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> 
-      ]
-       [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       {-s}
-       {dnsname}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-dsfromkey</code> 
-       [
-	 <code class="option">-h</code> 
-	 |   <code class="option">-V</code> 
-      ]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.9.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [ <code class="option">-1</code>  |   <code class="option">-2</code>  |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code>  |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [ <code class="option">-1</code>  |   <code class="option">-2</code>  |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code>  |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-A</code>] {<code class="option">-f <em class="replaceable"><code>file</code></em></code>} [dnsname]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [ <code class="option">-1</code>  |   <code class="option">-2</code>  |   <code class="option">-a <em class="replaceable"><code>alg</code></em></code> ] [ <code class="option">-C</code>  |   <code class="option">-l <em class="replaceable"><code>domain</code></em></code> ] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] {-s} {dnsname}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [ <code class="option">-h</code>  |   <code class="option">-V</code> ]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>
+<p>
       The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
       Signer) resource records (RRs) and other similarly-constructed RRs:
       with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
       Validation) RRs; or with the <code class="option">-C</code> it outputs CDS (Child
       DS) RRs.
     </p>
-
-    <p>
+<p>
       The input keys can be specified in a number of ways:
     </p>
-
-    <p>
+<p>
       By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
       named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
       by <span class="command"><strong>dnssec-keygen</strong></span>.
     </p>
-
-    <p>
+<p>
       With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
       option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
       or partial zone file (which can contain just the DNSKEY records).
     </p>
-
-    <p>
+<p>
       With the <code class="option">-s</code>
       option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
       a <code class="filename">keyset-</code> file, as generated
       by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.9.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.8.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-1</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    An abbreviation for <code class="option">-a SHA1</code>
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-2</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    An abbreviation for <code class="option">-a SHA-256</code>
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specify a digest algorithm to use when converting DNSKEY
 	    records to DS records. This option can be repeated, so
 	    that multiple DS records are created for each DNSKEY
 	    record.
           </p>
-          <p>
+<p>
 	    The <em class="replaceable"><code>algorithm</code></em> must be one of
 	    SHA-1, SHA-256, or SHA-384.  These values are case insensitive,
 	    and the hyphen may be omitted.  If no algorithm is specified,
 	    the default is to use both SHA-1 and SHA-256.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-A</span></dt>
-<dd>
-          <p>
+<dd><p>
             Include ZSKs when generating DS records. Without this option, only
             keys which have the KSK flag set will be converted to DS records
             and printed. Useful only in <code class="option">-f</code> zone file mode.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the DNS class (default is IN). Useful only
 	    in <code class="option">-s</code> keyset or <code class="option">-f</code>
 	    zone file mode.
-	  </p>
-	  </dd>
+	  </p></dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate CDS records rather than DS records. This is mutually
 	    exclusive with the <code class="option">-l</code> option for generating DLV
 	    records.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
 	    final <em class="replaceable"><code>dnsname</code></em> argument is
 	    the DNS domain name of a zone whose master file can be read
 	    from <code class="option">file</code>.  If the zone name is the same as
 	    <code class="option">file</code>, then it may be omitted.
 	  </p>
-	  <p>
+<p>
 	    If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
 	    the zone data is read from the standard input.  This makes it
 	    possible to use the output of the <span class="command"><strong>dig</strong></span>
 	    command as input, as in:
 	  </p>
-	  <p>
+<p>
 	    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints usage information.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Look for key files or <code class="filename">keyset-</code> files in
 	    <code class="option">directory</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate a DLV set instead of a DS set. The specified
 	    <em class="replaceable"><code>domain</code></em> is appended to the name for each
 	    record in the set.
 	    This is mutually exclusive with the <code class="option">-C</code> option
 	    for generating CDS records.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
 	    final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
 	    domain name used to locate a <code class="filename">keyset-</code> file.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the TTL of the DS records. By default the TTL is omitted.
-	  </p>
-	  </dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the debugging level.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.9.9"></a><h2>EXAMPLE</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.8.9"></a><h2>EXAMPLE</h2>
+<p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
       keyfile name, you can issue the following command:
     </p>
-    <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
+<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
     </p>
-    <p>
+<p>
       The command would print something like:
     </p>
-    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
+<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.9.10"></a><h2>FILES</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.8.10"></a><h2>FILES</h2>
+<p>
       The keyfile can be designated by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
     </p>
-    <p>
+<p>
       The keyset file name is built from the <code class="option">directory</code>,
       the string <code class="filename">keyset-</code> and the
       <code class="option">dnsname</code>.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.9.11"></a><h2>CAVEAT</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.8.11"></a><h2>CAVEAT</h2>
+<p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.9.12"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.8.12"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 3658</em> (DS RRs),
       <em class="citetitle">RFC 4431</em> (DLV RRs),
@@ -330,8 +218,7 @@
       <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
       <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -352,6 +239,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-importkey.html b/bind/bind9/doc/arm/man.dnssec-importkey.html
index 62607ad8..2ad37dde 100644
--- a/bind/bind9/doc/arm/man.dnssec-importkey.html
+++ b/bind/bind9/doc/arm/man.dnssec-importkey.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-importkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
@@ -32,56 +32,18 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-importkey"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-importkey</span>
-     &#8212; import DNSKEY records from external systems so they can be managed
-  </p>
+<p><span class="application">dnssec-importkey</span> &#8212; import DNSKEY records from external systems so they can be managed</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-importkey</code> 
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       {<code class="option">keyfile</code>}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-importkey</code> 
-       {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">dnsname</code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.10.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-importkey</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code>  {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.9.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-importkey</strong></span>
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
       existing .key file, in which case a corresponding .private file
@@ -89,7 +51,7 @@
       from the standard input, in which case both .key and .private
       files will be generated.
     </p>
-    <p>
+<p>
       The newly-created .private file does <span class="emphasis"><em>not</em></span>
       contain private key data, and cannot be used for signing.
       However, having a .private file makes it possible to set
@@ -98,68 +60,53 @@
       public key can be added to and removed from the DNSKEY RRset
       on schedule even if the true private key is stored offline.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.10.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.9.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Zone file mode: instead of a public keyfile name, the argument
 	    is the DNS domain name of a zone master file, which can be read
 	    from <code class="option">file</code>.  If the domain name is the same as
 	    <code class="option">file</code>, then it may be omitted.
 	  </p>
-	  <p>
+<p>
 	    If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 	    the zone data is read from the standard input.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the directory in which the key files are to reside.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the default TTL to use for this key when it is converted
 	    into a DNSKEY RR.  If the key is imported into a zone,
 	    this is the TTL that will be used for it, unless there was
 	    already a DNSKEY RRset in place, in which case the existing TTL
 	    would take precedence.  Setting the default TTL to
 	    <code class="literal">0</code> or <code class="literal">none</code> removes it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Emit usage message and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the debugging level.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.10.9"></a><h2>TIMING OPTIONS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.9.9"></a><h2>TIMING OPTIONS</h2>
+<p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -170,66 +117,48 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which a key is to be published to the zone.
 	    After that date, the key will be included in the zone but will
 	    not be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which CDS and CDNSKEY records that match this
 	    key are to be published to the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be deleted.  After that
 	    date, the key will no longer be included in the zone.  (It
 	    may remain in the key repository, however.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the CDS and CDNSKEY records that match
 	    this key are to be deleted.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.10.10"></a><h2>FILES</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.9.10"></a><h2>FILES</h2>
+<p>
       A keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.10.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.9.11"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -250,6 +179,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-keyfromlabel.html b/bind/bind9/doc/arm/man.dnssec-keyfromlabel.html
index 3cde013a..34e1021c 100644
--- a/bind/bind9/doc/arm/man.dnssec-keyfromlabel.html
+++ b/bind/bind9/doc/arm/man.dnssec-keyfromlabel.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keyfromlabel</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
@@ -32,58 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-keyfromlabel</span>
-     &#8212; DNSSEC key generation tool
-  </p>
+<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-keyfromlabel</code> 
-       {-l <em class="replaceable"><code>label</code></em>}
-       [<code class="option">-3</code>]
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-G</code>]
-       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-k</code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-y</code>]
-       {name}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.11.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.10.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
       file can be used for DNSSEC signing of zone data as if it were a
@@ -91,57 +50,52 @@
       but the key material is stored within the HSM, and the actual signing
       takes place there.
     </p>
-    <p>
+<p>
       The <code class="option">name</code> of the key is specified on the command
       line.  This must match the name of the zone for which the key is
       being generated.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.11.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.10.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Selects the cryptographic algorithm.  The value of
 	    <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	    These values are case insensitive.
 	  </p>
-	  <p>
+<p>
 	    If no algorithm is specified, then RSASHA1 will be used by
 	    default, unless the <code class="option">-3</code> option is specified,
 	    in which case NSEC3RSASHA1 will be used instead.  (If
 	    <code class="option">-3</code> is used and an algorithm is specified,
 	    that algorithm will be checked for compatibility with NSEC3.)
 	  </p>
-	  <p>
+<p>
 	    Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
 	    algorithm, and DSA is recommended.
 	  </p>
-	  <p>
+<p>
 	    Note 2: DH automatically sets the -k flag.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-3</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
 	    If this option is used and no algorithm is explicitly
 	    set on the command line, NSEC3RSASHA1 will be used by
 	    default.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the cryptographic hardware to use.
 	  </p>
-	  <p>
+<p>
 	    When BIND is built with OpenSSL PKCS#11 support, this defaults
 	    to the string "pkcs11", which identifies an OpenSSL engine
 	    that can drive a cryptographic accelerator or hardware service
@@ -149,20 +103,18 @@
 	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 	    provider library specified via "--with-pkcs11".
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the label for a key pair in the crypto hardware.
 	  </p>
-	  <p>
+<p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 	    PKCS#11 support, the label is an arbitrary string that
-	    identifies a particular key.  It may be preceded by an
-	    optional OpenSSL engine name, followed by a colon, as in
-	    "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
+	    identifies a particular key.
 	  </p>
-	  <p>
+<p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
 	    support, the label is a PKCS#11 URI string in the format
 	    "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
@@ -171,7 +123,7 @@
 	    which the HSM's PIN code can be obtained.  The label will be
 	    stored in the on-disk "private" file.
 	  </p>
-	  <p>
+<p>
 	    If the label contains a
 	    <code class="option">pin-source</code> field, tools using the generated
 	    key files will be able to use the HSM for signing and other
@@ -180,21 +132,18 @@
 	    may reduce the security advantage of using an HSM; be sure
 	    this is what you want to do before making use of this feature.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the owner type of the key.  The value of
 	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 	    a host (KEY)),
 	    USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
 	    These values are case insensitive.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Compatibility mode:  generates an old-style key, without
 	    any metadata.  By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
 	    will include the key's creation date in the metadata stored
@@ -202,71 +151,53 @@
 	    (publication date, activation date, etc).  Keys that include
 	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Indicates that the DNS record containing the key should have
 	    the specified class.  If not specified, class IN is used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the specified flag in the flag field of the KEY/DNSKEY record.
 	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-G</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate a key, but do not publish it or sign with it.  This
 	    option is incompatible with -P and -A.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints a short summary of the options and arguments to
 	    <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the directory in which the key files are to be written.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate KEY records rather than DNSKEY records.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the default TTL to use for this key when it is converted
 	    into a DNSKEY RR.  If the key is imported into a zone,
 	    this is the TTL that will be used for it, unless there was
 	    already a DNSKEY RRset in place, in which case the existing TTL
 	    would take precedence.  Setting the default TTL to
 	    <code class="literal">0</code> or <code class="literal">none</code> removes it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the protocol value for the key.  The protocol
 	    is a number between 0 and 255.  The default is 3 (DNSSEC).
 	    Other possible values for this argument are listed in
 	    RFC 2535 and its successors.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate a key as an explicit successor to an existing key.
 	    The name, algorithm, size, and type of the key will be set
 	    to match the predecessor. The activation date of the new
@@ -274,47 +205,35 @@
 	    one. The publication date will be set to the activation
 	    date minus the prepublication interval, which defaults to
 	    30 days.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Indicates the use of the key.  <code class="option">type</code> must be
 	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
 	    is AUTHCONF.  AUTH refers to the ability to authenticate
 	    data, and CONF the ability to encrypt data.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the debugging level.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-y</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Allows DNSSEC key files to be generated even if the key ID
 	    would collide with that of an existing key, in the event of
 	    either key being revoked.  (This is only safe to use if you
 	    are sure you won't be using RFC 5011 trust anchor maintenance
 	    with either of the keys involved.)
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.11.9"></a><h2>TIMING OPTIONS</h2>
-
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.10.9"></a><h2>TIMING OPTIONS</h2>
+<p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -325,67 +244,52 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which a key is to be published to the zone.
 	    After that date, the key will be included in the zone but will
 	    not be used to sign it.  If not set, and if the -G option has
 	    not been used, the default is "now".
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the CDS and CDNSKEY records which match
 	    this key are to be published to the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be activated.  After that
 	    date, the key will be included in the zone and used to sign
 	    it.  If not set, and if the -G option has not been used, the
 	    default is "now".
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be revoked.  After that
 	    date, the key will be flagged as revoked.  It will be included
 	    in the zone and will be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be retired.  After that
 	    date, the key will still be included in the zone, but it
 	    will not be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be deleted.  After that
 	    date, the key will no longer be included in the zone.  (It
 	    may remain in the key repository, however.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the CDS and CDNSKEY records which match
 	    this key are to be deleted.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -394,84 +298,69 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-          <p>
+<p>
             If the key is being created as an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-          <p>
+<p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.11.10"></a><h2>GENERATED KEY FILES</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.10.10"></a><h2>GENERATED KEY FILES</h2>
+<p>
       When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
       successfully,
       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
       to the standard output.  This is an identification string for
       the key files it has generated.
     </p>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p><code class="filename">nnnn</code> is the key name.
-	</p>
-      </li>
-<li class="listitem">
-	<p><code class="filename">aaa</code> is the numeric representation
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
+	</p></li>
+<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
 	  of the algorithm.
-	</p>
-      </li>
-<li class="listitem">
-	<p><code class="filename">iiiii</code> is the key identifier (or
+	</p></li>
+<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
 	  footprint).
-	</p>
-      </li>
+	</p></li>
 </ul></div>
-    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
+<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
       creates two files, with names based
       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
       contains the public key, and
       <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
       private key.
     </p>
-    <p>
+<p>
       The <code class="filename">.key</code> file contains a DNS KEY record
       that
       can be inserted into a zone file (directly or with a $INCLUDE
       statement).
     </p>
-    <p>
+<p>
       The <code class="filename">.private</code> file contains
       algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.11.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.10.11"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4034</em>,
       <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -492,6 +381,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-keygen.html b/bind/bind9/doc/arm/man.dnssec-keygen.html
index d7c29fb0..5f664de3 100644
--- a/bind/bind9/doc/arm/man.dnssec-keygen.html
+++ b/bind/bind9/doc/arm/man.dnssec-keygen.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
@@ -32,93 +32,42 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-keygen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-keygen</span>
-     &#8212; DNSSEC key generation tool
-  </p>
+<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-keygen</code> 
-       [<code class="option">-3</code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-C</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-G</code>]
-       [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-k</code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       {name}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-keygen</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.11.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
       TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
       (Transaction Key) as defined in RFC 2930.
     </p>
-    <p>
+<p>
       The <code class="option">name</code> of the key is specified on the command
       line.  For DNSSEC keys, this must match the name of the zone for
       which the key is being generated.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.12.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.11.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-3</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
 	    If this option is used with an algorithm that has both
 	    NSEC and NSEC3 versions, then the NSEC3 version will be
 	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
 	    specifies the NSEC3RSASHA1 algorithm.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
 	    of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
@@ -128,26 +77,26 @@
 	    HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
 	    case insensitive.
 	  </p>
-	  <p>
+<p>
 	    If no algorithm is specified, then RSASHA1 will be used by
 	    default, unless the <code class="option">-3</code> option is specified,
 	    in which case NSEC3RSASHA1 will be used instead.  (If
 	    <code class="option">-3</code> is used and an algorithm is specified,
 	    that algorithm will be checked for compatibility with NSEC3.)
 	  </p>
-	  <p>
+<p>
 	    Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
 	    algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
 	    mandatory.
 	  </p>
-	  <p>
+<p>
 	    Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 	    automatically set the -T KEY option.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the number of bits in the key.  The choice of key
 	    size depends on the algorithm used.  RSA keys must be
 	    between 512 and 2048 bits.  Diffie Hellman keys must be between
@@ -156,7 +105,7 @@
 	    between 1 and 512 bits. Elliptic curve algorithms don't need
 	    this parameter.
 	  </p>
-	  <p>
+<p>
 	    The key size does not need to be specified if using a default
 	    algorithm.  The default key size is 1024 bits for zone signing
 	    keys (ZSKs) and 2048 bits for key signing keys (KSKs,
@@ -165,10 +114,9 @@
 	    then there is no default key size, and the <code class="option">-b</code>
 	    must be used.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Compatibility mode: generates an old-style key, without any
 	    timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
 	    will include the key's creation date in the metadata stored with
@@ -176,21 +124,18 @@
 	    (publication date, activation date, etc). Keys that include this
 	    data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Indicates that the DNS record containing the key should have
 	    the specified class.  If not specified, class IN is used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the cryptographic hardware to use, when applicable.
 	  </p>
-	  <p>
+<p>
 	    When BIND is built with OpenSSL PKCS#11 support, this defaults
 	    to the string "pkcs11", which identifies an OpenSSL engine
 	    that can drive a cryptographic accelerator or hardware service
@@ -198,52 +143,39 @@
 	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 	    provider library specified via "--with-pkcs11".
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the specified flag in the flag field of the KEY/DNSKEY record.
 	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-G</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Generate a key, but do not publish it or sign with it.  This
 	    option is incompatible with -P and -A.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    If generating a Diffie Hellman key, use this generator.
 	    Allowed values are 2 and 5.  If no generator
 	    is specified, a known prime from RFC 2539 will be used
 	    if possible; otherwise the default is 2.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints a short summary of the options and arguments to
 	    <span class="command"><strong>dnssec-keygen</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the directory in which the key files are to be written.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Deprecated in favor of -T KEY.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the default TTL to use for this key when it is converted
 	    into a DNSKEY RR.  If the key is imported into a zone,
 	    this is the TTL that will be used for it, unless there was
@@ -252,31 +184,25 @@
 	    is no existing DNSKEY RRset, the TTL will default to the
 	    SOA TTL. Setting the default TTL to <code class="literal">0</code>
 	    or <code class="literal">none</code> is the same as leaving it unset.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the owner type of the key.  The value of
 	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
 	    with a host (KEY)), USER (for a key associated with a
 	    user(KEY)) or OTHER (DNSKEY).  These values are case
 	    insensitive.  Defaults to ZONE for DNSKEY generation.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the protocol value for the generated key, for use
 	    with <code class="option">-T KEY</code>. The protocol is a number between 0
 	    and 255. The default is 3 (DNSSEC). Other possible values for
 	    this argument are listed in RFC 2535 and its successors.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Quiet mode: Suppresses unnecessary output, including
 	    progress indication.  Without this option, when
 	    <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
@@ -288,11 +214,9 @@
 	    round of the Miller-Rabin primality test; a space
 	    means that the number has passed all the tests and is
 	    a satisfactory key.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the source of randomness.  If the operating
 	    system does not provide a <code class="filename">/dev/random</code>
 	    or equivalent device, the default source of randomness
@@ -302,11 +226,9 @@
 	    data to be used instead of the default.  The special value
 	    <code class="filename">keyboard</code> indicates that keyboard
 	    input should be used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Create a new key which is an explicit successor to an
 	    existing key.  The name, algorithm, size, and type of the
 	    key will be set to match the existing key.  The activation
@@ -314,19 +236,16 @@
 	    the existing one.  The publication date will be set to the
 	    activation date minus the prepublication interval, which
 	    defaults to 30 days.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the strength value of the key.  The strength is
 	    a number between 0 and 15, and currently has no defined
 	    purpose in DNSSEC.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specifies the resource record type to use for the key.
 	    <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
 	    default is DNSKEY when using a DNSSEC algorithm, but it can be
@@ -338,37 +257,28 @@
 	    Using any TSIG algorithm (HMAC-* or DH) forces this option
 	    to KEY.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Indicates the use of the key, for use with <code class="option">-T
 	    KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
 	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
 	    refers to the ability to authenticate data, and CONF the ability
 	    to encrypt data.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the debugging level.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.12.9"></a><h2>TIMING OPTIONS</h2>
-
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.11.9"></a><h2>TIMING OPTIONS</h2>
+<p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -379,69 +289,54 @@
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which a key is to be published to the zone.
 	    After that date, the key will be included in the zone but will
 	    not be used to sign it.  If not set, and if the -G option has
 	    not been used, the default is "now".
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which CDS and CDNSKEY records that match this
 	    key are to be published to the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be activated.  After that
 	    date, the key will be included in the zone and used to sign
 	    it.  If not set, and if the -G option has not been used, the
 	    default is "now".  If set, if and -P is not set, then
 	    the publication date will be set to the activation date
 	    minus the prepublication interval.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be revoked.  After that
 	    date, the key will be flagged as revoked.  It will be included
 	    in the zone and will be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be retired.  After that
 	    date, the key will still be included in the zone, but it
 	    will not be used to sign it.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the key is to be deleted.  After that
 	    date, the key will no longer be included in the zone.  (It
 	    may remain in the key repository, however.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the date on which the CDS and CDNSKEY records that match this
 	    key are to be deleted.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -450,51 +345,42 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-          <p>
+<p>
             If the key is being created as an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-          <p>
+<p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-
-  <div class="refsection">
-<a name="id-1.14.12.10"></a><h2>GENERATED KEYS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.11.10"></a><h2>GENERATED KEYS</h2>
+<p>
       When <span class="command"><strong>dnssec-keygen</strong></span> completes
       successfully,
       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
       to the standard output.  This is an identification string for
       the key it has generated.
     </p>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p><code class="filename">nnnn</code> is the key name.
-	</p>
-      </li>
-<li class="listitem">
-	<p><code class="filename">aaa</code> is the numeric representation
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
+	</p></li>
+<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
 	  of the
 	  algorithm.
-	</p>
-      </li>
-<li class="listitem">
-	<p><code class="filename">iiiii</code> is the key identifier (or
+	</p></li>
+<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
 	  footprint).
-	</p>
-      </li>
+	</p></li>
 </ul></div>
-    <p><span class="command"><strong>dnssec-keygen</strong></span>
+<p><span class="command"><strong>dnssec-keygen</strong></span>
       creates two files, with names based
       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
       contains the public key, and
@@ -502,67 +388,60 @@
       private
       key.
     </p>
-    <p>
+<p>
       The <code class="filename">.key</code> file contains a DNS KEY record
       that
       can be inserted into a zone file (directly or with a $INCLUDE
       statement).
     </p>
-    <p>
+<p>
       The <code class="filename">.private</code> file contains
       algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
-    <p>
+<p>
       Both <code class="filename">.key</code> and <code class="filename">.private</code>
       files are generated for symmetric cryptography algorithms such as
       HMAC-MD5, even though the public and private key are equivalent.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.12.11"></a><h2>EXAMPLE</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.11.11"></a><h2>EXAMPLE</h2>
+<p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
       issued:
     </p>
-    <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
+<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
     </p>
-    <p>
+<p>
       The command would print a string of the form:
     </p>
-    <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
     </p>
-    <p>
+<p>
       In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
       the files <code class="filename">Kexample.com.+003+26160.key</code>
       and
       <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
-    <p>
+<p>
       To generate a matching key-signing key, issue the command:
     </p>
-    <p>
+<p>
       <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE -f KSK example.com</code></strong>
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.12.12"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.11.12"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
       <em class="citetitle">RFC 2845</em>,
       <em class="citetitle">RFC 4034</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -583,6 +462,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-keymgr.html b/bind/bind9/doc/arm/man.dnssec-keymgr.html
index 28f4806c..11dc60a0 100644
--- a/bind/bind9/doc/arm/man.dnssec-keymgr.html
+++ b/bind/bind9/doc/arm/man.dnssec-keymgr.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keymgr</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
@@ -32,49 +32,24 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-keymgr"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-keymgr</span>
-     &#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy
-  </p>
+<p><span class="application">dnssec-keymgr</span> &#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-keymgr</code> 
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
-       [<code class="option">-f</code>]
-       [<code class="option">-k</code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-z</code>]
-       [<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>path</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
-       [zone...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2>
-    <p>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keymgr</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-c <em class="replaceable"><code>file</code></em></code>] [<code class="option">-f</code>] [<code class="option">-k</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-z</code>] [<code class="option">-g <em class="replaceable"><code>path</code></em></code>] [<code class="option">-r <em class="replaceable"><code>path</code></em></code>] [<code class="option">-s <em class="replaceable"><code>path</code></em></code>] [zone...]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>dnssec-keymgr</strong></span> is a high level Python wrapper
       to facilitate the key rollover process for zones handled by
       BIND. It uses the BIND commands for manipulating DNSSEC key
       metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
       <span class="command"><strong>dnssec-settime</strong></span>.
     </p>
-    <p>
+<p>
       DNSSEC policy can be read from a configuration file (default
       <code class="filename">/etc/dnssec-policy.conf</code>), from which the
       key parameters, publication and rollover schedule, and desired
@@ -83,14 +58,14 @@
       per-zone basis, or to set a "<code class="literal">default</code>" policy
       used for all zones.
     </p>
-    <p>
+<p>
       When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
       keys for one or more zones, comparing their timing metadata against
       the policies for those zones.  If key settings do not conform to the
       DNSSEC policy (for example, because the policy has been changed),
       they are automatically corrected.
     </p>
-    <p>
+<p>
       A zone policy can specify a duration for which we want to
       ensure the key correctness (<code class="option">coverage</code>).  It can
       also specify a rollover period (<code class="option">roll-period</code>).
@@ -98,47 +73,43 @@
       coverage period ends, then a successor key will automatically be
       created and added to the end of the key series.
     </p>
-    <p>
+<p>
       If zones are specified on the command line,
       <span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
       If a specified zone does not already have keys in place, then
       keys will be generated for it according to policy.
     </p>
-    <p>
+<p>
       If zones are <span class="emphasis"><em>not</em></span> specified on the command
       line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
       key directory (either the current working directory or the directory
       set by the <code class="option">-K</code> option), and check the keys for
       all the zones represented in the directory.
     </p>
-    <p>
+<p>
       Key times that are in the past will not be updated unless
       the <code class="option">-f</code> is used (see below).  Key inactivation
       and deletion times that are less than five minutes in the future
       will be delayed by five minutes.
     </p>
-    <p>
+<p>
       It is expected that this tool will be run automatically and
       unattended (for example, by <span class="command"><strong>cron</strong></span>).
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.13.8"></a><h2>OPTIONS</h2>
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.12.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    If <code class="option">-c</code> is specified, then the DNSSEC
 	    policy is read from <code class="option">file</code>.  (If not
 	    specified, then the policy is read from
 	    <code class="filename">/etc/dnssec-policy.conf</code>; if that file
 	    doesn't exist, a built-in global default policy is used.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-f</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Force: allow updating of key events even if they are
 	    already in the past. This is not recommended for use with
 	    zones in which keys have already been published. However,
@@ -147,86 +118,65 @@
 	    keys have not been published in a zone as yet, then this
 	    option can be used to clean them up and turn them into a
 	    proper series of keys with appropriate rollover intervals.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
 	    Used for testing.
 	    See also the <code class="option">-s</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
 	    and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sets the directory in which keys can be found.  Defaults to the
 	    current working directory.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Only apply policies to KSK keys.
 	    See also the <code class="option">-z</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
 	    and <span class="command"><strong>dnssec-settime</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies a path to a file containing random data.
 	    This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
 	    using its <code class="option">-r</code> option.
 
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
 	    Used for testing.
 	    See also the <code class="option">-g</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-z</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Only apply policies to ZSK keys.
 	    See also the <code class="option">-k</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.13.9"></a><h2>POLICY CONFIGURATION</h2>
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.12.9"></a><h2>POLICY CONFIGURATION</h2>
+<p>
       The <code class="filename">dnssec-policy.conf</code> file can specify three kinds
       of policies:
     </p>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
 	  <span class="emphasis"><em>Policy classes</em></span>
 	  (<code class="option">policy <em class="replaceable"><code>name</code></em> { ... };</code>)
 	  can be inherited by zone policies or other policy classes; these
@@ -235,20 +185,16 @@
 	  1024-bit key sizes, but a class <strong class="userinput"><code>extra</code></strong> might
 	  specify 2048 bits instead; <strong class="userinput"><code>extra</code></strong> would be
 	  used for zones that had unusually high security needs.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
+	</p></li>
+<li class="listitem"><p>
 	  <span class="emphasis"><em>Algorithm policies:</em></span>
 	  (<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
 	  override default per-algorithm settings.  For example, by default,
 	  RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
 	  can be modified using <span class="command"><strong>algorithm-policy</strong></span>, and the
 	  new key sizes would then be used for any key of type RSASHA256.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
+	</p></li>
+<li class="listitem"><p>
 	  <span class="emphasis"><em>Zone policies:</em></span>
 	  (<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
 	  set policy for a single zone by name. A zone policy can inherit
@@ -256,25 +202,21 @@
 	  Zone names beginning with digits (i.e., 0-9) must be quoted.
 	  If a zone does not have its own policy then the
 	  "<code class="literal">default</code>" policy applies.
-	</p>
-      </li>
+	</p></li>
 </ul></div>
-    <p>
+<p>
       Options that can be specified in policies:
     </p>
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>algorithm</strong></span>
 	  <em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The key algorithm. If no policy is defined, the default is
 	    RSASHA256.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>coverage</strong></span>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The length of time to ensure that keys will be correct; no action
 	    will be taken to create new keys to be activated after this time.
 	    This can be represented as a number of seconds, or as a duration
@@ -282,120 +224,90 @@
 	    A default value for this option can be set in algorithm policies
 	    as well as in policy classes or zone policies.
 	    If no policy is configured, the default is six months.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>directory</strong></span>
 	  <em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the directory in which keys should be stored.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specifies the number of bits to use in creating keys.
 	    The keytype is either "zsk" or "ksk".
 	    A default value for this option can be set in algorithm policies
 	    as well as in policy classes or zone policies. If no policy is
 	    configured, the default is 1024 bits for DSA keys and 2048 for
 	    RSA.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>keyttl</strong></span>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The key TTL. If no policy is defined, the default is one hour.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    How long after inactivation a key should be deleted from the zone.
 	    Note: If <code class="option">roll-period</code> is not set, this value is
 	    ignored. The keytype is either "zsk" or "ksk".
 	    A default duration for this option can be set in algorithm
 	    policies as well as in policy classes or zone policies. The default
 	    is one month.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    How long before activation a key should be published.  Note: If
 	    <code class="option">roll-period</code> is not set, this value is ignored.
 	    The keytype is either "zsk" or "ksk".
 	    A default duration for this option can be set in algorithm policies
 	    as well as in policy classes or zone policies.  The default is
 	    one month.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    How frequently keys should be rolled over.
 	    The keytype is either "zsk" or "ksk".
 	    A default duration for this option can be set in algorithm policies
 	    as well as in policy classes or zone policies.  If no policy is
 	    configured, the default is one year for ZSKs. KSKs do not
 	    roll over by default.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
 	  <em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Not yet implemented.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.13.10"></a><h2>REMAINING WORK</h2>
-  <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-      <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.12.10"></a><h2>REMAINING WORK</h2>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
 	Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
 	and <code class="option">-D sync</code> options to
 	<span class="command"><strong>dnssec-keygen</strong></span> and
 	<span class="command"><strong>dnssec-settime</strong></span>.  Check the parent zone
 	(as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
 	safe for the key to roll.
-      </p>
-    </li>
-<li class="listitem">
-      <p>
+      </p></li>
+<li class="listitem"><p>
 	Allow configuration of standby keys and use of the REVOKE bit,
 	for keys that use RFC 5011 semantics.
-      </p>
-    </li>
+      </p></li>
 </ul></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.13.11"></a><h2>SEE ALSO</h2>
-    <p>
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-coverage</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-settime</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-checkds</span>(8)
-      </span>
+</div>
+<div class="refsection">
+<a name="id-1.14.12.11"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-coverage</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -416,6 +328,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-revoke.html b/bind/bind9/doc/arm/man.dnssec-revoke.html
index 6c69d5fe..c9341ded 100644
--- a/bind/bind9/doc/arm/man.dnssec-revoke.html
+++ b/bind/bind9/doc/arm/man.dnssec-revoke.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-revoke</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
@@ -32,88 +32,52 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-revoke"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-revoke</span>
-     &#8212; set the REVOKED bit on a DNSSEC key
-  </p>
+<p><span class="application">dnssec-revoke</span> &#8212; set the REVOKED bit on a DNSSEC key</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-revoke</code> 
-       [<code class="option">-hr</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-f</code>]
-       [<code class="option">-R</code>]
-       {keyfile}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.14.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-revoke</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-revoke</strong></span>
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
       now-revoked key.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.14.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.13.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-h</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Emit usage message and exit.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the directory in which the key files are to reside.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    After writing the new keyset files remove the original keyset
 	    files.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the debugging level.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -121,36 +85,27 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-f</span></dt>
-<dd>
-          <p>
+<dd><p>
             Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
             write the new key pair even if a file already exists matching
             the algorithm and key ID of the revoked key.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-R</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Print the key tag of the key with the REVOKE bit set but do
 	    not revoke the key.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.14.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.13.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -171,6 +126,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-settime.html b/bind/bind9/doc/arm/man.dnssec-settime.html
index 70862dff..3e781fd3 100644
--- a/bind/bind9/doc/arm/man.dnssec-settime.html
+++ b/bind/bind9/doc/arm/man.dnssec-settime.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-settime</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
@@ -32,49 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-settime"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-settime</span>
-     &#8212; set the key timing metadata for a DNSSEC key
-  </p>
+<p><span class="application">dnssec-settime</span> &#8212; set the key timing metadata for a DNSSEC key</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-settime</code> 
-       [<code class="option">-f</code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       {keyfile}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.15.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-settime</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.14.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-settime</strong></span>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
       <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
@@ -83,12 +51,12 @@
       determine when a key is to be published, whether it should be
       used for signing a zone, etc.
     </p>
-    <p>
+<p>
       If none of these options is set on the command line,
       then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
       metadata already stored in the key.
     </p>
-    <p>
+<p>
       When key metadata fields are changed, both files of a key
       pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
       <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
@@ -97,16 +65,12 @@
       file.  The private file's permissions are always set to be
       inaccessible to anyone other than the owner (mode 0600).
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.15.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.14.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-f</span></dt>
-<dd>
-          <p>
+<dd><p>
             Force an update of an old-format key with no metadata fields.
             Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
             fail when attempting to update a legacy key.  With this option,
@@ -115,17 +79,13 @@
             set to the present time.  If no other values are specified,
             then the key's publication and activation dates will also
             be set to the present time.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the directory in which the key files are to reside.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
@@ -134,32 +94,25 @@
             is no existing DNSKEY RRset, the TTL will default to the
             SOA TTL. Setting the default TTL to <code class="literal">0</code>
             or <code class="literal">none</code> removes it from the key.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Emit usage message and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints version information.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the debugging level.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -167,14 +120,12 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.15.9"></a><h2>TIMING OPTIONS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.14.9"></a><h2>TIMING OPTIONS</h2>
+<p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
@@ -184,65 +135,49 @@
       days, hours, or minutes, respectively.  Without a suffix, the offset
       is computed in seconds.  To unset a date, use 'none' or 'never'.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which CDS and CDNSKEY records that match this
             key are to be published to the zone.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included in the zone and used to sign
             it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the key is to be revoked.  After that
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the key is to be retired.  After that
             date, the key will still be included in the zone, but it
             will not be used to sign it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the date on which the CDS and CDNSKEY records that match this
             key are to be deleted.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Select a key for which the key being modified will be an
             explicit successor.  The name, algorithm, size, and type of the
             predecessor key must exactly match those of the key being
@@ -250,11 +185,10 @@
             to the inactivation date of the predecessor.  The publication
             date will be set to the activation date minus the prepublication
             interval, which defaults to 30 days.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
@@ -263,40 +197,34 @@
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
-          <p>
+<p>
             If the key is being set to be an explicit successor to another
             key, then the default prepublication interval is 30 days;
             otherwise it is zero.
           </p>
-          <p>
+<p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.15.10"></a><h2>PRINTING OPTIONS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.14.10"></a><h2>PRINTING OPTIONS</h2>
+<p>
       <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
       timing metadata associated with a key.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-u</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print times in UNIX epoch format.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Print a specific metadata value or set of metadata values.
             The <code class="option">-p</code> option may be followed by one or more
             of the following letters or strings to indicate which value
@@ -310,25 +238,17 @@
             <code class="option">D</code> for the deletion date, and
             <code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
             To print all of the metadata, use <code class="option">-p all</code>.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.15.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.14.11"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -349,6 +269,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-signzone.html b/bind/bind9/doc/arm/man.dnssec-signzone.html
index cd317337..d85d3c5c 100644
--- a/bind/bind9/doc/arm/man.dnssec-signzone.html
+++ b/bind/bind9/doc/arm/man.dnssec-signzone.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
@@ -32,72 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-signzone"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-signzone</span>
-     &#8212; DNSSEC zone signing tool
-  </p>
+<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-signzone</code> 
-       [<code class="option">-a</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
-       [<code class="option">-g</code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
-       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
-       [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
-       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
-       [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
-       [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
-       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
-       [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
-       [<code class="option">-P</code>]
-       [<code class="option">-p</code>]
-       [<code class="option">-Q</code>]
-       [<code class="option">-R</code>]
-       [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
-       [<code class="option">-S</code>]
-       [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-t</code>]
-       [<code class="option">-u</code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
-       [<code class="option">-x</code>]
-       [<code class="option">-z</code>]
-       [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
-       [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
-       [<code class="option">-A</code>]
-       {zonefile}
-       [key...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.16.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-signzone</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.15.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
       zone. The security status of delegations from the signed zone
@@ -105,46 +50,34 @@
       determined by the presence or absence of a
       <code class="filename">keyset</code> file for each child zone.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.16.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.15.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a</span></dt>
-<dd>
-          <p>
+<dd><p>
             Verify all generated signatures.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the DNS class of the zone.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-          <p>
+<dd><p>
             Compatibility mode: Generate a
             <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
             file in addition to
             <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
             when signing a zone, for use by older versions of
             <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Look for <code class="filename">dsset-</code> or
             <code class="filename">keyset-</code> files in <code class="option">directory</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Output only those record types automatically managed by
 	    <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 	    NSEC3 and NSEC3PARAM records. If smart signing
@@ -153,16 +86,15 @@
 	    zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
 	    cannot be combined with <code class="option">-O raw</code>,
             <code class="option">-O map</code>, or serial number updating.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-          <p>
+<p>
             When applicable, specifies the hardware to use for
             cryptographic operations, such as a secure key store used
             for signing.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -170,39 +102,30 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-g</span></dt>
-<dd>
-          <p>
+<dd><p>
             Generate DS records for child zones from
             <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
             file.  Existing DS records will be removed.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Key repository: Specify a directory to search for DNSSEC keys.
             If not specified, defaults to the current directory.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Treat specified key as a key signing key ignoring any
             key flags.  This option may be specified multiple times.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Generate a DLV set in addition to the key (DNSKEY) and DS sets.
             The domain is appended to the name of the records.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the maximum TTL for the signed zone.
             Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
             input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
@@ -215,11 +138,9 @@
             <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
             (Note: This option is incompatible with <code class="option">-D</code>,
             because it modifies non-DNSSEC data in the output zone.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the date and time when the generated RRSIG records
             become valid.  This can be either an absolute or relative
             time.  An absolute start time is indicated by a number
@@ -228,11 +149,9 @@
             indicated by +N, which is N seconds from the current time.
             If no <code class="option">start-time</code> is specified, the current
             time minus 1 hour (to allow for clock skew) is used.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the date and time when the generated RRSIG records
             expire.  As with <code class="option">start-time</code>, an absolute
             time is indicated in YYYYMMDDHHMMSS notation.  A time relative
@@ -242,11 +161,10 @@
             specified, 30 days from the start time is used as a default.
             <code class="option">end-time</code> must be later than
             <code class="option">start-time</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Specify the date and time when the generated RRSIG records
             for the DNSKEY RRset will expire.  This is to be used in cases
             when the DNSKEY signatures need to persist longer than
@@ -254,7 +172,7 @@
             of the KSK is kept offline and the KSK signature is to be
             refreshed manually.
           </p>
-          <p>
+<p>
             As with <code class="option">start-time</code>, an absolute
             time is indicated in YYYYMMDDHHMMSS notation.  A time relative
             to the start time is indicated with +N, which is N seconds from
@@ -265,34 +183,28 @@
             30 days from the start time.) <code class="option">extended end-time</code>
             must be later than <code class="option">start-time</code>.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The name of the output file containing the signed zone.  The
             default is to append <code class="filename">.signed</code> to
             the input filename.  If <code class="option">output-file</code> is
             set to <code class="literal">"-"</code>, then the signed zone is
             written to the standard output, with a default output
             format of "full".
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints a short summary of the options and arguments to
             <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
-          <p>
+<p>
             When a previously-signed zone is passed as input, records
             may be resigned.  The <code class="option">interval</code> option
             specifies the cycle interval as an offset from the current
@@ -300,7 +212,7 @@
             cycle interval, it is retained.  Otherwise, it is considered
             to be expiring soon, and it will be replaced.
           </p>
-          <p>
+<p>
             The default cycle interval is one quarter of the difference
             between the signature end and start times.  So if neither
             <code class="option">end-time</code> or <code class="option">start-time</code>
@@ -311,10 +223,9 @@
             are due to expire in less than 7.5 days, they would be
             replaced.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The format of the input zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
@@ -323,11 +234,10 @@
             format containing updates can be signed directly.
 	    The use of this option does not make much sense for
 	    non-dynamic zones.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
 <dd>
-          <p>
+<p>
             When signing a zone with a fixed signature lifetime, all
             RRSIG records issued at the time of signing expires
             simultaneously.  If the zone is incrementally signed, i.e.
@@ -338,72 +248,55 @@
             expire time, thus spreading incremental signature
             regeneration over time.
           </p>
-          <p>
+<p>
             Signature lifetime jitter also to some extent benefits
             validators and servers by spreading out cache expiration,
             i.e. if large numbers of RRSIGs don't expire at the same time
             from all caches there will be less congestion than if all
             validators need to refetch at mostly the same time.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             When writing a signed zone to "raw" or "map" format, set the
             "source serial" value in the header to the specified serial
             number.  (This is expected to be used primarily for testing
             purposes.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the number of threads to use.  By default, one
             thread is started for each detected CPU.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
 <dd>
-          <p>
+<p>
             The SOA serial number format of the signed zone.
 	    Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
             <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
             and <span class="command"><strong>"date"</strong></span>.
           </p>
-
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
-<dd>
-                <p>Do not modify the SOA serial number.</p>
-	      </dd>
+<dd><p>Do not modify the SOA serial number.</p></dd>
 <dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
-<dd>
-                <p>Increment the SOA serial number using RFC 1982
-                      arithmetics.</p>
-	      </dd>
+<dd><p>Increment the SOA serial number using RFC 1982
+                      arithmetics.</p></dd>
 <dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
-<dd>
-                <p>Set the SOA serial number to the number of seconds
-	        since epoch.</p>
-	      </dd>
+<dd><p>Set the SOA serial number to the number of seconds
+	        since epoch.</p></dd>
 <dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
-<dd>
-                <p>Set the SOA serial number to today's date in
-                YYYYMMDDNN format.</p>
-	      </dd>
+<dd><p>Set the SOA serial number to today's date in
+                YYYYMMDDNN format.</p></dd>
 </dl></div>
-
-        </dd>
+</dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The zone origin.  If not specified, the name of the zone file
             is assumed to be the origin.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The format of the output file containing the signed zone.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
             which is the standard textual representation of the zone;
@@ -416,36 +309,33 @@
             the raw zone file: if N is 0, the raw file can be read by
             any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
             can be read by release 9.9.0 or higher; the default is 1.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use pseudo-random data when signing the zone.  This is faster,
             but less secure, than using real random data.  This option
             may be useful when signing large zones or when the entropy
             source is limited.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-P</span></dt>
 <dd>
-          <p>
+<p>
 	    Disable post sign verification tests.
           </p>
-          <p>
+<p>
 	    The post sign verification test ensures that for each algorithm
 	    in use there is at least one non revoked self signed KSK key,
 	    that all revoked KSK keys are self signed, and that all records
 	    in the zone are signed by the algorithm.
 	    This option skips these tests.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-Q</span></dt>
 <dd>
-          <p>
+<p>
 	    Remove signatures from keys that are no longer active.
           </p>
-          <p>
+<p>
             Normally, when a previously-signed zone is passed as input
             to the signer, and a DNSKEY record has been removed and
             replaced with a new one, signatures from the old key
@@ -457,23 +347,22 @@
             enables ZSK rollover using the procedure described in
             RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-R</span></dt>
 <dd>
-          <p>
+<p>
 	    Remove signatures from keys that are no longer published.
           </p>
-          <p>
+<p>
             This option is similar to <code class="option">-Q</code>, except it
             forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
             keys that are no longer published. This enables ZSK rollover
             using the procedure described in RFC 4641, section 4.2.1.2
             ("Double Signature Zone Signing Key Rollover").
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the source of randomness.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
             or equivalent device, the default source of randomness
@@ -483,65 +372,53 @@
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-S</span></dt>
 <dd>
-          <p>
+<p>
             Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
             search the key repository for keys that match the zone being
             signed, and to include them in the zone if appropriate.
           </p>
-          <p>
+<p>
             When a key is found, its timing metadata is examined to
             determine how it should be used, according to the following
             rules.  Each successive rule takes priority over the prior
             ones:
           </p>
-          <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If no timing metadata has been set for the key, the key is
                   published in the zone and used to sign the zone.
-                </p>
-	      </dd>
+                </p></dd>
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If the key's publication date is set and is in the past, the
                   key is published in the zone.
-                </p>
-	      </dd>
+                </p></dd>
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If the key's activation date is set and in the past, the
                   key is published (regardless of publication date) and
                   used to sign the zone.
-                </p>
-	      </dd>
+                </p></dd>
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If the key's revocation date is set and in the past, and the
                   key is published, then the key is revoked, and the revoked key
                   is used to sign the zone.
-                </p>
-	      </dd>
+                </p></dd>
 <dt></dt>
-<dd>
-                <p>
+<dd><p>
                   If either of the key's unpublication or deletion dates are set
                   and in the past, the key is NOT published or used to sign the
                   zone, regardless of any other metadata.
-                </p>
-	      </dd>
+                </p></dd>
 </dl></div>
-        </dd>
+</dd>
 <dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a TTL to be used for new DNSKEY records imported
             into the zone from the key repository.  If not
             specified, the default is the TTL value from the zone's SOA
@@ -553,102 +430,81 @@
             them, or if any of the imported DNSKEY records had a default
             TTL value.  In the event of a a conflict between TTL values in
             imported keys, the shortest one is used.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-t</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print statistics at completion.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-u</span></dt>
-<dd>
-          <p>
+<dd><p>
             Update NSEC/NSEC3 chain when re-signing a previously signed
             zone.  With this option, a zone signed with NSEC can be
             switched to NSEC3, or a zone signed with NSEC3 can
             be switch to NSEC or to NSEC3 with different parameters.
             Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
             retain the existing chain when re-signing.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the debugging level.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-x</span></dt>
-<dd>
-          <p>
+<dd><p>
             Only sign the DNSKEY RRset with key-signing keys, and omit
             signatures from zone-signing keys.  (This is similar to the
             <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
             <span class="command"><strong>named</strong></span>.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-z</span></dt>
-<dd>
-          <p>
+<dd><p>
             Ignore KSK flag on key when determining what to sign.  This
             causes KSK-flagged keys to sign all records, not just the
             DNSKEY RRset.  (This is similar to the
             <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
             <span class="command"><strong>named</strong></span>.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Generate an NSEC3 chain with the given hex encoded salt.
 	    A dash (<em class="replaceable"><code>salt</code></em>) can
 	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
 	    When generating an NSEC3 chain, use this many iterations.  The
 	    default is 10.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-A</span></dt>
 <dd>
-          <p>
+<p>
 	    When generating an NSEC3 chain set the OPTOUT flag on all
 	    NSEC3 records and do not generate NSEC3 records for insecure
 	    delegations.
           </p>
-          <p>
+<p>
 	    Using this option twice (i.e., <code class="option">-AA</code>)
 	    turns the OPTOUT flag off for all records.  This is useful
 	    when using the <code class="option">-u</code> option to modify an NSEC3
 	    chain which previously had OPTOUT set.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">zonefile</span></dt>
-<dd>
-          <p>
+<dd><p>
             The file containing the zone to be signed.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">key</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Specify which keys should be used to sign the zone.  If
 	    no keys are specified, then the zone will be examined
 	    for DNSKEY records at the zone apex.  If these are found and
 	    there are matching private keys, in the current directory,
 	    then these will be used for signing.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.16.9"></a><h2>EXAMPLE</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.15.9"></a><h2>EXAMPLE</h2>
+<p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
       (Kexample.com.+003+17247).  Because the <span class="command"><strong>-S</strong></span> option
@@ -661,13 +517,13 @@
 Kexample.com.+003+17247
 db.example.com.signed
 %</pre>
-    <p>
+<p>
       In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
       the file <code class="filename">db.example.com.signed</code>.  This
       file should be referenced in a zone statement in a
       <code class="filename">named.conf</code> file.
     </p>
-    <p>
+<p>
       This example re-signs a previously signed zone with default parameters.
       The private keys are assumed to be in the current directory.
     </p>
@@ -675,19 +531,14 @@ db.example.com.signed
 % dnssec-signzone -o example.com db.example.com
 db.example.com.signed
 %</pre>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.16.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.15.10"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -708,6 +559,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnssec-verify.html b/bind/bind9/doc/arm/man.dnssec-verify.html
index eeca6d5c..efd5847a 100644
--- a/bind/bind9/doc/arm/man.dnssec-verify.html
+++ b/bind/bind9/doc/arm/man.dnssec-verify.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-verify</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
-<link rel="next" href="man.lwresd.html" title="lwresd">
+<link rel="next" href="man.dnstap-read.html" title="dnstap-read">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -24,7 +24,7 @@
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnstap-read.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,64 +32,35 @@
 </div>
 <div class="refentry">
 <a name="man.dnssec-verify"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnssec-verify</span>
-     &#8212; DNSSEC zone verification tool
-  </p>
+<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnssec-verify</code> 
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
-       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
-       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
-       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-x</code>]
-       [<code class="option">-z</code>]
-       {zonefile}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.17.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>dnssec-verify</strong></span>
+<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.16.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-verify</strong></span>
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
       chains are complete.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.17.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.16.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the DNS class of the zone.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Specifies the cryptographic hardware to use, when applicable.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -97,10 +68,9 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The format of the input zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 	    and <span class="command"><strong>"raw"</strong></span>.
@@ -109,41 +79,32 @@
             format containing updates can be verified independently.
 	    The use of this option does not make much sense for
 	    non-dynamic zones.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             The zone origin.  If not specified, the name of the zone file
             is assumed to be the origin.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the debugging level.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Prints version information.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-x</span></dt>
-<dd>
-          <p>
+<dd><p>
             Only verify that the DNSKEY RRset is signed with key-signing
             keys.  Without this flag, it is assumed that the DNSKEY RRset
             will be signed by all active keys.  When this flag is set,
             it will not be an error if the DNSKEY RRset is not signed
             by zone-signing keys.  This corresponds to the <code class="option">-x</code>
             option in <span class="command"><strong>dnssec-signzone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-z</span></dt>
 <dd>
-	  <p>
+<p>
 	    Ignore the KSK flag on the keys when determining whether
             the zone if correctly signed.  Without this flag it is
 	    assumed that there will be a non-revoked, self-signed
@@ -151,7 +112,7 @@
 	    that RRsets other than DNSKEY RRset will be signed with
             a different DNSKEY without the KSK flag set.
 	  </p>
-	  <p>
+<p>
 	    With this flag set, we only require that for each algorithm,
             there will be at least one non-revoked, self-signed DNSKEY,
             regardless of the KSK flag state, and that other RRsets
@@ -160,28 +121,21 @@
             for both purposes.  This corresponds to the <code class="option">-z</code>
             option in <span class="command"><strong>dnssec-signzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">zonefile</span></dt>
-<dd>
-          <p>
+<dd><p>
             The file containing the zone to be signed.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.17.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-signzone</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.16.9"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -190,18 +144,18 @@
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnstap-read.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-signzone</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">lwresd</span>
+<td width="40%" align="right" valign="top"> <span class="application">dnstap-read</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.dnstap-read.html b/bind/bind9/doc/arm/man.dnstap-read.html
index 6856f185..170c3ca9 100644
--- a/bind/bind9/doc/arm/man.dnstap-read.html
+++ b/bind/bind9/doc/arm/man.dnstap-read.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,10 +10,10 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnstap-read</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.arpaname.html" title="arpaname">
+<link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
 <link rel="next" href="man.genrandom.html" title="genrandom">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -22,7 +22,7 @@
 <tr><th colspan="3" align="center"><span class="application">dnstap-read</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
+<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
 </td>
@@ -32,36 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.dnstap-read"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">dnstap-read</span>
-     &#8212; print dnstap data in human-readable form
-  </p>
+<p><span class="application">dnstap-read</span> &#8212; print dnstap data in human-readable form</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">dnstap-read</code> 
-       [<code class="option">-m</code>]
-       [<code class="option">-p</code>]
-       [<code class="option">-y</code>]
-       {<em class="replaceable"><code>file</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.32.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">dnstap-read</code>  [<code class="option">-m</code>] [<code class="option">-p</code>] [<code class="option">-y</code>] {<em class="replaceable"><code>file</code></em>}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.17.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>dnstap-read</strong></span>
       reads <span class="command"><strong>dnstap</strong></span> data from a specified file
       and prints it in a human-readable format.  By default,
@@ -69,71 +50,55 @@
       format, but if the <code class="option">-y</code> option is specified,
       then a longer and more detailed YAML format is used instead.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.32.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.17.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-m</span></dt>
-<dd>
-          <p>
+<dd><p>
             Trace memory allocations; used for debugging memory leaks.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p</span></dt>
-<dd>
-          <p>
+<dd><p>
             After printing the <span class="command"><strong>dnstap</strong></span> data, print
             the text form of the DNS message that was encapsulated in the
             <span class="command"><strong>dnstap</strong></span> frame.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-y</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print <span class="command"><strong>dnstap</strong></span> data in a detailed YAML
             format.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.32.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.17.9"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
+<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">arpaname</span> </td>
+<span class="application">dnssec-verify</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">genrandom</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.genrandom.html b/bind/bind9/doc/arm/man.genrandom.html
index 6892fa91..42c77532 100644
--- a/bind/bind9/doc/arm/man.genrandom.html
+++ b/bind/bind9/doc/arm/man.genrandom.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>genrandom</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnstap-read.html" title="dnstap-read">
-<link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
+<link rel="next" href="man.host.html" title="host">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -24,7 +24,7 @@
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnstap-read.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,81 +32,48 @@
 </div>
 <div class="refentry">
 <a name="man.genrandom"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">genrandom</span>
-     &#8212; generate a file containing random data
-  </p>
+<p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">genrandom</code> 
-       [<code class="option">-n <em class="replaceable"><code>number</code></em></code>]
-       {<em class="replaceable"><code>size</code></em>}
-       {<em class="replaceable"><code>filename</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.33.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">genrandom</code>  [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.18.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>genrandom</strong></span>
       generates a file or a set of files containing a specified quantity
       of pseudo-random data, which can be used as a source of entropy for
       other commands on systems with no random device.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.33.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.18.8"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             In place of generating one file, generates <code class="option">number</code>
             (from 2 to 9) files, appending <code class="option">number</code> to the name.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">size</span></dt>
-<dd>
-          <p>
+<dd><p>
             The size of the file, in kilobytes, to generate.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">filename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The file name into which random data should be written.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.33.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">rand</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">arc4random</span>(3)
-      </span>
+</div>
+<div class="refsection">
+<a name="id-1.14.18.9"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -115,18 +82,17 @@
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnstap-read.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnstap-read</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">isc-hmac-fixup</span>
-</td>
+<td width="40%" align="right" valign="top"> host</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.host.html b/bind/bind9/doc/arm/man.host.html
index b8c5d095..ead3939c 100644
--- a/bind/bind9/doc/arm/man.host.html
+++ b/bind/bind9/doc/arm/man.host.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.mdig.html" title="mdig">
-<link rel="next" href="man.delv.html" title="delv">
+<link rel="prev" href="man.genrandom.html" title="genrandom">
+<link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center">host</th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.mdig.html">Prev</a> </td>
+<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.delv.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,56 +32,24 @@
 </div>
 <div class="refentry">
 <a name="man.host"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    host
-     &#8212; DNS lookup utility
-  </p>
+<p>host &#8212; DNS lookup utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">host</code> 
-       [<code class="option">-aCdlnrsTUwv</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-v</code>]
-       [<code class="option">-V</code>]
-       {name}
-       [server]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.4.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><span class="command"><strong>host</strong></span>
+<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTUwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.19.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
       When no arguments or options are given,
       <span class="command"><strong>host</strong></span>
       prints a short summary of its command line arguments and options.
     </p>
-
-    <p><em class="parameter"><code>name</code></em> is the domain name that is to be
+<p><em class="parameter"><code>name</code></em> is the domain name that is to be
       looked
       up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
       IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
@@ -93,86 +61,68 @@
       should query instead of the server or servers listed in
       <code class="filename">/etc/resolv.conf</code>.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.4.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.19.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-4</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use IPv4 only for query transport.
 	    See also the <code class="option">-6</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use IPv6 only for query transport.
 	    See also the <code class="option">-4</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-a</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    "All". The <code class="option">-a</code> option is normally equivalent
 	    to <code class="option">-v -t <code class="literal">ANY</code></code>.
 	    It also affects the behaviour of the <code class="option">-l</code>
 	    list zone option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Query class: This can be used to lookup HS (Hesiod) or CH
 	    (Chaosnet) class resource records. The default class is IN
 	    (Internet).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-C</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Check consistency: <span class="command"><strong>host</strong></span> will query the
 	    SOA records for zone <em class="parameter"><code>name</code></em> from all
 	    the listed authoritative name servers for that zone. The
 	    list of name servers is defined by the NS records that are
 	    found for the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-d</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print debugging traces.
 	    Equivalent to the <code class="option">-v</code> verbose option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Obsolete.
 	    Use the IP6.INT domain for reverse lookups of IPv6
 	    addresses as defined in RFC1886 and deprecated in RFC4159.
 	    The default is to use IP6.ARPA as specified in RFC3596.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-l</span></dt>
 <dd>
-	  <p>
+<p>
 	    List zone:
 	    The <span class="command"><strong>host</strong></span> command performs a zone transfer of
 	    zone <em class="parameter"><code>name</code></em> and prints out the NS,
 	    PTR and address records (A/AAAA).
 	  </p>
-	  <p>
+<p>
 	    Together, the <code class="option">-l -a</code>
 	    options print all records in the zone.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The number of dots that have to be
 	    in <em class="parameter"><code>name</code></em> for it to be considered
 	    absolute. The default value is that defined using the
@@ -182,11 +132,13 @@
 	    searched for in the domains listed in
 	    the <span class="type">search</span> or <span class="type">domain</span> directive
 	    in <code class="filename">/etc/resolv.conf</code>.
-	  </p>
-	</dd>
+	  </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+	    Specify the port on the server to query.  The default is 53.
+	  </p></dd>
 <dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Non-recursive query:
 	    Setting this option clears the RD (recursion desired) bit
 	    in the query. This should mean that the name server
@@ -197,35 +149,30 @@
 	    name server by making non-recursive queries and expecting
 	    to receive answers to those queries that can be
 	    referrals to other name servers.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Number of retries for UDP queries:
 	    If <em class="parameter"><code>number</code></em> is negative or zero, the
 	    number of retries will default to 1. The default value is
 	    1, or the value of the <em class="parameter"><code>attempts</code></em>
 	    option in <code class="filename">/etc/resolv.conf</code>, if set.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Do <span class="emphasis"><em>not</em></span> send the query to the next
 	    nameserver if any server responds with a SERVFAIL
 	    response, which is the reverse of normal stub resolver
 	    behavior.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Query type:
 	    The <em class="parameter"><code>type</code></em> argument can be any
 	    recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
 	  </p>
-	  <p>
+<p>
 	    When no query type is specified, <span class="command"><strong>host</strong></span>
 	    automatically selects an appropriate query type. By default, it
 	    looks for A, AAAA, and MX records.
@@ -236,18 +183,17 @@
 	    address, <span class="command"><strong>host</strong></span> will query for PTR
 	    records.
 	  </p>
-	  <p>
+<p>
 	    If a query type of IXFR is chosen the starting serial
 	    number can be specified by appending an equal followed by
 	    the starting serial number
 	    (like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
 	  </p>
-	</dd>
+</dd>
 <dt>
 <span class="term">-T, </span><span class="term">-U</span>
 </dt>
-<dd>
-	  <p>
+<dd><p>
 	    TCP/UDP:
 	    By default, <span class="command"><strong>host</strong></span> uses UDP when making
 	    queries. The <code class="option">-T</code> option makes it use a TCP
@@ -255,67 +201,55 @@
 	    automatically selected for queries that require it, such
 	    as zone transfer (AXFR) requests.  Type ANY queries default
 	    to TCP but can be forced to UDP initially using <code class="option">-U</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Memory usage debugging: the flag can
 	    be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
 	    or <em class="parameter"><code>trace</code></em>. You can specify
 	    the <code class="option">-m</code> option more than once to set
 	    multiple flags.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Verbose output.
 	    Equivalent to the <code class="option">-d</code> debug option.
 	    Verbose output can also be enabled by setting
 	    the <em class="parameter"><code>debug</code></em> option
 	    in <code class="filename">/etc/resolv.conf</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the version number and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-w</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Wait forever: The query timeout is set to the maximum possible.
 	    See also the <code class="option">-W</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
 	    seconds for a reply. If <em class="parameter"><code>wait</code></em> is
 	    less than one, the wait interval is set to one second.
 	  </p>
-	  <p>
+<p>
 	    By default, <span class="command"><strong>host</strong></span> will wait for 5
 	    seconds for UDP responses and 10 seconds for TCP
 	    connections. These defaults can be overridden by
 	    the <em class="parameter"><code>timeout</code></em> option
 	    in <code class="filename">/etc/resolv.conf</code>.
 	  </p>
-	  <p>
+<p>
 	    See also the <code class="option">-w</code> option.
 	  </p>
-	</dd>
+</dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.4.9"></a><h2>IDN SUPPORT</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.19.9"></a><h2>IDN SUPPORT</h2>
+<p>
       If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
       <span class="command"><strong>host</strong></span> appropriately converts character encoding of
@@ -326,46 +260,38 @@
       The IDN support is disabled if the variable is set when
       <span class="command"><strong>host</strong></span> runs.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.4.10"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
+</div>
+<div class="refsection">
+<a name="id-1.14.19.10"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.4.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>.
+</div>
+<div class="refsection">
+<a name="id-1.14.19.11"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.mdig.html">Prev</a> </td>
+<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.delv.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">mdig</span> </td>
+<span class="application">genrandom</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> delv</td>
+<td width="40%" align="right" valign="top"> <span class="application">isc-hmac-fixup</span>
+</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.isc-hmac-fixup.html b/bind/bind9/doc/arm/man.isc-hmac-fixup.html
index 163b58c0..3cff3da6 100644
--- a/bind/bind9/doc/arm/man.isc-hmac-fixup.html
+++ b/bind/bind9/doc/arm/man.isc-hmac-fixup.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>isc-hmac-fixup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.genrandom.html" title="genrandom">
-<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
+<link rel="prev" href="man.host.html" title="host">
+<link rel="next" href="man.lwresd.html" title="lwresd">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
+<a accesskey="p" href="man.host.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,34 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">isc-hmac-fixup</span>
-     &#8212; fixes HMAC keys generated by older versions of BIND
-  </p>
+<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">isc-hmac-fixup</code> 
-       {<em class="replaceable"><code>algorithm</code></em>}
-       {<em class="replaceable"><code>secret</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.34.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.20.7"></a><h2>DESCRIPTION</h2>
+<p>
       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
       hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
@@ -67,13 +50,13 @@
       message authentication code that was incompatible with other DNS
       implementations.
     </p>
-    <p>
+<p>
       This bug was fixed in BIND 9.7.  However, the fix may
       cause incompatibility between older and newer versions of
       BIND, when using long keys.  <span class="command"><strong>isc-hmac-fixup</strong></span>
       modifies those keys to restore compatibility.
     </p>
-    <p>
+<p>
       To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
       specify the key's algorithm and secret on the command line.  If the
       secret is longer than the digest length of the algorithm (64 bytes
@@ -82,12 +65,10 @@
       secret.  (If the secret did not require conversion, then it will be
       printed without modification.)
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.34.8"></a><h2>SECURITY CONSIDERATIONS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.20.8"></a><h2>SECURITY CONSIDERATIONS</h2>
+<p>
       Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
       are shortened, but as this is how the HMAC protocol works in
       operation anyway, it does not affect security.  RFC 2104 notes,
@@ -95,37 +76,33 @@
       extra length would not significantly increase the function
       strength."
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.34.9"></a><h2>SEE ALSO</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.20.9"></a><h2>SEE ALSO</h2>
+<p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2104</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
+<a accesskey="p" href="man.host.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.lwresd.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">
-<span class="application">genrandom</span> </td>
+<td width="40%" align="left" valign="top">host </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
+<td width="40%" align="right" valign="top"> <span class="application">lwresd</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.lwresd.html b/bind/bind9/doc/arm/man.lwresd.html
index 94a15f5a..4d67c41c 100644
--- a/bind/bind9/doc/arm/man.lwresd.html
+++ b/bind/bind9/doc/arm/man.lwresd.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwresd</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
-<link rel="next" href="man.named.html" title="named">
+<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
+<link rel="next" href="man.mdig.html" title="mdig">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">lwresd</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
+<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.mdig.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,59 +32,24 @@
 </div>
 <div class="refentry">
 <a name="man.lwresd"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">lwresd</span>
-     &#8212; lightweight resolver daemon
-  </p>
+<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">lwresd</code> 
-       [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
-       [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
-       [<code class="option">-f</code>]
-       [<code class="option">-g</code>]
-       [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
-       [<code class="option">-P <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-s</code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
-       [<code class="option">-v</code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.18.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><span class="command"><strong>lwresd</strong></span>
+<div class="cmdsynopsis"><p><code class="command">lwresd</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.21.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>lwresd</strong></span>
       is the daemon providing name lookup
       services to clients that use the BIND 9 lightweight resolver
       library.  It is essentially a stripped-down, caching-only name
       server that answers queries using the BIND 9 lightweight
       resolver protocol rather than the DNS protocol.
     </p>
-
-    <p><span class="command"><strong>lwresd</strong></span>
+<p><span class="command"><strong>lwresd</strong></span>
       listens for resolver queries on a
       UDP port on the IPv4 loopback interface, 127.0.0.1.  This
       means that <span class="command"><strong>lwresd</strong></span> can only be used by
@@ -92,14 +57,14 @@
       number 921 is used for lightweight resolver requests and
       responses.
     </p>
-    <p>
+<p>
       Incoming lightweight resolver requests are decoded by the
       server which then resolves them using the DNS protocol.  When
       the DNS lookup completes, <span class="command"><strong>lwresd</strong></span> encodes
       the answers in the lightweight resolver format and returns
       them to the client that made the request.
     </p>
-    <p>
+<p>
       If <code class="filename">/etc/resolv.conf</code> contains any
       <code class="option">nameserver</code> entries, <span class="command"><strong>lwresd</strong></span>
       sends recursive DNS queries to those servers.  This is similar
@@ -109,80 +74,60 @@
       queries autonomously starting at the root name servers, using
       a built-in list of root server hints.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.18.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.21.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-4</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use IPv4 only even if the host machine is capable of IPv6.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use IPv6 only even if the host machine is capable of IPv4.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>config-file</code></em> as the
             configuration file instead of the default,
             <code class="filename">/etc/lwresd.conf</code>.
 	    
 	    <code class="option">-c</code> can not be used with <code class="option">-C</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>config-file</code></em> as the
             configuration file instead of the default,
             <code class="filename">/etc/resolv.conf</code>.
 	    <code class="option">-C</code> can not be used with <code class="option">-c</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
             Debugging traces from <span class="command"><strong>lwresd</strong></span> become
             		more verbose as the debug level increases.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-f</span></dt>
-<dd>
-          <p>
+<dd><p>
             Run the server in the foreground (i.e. do not daemonize).
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-g</span></dt>
-<dd>
-          <p>
+<dd><p>
             Run the server in the foreground and force all logging
             to <code class="filename">stderr</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>pid-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>pid-file</code></em> as the
             PID file instead of the default,
             <code class="filename">/var/run/lwresd/lwresd.pid</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Turn on memory usage debugging flags.  Possible flags are
             <em class="replaceable"><code>usage</code></em>,
             <em class="replaceable"><code>trace</code></em>,
@@ -191,61 +136,54 @@
             <em class="replaceable"><code>mctx</code></em>.
             These correspond to the ISC_MEM_DEBUGXXXX flags described in
             <code class="filename">&lt;isc/mem.h&gt;</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Create <em class="replaceable"><code>#cpus</code></em> worker threads
             to take advantage of multiple CPUs.  If not specified,
             <span class="command"><strong>lwresd</strong></span> will try to determine the
             number of CPUs present and create one thread per CPU.
             If it is unable to determine the number of CPUs, a
             single worker thread will be created.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Listen for lightweight resolver queries on port
             <em class="replaceable"><code>port</code></em>.  If
             		not specified, the default is port 921.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Send DNS lookups to port <em class="replaceable"><code>port</code></em>.  If not
             specified, the default is port 53.  This provides a
             way of testing the lightweight resolver daemon with a
             name server that listens for queries on a non-standard
             port number.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd>
-          <p>
+<p>
             Write memory usage statistics to <code class="filename">stdout</code>
             on exit.
           </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               This option is mainly of interest to BIND 9 developers
               and may be removed or changed in a future release.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd>
-          <p>Chroot
+<p>Chroot
 	    to <em class="replaceable"><code>directory</code></em> after
             processing the command line arguments, but before
             reading the configuration file.
           </p>
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
+<p>
               This option should be used in conjunction with the
               <code class="option">-u</code> option, as chrooting a process
               running as root doesn't enhance security on most
@@ -253,82 +191,60 @@
               defined allows a process with root privileges to
               escape a chroot jail.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-          <p>Setuid
+<dd><p>Setuid
 	    to <em class="replaceable"><code>user</code></em> after completing
             privileged operations, such as creating sockets that
             listen on privileged ports.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Report the version number and exit.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.18.9"></a><h2>FILES</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.21.9"></a><h2>FILES</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             The default configuration file.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             The default process-id file.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.18.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">resolver</span>(5)
-      </span>.
+</div>
+<div class="refsection">
+<a name="id-1.14.21.10"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
+<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.mdig.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">dnssec-verify</span> </td>
+<span class="application">isc-hmac-fixup</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">named</span>
+<td width="40%" align="right" valign="top"> <span class="application">mdig</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.mdig.html b/bind/bind9/doc/arm/man.mdig.html
index b6c6f122..be967015 100644
--- a/bind/bind9/doc/arm/man.mdig.html
+++ b/bind/bind9/doc/arm/man.mdig.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>mdig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dig.html" title="dig">
-<link rel="next" href="man.host.html" title="host">
+<link rel="prev" href="man.lwresd.html" title="lwresd">
+<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">mdig</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.dig.html">Prev</a> </td>
+<a accesskey="p" href="man.lwresd.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,69 +32,29 @@
 </div>
 <div class="refentry">
 <a name="man.mdig"></a><div class="titlepage"></div>
-  
-  
-  
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">mdig</span>
-     &#8212; DNS pipelined lookup utility
-  </p>
+<p><span class="application">mdig</span> &#8212; DNS pipelined lookup utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">mdig</code> 
-       {@server}
-       [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-v</code>]
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-m</code>]
-       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
-       [<code class="option">-i</code>]
-       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
-       [plusopt...]
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">mdig</code> 
-       {-h}
-    </p></div>
-
-    <div class="cmdsynopsis"><p>
-      <code class="command">mdig</code> 
-       [@server]
-       {global-opt...}
-       {
+<div class="cmdsynopsis"><p><code class="command">mdig</code>  {@server} [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v</code>] [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [<code class="option">-m</code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-i</code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [plusopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">mdig</code>  {-h}</p></div>
+<div class="cmdsynopsis"><p><code class="command">mdig</code>  [@server] {global-opt...} {
          {local-opt...}
           {query}
-      ...}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.3.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>mdig</strong></span>
+      ...}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.22.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>mdig</strong></span>
       is a multiple/pipelined query version of <span class="command"><strong>dig</strong></span>:
       instead of waiting for a response after sending each query,
       it begins by sending all queries. Responses are displayed in
       the order in which they are received, not in the order the
       corresponding queries were sent.
     </p>
-
-    <p>
+<p>
       <span class="command"><strong>mdig</strong></span> options are a subset of the
       <span class="command"><strong>dig</strong></span> options, and are divided into "anywhere
       options" which can occur anywhere, "global options" which must
@@ -102,8 +62,7 @@
       and "local options" which apply to the next query on the command
       line.
     </p>
-
-    <p>
+<p>
       The {@server} option is a mandatory global
       option.  It is the name or IP address of the name server to query.
       (Unlike <span class="command"><strong>dig</strong></span>, this value is not retrieved from
@@ -114,16 +73,14 @@
       <span class="command"><strong>mdig</strong></span> resolves that name before querying
       the name server.
     </p>
-
-    <p><span class="command"><strong>mdig</strong></span>
+<p><span class="command"><strong>mdig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
       these set or reset flag bits in the query header, some determine which
       sections of the answer get printed, and others determine the timeout
       and retry strategies.
     </p>
-
-    <p>
+<p>
       Each query option is identified by a keyword preceded by a plus
       sign (<code class="literal">+</code>).  Some keywords set or reset an
       option.  These may be preceded by the string <code class="literal">no</code>
@@ -131,13 +88,10 @@
       values to options like the timeout interval.  They have the
       form <code class="option">+keyword=value</code>.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.3.8"></a><h2>ANYWHERE OPTIONS</h2>
-
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.22.8"></a><h2>ANYWHERE OPTIONS</h2>
+<p>
       The <code class="option">-f</code> option makes <span class="command"><strong>mdig</strong></span>
       operate in batch mode by reading a list of lookup requests to
       process from the file <em class="parameter"><code>filename</code></em>.  The file
@@ -145,45 +99,36 @@
       file should be organized in the same way they would be presented
       as queries to <span class="command"><strong>mdig</strong></span> using the command-line interface.
     </p>
-
-    <p>
+<p>
       The <code class="option">-h</code> causes <span class="command"><strong>mdig</strong></span> to
       print the detailed help with the full list of options and exit.
     </p>
-
-    <p>
+<p>
       The <code class="option">-v</code> causes <span class="command"><strong>mdig</strong></span> to
       print the version number and exit.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.3.9"></a><h2>GLOBAL OPTIONS</h2>
-
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.22.9"></a><h2>GLOBAL OPTIONS</h2>
+<p>
       The <code class="option">-4</code> option forces <span class="command"><strong>mdig</strong></span> to
       only use IPv4 query transport.
     </p>
-
-    <p>
+<p>
       The <code class="option">-6</code> option forces <span class="command"><strong>mdig</strong></span> to
       only use IPv6 query transport.
     </p>
-
-    <p>
+<p>
       The <code class="option">-b</code> option sets the source IP address of the
       query to <em class="parameter"><code>address</code></em>.  This must be a valid
       address on one of the host's network interfaces or "0.0.0.0" or
       "::".  An optional port may be specified by appending
       "#&lt;port&gt;"
     </p>
-
-    <p>
+<p>
       The <code class="option">-m</code> option enables memory usage debugging.
     </p>
-
-    <p>
+<p>
       The <code class="option">-p</code> option is used when a non-standard port
       number is to be queried.
       <em class="parameter"><code>port#</code></em> is the port number
@@ -192,69 +137,55 @@
       test a name server that has been configured to listen for
       queries on a non-standard port number.
     </p>
-
-    <p>
+<p>
       The global query options are:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the additional section of a
               reply.  The default is to display it.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set or clear all display flags.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the answer section of a
               reply.  The default is to display it.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the authority section of a
               reply.  The default is to display it.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Attempt to display the contents of messages which are
               malformed.  The default is to not display malformed
               answers.
-            </p>
-          </dd>
+            </p></dd>
+<dt><span class="term"><code class="option">+burst</code></span></dt>
+<dd><p>
+              This option delays queries until the start of the next second.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cl</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the CLASS when printing the
               record.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Toggle the display of comment lines in the output.
               The default is to print comments.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]continue</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Continue on errors (e.g. timeouts).
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Toggle the display of cryptographic fields in DNSSEC
               records.  The contents of these field are unnecessary
               to debug most DNSSEC validation failures and removing
@@ -263,53 +194,41 @@
               are replaced by the string "[omitted]" or in the
               DNSKEY case the key id is displayed as the replacement,
               e.g. "[ key id = value ]".
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+dscp[=value]</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set the DSCP code point to be used when sending the
               query.  Valid DSCP code points are in the range
               [0..63].  By default no code point is explicitly set.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Print records like the SOA records in a verbose
               multi-line format with human-readable comments.  The
               default is to print each record on a single line, to
               facilitate machine parsing of the <span class="command"><strong>mdig</strong></span>
               output.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Print [do not print] the question section of a query
               when an answer is returned.  The default is to print
               the question section as a comment.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Toggle the display of per-record comments in the
               output (for example, human-readable key information
               about DNSKEY records).  The default is not to print
               record comments unless multiline mode is active.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Provide a terse answer.  The default is to print the
               answer in a verbose form.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+split=W</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Split long hex- or base64-formatted fields in resource
               records into chunks of <em class="parameter"><code>W</code></em>
               characters (where <em class="parameter"><code>W</code></em> is rounded
@@ -318,69 +237,54 @@
               <em class="parameter"><code>+split=0</code></em> causes fields not to
               be split at all.  The default is 56 characters, or
               44 characters when multiline mode is active.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Use [do not use] TCP when querying name servers. The
               default behavior is to use UDP.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the TTL when printing the
               record.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ttlunits</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Display [do not display] the TTL in friendly human-readable
               time units of "s", "m", "h", "d", and "w", representing
               seconds, minutes, hours, days and weeks.  Implies +ttlid.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Use [do not use] TCP when querying name servers.  This
               alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
               is provided for backwards compatibility.  The "vc"
               stands for "virtual circuit".
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.3.10"></a><h2>LOCAL OPTIONS</h2>
-
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.22.10"></a><h2>LOCAL OPTIONS</h2>
+<p>
       The <code class="option">-c</code> option sets the query class to
       <em class="parameter"><code>class</code></em>.  It can be any valid query class
       which is supported in BIND 9.  The default query class is "IN".
     </p>
-
-    <p>
+<p>
       The <code class="option">-t</code> option sets the query type to
       <em class="parameter"><code>type</code></em>.  It can be any valid query type
       which is supported in BIND 9.  The default query type is "A",
       unless the <code class="option">-x</code> option is supplied to indicate
       a reverse lookup with the "PTR" query type.
     </p>
-
-    <p>
+<p>
       The <code class="option">-i</code> option sets the reverse domain for
       IPv6 addresses to IP6.INT.
     </p>
-
-    <p>
+<p>
       Reverse lookups &#8212; mapping addresses to names &#8212; are
       simplified by the <code class="option">-x</code> option.
       <em class="parameter"><code>addr</code></em> is an IPv4
@@ -392,26 +296,20 @@
       under the IP6.ARPA domain.  To use the older RFC1886 method
       using the IP6.INT domain specify the <code class="option">-i</code> option.
     </p>
-
-    <p>
+<p>
       The local query options are:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the "aa" flag in the query.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set [do not set] the AD (authentic data) bit in the
               query.  This requests the server to return whether
               all of the answer and authority sections have all
@@ -421,110 +319,87 @@
               from a OPT-OUT range.  AD=0 indicate that some part
               of the answer was insecure or not validated.  This
               bit is set by default.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set the UDP message buffer size advertised using EDNS0
               to <em class="parameter"><code>B</code></em> bytes.  The maximum and
               minimum sizes of this buffer are 65535 and 0 respectively.
               Values outside this range are rounded up or down
               appropriately.  Values other than zero will cause a
               EDNS query to be sent.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set [do not set] the CD (checking disabled) bit in
               the query.  This requests the server to not perform
               DNSSEC validation of responses.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Send a COOKIE EDNS option, with optional value.
 	      Replaying a COOKIE from a previous response will allow
 	      the server to identify a previous client.  The default
 	      is <code class="option">+nocookie</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Requests DNSSEC records be sent by setting the DNSSEC
               OK bit (DO) in the OPT record in the additional section
               of the query.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
-<dd>
-            <p>
+<dd><p>
                Specify the EDNS version to query with.  Valid values
                are 0 to 255.  Setting the EDNS version will cause
                a EDNS query to be sent.  <code class="option">+noedns</code>
                clears the remembered EDNS version.  EDNS is set to
                0 by default.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set the must-be-zero EDNS flags bits (Z bits) to the
               specified value. Decimal, hex and octal encodings are
               accepted. Setting a named flag (e.g. DO) will silently be
               ignored. By default, no Z bits are set.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Specify EDNS option with code point <code class="option">code</code>
               and optionally payload of <code class="option">value</code> as a
               hexadecimal string.  <code class="option">+noednsopt</code>
               clears the EDNS options to be sent.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]expire</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Send an EDNS Expire option.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Include an EDNS name server ID request when sending
               a query.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Toggle the setting of the RD (recursion desired) bit
               in the query.  This bit is set by default, which means
               <span class="command"><strong>mdig</strong></span> normally sends recursive
               queries.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the number of times to retry UDP queries to
               server to <em class="parameter"><code>T</code></em> instead of the
               default, 2.  Unlike <em class="parameter"><code>+tries</code></em>,
               this does not include the initial query.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
 <dd>
-	    <p>
+<p>
 	      Send (don't send) an EDNS Client Subnet option with the
               specified IP address or network prefix.
 	    </p>
-	    <p>
+<p>
               <span class="command"><strong>mdig +subnet=0.0.0.0/0</strong></span>, or simply
               <span class="command"><strong>mdig +subnet=0</strong></span> for short, sends an EDNS
               client-subnet option with an empty address and a source
@@ -533,82 +408,70 @@
               <span class="emphasis"><em>not</em></span> be used when resolving
               this query.
 	    </p>
-          </dd>
+</dd>
 <dt><span class="term"><code class="option">+timeout=T</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the timeout for a query to
               <em class="parameter"><code>T</code></em> seconds.  The default
               timeout is 5 seconds for UDP transport and 10 for TCP.
               An attempt to set <em class="parameter"><code>T</code></em> to less
               than 1 will result
               in a query timeout of 1 second being applied.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the number of times to try UDP queries to server
               to <em class="parameter"><code>T</code></em> instead of the default,
               3.  If <em class="parameter"><code>T</code></em> is less than or equal
               to zero, the number of tries is silently rounded up
               to 1.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+udptimeout=T</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Sets the timeout between UDP query retries.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print all RDATA in unknown RR type presentation format
 	      (RFC 3597). The default is to print RDATA for known types
 	      in the type's presentation format.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Set [do not set] the last unassigned DNS header flag in a
               DNS query.  This flag is off by default.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.3.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.22.11"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
       <em class="citetitle">RFC1035</em>.
     </p>
-  </div>
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.dig.html">Prev</a> </td>
+<a accesskey="p" href="man.lwresd.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">dig </td>
+<td width="40%" align="left" valign="top">
+<span class="application">lwresd</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> host</td>
+<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
+</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.named-checkconf.html b/bind/bind9/doc/arm/man.named-checkconf.html
index ba8c8aeb..bb51a18c 100644
--- a/bind/bind9/doc/arm/man.named-checkconf.html
+++ b/bind/bind9/doc/arm/man.named-checkconf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,10 +10,10 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named.conf.html" title="named.conf">
+<link rel="prev" href="man.mdig.html" title="mdig">
 <link rel="next" href="man.named-checkzone.html" title="named-checkzone">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -22,7 +22,7 @@
 <tr><th colspan="3" align="center"><span class="application">named-checkconf</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.named.conf.html">Prev</a> </td>
+<a accesskey="p" href="man.mdig.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
 </td>
@@ -32,45 +32,26 @@
 </div>
 <div class="refentry">
 <a name="man.named-checkconf"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-checkconf</span>
-     &#8212; named configuration file syntax checking tool
-  </p>
+<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-checkconf</code> 
-       [<code class="option">-hjvz</code>]
-       [<code class="option">-p</code>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-hjvz</code>] [<code class="option">-p</code>
 	 [<code class="option">-x</code>
-      ]]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       {filename}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.21.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named-checkconf</strong></span>
+      ]] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.23.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a
       <span class="command"><strong>named</strong></span> configuration file.  The file is parsed
       and checked for syntax errors, along with all files included by it.
       If no file is specified, <code class="filename">/etc/named.conf</code> is read
       by default.
     </p>
-    <p>
+<p>
       Note: files that <span class="command"><strong>named</strong></span> reads in separate
       parser contexts, such as <code class="filename">rndc.key</code> and
       <code class="filename">bind.keys</code>, are not automatically read
@@ -80,50 +61,37 @@
       successful.  <span class="command"><strong>named-checkconf</strong></span> can be run
       on these files explicitly, however.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.21.8"></a><h2>OPTIONS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.23.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print the usage summary and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-j</span></dt>
-<dd>
-          <p>
+<dd><p>
             When loading a zonefile read the journal if it exists.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Print out the <code class="filename">named.conf</code> and included files
 	    in canonical form if no errors were detected.
             See also the <code class="option">-x</code> option.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Chroot to <code class="filename">directory</code> so that include
             directives in the configuration file are processed as if
             run by a similarly chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print the version of the <span class="command"><strong>named-checkconf</strong></span>
             program and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-x</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    When printing the configuration files in canonical
             form, obscure shared secrets by replacing them with
             strings of question marks ('?'). This allows the
@@ -131,67 +99,53 @@
             files to be shared &#8212; for example, when submitting
             bug reports &#8212; without compromising private data.
             This option cannot be used without <code class="option">-p</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-z</span></dt>
-<dd>
-          <p>
+<dd><p>
 	    Perform a test load of all master zones found in
 	    <code class="filename">named.conf</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">filename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The name of the configuration file to be checked.  If not
             specified, it defaults to <code class="filename">/etc/named.conf</code>.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.21.9"></a><h2>RETURN VALUES</h2>
-
-    <p><span class="command"><strong>named-checkconf</strong></span>
+</div>
+<div class="refsection">
+<a name="id-1.14.23.9"></a><h2>RETURN VALUES</h2>
+<p><span class="command"><strong>named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.21.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkzone</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.23.10"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.named.conf.html">Prev</a> </td>
+<a accesskey="p" href="man.mdig.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<code class="filename">named.conf</code> </td>
+<span class="application">mdig</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">named-checkzone</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.named-checkzone.html b/bind/bind9/doc/arm/man.named-checkzone.html
index 32388acd..75e675f2 100644
--- a/bind/bind9/doc/arm/man.named-checkzone.html
+++ b/bind/bind9/doc/arm/man.named-checkzone.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
@@ -32,94 +32,24 @@
 </div>
 <div class="refentry">
 <a name="man.named-checkzone"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-checkzone</span>, 
-    <span class="application">named-compilezone</span>
-     &#8212; zone file validity checking or converting tool
-  </p>
+<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-checkzone</code> 
-       [<code class="option">-d</code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-j</code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
-       [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
-       [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
-       {zonename}
-       {filename}
-    </p></div>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-compilezone</code> 
-       [<code class="option">-d</code>]
-       [<code class="option">-j</code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
-       [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
-       [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
-       [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
-       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
-       [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
-       {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
-       {zonename}
-       {filename}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.22.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named-checkzone</strong></span>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.24.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span class="command"><strong>named</strong></span> does when loading a
       zone.  This makes <span class="command"><strong>named-checkzone</strong></span> useful for
       checking zone files before configuring them into a name server.
     </p>
-    <p>
+<p>
         <span class="command"><strong>named-compilezone</strong></span> is similar to
 	<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
         zone contents to a specified file in a specified format.
@@ -130,62 +60,45 @@
         least be as strict as those specified in the
 	<span class="command"><strong>named</strong></span> configuration file.
      </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.22.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.24.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-d</span></dt>
-<dd>
-          <p>
+<dd><p>
             Enable debugging.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print the usage summary and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-          <p>
+<dd><p>
             Quiet mode - exit code only.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Print the version of the <span class="command"><strong>named-checkzone</strong></span>
             program and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-j</span></dt>
-<dd>
-          <p>
+<dd><p>
             When loading a zone file, read the journal if it exists.
             The journal file name is assumed to be the zone file name
 	    appended with the string <code class="filename">.jnl</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             When loading the zone file read the journal from the given
             file, if it exists. (Implies -j.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the class of the zone.  If not specified, "IN" is assumed.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	      Perform post-load zone integrity checks.  Possible modes are
 	      <span class="command"><strong>"full"</strong></span> (default),
 	      <span class="command"><strong>"full-sibling"</strong></span>,
@@ -193,19 +106,19 @@
 	      <span class="command"><strong>"local-sibling"</strong></span> and
 	      <span class="command"><strong>"none"</strong></span>.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that MX records
 	      refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
 	      checks MX records which refer to in-zone hostnames.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
 	      refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  Mode <span class="command"><strong>"local"</strong></span> only
 	      checks SRV records which refer to in-zone hostnames.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
 	      records refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  It also checks that glue address records
@@ -214,33 +127,31 @@
 	      refer to in-zone hostnames or that some required glue exists,
 	      that is when the nameserver is in a child zone.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"full-sibling"</strong></span> and
 	      <span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
 	      checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
 	      and <span class="command"><strong>"local"</strong></span> respectively.
 	  </p>
-	  <p>
+<p>
 	      Mode <span class="command"><strong>"none"</strong></span> disables the checks.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specify the format of the zone file.
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Specify the format of the output file specified.
 	    For <span class="command"><strong>named-checkzone</strong></span>,
 	    this does not cause any effects unless it dumps the zone
 	    contents.
 	  </p>
-	  <p>
+<p>
 	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 	    which is the standard textual representation of the zone,
 	    and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
@@ -251,10 +162,9 @@
             any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
             can be read by release 9.9.0 or higher; the default is 1.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Perform <span class="command"><strong>"check-names"</strong></span> checks with the
 	    specified failure mode.
             Possible modes are <span class="command"><strong>"fail"</strong></span>
@@ -262,48 +172,38 @@
             <span class="command"><strong>"warn"</strong></span>
 	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets a maximum permissible TTL for the input file.
             Any record with a TTL higher than this value will cause
             the zone to be rejected.  This is similar to using the
             <span class="command"><strong>max-zone-ttl</strong></span> option in
             <code class="filename">named.conf</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             When compiling a zone to "raw" or "map" format, set the
             "source serial" value in the header to the specified serial
             number.  (This is expected to be used primarily for testing
             purposes.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify whether MX records should be checked to see if they
             are addresses.  Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Check if a MX record refers to a CNAME.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify whether NS records should be checked to see if they
             are addresses.
 	    Possible modes are <span class="command"><strong>"fail"</strong></span>
@@ -311,30 +211,24 @@
             <span class="command"><strong>"warn"</strong></span>
 	    (default for <span class="command"><strong>named-checkzone</strong></span>) and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Write zone output to <code class="filename">filename</code>.
 	    If <code class="filename">filename</code> is <code class="filename">-</code> then
 	    write to standard out.
 	    This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
             Check for records that are treated as different by DNSSEC but
 	    are semantically equal in plain DNS.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Specify the style of the dumped zone file.
 	    Possible styles are <span class="command"><strong>"full"</strong></span> (default)
 	    and <span class="command"><strong>"relative"</strong></span>.
@@ -347,102 +241,75 @@
 	    contents.
 	    It also does not have any meaning if the output format
 	    is not text.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Check if a SRV record refers to a CNAME.
             Possible modes are <span class="command"><strong>"fail"</strong></span>,
             <span class="command"><strong>"warn"</strong></span> (default) and
             <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-        </dd>
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Chroot to <code class="filename">directory</code> so that
             include
             directives in the configuration file are processed as if
             run by a similarly chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Check if Sender Policy Framework (SPF) records exist
 	    and issues a warning if an SPF-formatted TXT record is
 	    not also present.  Possible modes are <span class="command"><strong>"warn"</strong></span>
 	    (default), <span class="command"><strong>"ignore"</strong></span>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             chdir to <code class="filename">directory</code> so that
             relative
             filenames in master file $INCLUDE directives work.  This
             is similar to the directory clause in
             <code class="filename">named.conf</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D</span></dt>
-<dd>
-          <p>
+<dd><p>
             Dump zone file in canonical format.
 	    This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify whether to check for non-terminal wildcards.
             Non-terminal wildcards are almost always the result of a
             failure to understand the wildcard matching algorithm (RFC 1034).
             Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
             and
             <span class="command"><strong>"ignore"</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">zonename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The domain name of the zone being checked.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">filename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The name of the zone file.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.22.9"></a><h2>RETURN VALUES</h2>
-
-    <p><span class="command"><strong>named-checkzone</strong></span>
+</div>
+<div class="refsection">
+<a name="id-1.14.24.9"></a><h2>RETURN VALUES</h2>
+<p><span class="command"><strong>named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.22.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkconf</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.24.10"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -463,6 +330,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.named-journalprint.html b/bind/bind9/doc/arm/man.named-journalprint.html
index 87bb1cf8..9a6228b4 100644
--- a/bind/bind9/doc/arm/man.named-journalprint.html
+++ b/bind/bind9/doc/arm/man.named-journalprint.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-journalprint</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
@@ -32,38 +32,22 @@
 </div>
 <div class="refentry">
 <a name="man.named-journalprint"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-journalprint</span>
-     &#8212; print zone journal in human-readable form
-  </p>
+<p><span class="application">named-journalprint</span> &#8212; print zone journal in human-readable form</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-journalprint</code> 
-       {<em class="replaceable"><code>journal</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.23.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">named-journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.25.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>named-journalprint</strong></span>
       prints the contents of a zone journal file in a human-readable
       form.
     </p>
-    <p>
+<p>
       Journal files are automatically created by <span class="command"><strong>named</strong></span>
       when changes are made to dynamic zones (e.g., by
       <span class="command"><strong>nsupdate</strong></span>).  They record each addition
@@ -74,29 +58,22 @@
       <code class="filename">.jnl</code> to the name of the corresponding
       zone file.
     </p>
-    <p>
+<p>
       <span class="command"><strong>named-journalprint</strong></span> converts the contents of a given
       journal file into a human-readable text format.  Each line begins
       with "add" or "del", to indicate whether the record was added or
       deleted, and continues with the resource record in master-file
       format.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.23.8"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">nsupdate</span>(1)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.25.8"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -117,6 +94,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.named-nzd2nzf.html b/bind/bind9/doc/arm/man.named-nzd2nzf.html
index 5b3f5b29..4407a489 100644
--- a/bind/bind9/doc/arm/man.named-nzd2nzf.html
+++ b/bind/bind9/doc/arm/man.named-nzd2nzf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,7 +10,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-nzd2nzf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.named-journalprint.html" title="named-journalprint">
@@ -32,34 +32,19 @@
 </div>
 <div class="refentry">
 <a name="man.named-nzd2nzf"></a><div class="titlepage"></div>
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-nzd2nzf</span>
-     &#8212; 
+<p><span class="application">named-nzd2nzf</span> &#8212; 
       Convert an NZD database to NZF text format
-    
-  </p>
+    </p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-nzd2nzf</code> 
-       {filename}
-    </p></div>
-  </div>
-
-  <div class="refsect1">
-<a name="id-1.14.24.6"></a><h2>DESCRIPTION</h2>
-    
-    <p>
+<div class="cmdsynopsis"><p><code class="command">named-nzd2nzf</code>  {filename}</p></div>
+</div>
+<div class="refsect1">
+<a name="id-1.14.26.6"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>named-nzd2nzf</strong></span> converts an NZD database to NZF
       format and prints it to standard output.  This can be used to
       review the configuration of zones that were added to
@@ -68,37 +53,28 @@
       when rolling back from a newer version
       of BIND to an older version.
     </p>
-  </div>
-
-  <div class="refsect1">
-<a name="id-1.14.24.7"></a><h2>ARGUMENTS</h2>
-    
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsect1">
+<a name="id-1.14.26.7"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">filename</span></dt>
-<dd>
-          <p>
+<dd><p>
             The name of the <code class="filename">.nzd</code> file whose contents
             should be printed.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsect1">
-<a name="id-1.14.24.8"></a><h2>SEE ALSO</h2>
-    
-    <p>
+</div>
+<div class="refsect1">
+<a name="id-1.14.26.8"></a><h2>SEE ALSO</h2>
+<p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>
     </p>
-  </div>
-
-  <div class="refsect1">
-<a name="id-1.14.24.9"></a><h2>AUTHOR</h2>
-    
-    <p><span class="corpauthor">Internet Systems Consortium</span>
+</div>
+<div class="refsect1">
+<a name="id-1.14.26.9"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -119,6 +95,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.named-rrchecker.html b/bind/bind9/doc/arm/man.named-rrchecker.html
index 86d52a26..033670ca 100644
--- a/bind/bind9/doc/arm/man.named-rrchecker.html
+++ b/bind/bind9/doc/arm/man.named-rrchecker.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-rrchecker</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.named-nzd2nzf.html" title="named-nzd2nzf">
-<link rel="next" href="man.nsupdate.html" title="nsupdate">
+<link rel="next" href="man.named.conf.html" title="named.conf">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -24,7 +24,7 @@
 <td width="20%" align="left">
 <a accesskey="p" href="man.named-nzd2nzf.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,75 +32,50 @@
 </div>
 <div class="refentry">
 <a name="man.named-rrchecker"></a><div class="titlepage"></div>
-  
-  
-  
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named-rrchecker</span>
-     &#8212; syntax checker for individual DNS resource records
-  </p>
+<p><span class="application">named-rrchecker</span> &#8212; syntax checker for individual DNS resource records</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named-rrchecker</code> 
-       [<code class="option">-h</code>]
-       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
-       [<code class="option">-p</code>]
-       [<code class="option">-u</code>]
-       [<code class="option">-C</code>]
-       [<code class="option">-T</code>]
-       [<code class="option">-P</code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.25.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named-rrchecker</strong></span>
+<div class="cmdsynopsis"><p><code class="command">named-rrchecker</code>  [<code class="option">-h</code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-u</code>] [<code class="option">-C</code>] [<code class="option">-T</code>] [<code class="option">-P</code>]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.27.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>named-rrchecker</strong></span>
      read a individual DNS resource record from standard input and checks if it
      is syntactically correct.
     </p>
-    <p>
+<p>
       The <code class="option">-h</code> prints out the help menu.
     </p>
-    <p>
+<p>
       The <code class="option">-o <em class="replaceable"><code>origin</code></em></code>
       option specifies a origin to be used when interpreting the record.
     </p>
-    <p>
+<p>
       The <code class="option">-p</code> prints out the resulting record in canonical
       form.  If there is no canonical form defined then the record will be
       printed in unknown record format.
     </p>
-    <p>
+<p>
       The <code class="option">-u</code> prints out the resulting record in unknown record
       form.
     </p>
-    <p>
+<p>
       The <code class="option">-C</code>, <code class="option">-T</code> and <code class="option">-P</code>
       print out the known class, standard type and private type mnemonics
       respectively.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.25.8"></a><h2>SEE ALSO</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.27.8"></a><h2>SEE ALSO</h2>
+<p>
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
@@ -109,18 +84,18 @@
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-nzd2nzf.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">named-nzd2nzf</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">nsupdate</span>
+<td width="40%" align="right" valign="top"> <code class="filename">named.conf</code>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.named.conf.html b/bind/bind9/doc/arm/man.named.conf.html
index 957d0a2b..018c8474 100644
--- a/bind/bind9/doc/arm/man.named.conf.html
+++ b/bind/bind9/doc/arm/man.named.conf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named.html" title="named">
-<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
+<link rel="prev" href="man.named-rrchecker.html" title="named-rrchecker">
+<link rel="next" href="man.named.html" title="named">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><code class="filename">named.conf</code></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a> </td>
+<a accesskey="p" href="man.named-rrchecker.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,61 +32,42 @@
 </div>
 <div class="refentry">
 <a name="man.named.conf"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <code class="filename">named.conf</code>
-     &#8212; configuration file for <span class="command"><strong>named</strong></span>
-  </p>
+<p><code class="filename">named.conf</code> &#8212; configuration file for <span class="command"><strong>named</strong></span></p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named.conf</code> 
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.7"></a><h2>DESCRIPTION</h2>
-
-    <p><code class="filename">named.conf</code> is the configuration file
+<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.7"></a><h2>DESCRIPTION</h2>
+<p><code class="filename">named.conf</code> is the configuration file
       for
       <span class="command"><strong>named</strong></span>.  Statements are enclosed
       in braces and terminated with a semi-colon.  Clauses in
       the statements are also semi-colon terminated.  The usual
       comment styles are supported:
     </p>
-    <p>
+<p>
       C style: /* */
     </p>
-    <p>
+<p>
       C++ style: // to end of line
     </p>
-    <p>
+<p>
       Unix style: # to end of line
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.8"></a><h2>ACL</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.8"></a><h2>ACL</h2>
+<div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.9"></a><h2>CONTROLS</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.9"></a><h2>CONTROLS</h2>
+<div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
 	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow<br>
@@ -99,43 +80,35 @@ controls {<br>
 	    <em class="replaceable"><code>boolean</code></em> ];<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.10"></a><h2>DLZ</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.10"></a><h2>DLZ</h2>
+<div class="literallayout"><p><br>
 dlz <em class="replaceable"><code>string</code></em> {<br>
 	database <em class="replaceable"><code>string</code></em>;<br>
 	search <em class="replaceable"><code>boolean</code></em>;<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.11"></a><h2>DYNDB</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.11"></a><h2>DYNDB</h2>
+<div class="literallayout"><p><br>
 dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
     <em class="replaceable"><code>unspecified-text</code></em> };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.12"></a><h2>KEY</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.12"></a><h2>KEY</h2>
+<div class="literallayout"><p><br>
 key <em class="replaceable"><code>string</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
 	secret <em class="replaceable"><code>string</code></em>;<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.13"></a><h2>LOGGING</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.13"></a><h2>LOGGING</h2>
+<div class="literallayout"><p><br>
 logging {<br>
 	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
@@ -152,12 +125,10 @@ logging {<br>
 	};<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.14"></a><h2>LWRES</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.14"></a><h2>LWRES</h2>
+<div class="literallayout"><p><br>
 lwres {<br>
 	listen-on [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
 	    | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };<br>
@@ -168,32 +139,26 @@ lwres {<br>
 	view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ];<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.15"></a><h2>MANAGED-KEYS</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.15"></a><h2>MANAGED-KEYS</h2>
+<div class="literallayout"><p><br>
 managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.16"></a><h2>MASTERS</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.16"></a><h2>MASTERS</h2>
+<div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
     <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
     port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port<br>
     <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.17"></a><h2>OPTIONS</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.17"></a><h2>OPTIONS</h2>
+<div class="literallayout"><p><br>
 options {<br>
 	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -469,12 +434,10 @@ options {<br>
 	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.18"></a><h2>SERVER</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.18"></a><h2>SERVER</h2>
+<div class="literallayout"><p><br>
 server <em class="replaceable"><code>netprefix</code></em> {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
 	edns <em class="replaceable"><code>boolean</code></em>;<br>
@@ -506,12 +469,10 @@ server <em class="replaceable"><code>netprefix</code></em> {<br>
 	transfers <em class="replaceable"><code>integer</code></em>;<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.19"></a><h2>STATISTICS-CHANNELS</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.19"></a><h2>STATISTICS-CHANNELS</h2>
+<div class="literallayout"><p><br>
 statistics-channels {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
 	    * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [<br>
@@ -519,21 +480,17 @@ statistics-channels {<br>
 	    } ];<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.20"></a><h2>TRUSTED-KEYS</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.20"></a><h2>TRUSTED-KEYS</h2>
+<div class="literallayout"><p><br>
 trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.21"></a><h2>VIEW</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.21"></a><h2>VIEW</h2>
+<div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -884,12 +841,10 @@ view <em class="replaceable"><code>string</code></em> [ <em class="replaceable">
 	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.22"></a><h2>ZONE</h2>
-
-    <div class="literallayout"><p><br>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.22"></a><h2>ZONE</h2>
+<div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -983,57 +938,42 @@ zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable">
 	zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
 };<br>
 </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.23"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/named.conf</code>
+</div>
+<div class="refsection">
+<a name="id-1.14.28.23"></a><h2>FILES</h2>
+<p><code class="filename">/etc/named.conf</code>
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.20.24"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">ddns-confgen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named-checkconf</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">rndc</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">rndc-confgen</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.28.24"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a> </td>
+<a accesskey="p" href="man.named-rrchecker.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">named</span> </td>
+<span class="application">named-rrchecker</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
+<td width="40%" align="right" valign="top"> <span class="application">named</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.named.html b/bind/bind9/doc/arm/man.named.html
index 4a9c575e..597b3841 100644
--- a/bind/bind9/doc/arm/man.named.html
+++ b/bind/bind9/doc/arm/man.named.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.lwresd.html" title="lwresd">
-<link rel="next" href="man.named.conf.html" title="named.conf">
+<link rel="prev" href="man.named.conf.html" title="named.conf">
+<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">named</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.lwresd.html">Prev</a> </td>
+<a accesskey="p" href="man.named.conf.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,93 +32,46 @@
 </div>
 <div class="refentry">
 <a name="man.named"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">named</span>
-     &#8212; Internet domain name server
-  </p>
+<p><span class="application">named</span> &#8212; Internet domain name server</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">named</code> 
-       [
-	[<code class="option">-4</code>]
-	 |  [<code class="option">-6</code>]
-      ]
-       [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
-       [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
-       [<code class="option">-D <em class="replaceable"><code>string</code></em></code>]
-       [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>]
-       [<code class="option">-f</code>]
-       [<code class="option">-g</code>]
-       [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>]
-       [<code class="option">-M <em class="replaceable"><code>option</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-s</code>]
-       [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
-       [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>]
-       [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.19.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>named</strong></span>
+<div class="cmdsynopsis"><p><code class="command">named</code>  [[<code class="option">-4</code>] |  [<code class="option">-6</code>]] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-D <em class="replaceable"><code>string</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>] [<code class="option">-M <em class="replaceable"><code>option</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.29.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
       information on the DNS, see RFCs 1033, 1034, and 1035.
     </p>
-    <p>
+<p>
       When invoked without arguments, <span class="command"><strong>named</strong></span>
       will
       read the default configuration file
       <code class="filename">/etc/named.conf</code>, read any initial
       data, and listen for queries.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.19.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.29.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-4</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use IPv4 only even if the host machine is capable of IPv6.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-6</span></dt>
-<dd>
-          <p>
+<dd><p>
             Use IPv6 only even if the host machine is capable of IPv4.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>config-file</code></em> as the
             configuration file instead of the default,
             <code class="filename">/etc/named.conf</code>.  To
@@ -128,33 +81,28 @@
             <code class="option">directory</code> option in the configuration
             file, <em class="replaceable"><code>config-file</code></em> should be
             an absolute pathname.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
             Debugging traces from <span class="command"><strong>named</strong></span> become
             more verbose as the debug level increases.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>string</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a string that is used to identify a instance of
             <span class="command"><strong>named</strong></span> in a process listing.  The contents
             of <em class="replaceable"><code>string</code></em> are
             not examined.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
 <dd>
-          <p>
+<p>
             When applicable, specifies the hardware to use for
             cryptographic operations, such as a secure key store used
             for signing.
           </p>
-          <p>
+<p>
             When BIND is built with OpenSSL PKCS#11 support, this defaults
             to the string "pkcs11", which identifies an OpenSSL engine
             that can drive a cryptographic accelerator or hardware service
@@ -162,40 +110,31 @@
             (--enable-native-pkcs11), it defaults to the path of the PKCS#11
             provider library specified via "--with-pkcs11".
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-f</span></dt>
-<dd>
-          <p>
+<dd><p>
             Run the server in the foreground (i.e. do not daemonize).
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-g</span></dt>
-<dd>
-          <p>
+<dd><p>
             Run the server in the foreground and force all logging
             to <code class="filename">stderr</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>logfile</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Log to the file <code class="option">logfile</code> by default
             instead of the system log.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-M <em class="replaceable"><code>option</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Sets the default memory context options.  Currently
             the only supported option is
             <em class="replaceable"><code>external</code></em>,
             which causes the internal memory manager to be bypassed
             in favor of system-provided memory allocation functions.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Turn on memory usage debugging flags.  Possible flags are
             <em class="replaceable"><code>usage</code></em>,
             <em class="replaceable"><code>trace</code></em>,
@@ -204,51 +143,46 @@
             <em class="replaceable"><code>mctx</code></em>.
             These correspond to the ISC_MEM_DEBUGXXXX flags described in
             <code class="filename">&lt;isc/mem.h&gt;</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Create <em class="replaceable"><code>#cpus</code></em> worker threads
             to take advantage of multiple CPUs.  If not specified,
             <span class="command"><strong>named</strong></span> will try to determine the
             number of CPUs present and create one thread per CPU.
             If it is unable to determine the number of CPUs, a
             single worker thread will be created.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
             specified, the default is port 53.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd>
-          <p>
+<p>
             Write memory usage statistics to <code class="filename">stdout</code> on exit.
           </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               This option is mainly of interest to BIND 9 developers
               and may be removed or changed in a future release.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Allow <span class="command"><strong>named</strong></span> to use up to
             <em class="replaceable"><code>#max-socks</code></em> sockets.
             The default value is 4096 on systems built with default
             configuration options, and 21000 on systems built with
             "configure --with-tuning=large".
           </p>
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
+<p>
               This option should be unnecessary for the vast majority
               of users.
               The use of this option could even be harmful because the
@@ -263,18 +197,18 @@
               <span class="command"><strong>named</strong></span> reserves some file descriptors
               for its internal use.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd>
-          <p>Chroot
+<p>Chroot
             to <em class="replaceable"><code>directory</code></em> after
             processing the command line arguments, but before
             reading the configuration file.
           </p>
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
+<p>
               This option should be used in conjunction with the
               <code class="option">-u</code> option, as chrooting a process
               running as root doesn't enhance security on most
@@ -282,11 +216,10 @@
               defined allows a process with root privileges to
               escape a chroot jail.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Use <em class="replaceable"><code>#listeners</code></em>
             worker threads to listen for incoming UDP packets on each
             address.  If not specified, <span class="command"><strong>named</strong></span> will
@@ -299,18 +232,17 @@
             be increased as high as that value, but no higher.
             On Windows, the number of UDP listeners is hardwired to 1
             and this option has no effect.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
 <dd>
-          <p>Setuid
+<p>Setuid
             to <em class="replaceable"><code>user</code></em> after completing
             privileged operations, such as creating sockets that
             listen on privileged ports.
           </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-            <p>
+<p>
               On Linux, <span class="command"><strong>named</strong></span> uses the kernel's
                         capability mechanism to drop all root privileges
               except the ability to <code class="function">bind(2)</code> to
@@ -323,23 +255,18 @@
               later, since previous kernels did not allow privileges
               to be retained after <code class="function">setuid(2)</code>.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Report the version number and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-          <p>
+<dd><p>
             Report the version number and build options, and exit.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-X <em class="replaceable"><code>lock-file</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Acquire a lock on the specified file at runtime; this
             helps to prevent duplicate <span class="command"><strong>named</strong></span> instances
             from running simultaneously.
@@ -347,68 +274,54 @@
             option in <code class="filename">named.conf</code>.
             If set to <code class="literal">none</code>, the lock file check
             is disabled.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
 <dd>
-          <p>
+<p>
             Load data from <em class="replaceable"><code>cache-file</code></em> into the
             cache of the default view.
           </p>
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-            <p>
+<p>
               This option must not be used.  It is only of interest
               to BIND 9 developers and may be removed or changed in a
               future release.
             </p>
-          </div>
-        </dd>
+</div>
+</dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.19.9"></a><h2>SIGNALS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.29.9"></a><h2>SIGNALS</h2>
+<p>
       In routine operation, signals should not be used to control
       the nameserver; <span class="command"><strong>rndc</strong></span> should be used
       instead.
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">SIGHUP</span></dt>
-<dd>
-          <p>
+<dd><p>
             Force a reload of the server.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">SIGINT, SIGTERM</span></dt>
-<dd>
-          <p>
+<dd><p>
             Shut down the server.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-    <p>
+<p>
       The result of sending any other signals to the server is undefined.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.19.10"></a><h2>CONFIGURATION</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.29.10"></a><h2>CONFIGURATION</h2>
+<p>
       The <span class="command"><strong>named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
       in the
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-
-    <p>
+<p>
       <span class="command"><strong>named</strong></span> inherits the <code class="function">umask</code>
       (file creation mode mask) from the parent process. If files
       created by <span class="command"><strong>named</strong></span>, such as journal files,
@@ -416,80 +329,53 @@
       should be set explicitly in the script used to start the
       <span class="command"><strong>named</strong></span> process.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.19.11"></a><h2>FILES</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.29.11"></a><h2>FILES</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             The default configuration file.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             The default process-id file.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.19.12"></a><h2>SEE ALSO</h2>
-
-    <p><em class="citetitle">RFC 1033</em>,
+</div>
+<div class="refsection">
+<a name="id-1.14.29.12"></a><h2>SEE ALSO</h2>
+<p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkconf</span>
-        (8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named-checkzone</span>
-        (8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc</span>
-        (8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">lwresd</span>
-        (8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named.conf</span>
-        (5)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.lwresd.html">Prev</a> </td>
+<a accesskey="p" href="man.named.conf.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">lwresd</span> </td>
+<code class="filename">named.conf</code> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <code class="filename">named.conf</code>
+<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.nsec3hash.html b/bind/bind9/doc/arm/man.nsec3hash.html
index e9ca0c19..a133b5db 100644
--- a/bind/bind9/doc/arm/man.nsec3hash.html
+++ b/bind/bind9/doc/arm/man.nsec3hash.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nsec3hash</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
-<link rel="next" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
+<link rel="prev" href="man.named.html" title="named">
+<link rel="next" href="man.nslookup.html" title="nslookup">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">nsec3hash</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
+<a accesskey="p" href="man.named.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.pkcs11-destroy.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.nslookup.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,105 +32,72 @@
 </div>
 <div class="refentry">
 <a name="man.nsec3hash"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">nsec3hash</span>
-     &#8212; generate NSEC3 hash
-  </p>
+<p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">nsec3hash</code> 
-       {<em class="replaceable"><code>salt</code></em>}
-       {<em class="replaceable"><code>algorithm</code></em>}
-       {<em class="replaceable"><code>iterations</code></em>}
-       {<em class="replaceable"><code>domain</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.35.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>nsec3hash</strong></span> generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
       of NSEC3 records in a signed zone.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.35.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.30.8"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">salt</span></dt>
-<dd>
-          <p>
+<dd><p>
             The salt provided to the hash algorithm.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">algorithm</span></dt>
-<dd>
-          <p>
+<dd><p>
             A number indicating the hash algorithm.  Currently the
             only supported hash algorithm for NSEC3 is SHA-1, which is
             indicated by the number 1; consequently "1" is the only
             useful value for this argument.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">iterations</span></dt>
-<dd>
-          <p>
+<dd><p>
             The number of additional times the hash should be performed.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">domain</span></dt>
-<dd>
-          <p>
+<dd><p>
             The domain name to be hashed.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.35.9"></a><h2>SEE ALSO</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.30.9"></a><h2>SEE ALSO</h2>
+<p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5155</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
+<a accesskey="p" href="man.named.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-destroy.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.nslookup.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">isc-hmac-fixup</span> </td>
+<span class="application">named</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">pkcs11-destroy</span>
-</td>
+<td width="40%" align="right" valign="top"> nslookup</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.nslookup.html b/bind/bind9/doc/arm/man.nslookup.html
index d9de9eea..ee394768 100644
--- a/bind/bind9/doc/arm/man.nslookup.html
+++ b/bind/bind9/doc/arm/man.nslookup.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.delv.html" title="delv">
-<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
+<link rel="prev" href="man.nsec3hash.html" title="nsec3hash">
+<link rel="next" href="man.nsupdate.html" title="nsupdate">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center">nslookup</th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.delv.html">Prev</a> </td>
+<a accesskey="p" href="man.nsec3hash.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,35 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.nslookup"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    nslookup
-     &#8212; query Internet name servers interactively
-  </p>
+<p>nslookup &#8212; query Internet name servers interactively</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">nslookup</code> 
-       [<code class="option">-option</code>]
-       [name | -]
-       [server]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.6.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>Nslookup</strong></span>
+<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [<code class="option">-option</code>] [name | -] [server]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.31.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>Nslookup</strong></span>
       is a program to query Internet domain name servers.  <span class="command"><strong>Nslookup</strong></span>
       has two modes: interactive and non-interactive.  Interactive mode allows
       the user to query name servers for information about various hosts and
@@ -69,37 +51,29 @@
       used to print just the name and requested information for a host or
       domain.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.6.8"></a><h2>ARGUMENTS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.31.8"></a><h2>ARGUMENTS</h2>
+<p>
       Interactive mode is entered in the following cases:
       </p>
 <div class="orderedlist"><ol class="orderedlist" type="a">
-<li class="listitem">
-          <p>
+<li class="listitem"><p>
             when no arguments are given (the default name server will be used)
-          </p>
-        </li>
-<li class="listitem">
-          <p>
+          </p></li>
+<li class="listitem"><p>
             when the first argument is a hyphen (-) and the second argument is
             the host name or Internet address of a name server.
-          </p>
-        </li>
+          </p></li>
 </ol></div>
 <p>
     </p>
-
-    <p>
+<p>
       Non-interactive mode is used when the name or Internet address of the
       host to be looked up is given as the first argument. The optional second
       argument specifies the host name or address of a name server.
     </p>
-
-    <p>
+<p>
       Options can also be specified on the command line if they precede the
       arguments and are prefixed with a hyphen.  For example, to
       change the default query type to host information, and the initial
@@ -112,277 +86,238 @@ nslookup -query=hinfo  -timeout=10
 <p>
       
     </p>
-    <p>
+<p>
       The <code class="option">-version</code> option causes
       <span class="command"><strong>nslookup</strong></span> to print the version
       number and immediately exits.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.6.9"></a><h2>INTERACTIVE COMMANDS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.31.9"></a><h2>INTERACTIVE COMMANDS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
 <dd>
-          <p>
+<p>
             Look up information for host using the current default server or
             using server, if specified.  If host is an Internet address and
             the query type is A or PTR, the name of the host is returned.
             If host is a name and does not have a trailing period, the
             search list is used to qualify the name.
           </p>
-
-          <p>
+<p>
             To look up a host not in the current domain, append a period to
             the name.
           </p>
-        </dd>
+</dd>
 <dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p></p>
-        </dd>
+<dd><p></p></dd>
 <dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
             server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
             the current default server.  If an authoritative answer can't be
             found, the names of servers that might have the answer are
             returned.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">root</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">view</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">help</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">?</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             not implemented
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd>
-          <p>
+<dd><p>
             Exits the program.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term"><code class="constant">set</code>
           <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
 <dd>
-          <p>
+<p>
             This command is used to change state information that affects
             the lookups.  Valid keywords are:
             </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">all</code></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     Prints the current values of the frequently used
                     options to <span class="command"><strong>set</strong></span>.
                     Information about the  current default
                     server and host is also printed.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-                  <p>
+<p>
                     Change the query class to one of:
                     </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd>
-                          <p>
+<dd><p>
                             the Internet class
-                          </p>
-                        </dd>
+                          </p></dd>
 <dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd>
-                          <p>
+<dd><p>
                             the Chaos class
-                          </p>
-                        </dd>
+                          </p></dd>
 <dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd>
-                          <p>
+<dd><p>
                             the Hesiod class
-                          </p>
-                        </dd>
+                          </p></dd>
 <dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd>
-                          <p>
+<dd><p>
                             wildcard
-                          </p>
-                        </dd>
+                          </p></dd>
 </dl></div>
 <p>
                     The class specifies the protocol group of the information.
 
                   </p>
-		  <p>
+<p>
                     (Default = IN; abbreviation = cl)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
 <dd>
-                  <p>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
+<p>
+                    Turn on or off the display of the full response packet and
+                    any intermediate response packets when searching.
                   </p>
-		  <p>
+<p>
                     (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
 <dd>
-                  <p>
+<p>
                     Turn debugging mode on or off.  This displays more about
-	            what nslookup is doing.
+                    what nslookup is doing.
                   </p>
-		  <p>
+<p>
                     (Default = nod2)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     Sets the search list to <em class="replaceable"><code>name</code></em>.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
 <dd>
-                  <p>
+<p>
                     If the lookup request contains at least one period but
                     doesn't end with a trailing period, append the domain
                     names in the domain search list to the request until an
                     answer is received.
                   </p>
-		  <p>
+<p>
                     (Default = search)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-                  <p>
+<p>
                     Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
                   </p>
-		  <p>
+<p>
                     (Default = 53; abbreviation = po)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-                  <p></p>
-                </dd>
+<dd><p></p></dd>
 <dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
-                  <p>
+<p>
                     Change the type of the information query.
                   </p>
-		  <p>
-                    (Default = A; abbreviations = q, ty)
+<p>
+                    (Default = A and then AAAA; abbreviations = q, ty)
                   </p>
-                </dd>
+<p>
+                      <span class="bold"><strong>Note:</strong></span> It is
+                      only possible to specify one query type, only
+                      the default behavior looks up both when an
+                      alternative is not specified.
+                    </p>
+</dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
 <dd>
-                  <p>
+<p>
                     Tell the name server to query other servers if it does not
                     have the
                     information.
                   </p>
-		  <p>
+<p>
                     (Default = recurse; abbreviation = [no]rec)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
-		    Set the number of dots (label separators) in a domain
-		    that will disable searching.  Absolute names always
-		    stop searching.
-                  </p>
-                </dd>
+<dd><p>
+                    Set the number of dots (label separators) in a domain
+                    that will disable searching.  Absolute names always
+                    stop searching.
+                  </p></dd>
 <dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     Set the number of retries to number.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-                  <p>
+<dd><p>
                     Change the initial timeout interval for waiting for a
                     reply to number seconds.
-                  </p>
-                </dd>
+                  </p></dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
 <dd>
-                  <p>
+<p>
                     Always use a virtual circuit when sending requests to the
                     server.
                   </p>
-		  <p>
+<p>
                     (Default = novc)
                   </p>
-                </dd>
+</dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
 <dd>
-                  <p>
-		    Try the next nameserver if a nameserver responds with
-		    SERVFAIL or a referral (nofail) or terminate query
-		    (fail) on such a response.
-		  </p>
-		  <p>
+<p>
+                    Try the next nameserver if a nameserver responds with
+                    SERVFAIL or a referral (nofail) or terminate query
+                    (fail) on such a response.
+                  </p>
+<p>
                     (Default = nofail)
                   </p>
-	        </dd>
+</dd>
 </dl></div>
 <p>
           </p>
-        </dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.6.10"></a><h2>RETURN VALUES</h2>
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.31.10"></a><h2>RETURN VALUES</h2>
+<p>
       <span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
       if any query failed, and 0 otherwise.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.6.11"></a><h2>IDN SUPPORT</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.31.11"></a><h2>IDN SUPPORT</h2>
+<p>
       If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
       <span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
@@ -394,48 +329,39 @@ nslookup -query=hinfo  -timeout=10
       <span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
       a tty.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.6.12"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
+</div>
+<div class="refsection">
+<a name="id-1.14.31.12"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.6.13"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">dig</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">host</span>(1)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>.
+</div>
+<div class="refsection">
+<a name="id-1.14.31.13"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
-  </div>
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.delv.html">Prev</a> </td>
+<a accesskey="p" href="man.nsec3hash.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">delv </td>
+<td width="40%" align="left" valign="top">
+<span class="application">nsec3hash</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-checkds</span>
+<td width="40%" align="right" valign="top"> <span class="application">nsupdate</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.nsupdate.html b/bind/bind9/doc/arm/man.nsupdate.html
index d6c65179..0e52d22c 100644
--- a/bind/bind9/doc/arm/man.nsupdate.html
+++ b/bind/bind9/doc/arm/man.nsupdate.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named-rrchecker.html" title="named-rrchecker">
-<link rel="next" href="man.rndc.html" title="rndc">
+<link rel="prev" href="man.nslookup.html" title="nslookup">
+<link rel="next" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">nsupdate</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.named-rrchecker.html">Prev</a> </td>
+<a accesskey="p" href="man.nslookup.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.pkcs11-destroy.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,51 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.nsupdate"></a><div class="titlepage"></div>
-  
-  
-
-  
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">nsupdate</span>
-     &#8212; Dynamic DNS update utility
-  </p>
+<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">nsupdate</code> 
-       [<code class="option">-d</code>]
-       [<code class="option">-D</code>]
-       [<code class="option">-i</code>]
-       [<code class="option">-L <em class="replaceable"><code>level</code></em></code>]
-       [
-	[<code class="option">-g</code>]
-	 |  [<code class="option">-o</code>]
-	 |  [<code class="option">-l</code>]
-	 |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>]
-	 |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]
-      ]
-       [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>]
-       [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>]
-       [<code class="option">-v</code>]
-       [<code class="option">-T</code>]
-       [<code class="option">-P</code>]
-       [<code class="option">-V</code>]
-       [filename]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.26.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>nsupdate</strong></span>
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [<code class="option">-i</code>] [<code class="option">-L <em class="replaceable"><code>level</code></em></code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [filename]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.32.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>nsupdate</strong></span>
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
       This allows resource records to be added or removed from a zone
@@ -85,27 +51,27 @@
       one
       resource record.
     </p>
-    <p>
+<p>
       Zones that are under dynamic control via
       <span class="command"><strong>nsupdate</strong></span>
       or a DHCP server should not be edited by hand.
       Manual edits could
       conflict with dynamic updates and cause data to be lost.
     </p>
-    <p>
+<p>
       The resource records that are dynamically added or removed with
       <span class="command"><strong>nsupdate</strong></span>
       have to be in the same zone.
       Requests are sent to the zone's master server.
       This is identified by the MNAME field of the zone's SOA record.
     </p>
-    <p>
+<p>
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
       in RFC 2845 or the SIG(0) record described in RFC 2535 and
       RFC 2931 or GSS-TSIG as described in RFC 3645.
     </p>
-    <p>
+<p>
       TSIG relies on
       a shared secret that should only be known to
       <span class="command"><strong>nsupdate</strong></span> and the name server.
@@ -120,47 +86,37 @@
       uses the <code class="option">-y</code> or <code class="option">-k</code> options
       to provide the TSIG shared secret.  These options are mutually exclusive.
     </p>
-    <p>
+<p>
       SIG(0) uses public key cryptography.
       To use a SIG(0) key, the public key must be stored in a KEY
       record in a zone served by the name server.
     </p>
-    <p>
+<p>
       GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
       is switched on with the <code class="option">-g</code> flag.  A
       non-standards-compliant variant of GSS-TSIG used by Windows
       2000 can be switched on with the <code class="option">-o</code> flag.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.26.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.32.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-d</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Debug mode. This provides tracing information about the
 	    update requests that are made and the replies received
 	    from the name server.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-D</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Extra debug mode.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-i</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Force interactive mode, even when standard input is not a terminal.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The file containing the TSIG authentication key.
 	    Keyfiles may be in two formats: a single file containing
 	    a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span>
@@ -172,11 +128,9 @@
 	    The <code class="option">-k</code> may also be used to specify a SIG(0) key used
 	    to authenticate Dynamic DNS update requests.  In this case, the key
 	    specified is not an HMAC-MD5 key.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-l</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Local-host only mode. This sets the server address to
 	    localhost (disabling the <span class="command"><strong>server</strong></span> so that the server
 	    address cannot be overridden).  Connections to the local server will
@@ -185,40 +139,30 @@
 	    local master zone has set <span class="command"><strong>update-policy</strong></span> to
 	    <span class="command"><strong>local</strong></span>.  The location of this key file can be
 	    overridden with the <code class="option">-k</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the logging debug level.  If zero, logging is disabled.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Set the port to use for connections to a name server. The
 	    default is 53.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-P</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the list of private BIND-specific resource record
 	    types whose format is understood
 	    by <span class="command"><strong>nsupdate</strong></span>. See also
 	    the <code class="option">-T</code> option.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The number of UDP retries. The default is 3. If zero, only
 	    one update request will be made.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
-	<p>
+<dd><p>
 	  Where to obtain randomness. If the operating system
 	  does not provide a <code class="filename">/dev/random</code> or
 	  equivalent device, the default source of randomness is keyboard
@@ -227,60 +171,51 @@
 	  instead of the default.  The special value
 	  <code class="filename">keyboard</code> indicates that keyboard input
 	  should be used.  This option may be specified multiple times.
-	</p>
-	</dd>
+	</p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The maximum time an update request can take before it is
 	    aborted. The default is 300 seconds. Zero can be used to
 	    disable the timeout.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-T</span></dt>
 <dd>
-	  <p>
+<p>
 	    Print the list of IANA standard resource record types
 	    whose format is understood by <span class="command"><strong>nsupdate</strong></span>.
 	    <span class="command"><strong>nsupdate</strong></span> will exit after the lists are
 	    printed. The <code class="option">-T</code> option can be combined
 	    with the <code class="option">-P</code> option.
 	  </p>
-	  <p>
+<p>
 	    Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
 	    decimal value of the type with no leading zeros.  The rdata,
 	    if present, will be parsed using the UNKNOWN rdata format,
 	    (&lt;backslash&gt; &lt;hash&gt; &lt;space&gt; &lt;length&gt;
 	    &lt;space&gt; &lt;hexstring&gt;).
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    The UDP retry interval. The default is 3 seconds. If zero,
 	    the interval will be computed from the timeout interval and
 	    number of UDP retries.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use TCP even for small update requests.
 	    By default, <span class="command"><strong>nsupdate</strong></span>
 	    uses UDP to send update requests to the name server unless they are too
 	    large to fit in a UDP request in which case TCP will be used.
 	    TCP may be preferable when a batch of update requests is made.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Print the version number and exit.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
 <dd>
-	  <p>
+<p>
 	    Literal TSIG authentication key.
 	    <em class="parameter"><code>keyname</code></em> is the name of the key, and
 	    <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
@@ -292,23 +227,19 @@
 	    is not specified, the default is <code class="literal">hmac-md5</code>
 	    or if MD5 was disabled <code class="literal">hmac-sha256</code>.
 	  </p>
-	  <p>
+<p>
 	    NOTE: Use of the <code class="option">-y</code> option is discouraged because the
 	    shared secret is supplied as a command line argument in clear text.
 	    This may be visible in the output from
-	    <span class="citerefentry">
-	      <span class="refentrytitle">ps</span>(1)
-	    </span>
+	    <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
 	    or in a history file maintained by the user's shell.
 	  </p>
-	</dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.26.9"></a><h2>INPUT FORMAT</h2>
-
-    <p><span class="command"><strong>nsupdate</strong></span>
+</div>
+<div class="refsection">
+<a name="id-1.14.32.9"></a><h2>INPUT FORMAT</h2>
+<p><span class="command"><strong>nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
       or standard input.
@@ -322,7 +253,7 @@
       Updates will be rejected if the tests for the prerequisite conditions
       fail.
     </p>
-    <p>
+<p>
       Every update request consists of zero or more prerequisites
       and zero or more updates.
       This allows a suitably authenticated update request to proceed if some
@@ -332,7 +263,7 @@
       accumulated commands to be sent as one Dynamic DNS update request to the
       name server.
     </p>
-    <p>
+<p>
       The command formats and their meaning are as follows:
       </p>
 <div class="variablelist"><dl class="variablelist">
@@ -341,8 +272,7 @@
 	       {servername}
 	       [port]
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sends all dynamic update requests to the name server
 	      <em class="parameter"><code>servername</code></em>.
 	      When no server statement is provided,
@@ -358,15 +288,13 @@
 	      If no port number is specified, the default DNS port number of
 	      53 is
 	      used.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>local</strong></span>
 	       {address}
 	       [port]
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sends all dynamic update requests using the local
 	      <em class="parameter"><code>address</code></em>.
 
@@ -378,14 +306,12 @@
 	      can additionally be used to make requests come from a specific
 	      port.
 	      If no port number is specified, the system will assign one.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>zone</strong></span>
 	       {zonename}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specifies that all updates are to be made to the zone
 	      <em class="parameter"><code>zonename</code></em>.
 	      If no
@@ -394,38 +320,32 @@
 	      <span class="command"><strong>nsupdate</strong></span>
 	      will attempt determine the correct zone to update based on the
 	      rest of the input.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>class</strong></span>
 	       {classname}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specify the default class.
 	      If no <em class="parameter"><code>class</code></em> is specified, the
 	      default class is
 	      <em class="parameter"><code>IN</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>ttl</strong></span>
 	       {seconds}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specify the default time to live for records to be added.
 	      The value <em class="parameter"><code>none</code></em> will clear the default
 	      ttl.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>key</strong></span>
 	       [hmac:] {keyname}
 	       {secret}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Specifies that all updates are to be TSIG-signed using the
 	      <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
 	      If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
@@ -434,80 +354,66 @@
 	      <code class="literal">hmac-sha256</code>.  The <span class="command"><strong>key</strong></span>
 	      command overrides any key specified on the command line via
 	      <code class="option">-y</code> or <code class="option">-k</code>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	    <span class="command"><strong>gsstsig</strong></span>
 	  </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Use GSS-TSIG to sign the updated.  This is equivalent to
 	      specifying <code class="option">-g</code> on the command line.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	    <span class="command"><strong>oldgsstsig</strong></span>
 	  </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
 	      This is equivalent to specifying <code class="option">-o</code> on the
 	      command line.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	    <span class="command"><strong>realm</strong></span>
 	     {[<span class="optional">realm_name</span>]}
 	  </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
 	      than the default realm in <code class="filename">krb5.conf</code>.  If no
 	      realm is specified the saved realm is cleared.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	    <span class="command"><strong>check-names</strong></span>
 	     {[<span class="optional">yes_or_no</span>]}
 	  </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Turn on or off check-names processing on records to
 	      be added.  Check-names has no effect on prerequisites
 	      or records to be deleted.  By default check-names
 	      processing is on.  If check-names processing fails
 	      the record will not be added to the UPDATE message.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] nxdomain</strong></span>
 	       {domain-name}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Requires that no resource record of any type exists with name
 	      <em class="parameter"><code>domain-name</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] yxdomain</strong></span>
 	       {domain-name}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Requires that
 	      <em class="parameter"><code>domain-name</code></em>
 	      exists (has as at least one resource record, of any type).
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] nxrrset</strong></span>
 	       {domain-name}
 	       [class]
 	       {type}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Requires that no resource record exists of the specified
 	      <em class="parameter"><code>type</code></em>,
 	      <em class="parameter"><code>class</code></em>
@@ -516,16 +422,14 @@
 	      If
 	      <em class="parameter"><code>class</code></em>
 	      is omitted, IN (internet) is assumed.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
 	       {domain-name}
 	       [class]
 	       {type}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      This requires that a resource record of the specified
 	      <em class="parameter"><code>type</code></em>,
 	      <em class="parameter"><code>class</code></em>
@@ -535,8 +439,7 @@
 	      If
 	      <em class="parameter"><code>class</code></em>
 	      is omitted, IN (internet) is assumed.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
 	       {domain-name}
@@ -544,8 +447,7 @@
 	       {type}
 	       {data...}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      The
 	      <em class="parameter"><code>data</code></em>
 	      from each set of prerequisites of this form
@@ -566,8 +468,7 @@
 	      are written in the standard text representation of the resource
 	      record's
 	      RDATA.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
 	       {domain-name}
@@ -575,8 +476,7 @@
 	       [class]
 	       [type [data...]]
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Deletes any resource records named
 	      <em class="parameter"><code>domain-name</code></em>.
 	      If
@@ -589,8 +489,7 @@
 	      is not supplied.  The
 	      <em class="parameter"><code>ttl</code></em>
 	      is ignored, and is only allowed for compatibility.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>[<span class="optional">update</span>] add</strong></span>
 	       {domain-name}
@@ -599,80 +498,62 @@
 	       {type}
 	       {data...}
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Adds a new resource record with the specified
 	      <em class="parameter"><code>ttl</code></em>,
 	      <em class="parameter"><code>class</code></em>
 	      and
 	      <em class="parameter"><code>data</code></em>.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>show</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Displays the current message, containing all of the
 	      prerequisites and
 	      updates specified since the last send.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>send</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Sends the current message.  This is equivalent to entering a
 	      blank line.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>answer</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Displays the answer.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>debug</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Turn on debugging.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>version</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print version number.
-	    </p>
-	  </dd>
+	    </p></dd>
 <dt><span class="term">
 	      <span class="command"><strong>help</strong></span>
 	    </span></dt>
-<dd>
-	    <p>
+<dd><p>
 	      Print a list of commands.
-	    </p>
-	  </dd>
+	    </p></dd>
 </dl></div>
 <p>
     </p>
-
-    <p>
+<p>
       Lines beginning with a semicolon are comments and are ignored.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.26.10"></a><h2>EXAMPLES</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.32.10"></a><h2>EXAMPLES</h2>
+<p>
       The examples below show how
       <span class="command"><strong>nsupdate</strong></span>
       could be used to insert and delete resource records from the
@@ -693,7 +574,7 @@
 </pre>
 <p>
     </p>
-    <p>
+<p>
       Any A records for
       <span class="type">oldhost.example.com</span>
       are deleted.
@@ -710,7 +591,7 @@
 </pre>
 <p>
     </p>
-    <p>
+<p>
       The prerequisite condition gets the name server to check that there
       are no resource records of any type for
       <span class="type">nickname.example.com</span>.
@@ -723,50 +604,33 @@
       (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
       RRSIG, DNSKEY and NSEC records.)
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.26.11"></a><h2>FILES</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.32.11"></a><h2>FILES</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    used to identify default name server
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    sets the default TSIG key for use in local-only mode
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    base-64 encoding of HMAC-MD5 key created by
-	    <span class="citerefentry">
-	      <span class="refentrytitle">dnssec-keygen</span>(8)
-	    </span>.
-	  </p>
-	</dd>
+	    <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+	  </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    base-64 encoding of HMAC-MD5 key created by
-	    <span class="citerefentry">
-	      <span class="refentrytitle">dnssec-keygen</span>(8)
-	    </span>.
-	  </p>
-	</dd>
+	    <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.26.12"></a><h2>SEE ALSO</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.32.12"></a><h2>SEE ALSO</h2>
+<p>
       <em class="citetitle">RFC 2136</em>,
       <em class="citetitle">RFC 3007</em>,
       <em class="citetitle">RFC 2104</em>,
@@ -774,49 +638,39 @@
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 2535</em>,
       <em class="citetitle">RFC 2931</em>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">ddns-confgen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">dnssec-keygen</span>(8)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.26.13"></a><h2>BUGS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.32.13"></a><h2>BUGS</h2>
+<p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
       for its cryptographic operations, and may change in future
       releases.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.named-rrchecker.html">Prev</a> </td>
+<a accesskey="p" href="man.nslookup.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-destroy.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-rrchecker</span> </td>
+<td width="40%" align="left" valign="top">nslookup </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">rndc</span>
+<td width="40%" align="right" valign="top"> <span class="application">pkcs11-destroy</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.pkcs11-destroy.html b/bind/bind9/doc/arm/man.pkcs11-destroy.html
index 108fd366..93ad6636 100644
--- a/bind/bind9/doc/arm/man.pkcs11-destroy.html
+++ b/bind/bind9/doc/arm/man.pkcs11-destroy.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>pkcs11-destroy</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.nsec3hash.html" title="nsec3hash">
-<link rel="next" href="man.pkcs11-list.html" title="pkcs11-list">
+<link rel="prev" href="man.nsupdate.html" title="nsupdate">
+<link rel="next" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">pkcs11-destroy</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.nsec3hash.html">Prev</a> </td>
+<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.pkcs11-list.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.pkcs11-keygen.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,136 +32,90 @@
 </div>
 <div class="refentry">
 <a name="man.pkcs11-destroy"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">pkcs11-destroy</span>
-     &#8212; destroy PKCS#11 objects
-  </p>
+<p><span class="application">pkcs11-destroy</span> &#8212; destroy PKCS#11 objects</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">pkcs11-destroy</code> 
-       [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
-       {
-         -i <em class="replaceable"><code>ID</code></em> 
-         |   -l <em class="replaceable"><code>label</code></em> 
-      }
-       [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
-       [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.36.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em>  |   -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.33.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>pkcs11-destroy</strong></span> destroys keys stored in a
       PKCS#11 device, identified by their <code class="option">ID</code> or
       <code class="option">label</code>.
     </p>
-    <p>
+<p>
       Matching keys are displayed before being destroyed.  By default,
       there is a five second delay to allow the user to interrupt the
       process before the destruction takes place.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.36.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.33.8"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PKCS#11 provider module.  This must be the full
             path to a shared library object implementing the PKCS#11 API
             for the device.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Open the session with the given PKCS#11 slot.  The default is
             slot 0.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Destroy keys with the given object ID.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Destroy keys with the given label.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PIN for the device.  If no PIN is provided on the
             command line, <span class="command"><strong>pkcs11-destroy</strong></span> will prompt for it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-w <em class="replaceable"><code>seconds</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify how long to pause before carrying out key destruction.
             The default is five seconds.  If set to <code class="literal">0</code>,
             destruction will be immediate.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.36.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-list</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-tokens</span>(8)
-      </span>
+</div>
+<div class="refsection">
+<a name="id-1.14.33.9"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.nsec3hash.html">Prev</a> </td>
+<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-list.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-keygen.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">nsec3hash</span> </td>
+<span class="application">nsupdate</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">pkcs11-list</span>
+<td width="40%" align="right" valign="top"> <span class="application">pkcs11-keygen</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.pkcs11-keygen.html b/bind/bind9/doc/arm/man.pkcs11-keygen.html
index 9bd1b48d..7f1110e0 100644
--- a/bind/bind9/doc/arm/man.pkcs11-keygen.html
+++ b/bind/bind9/doc/arm/man.pkcs11-keygen.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>pkcs11-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.pkcs11-list.html" title="pkcs11-list">
-<link rel="next" href="man.pkcs11-tokens.html" title="pkcs11-tokens">
+<link rel="prev" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
+<link rel="next" href="man.pkcs11-list.html" title="pkcs11-list">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">pkcs11-keygen</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.pkcs11-list.html">Prev</a> </td>
+<a accesskey="p" href="man.pkcs11-destroy.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.pkcs11-tokens.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.pkcs11-list.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,174 +32,115 @@
 </div>
 <div class="refentry">
 <a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">pkcs11-keygen</span>
-     &#8212; generate keys on a PKCS#11 device
-  </p>
+<p><span class="application">pkcs11-keygen</span> &#8212; generate keys on a PKCS#11 device</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">pkcs11-keygen</code> 
-       {-a <em class="replaceable"><code>algorithm</code></em>}
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-e</code>]
-       [<code class="option">-i <em class="replaceable"><code>id</code></em></code>]
-       [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
-       [<code class="option">-P</code>]
-       [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-S</code>]
-       [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
-       {label}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.38.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-e</code>] [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-q</code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] {label}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.34.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
       a new key pair with the given <code class="option">label</code> (which must be
       unique) and with <code class="option">keysize</code> bits of prime.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.38.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.34.8"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the key algorithm class: Supported classes are RSA,
             DSA, DH, ECC and ECX. In addition to these strings, the
             <code class="option">algorithm</code> can be specified as a DNSSEC
             signing algorithm that will be used with this key; for
             example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
             to ECC, and ED25519 to ECX.  The default class is "RSA".
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Create the key pair with <code class="option">keysize</code> bits of
             prime. For ECC keys, the only valid values are 256 and 384,
             and the default is 256. For ECX kyes, the only valid values
             are 256 and 456, and the default is 256.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-e</span></dt>
-<dd>
-          <p>
+<dd><p>
             For RSA keys only, use a large exponent.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Create key objects with id. The id is either
             an unsigned short 2 byte or an unsigned long 4 byte number.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PKCS#11 provider module.  This must be the full
             path to a shared library object implementing the PKCS#11 API
             for the device.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-P</span></dt>
-<dd>
-          <p>
+<dd><p>
             Set the new private key to be non-sensitive and extractable.
             The allows the private key data to be read from the PKCS#11
             device.  The default is for private keys to be sensitive and
             non-extractable.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PIN for the device.  If no PIN is provided on
             the command line, <span class="command"><strong>pkcs11-keygen</strong></span> will
             prompt for it.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-          <p>
+<dd><p>
             Quiet mode: suppress unnecessary output.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-S</span></dt>
-<dd>
-          <p>
+<dd><p>
             For Diffie-Hellman (DH) keys only, use a special prime of
             768, 1024 or 1536 bit size and base (aka generator) 2.
 	    If not specified, bit size will default to 1024.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Open the session with the given PKCS#11 slot.  The default is
             slot 0.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.38.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-destroy</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-list</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-tokens</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">dnssec-keyfromlabel</span>(8)
-      </span>
+</div>
+<div class="refsection">
+<a name="id-1.14.34.9"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keyfromlabel</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.pkcs11-list.html">Prev</a> </td>
+<a accesskey="p" href="man.pkcs11-destroy.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-tokens.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-list.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">pkcs11-list</span> </td>
+<span class="application">pkcs11-destroy</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">pkcs11-tokens</span>
+<td width="40%" align="right" valign="top"> <span class="application">pkcs11-list</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.pkcs11-list.html b/bind/bind9/doc/arm/man.pkcs11-list.html
index c419123b..68d3d9a9 100644
--- a/bind/bind9/doc/arm/man.pkcs11-list.html
+++ b/bind/bind9/doc/arm/man.pkcs11-list.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>pkcs11-list</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
-<link rel="next" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
+<link rel="prev" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
+<link rel="next" href="man.pkcs11-tokens.html" title="pkcs11-tokens">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">pkcs11-list</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.pkcs11-destroy.html">Prev</a> </td>
+<a accesskey="p" href="man.pkcs11-keygen.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.pkcs11-keygen.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.pkcs11-tokens.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,38 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.pkcs11-list"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">pkcs11-list</span>
-     &#8212; list PKCS#11 objects
-  </p>
+<p><span class="application">pkcs11-list</span> &#8212; list PKCS#11 objects</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">pkcs11-list</code> 
-       [<code class="option">-P</code>]
-       [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
-       [-i <em class="replaceable"><code>ID</code></em>]
-       [-l <em class="replaceable"><code>label</code></em>]
-       [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.37.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-list</code>  [<code class="option">-P</code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] [-i <em class="replaceable"><code>ID</code></em>] [-l <em class="replaceable"><code>label</code></em>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.35.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>pkcs11-list</strong></span>
       lists the PKCS#11 objects with <code class="option">ID</code> or
       <code class="option">label</code> or by default all objects.
@@ -72,92 +51,69 @@
       attribute is also displayed, as either <code class="literal">true</code>,
       <code class="literal">false</code>, or <code class="literal">never</code>.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.37.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.35.8"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-P</span></dt>
-<dd>
-          <p>
+<dd><p>
             List only the public objects. (Note that on some PKCS#11
             devices, all objects are private.)
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PKCS#11 provider module.  This must be the full
             path to a shared library object implementing the PKCS#11 API
             for the device.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Open the session with the given PKCS#11 slot.  The default is
             slot 0.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             List only key objects with the given object ID.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             List only key objects with the given label.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PIN for the device.  If no PIN is provided on the
             command line, <span class="command"><strong>pkcs11-list</strong></span> will prompt for it.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.37.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-destroy</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-tokens</span>(8)
-      </span>
+</div>
+<div class="refsection">
+<a name="id-1.14.35.9"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-tokens</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.pkcs11-destroy.html">Prev</a> </td>
+<a accesskey="p" href="man.pkcs11-keygen.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-keygen.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-tokens.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">pkcs11-destroy</span> </td>
+<span class="application">pkcs11-keygen</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">pkcs11-keygen</span>
+<td width="40%" align="right" valign="top"> <span class="application">pkcs11-tokens</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.pkcs11-tokens.html b/bind/bind9/doc/arm/man.pkcs11-tokens.html
index 3afdfaa9..c1596a52 100644
--- a/bind/bind9/doc/arm/man.pkcs11-tokens.html
+++ b/bind/bind9/doc/arm/man.pkcs11-tokens.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,10 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>pkcs11-tokens</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
+<link rel="prev" href="man.pkcs11-list.html" title="pkcs11-list">
+<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -21,104 +22,75 @@
 <tr><th colspan="3" align="center"><span class="application">pkcs11-tokens</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.pkcs11-keygen.html">Prev</a> </td>
+<a accesskey="p" href="man.pkcs11-list.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> </td>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
+</td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry">
 <a name="man.pkcs11-tokens"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">pkcs11-tokens</span>
-     &#8212; list PKCS#11 available tokens
-  </p>
+<p><span class="application">pkcs11-tokens</span> &#8212; list PKCS#11 available tokens</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">pkcs11-tokens</code> 
-       [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
-       [<code class="option">-v</code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.39.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-v</code>]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.36.7"></a><h2>DESCRIPTION</h2>
+<p>
       <span class="command"><strong>pkcs11-tokens</strong></span>
       lists the PKCS#11 available tokens with defaults from the slot/token
       scan performed at application initialization.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.39.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.36.8"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specify the PKCS#11 provider module.  This must be the full
             path to a shared library object implementing the PKCS#11 API
             for the device.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-v</span></dt>
-<dd>
-          <p>
+<dd><p>
             Make the PKCS#11 libisc initialization verbose.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.39.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-destroy</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-keygen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">pkcs11-list</span>(8)
-      </span>
+</div>
+<div class="refsection">
+<a name="id-1.14.36.9"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(8)</span>
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.pkcs11-keygen.html">Prev</a> </td>
+<a accesskey="p" href="man.pkcs11-list.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> </td>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
+</td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">pkcs11-keygen</span> </td>
+<span class="application">pkcs11-list</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> </td>
+<td width="40%" align="right" valign="top"> <span class="application">rndc-confgen</span>
+</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.rndc-confgen.html b/bind/bind9/doc/arm/man.rndc-confgen.html
index 251f0da6..74bd715a 100644
--- a/bind/bind9/doc/arm/man.rndc-confgen.html
+++ b/bind/bind9/doc/arm/man.rndc-confgen.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
-<link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
+<link rel="prev" href="man.pkcs11-tokens.html" title="pkcs11-tokens">
+<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><span class="application">rndc-confgen</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
+<a accesskey="p" href="man.pkcs11-tokens.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,43 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.rndc-confgen"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">rndc-confgen</span>
-     &#8212; rndc key generation tool
-  </p>
+<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">rndc-confgen</code> 
-       [<code class="option">-a</code>]
-       [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
-       [<code class="option">-h</code>]
-       [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
-       [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
-       [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.29.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>rndc-confgen</strong></span>
+<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.37.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>rndc-confgen</strong></span>
       generates configuration files
       for <span class="command"><strong>rndc</strong></span>.  It can be used as a
       convenient alternative to writing the
@@ -81,17 +55,13 @@
       avoid the need for a <code class="filename">rndc.conf</code> file
       and a <span class="command"><strong>controls</strong></span> statement altogether.
     </p>
-
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.29.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.37.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-a</span></dt>
 <dd>
-          <p>
+<p>
             Do automatic <span class="command"><strong>rndc</strong></span> configuration.
             This creates a file <code class="filename">rndc.key</code>
             in <code class="filename">/etc</code> (or whatever
@@ -106,7 +76,7 @@
             <span class="command"><strong>named</strong></span> on the local host
             with no further configuration.
           </p>
-          <p>
+<p>
             Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
             BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
             drop-in
@@ -114,7 +84,7 @@
             with no changes to the existing BIND 8
             <code class="filename">named.conf</code> file.
           </p>
-          <p>
+<p>
             If a more elaborate configuration than that
             generated by <span class="command"><strong>rndc-confgen -a</strong></span>
             is required, for example if rndc is to be used remotely,
@@ -125,57 +95,44 @@
             <code class="filename">named.conf</code>
             as directed.
           </p>
-        </dd>
+</dd>
 <dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
             hmac-sha384 and hmac-sha512.  The default is hmac-md5 or
             if MD5 was disabled hmac-sha256.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the size of the authentication key in bits.
             Must be between 1 and 512 bits; the default is the
             hash size.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Used with the <span class="command"><strong>-a</strong></span> option to specify
             an alternate location for <code class="filename">rndc.key</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-h</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints a short summary of the options and arguments to
             <span class="command"><strong>rndc-confgen</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the key name of the rndc authentication key.
             This must be a valid domain name.
             The default is <code class="constant">rndc-key</code>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the command channel port where <span class="command"><strong>named</strong></span>
             listens for connections from <span class="command"><strong>rndc</strong></span>.
             The default is 953.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies a source of random data for generating the
             authorization.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
@@ -186,30 +143,24 @@
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Specifies the IP address where <span class="command"><strong>named</strong></span>
             listens for command channel connections from
             <span class="command"><strong>rndc</strong></span>.  The default is the loopback
             address 127.0.0.1.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Used with the <span class="command"><strong>-a</strong></span> option to specify
             a directory where <span class="command"><strong>named</strong></span> will run
             chrooted.  An additional copy of the <code class="filename">rndc.key</code>
             will be written relative to this directory so that
             it will be found by the chrooted <span class="command"><strong>named</strong></span>.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-          <p>
+<dd><p>
             Used with the <span class="command"><strong>-a</strong></span> option to set the
             owner
             of the <code class="filename">rndc.key</code> file generated.
@@ -217,66 +168,54 @@
             <span class="command"><strong>-t</strong></span> is also specified only the file
             in
             the chroot area has its owner changed.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.29.9"></a><h2>EXAMPLES</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.37.9"></a><h2>EXAMPLES</h2>
+<p>
       To allow <span class="command"><strong>rndc</strong></span> to be used with
       no manual configuration, run
     </p>
-    <p><strong class="userinput"><code>rndc-confgen -a</code></strong>
+<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
     </p>
-    <p>
+<p>
       To print a sample <code class="filename">rndc.conf</code> file and
       corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
       statements to be manually inserted into <code class="filename">named.conf</code>,
       run
     </p>
-    <p><strong class="userinput"><code>rndc-confgen</code></strong>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.29.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">rndc</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">named</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.37.10"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
+<a accesskey="p" href="man.pkcs11-tokens.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<code class="filename">rndc.conf</code> </td>
+<span class="application">pkcs11-tokens</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">ddns-confgen</span>
+<td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.rndc.conf.html b/bind/bind9/doc/arm/man.rndc.conf.html
index 75bd4468..a318c961 100644
--- a/bind/bind9/doc/arm/man.rndc.conf.html
+++ b/bind/bind9/doc/arm/man.rndc.conf.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,11 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.rndc.html" title="rndc">
-<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
+<link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
+<link rel="next" href="man.rndc.html" title="rndc">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,9 +22,9 @@
 <tr><th colspan="3" align="center"><code class="filename">rndc.conf</code></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.rndc.html">Prev</a> </td>
+<a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
 </td>
 </tr>
 </table>
@@ -32,32 +32,17 @@
 </div>
 <div class="refentry">
 <a name="man.rndc.conf"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <code class="filename">rndc.conf</code>
-     &#8212; rndc configuration file
-  </p>
+<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">rndc.conf</code> 
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.28.7"></a><h2>DESCRIPTION</h2>
-
-    <p><code class="filename">rndc.conf</code> is the configuration file
+<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.38.7"></a><h2>DESCRIPTION</h2>
+<p><code class="filename">rndc.conf</code> is the configuration file
       for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
       <code class="filename">named.conf</code>.  Statements are enclosed
@@ -65,21 +50,21 @@
       the statements are also semi-colon terminated.  The usual
       comment styles are supported:
     </p>
-    <p>
+<p>
       C style: /* */
     </p>
-    <p>
+<p>
       C++ style: // to end of line
     </p>
-    <p>
+<p>
       Unix style: # to end of line
     </p>
-    <p><code class="filename">rndc.conf</code> is much simpler than
+<p><code class="filename">rndc.conf</code> is much simpler than
       <code class="filename">named.conf</code>.  The file uses three
       statements: an options statement, a server statement
       and a key statement.
     </p>
-    <p>
+<p>
       The <code class="option">options</code> statement contains five clauses.
       The <code class="option">default-server</code> clause is followed by the
       name or address of a name server.  This host will be used when
@@ -102,7 +87,7 @@
       can be used to set the IPv4 and IPv6 source addresses
       respectively.
     </p>
-    <p>
+<p>
       After the <code class="option">server</code> keyword, the server
       statement includes a string which is the hostname or address
       for a name server.  The statement has three possible clauses:
@@ -116,7 +101,7 @@
       of supplied then these will be used to specify the IPv4 and IPv6
       source addresses respectively.
     </p>
-    <p>
+<p>
       The <code class="option">key</code> statement begins with an identifying
       string, the name of the key.  The statement has two clauses.
       <code class="option">algorithm</code> identifies the authentication algorithm
@@ -127,7 +112,7 @@
       the base-64 encoding of the algorithm's authentication key.  The
       base-64 string is enclosed in double quotes.
     </p>
-    <p>
+<p>
       There are two common ways to generate the base-64 string for the
       secret.  The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
       can
@@ -140,13 +125,10 @@
       ship with BIND 9 but is available on many systems.  See the
       EXAMPLE section for sample command lines for each.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.28.8"></a><h2>EXAMPLE</h2>
-
-
-    <pre class="programlisting">
+</div>
+<div class="refsection">
+<a name="id-1.14.38.8"></a><h2>EXAMPLE</h2>
+<pre class="programlisting">
       options {
         default-server  localhost;
         default-key     samplekey;
@@ -154,14 +136,14 @@
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
       server localhost {
         key             samplekey;
       };
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
       server testserver {
         key		testkey;
         addresses	{ localhost port 5353; };
@@ -169,7 +151,7 @@
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
       key samplekey {
         algorithm       hmac-sha256;
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
@@ -177,7 +159,7 @@
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
       key testkey {
         algorithm	hmac-sha256;
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
@@ -185,8 +167,7 @@
     </pre>
 <p>
     </p>
-
-    <p>
+<p>
       In the above example, <span class="command"><strong>rndc</strong></span> will by
       default use
       the server at localhost (127.0.0.1) and the key called samplekey.
@@ -196,16 +177,16 @@
       uses the HMAC-SHA256 algorithm and its secret clause contains the
       base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
     </p>
-    <p>
+<p>
       If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
       connect to server on localhost port 5353 using the key testkey.
     </p>
-    <p>
+<p>
       To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
     </p>
-    <p><strong class="userinput"><code>rndc-confgen</code></strong>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
-    <p>
+<p>
       A complete <code class="filename">rndc.conf</code> file, including
       the
       randomly generated key, will be written to the standard
@@ -213,61 +194,50 @@
       <code class="option">controls</code> statements for
       <code class="filename">named.conf</code> are also printed.
     </p>
-    <p>
+<p>
       To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
     </p>
-    <p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
+<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.28.9"></a><h2>NAME SERVER CONFIGURATION</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.38.9"></a><h2>NAME SERVER CONFIGURATION</h2>
+<p>
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the <code class="filename">rndc.conf</code>
       file, using the controls statement in <code class="filename">named.conf</code>.
       See the sections on the <code class="option">controls</code> statement in the
       BIND 9 Administrator Reference Manual for details.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.28.10"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">rndc</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">rndc-confgen</span>(8)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">mmencode</span>(1)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.38.10"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.rndc.html">Prev</a> </td>
+<a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">rndc</span> </td>
+<span class="application">rndc-confgen</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">rndc-confgen</span>
+<td width="40%" align="right" valign="top"> <span class="application">rndc</span>
 </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/man.rndc.html b/bind/bind9/doc/arm/man.rndc.html
index 15692952..6ef7c0a5 100644
--- a/bind/bind9/doc/arm/man.rndc.html
+++ b/bind/bind9/doc/arm/man.rndc.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,11 +10,10 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.nsupdate.html" title="nsupdate">
-<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
+<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -22,52 +21,26 @@
 <tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
+<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
-</td>
+<td width="20%" align="right"> </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry">
 <a name="man.rndc"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">rndc</span>
-     &#8212; name server control utility
-  </p>
+<p><span class="application">rndc</span> &#8212; name server control utility</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">rndc</code> 
-       [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>]
-       [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
-       [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>]
-       [<code class="option">-s <em class="replaceable"><code>server</code></em></code>]
-       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
-       [<code class="option">-q</code>]
-       [<code class="option">-r</code>]
-       [<code class="option">-V</code>]
-       [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>]
-       {command}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.27.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>rndc</strong></span>
+<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.14.39.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>rndc</strong></span>
       controls the operation of a name
       server.  It supersedes the <span class="command"><strong>ndc</strong></span> utility
       that was provided in old BIND releases.  If
@@ -76,7 +49,7 @@
       supported commands and the available options and their
       arguments.
     </p>
-    <p><span class="command"><strong>rndc</strong></span>
+<p><span class="command"><strong>rndc</strong></span>
       communicates with the name server over a TCP connection, sending
       commands authenticated with digital signatures.  In the current
       versions of
@@ -90,38 +63,30 @@
       over the channel must be signed by a key_id known to the
       server.
     </p>
-    <p><span class="command"><strong>rndc</strong></span>
+<p><span class="command"><strong>rndc</strong></span>
       reads a configuration file to
       determine how to contact the name server and decide what
       algorithm and key it should use.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.27.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+</div>
+<div class="refsection">
+<a name="id-1.14.39.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use <em class="replaceable"><code>source-address</code></em>
 	    as the source address for the connection to the server.
 	    Multiple instances are permitted to allow setting of both
 	    the IPv4 and IPv6 source addresses.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use <em class="replaceable"><code>config-file</code></em>
 	    as the configuration file instead of the default,
 	    <code class="filename">/etc/rndc.conf</code>.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use <em class="replaceable"><code>key-file</code></em>
 	    as the key file instead of the default,
 	    <code class="filename">/etc/rndc.key</code>.  The key in
@@ -129,52 +94,40 @@
 	    authenticate
 	    commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
 	    does not exist.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
-<dd>
-	  <p><em class="replaceable"><code>server</code></em> is
+<dd><p><em class="replaceable"><code>server</code></em> is
 	    the name or address of the server which matches a
 	    server statement in the configuration file for
 	    <span class="command"><strong>rndc</strong></span>.  If no server is supplied on the
 	    command line, the host named by the default-server clause
 	    in the options statement of the <span class="command"><strong>rndc</strong></span>
 	    configuration file will be used.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Send commands to TCP port
 	    <em class="replaceable"><code>port</code></em>
 	    instead
 	    of BIND 9's default control channel port, 953.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-q</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Quiet mode: Message text returned by the server
 	    will not be printed except when there is an error.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-r</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Instructs <span class="command"><strong>rndc</strong></span> to print the result code
 	    returned by <span class="command"><strong>named</strong></span> after executing the
 	    requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-V</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Enable verbose logging.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Use the key <em class="replaceable"><code>key_id</code></em>
 	    from the configuration file.
 	    <em class="replaceable"><code>key_id</code></em>
@@ -190,26 +143,22 @@
 	    which are used to send authenticated control commands
 	    to name servers.  It should therefore not have general read
 	    or write access.
-	  </p>
-	</dd>
+	  </p></dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.27.9"></a><h2>COMMANDS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.39.9"></a><h2>COMMANDS</h2>
+<p>
       A list of commands supported by <span class="command"><strong>rndc</strong></span> can
       be seen by running <span class="command"><strong>rndc</strong></span> without arguments.
     </p>
-    <p>
+<p>
       Currently supported commands are:
     </p>
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Add a zone while the server is running.  This
 	    command requires the
 	    <span class="command"><strong>allow-new-zones</strong></span> option to be set
@@ -219,7 +168,7 @@
 	    configuration text that would ordinarily be
 	    placed in <code class="filename">named.conf</code>.
 	  </p>
-	  <p>
+<p>
 	    The configuration is saved in a file called
 	    <code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
 	    where <em class="replaceable"><code>name</code></em> is the
@@ -232,28 +181,28 @@
 	    configuration, so that zones that were added
 	    can persist after a restart.
 	  </p>
-	  <p>
+<p>
 	    This sample <span class="command"><strong>addzone</strong></span> command
 	    would add the zone <code class="literal">example.com</code>
 	    to the default view:
 	  </p>
-	  <p>
+<p>
 <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
 	  </p>
-	  <p>
+<p>
 	    (Note the brackets and semi-colon around the zone
 	    configuration text.)
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc delzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Delete a zone while the server is running.
 	  </p>
-	  <p>
+<p>
 	    If the <code class="option">-clean</code> argument is specified,
 	    the zone's master file (and journal file, if any)
 	    will be deleted along with the zone.  Without the
@@ -263,7 +212,7 @@
 	    be cleaned up will be reported in the output
 	    of the <span class="command"><strong>rndc delzone</strong></span> command.)
 	  </p>
-	  <p>
+<p>
 	    If the zone was originally added via
 	    <span class="command"><strong>rndc addzone</strong></span>, then it will be
 	    removed permanently. However, if it was originally
@@ -273,13 +222,12 @@
 	    come back. To remove it permanently, it must also be
 	    removed from <code class="filename">named.conf</code>
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>dnstap ( -reopen | -roll [<span class="optional"><em class="replaceable"><code>number</code></em></span>] )</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Close and re-open DNSTAP output files.
 	    <span class="command"><strong>rndc dnstap -reopen</strong></span> allows the output
 	    file to be renamed externally, so
@@ -290,43 +238,34 @@
 	    previous most recent output file is moved to ".1", and so on.
 	    If <em class="replaceable"><code>number</code></em> is specified, then the
 	    number of backup log files is limited to that number.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Dump the server's caches (default) and/or zones to
 	    the dump file for the specified views.  If no view
             is specified, all views are dumped.
 	    (See the <span class="command"><strong>dump-file</strong></span> option in
 	    the BIND 9 Administrator Reference Manual.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Flushes the server's cache.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Flushes the given name from the view's DNS cache
 	    and, if applicable, from the view's nameserver address
 	    database, bad server cache and SERVFAIL cache.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Flushes the given name, and all of its subdomains,
 	    from the view's DNS cache, address database,
 	    bad server cache, and SERVFAIL cache.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Suspend updates to a dynamic zone.  If no zone is
 	    specified, then all zones are suspended.  This allows
 	    manual edits to be made to a zone normally updated by
@@ -335,13 +274,13 @@
 	    All dynamic update attempts will be refused while
 	    the zone is frozen.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc thaw</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Stop the server immediately.  Recent changes
 	    made through dynamic update or IXFR are not saved to
 	    the master files, but will be rolled forward from the
@@ -350,13 +289,13 @@
 	    This allows an external process to determine when <span class="command"><strong>named</strong></span>
 	    had completed halting.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc stop</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Fetch all DNSSEC keys for the given zone
 	    from the key directory.  If they are within
 	    their publication period, merge them into the
@@ -365,7 +304,7 @@
 	    immediately re-signed by the new keys, but is
 	    allowed to incrementally re-sign over time.
 	  </p>
-	  <p>
+<p>
 	    This command requires that the
 	    <span class="command"><strong>auto-dnssec</strong></span> zone option
 	    be set to <code class="literal">maintain</code>,
@@ -374,10 +313,9 @@
 	    (See "Dynamic Update Policies" in the Administrator
 	    Reference Manual for more details.)
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    When run with the "status" keyword, print the current
 	    status of the managed-keys database for the specified
 	    view, or for all views if none is specified.  When run
@@ -387,11 +325,10 @@
 	    immediate dump of the managed-keys database to disk (in
 	    the file <code class="filename">managed-keys.bind</code> or
 	    (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Modify the configuration of a zone while the server
 	    is running.  This command requires the
 	    <span class="command"><strong>allow-new-zones</strong></span> option to be
@@ -402,7 +339,7 @@
 	    configuration text that would ordinarily be
 	    placed in <code class="filename">named.conf</code>.
 	  </p>
-	  <p>
+<p>
 	    If the zone was originally added via
 	    <span class="command"><strong>rndc addzone</strong></span>, the configuration
 	    changes will be recorded permanently and will still be
@@ -415,32 +352,30 @@
 	    permanent, it must also be modified in
 	    <code class="filename">named.conf</code>
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Resend NOTIFY messages for the zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sets the server's debugging level to 0.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc trace</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>nta
 	    [<span class="optional">( -class <em class="replaceable"><code>class</code></em> | -dump | -force | -remove | -lifetime <em class="replaceable"><code>duration</code></em>)</span>]
 	<em class="replaceable"><code>domain</code></em>
 	[<span class="optional"><em class="replaceable"><code>view</code></em></span>]
 	</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sets a DNSSEC negative trust anchor (NTA)
 	    for <code class="option">domain</code>, with a lifetime of
 	    <code class="option">duration</code>.  The default lifetime is
@@ -448,7 +383,7 @@
 	    <code class="option">nta-lifetime</code> option, and defaults to
 	    one hour.  The lifetime cannot exceed one week.
 	  </p>
-	  <p>
+<p>
 	    A negative trust anchor selectively disables
 	    DNSSEC validation for zones that are known to be
 	    failing because of misconfiguration rather than
@@ -459,7 +394,7 @@
 	    insecure rather than bogus.  This continues until the
 	    NTA's lifetime is elapsed.
 	  </p>
-	  <p>
+<p>
 	    NTAs persist across restarts of the <span class="command"><strong>named</strong></span> server.
 	    The NTAs for a view are saved in a file called
 	    <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
@@ -469,11 +404,11 @@
 	    cryptographic hash generated from the name
 	    of the view.
 	  </p>
-	  <p>
+<p>
 	    An existing NTA can be removed by using the
 	    <code class="option">-remove</code> option.
 	  </p>
-	  <p>
+<p>
 	    An NTA's lifetime can be specified with the
 	    <code class="option">-lifetime</code> option.  TTL-style
 	    suffixes can be used to specify the lifetime in
@@ -482,13 +417,13 @@
 	    new value.  Setting <code class="option">lifetime</code> to zero
 	    is equivalent to <code class="option">-remove</code>.
 	  </p>
-	  <p>
+<p>
 	    If the <code class="option">-dump</code> is used, any other arguments
 	    are ignored, and a list of existing NTAs is printed
 	    (note that this may include NTAs that are expired but
 	    have not yet been cleaned up).
 	  </p>
-	  <p>
+<p>
 	    Normally, <span class="command"><strong>named</strong></span> will periodically
 	    test to see whether data below an NTA can now be
 	    validated (see the <code class="option">nta-recheck</code> option
@@ -500,25 +435,25 @@
 	    lifetime, regardless of whether data could be
 	    validated if the NTA were not present.
 	  </p>
-	  <p>
+<p>
 	    The view class can be specified with <code class="option">-class</code>.
 	    The default is class <strong class="userinput"><code>IN</code></strong>, which is
 	    the only class for which DNSSEC is currently supported.
 	  </p>
-	  <p>
+<p>
 	    All of these options can be shortened, i.e., to
 	    <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
 	    <code class="option">-f</code>, and <code class="option">-c</code>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional"> on | off </span>] </span></dt>
 <dd>
-	  <p>
+<p>
 	    Enable or disable query logging.  (For backward
 	    compatibility, this command can also be used without
 	    an argument to toggle query logging on and off.)
 	  </p>
-	  <p>
+<p>
 	    Query logging can also be enabled
 	    by explicitly directing the <span class="command"><strong>queries</strong></span>
 	    <span class="command"><strong>category</strong></span> to a
@@ -529,10 +464,9 @@
 	    <span class="command"><strong>options</strong></span> section of
 	    <code class="filename">named.conf</code>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Reload the configuration file and load new zones,
 	    but do not reload existing zone files even if they
 	    have changed.
@@ -540,43 +474,34 @@
 	    is a large number of zones because it avoids the need
 	    to examine the
 	    modification times of the zones files.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Dump the list of queries <span class="command"><strong>named</strong></span> is currently
 	    recursing on, and the list of domains to which iterative
 	    queries are currently being sent.  (The second list includes
 	    the number of fetches currently active for the given domain,
 	    and how many have been passed or dropped because of the
 	    <code class="option">fetches-per-zone</code> option.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Schedule zone maintenance for the given zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Reload configuration file and zones.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Reload the given zone.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Retransfer the given slave zone from the master server.
 	  </p>
-	  <p>
+<p>
 	    If the zone is configured to use
 	    <span class="command"><strong>inline-signing</strong></span>, the signed
 	    version of the zone is discarded; after the
@@ -584,24 +509,22 @@
 	    signed version will be regenerated with all new
 	    signatures.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	     Scan the list of available network interfaces
 	     for changes, without performing a full
 	     <span class="command"><strong>reconfig</strong></span> or waiting for the
 	     <span class="command"><strong>interface-interval</strong></span> timer.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Dump the server's security roots and negative trust anchors
 	    for the specified views.  If no view is specified, all views
 	    are dumped.
 	  </p>
-	  <p>
+<p>
 	    If the first argument is "-", then the output is
 	    returned via the <span class="command"><strong>rndc</strong></span> response channel
 	    and printed to the standard output.
@@ -610,22 +533,22 @@
 	    overridden via the <code class="option">secroots-file</code> option in
 	    <code class="filename">named.conf</code>.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc managed-keys</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Print the configuration of a running zone.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc zonestatus</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Fetch all DNSSEC keys for the given zone
 	    from the key directory (see the
 	    <span class="command"><strong>key-directory</strong></span> option in
@@ -635,7 +558,7 @@
 	    is changed, then the zone is automatically
 	    re-signed with the new key set.
 	  </p>
-	  <p>
+<p>
 	    This command requires that the
 	    <span class="command"><strong>auto-dnssec</strong></span> zone option be set
 	    to <code class="literal">allow</code> or
@@ -645,13 +568,13 @@
 	    (See "Dynamic Update Policies" in the Administrator
 	    Reference Manual for more details.)
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc loadkeys</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    List, edit, or remove the DNSSEC signing state records
 	    for the specified zone.  The status of ongoing DNSSEC
 	    operations (such as signing or generating
@@ -664,7 +587,7 @@
 	    or have finished signing the zone, and which NSEC3
 	    chains are being created or removed.
 	  </p>
-	  <p>
+<p>
 	    <span class="command"><strong>rndc signing -clear</strong></span> can remove
 	    a single key (specified in the same format that
 	    <span class="command"><strong>rndc signing -list</strong></span> uses to
@@ -673,7 +596,7 @@
 	    that a key has not yet finished signing the zone
 	    will be retained.
 	  </p>
-	  <p>
+<p>
 	    <span class="command"><strong>rndc signing -nsec3param</strong></span> sets
 	    the NSEC3 parameters for a zone.  This is the
 	    only supported mechanism for using NSEC3 with
@@ -682,7 +605,7 @@
 	    an NSEC3PARAM resource record: hash algorithm,
 	    flags, iterations, and salt, in that order.
 	  </p>
-	  <p>
+<p>
 	    Currently, the only defined value for hash algorithm
 	    is <code class="literal">1</code>, representing SHA-1.
 	    The <code class="option">flags</code> may be set to
@@ -697,7 +620,7 @@
 	    which causes <span class="command"><strong>named</strong></span> to generate a
 	    random 64-bit salt.
 	  </p>
-	  <p>
+<p>
 	    So, for example, to create an NSEC3 chain using
 	    the SHA-1 hash algorithm, no opt-out flag,
 	    10 iterations, and a salt value of "FFFF", use:
@@ -706,40 +629,36 @@
 	    salt, use:
 	    <span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
 	  </p>
-	  <p>
+<p>
 	    <span class="command"><strong>rndc signing -nsec3param none</strong></span>
 	    removes an existing NSEC3 chain and replaces it
 	    with NSEC.
 	  </p>
-	  <p>
+<p>
 	    <span class="command"><strong>rndc signing -serial value</strong></span> sets
 	    the serial number of the zone to value.  If the value
 	    would cause the serial number to go backwards it will
 	    be rejected.  The primary use is to set the serial on
 	    inline signed zones.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Write server statistics to the statistics file.
 	    (See the <span class="command"><strong>statistics-file</strong></span> option in
 	    the BIND 9 Administrator Reference Manual.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Display status of the server.
 	    Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone
 	    and the default <span class="command"><strong>./IN</strong></span>
 	    hint zone if there is not an
 	    explicit root zone configured.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Stop the server, making sure any recent changes
 	    made through dynamic update or IXFR are first saved to
 	    the master files of the updated zones.
@@ -747,20 +666,18 @@
 	    This allows an external process to determine when <span class="command"><strong>named</strong></span>
 	    had completed stopping.
 	  </p>
-	  <p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
-	</dd>
+<p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Sync changes in the journal file for a dynamic zone
 	    to the master file.  If the "-clean" option is
 	    specified, the journal file is also removed.  If
 	    no zone is specified, then all zones are synced.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Enable updates to a frozen dynamic zone.  If no
 	    zone is specified, then all frozen zones are
 	    enabled.  This causes the server to reload the zone
@@ -774,55 +691,47 @@
 	    zone has changed, any existing journal file will be
 	    removed.
 	  </p>
-	  <p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
-	</dd>
+<p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Increment the servers debugging level by one.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Sets the server's debugging level to an explicit
 	    value.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc notrace</strong></span>.
 	  </p>
-	</dd>
+</dd>
 <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Delete a given TKEY-negotiated key from the server.
 	    (This does not apply to statically configured TSIG
 	    keys.)
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    List the names of all TSIG keys currently configured
 	    for use by <span class="command"><strong>named</strong></span> in each view.  The
 	    list includes both statically configured keys and dynamic
 	    TKEY-negotiated keys.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>validation ( on | off | status ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
-<dd>
-	  <p>
+<dd><p>
 	    Enable, disable, or check the current status of
 	    DNSSEC validation.
 	    Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
 	    set to <strong class="userinput"><code>yes</code></strong> or
 	    <strong class="userinput"><code>auto</code></strong> to be effective.
 	    It defaults to enabled.
-	  </p>
-	</dd>
+	  </p></dd>
 <dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
-	  <p>
+<p>
 	    Displays the current status of the given zone,
 	    including the master file name and any include
 	    files from which it was loaded, when it was most
@@ -833,67 +742,50 @@
 	    management or inline signing, and the scheduled
 	    refresh or expiry times for the zone.
 	  </p>
-	  <p>
+<p>
 	    See also <span class="command"><strong>rndc showzone</strong></span>.
 	  </p>
-	</dd>
+</dd>
 </dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.27.10"></a><h2>LIMITATIONS</h2>
-
-    <p>
+</div>
+<div class="refsection">
+<a name="id-1.14.39.10"></a><h2>LIMITATIONS</h2>
+<p>
       There is currently no way to provide the shared secret for a
       <code class="option">key_id</code> without using the configuration file.
     </p>
-    <p>
+<p>
       Several error messages could be clearer.
     </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.14.27.11"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-	<span class="refentrytitle">rndc.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">rndc-confgen</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named</span>(8)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">named.conf</span>(5)
-      </span>,
-      <span class="citerefentry">
-	<span class="refentrytitle">ndc</span>(8)
-      </span>,
+</div>
+<div class="refsection">
+<a name="id-1.14.39.11"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-  </div>
-
+</div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
+<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
-</td>
+<td width="40%" align="right"> </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">nsupdate</span> </td>
+<code class="filename">rndc.conf</code> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
-</td>
+<td width="40%" align="right" valign="top"> </td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.15 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.36 (Extended Support Version)</p>
 </body>
 </html>
diff --git a/bind/bind9/doc/arm/managed-keys.grammar.xml b/bind/bind9/doc/arm/managed-keys.grammar.xml
index d79f27fe..043fff8a 100644
--- a/bind/bind9/doc/arm/managed-keys.grammar.xml
+++ b/bind/bind9/doc/arm/managed-keys.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/managed-keys.xml b/bind/bind9/doc/arm/managed-keys.xml
index ba45a6c1..bd2f7247 100644
--- a/bind/bind9/doc/arm/managed-keys.xml
+++ b/bind/bind9/doc/arm/managed-keys.xml
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="rfc5011.support"><info><title>Dynamic Trust Anchor Management</title></info>
+<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="rfc5011.support"><info><title>Dynamic Trust Anchor Management</title></info>
 
   <para>
     BIND is able to maintain DNSSEC trust anchors using RFC 5011 key
@@ -38,53 +38,52 @@ also in DNSSEC section above here in ARM -->
     KSK. All KSKs which do not sign the zone are "stand-by"
     keys.</para>
     <para>Any validating resolver which is configured to use the
-    active KSK as an RFC 5011-managed trust anchor will take note
-    of the stand-by KSKs in the zone's DNSKEY RRset, and store them
-    for future reference. The resolver will recheck the zone
-    periodically, and after 30 days, if the new key is still there,
-    then the key will be accepted by the resolver as a valid trust
-    anchor for the zone. Any time after this 30-day acceptance
+    active KSK as an RFC 5011-managed trust anchor takes note
+    of the stand-by KSKs in the zone's DNSKEY RRset, and stores them
+    for future reference. The resolver rechecks the zone
+    periodically; after 30 days, if the new key is still there,
+    the key is accepted by the resolver as a valid trust
+    anchor for the zone. Anytime after this 30-day acceptance
     timer has completed, the active KSK can be revoked, and the
     zone can be "rolled over" to the newly accepted key.</para>
     <para>The easiest way to place a stand-by key in a zone is to
     use the "smart signing" features of
     <command>dnssec-keygen</command> and
-    <command>dnssec-signzone</command>. If a key with a publication
+    <command>dnssec-signzone</command>. If a key exists with a publication
     date in the past, but an activation date which is unset or in
-    the future, "
-    <command>dnssec-signzone -S</command>" will include the DNSKEY
-    record in the zone, but will not sign with it:</para>
+    the future, <command>dnssec-signzone -S</command> includes the DNSKEY
+    record in the zone but does not sign with it:</para>
     <screen>
 $ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput>
 $ <userinput>dnssec-signzone -S -K keys example.net</userinput>
 </screen>
-    <para>To revoke a key, the new command
-    <command>dnssec-revoke</command> has been added. This adds the
-    REVOKED bit to the key flags and re-generates the
+    <para>To revoke a key, use the command
+    <command>dnssec-revoke</command>. This adds the
+    REVOKED bit to the key flags and regenerates the
     <filename>K*.key</filename> and
     <filename>K*.private</filename> files.</para>
     <para>After revoking the active key, the zone must be signed
-    with both the revoked KSK and the new active KSK. (Smart
-    signing takes care of this automatically.)</para>
+    with both the revoked KSK and the new active KSK. Smart
+    signing takes care of this automatically.</para>
     <para>Once a key has been revoked and used to sign the DNSKEY
-    RRset in which it appears, that key will never again be
+    RRset in which it appears, that key is never again
     accepted as a valid trust anchor by the resolver. However,
-    validation can proceed using the new active key (which had been
-    accepted by the resolver when it was a stand-by key).</para>
+    validation can proceed using the new active key, which was
+    accepted by the resolver when it was a stand-by key.</para>
     <para>See RFC 5011 for more details on key rollover
     scenarios.</para>
     <para>When a key has been revoked, its key ID changes,
-    increasing by 128, and wrapping around at 65535. So, for
+    increasing by 128 and wrapping around at 65535. So, for
     example, the key "<filename>Kexample.com.+005+10000</filename>" becomes
     "<filename>Kexample.com.+005+10128</filename>".</para>
-    <para>If two keys have IDs exactly 128 apart, and one is
-    revoked, then the two key IDs will collide, causing several
+    <para>If two keys have IDs exactly 128 apart and one is
+    revoked, the two key IDs will collide, causing several
     problems. To prevent this,
-    <command>dnssec-keygen</command> will not generate a new key if
-    another key is present which may collide. This checking will
-    only occur if the new keys are written to the same directory
-    which holds all other keys in use for that zone.</para>
-    <para>Older versions of BIND 9 did not have this precaution.
+    <command>dnssec-keygen</command> does not generate a new key if
+    another key which may collide is present. This checking
+    only occurs if the new keys are written to the same directory
+    that holds all other keys in use for that zone.</para>
+    <para>Older versions of BIND 9 did not have this protection.
     Exercise caution if using key revocation on keys that were
     generated by previous releases, or if using keys stored in
     multiple directories or on multiple machines.</para>
diff --git a/bind/bind9/doc/arm/master.zoneopt.xml b/bind/bind9/doc/arm/master.zoneopt.xml
index 85df9bdb..fc21458c 100644
--- a/bind/bind9/doc/arm/master.zoneopt.xml
+++ b/bind/bind9/doc/arm/master.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/masters.grammar.xml b/bind/bind9/doc/arm/masters.grammar.xml
index 658fdfc1..6f77c359 100644
--- a/bind/bind9/doc/arm/masters.grammar.xml
+++ b/bind/bind9/doc/arm/masters.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.0.xml b/bind/bind9/doc/arm/notes-9.11.0.xml
index eea3bd54..7feafd60 100644
--- a/bind/bind9/doc/arm/notes-9.11.0.xml
+++ b/bind/bind9/doc/arm/notes-9.11.0.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.1.xml b/bind/bind9/doc/arm/notes-9.11.1.xml
index dfaf5ed8..a5c48abc 100644
--- a/bind/bind9/doc/arm/notes-9.11.1.xml
+++ b/bind/bind9/doc/arm/notes-9.11.1.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.10.xml b/bind/bind9/doc/arm/notes-9.11.10.xml
index 5b02e8c6..4357aaf6 100644
--- a/bind/bind9/doc/arm/notes-9.11.10.xml
+++ b/bind/bind9/doc/arm/notes-9.11.10.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.11.xml b/bind/bind9/doc/arm/notes-9.11.11.xml
index 9b76e58e..c420ec30 100644
--- a/bind/bind9/doc/arm/notes-9.11.11.xml
+++ b/bind/bind9/doc/arm/notes-9.11.11.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.12.xml b/bind/bind9/doc/arm/notes-9.11.12.xml
index 3fabd7af..d3c2ed44 100644
--- a/bind/bind9/doc/arm/notes-9.11.12.xml
+++ b/bind/bind9/doc/arm/notes-9.11.12.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.13.xml b/bind/bind9/doc/arm/notes-9.11.13.xml
index e184ad2f..013f0a99 100644
--- a/bind/bind9/doc/arm/notes-9.11.13.xml
+++ b/bind/bind9/doc/arm/notes-9.11.13.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.14.xml b/bind/bind9/doc/arm/notes-9.11.14.xml
index 70331fa5..0c72f110 100644
--- a/bind/bind9/doc/arm/notes-9.11.14.xml
+++ b/bind/bind9/doc/arm/notes-9.11.14.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.15.xml b/bind/bind9/doc/arm/notes-9.11.15.xml
index 35d22211..b952a23c 100644
--- a/bind/bind9/doc/arm/notes-9.11.15.xml
+++ b/bind/bind9/doc/arm/notes-9.11.15.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.16.xml b/bind/bind9/doc/arm/notes-9.11.16.xml
new file mode 100644
index 00000000..2e70dd4a
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.16.xml
@@ -0,0 +1,25 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.16"><info><title>Notes for BIND 9.11.16</title></info>
+
+  <section xml:id="relnotes-9.11.16-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <command>named</command> crashed when it was queried for a
+          nonexistent name in the CHAOS class. [GL #1540]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.17.xml b/bind/bind9/doc/arm/notes-9.11.17.xml
new file mode 100644
index 00000000..ed48f038
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.17.xml
@@ -0,0 +1,40 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.17"><info><title>Notes for BIND 9.11.17</title></info>
+
+  <section xml:id="relnotes-9.11.17-changes"><info><title>Feature Changes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The <command>configure</command> option
+          <command>--with-libxml2</command> now uses
+          <command>pkg-config</command> to detect libxml2 library
+          availability.  You will either have to install
+          <command>pkg-config</command> or specify the exact path where
+          libxml2 has been installed on your system. [GL #1635]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.17-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Fixed re-signing issues with inline zones which resulted in
+          records being re-signed late or not at all.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.18.xml b/bind/bind9/doc/arm/notes-9.11.18.xml
new file mode 100644
index 00000000..5a085426
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.18.xml
@@ -0,0 +1,41 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.18"><info><title>Notes for BIND 9.11.18</title></info>
+
+  <section xml:id="relnotes-9.11.18-security"><info><title>Security Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          DNS rebinding protection was ineffective when BIND 9 is configured as
+          a forwarding DNS server. Found and responsibly reported by Tobias
+          Klein. [GL #1574]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.18-known"><info><title>Known Issues</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          We have received reports that in some circumstances, receipt of an
+          IXFR can cause the processing of queries to slow significantly. Some
+          of these are related to RPZ processing, others appear to occur where
+          there are NSEC3-related changes (such as an operator changing the
+          NSEC3 salt used in the hash calculation). These are being
+          investigated.  [GL #1685]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.19.xml b/bind/bind9/doc/arm/notes-9.11.19.xml
new file mode 100644
index 00000000..a91ee46a
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.19.xml
@@ -0,0 +1,80 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.19"><info><title>Notes for BIND 9.11.19</title></info>
+
+  <section xml:id="relnotes-9.11.19-security"><info><title>Security Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          To prevent exhaustion of server resources by a maliciously configured
+          domain, the number of recursive queries that can be triggered by a
+          request before aborting recursion has been further limited. Root and
+          top-level domain servers are no longer exempt from the
+          <command>max-recursion-queries</command> limit. Fetches for missing
+          name server address records are limited to 4 for any domain. This
+          issue was disclosed in CVE-2020-8616. [GL #1388]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Replaying a TSIG BADTIME response as a request could
+          trigger an assertion failure. This was disclosed in
+          CVE-2020-8617. [GL #1703]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.19-changes"><info><title>Feature Changes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Message IDs in inbound AXFR transfers are now checked for consistency.
+          Log messages are emitted for streams with inconsistent message IDs.
+          [GL #1674]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.19-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          When running on a system with support for Linux capabilities,
+          <command>named</command> drops root privileges very soon after system
+          startup. This was causing a spurious log message, "unable to set
+          effective uid to 0: Operation not permitted", which has now been
+          silenced. [GL #1042] [GL #1090]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          When <command>named-checkconf -z</command> was run, it would sometimes
+          incorrectly set its exit code. It reflected the status of the last
+          view found; if zone-loading errors were found in earlier configured
+          views but not in the last one, the exit code indicated success.
+          Thanks to Graham Clinch. [GL #1807]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          When built without LMDB support, <command>named</command> failed to
+          restart after a zone with a double quote (") in its name was added
+          with <command>rndc addzone</command>. Thanks to Alberto Fernández.
+          [GL #1695]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.2.xml b/bind/bind9/doc/arm/notes-9.11.2.xml
index fd0a0944..34faecdc 100644
--- a/bind/bind9/doc/arm/notes-9.11.2.xml
+++ b/bind/bind9/doc/arm/notes-9.11.2.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.20.xml b/bind/bind9/doc/arm/notes-9.11.20.xml
new file mode 100644
index 00000000..c9d07be1
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.20.xml
@@ -0,0 +1,81 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.20"><info><title>Notes for BIND 9.11.20</title></info>
+
+  <section xml:id="relnotes-9.11.20-security"><info><title>Security Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          It was possible to trigger an INSIST failure when a zone with an
+          interior wildcard label was queried in a certain pattern. This was
+          disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.20-new"><info><title>New Features</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <command>dig</command> and other tools can now print the Extended DNS
+          Error (EDE) option when it appears in a request or a response.
+          [GL #1835]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.20-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          When fully updating the NSEC3 chain for a large zone via IXFR, a
+          temporary loss of performance could be experienced on the secondary
+          server when answering queries for nonexistent data that required
+          DNSSEC proof of non-existence (in other words, queries that required
+          the server to find and to return NSEC3 data). The unnecessary
+          processing step that was causing this delay has now been removed.
+          [GL #1834]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          A data race in <filename>lib/dns/resolver.c:log_formerr()</filename>
+          that could lead to an assertion failure was fixed. [GL #1808]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Previously, <command>provide-ixfr no;</command> failed to return
+          up-to-date responses when the serial number was greater than or equal
+          to the current serial number. [GL #1714]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <command>named-checkconf -p</command> could include spurious text in
+          <command>server-addresses</command> statements due to an uninitialized
+          DSCP value. This has been fixed. [GL #1812]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The ARM has been updated to indicate that the TSIG session key is
+          generated when named starts, regardless of whether it is needed.
+          [GL #1842]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.21.xml b/bind/bind9/doc/arm/notes-9.11.21.xml
new file mode 100644
index 00000000..79d61762
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.21.xml
@@ -0,0 +1,41 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.21"><info><title>Notes for BIND 9.11.21</title></info>
+
+  <section xml:id="relnotes-9.11.21-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <command>named</command> could crash when cleaning dead nodes in
+          <filename>lib/dns/rbtdb.c</filename> that were being reused.
+          [GL #1968]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Properly handle missing <command>kyua</command> command so that
+          <command>make check</command> does not fail unexpectedly when CMocka
+          is installed, but Kyua is not. [GL #1950]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The validator could fail to accept a properly signed RRset if an
+          unsupported algorithm appeared earlier in the DNSKEY RRset than a
+          supported algorithm. It could also stop if it detected a malformed
+          public key. [GL #1689]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.22.xml b/bind/bind9/doc/arm/notes-9.11.22.xml
new file mode 100644
index 00000000..bb48bc45
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.22.xml
@@ -0,0 +1,76 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.22"><info><title>Notes for BIND 9.11.22</title></info>
+
+  <section xml:id="relnotes-9.11.22-security"><info><title>Security Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          It was possible to trigger an assertion failure when verifying the
+          response to a TSIG-signed request. This was disclosed in
+          CVE-2020-8622.
+        </para>
+        <para>
+          ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
+          of Oracle for bringing this vulnerability to our attention. [GL #2028]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          When BIND 9 was compiled with native PKCS#11 support, it was possible
+          to trigger an assertion failure in code determining the number of bits
+          in the PKCS#11 RSA public key with a specially crafted packet. This
+          was disclosed in CVE-2020-8623.
+        </para>
+        <para>
+          ISC would like to thank Lyu Chiy for bringing this vulnerability to
+          our attention. [GL #2037]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <command>update-policy</command> rules of type
+          <command>subdomain</command> were incorrectly treated as
+          <command>zonesub</command> rules, which allowed keys used in
+          <command>subdomain</command> rules to update names outside of the
+          specified subdomains. The problem was fixed by making sure
+          <command>subdomain</command> rules are again processed as described in
+          the ARM. This was disclosed in CVE-2020-8624.
+        </para>
+        <para>
+          ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+          vulnerability to our attention. [GL #2055]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.22-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Wildcard RPZ passthru rules could incorrectly be overridden by other
+          rules that were loaded from RPZ zones which appeared later in the
+          <command>response-policy</command> statement. This has been fixed.
+          [GL #1619]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          LMDB locking code was revised to make <command>rndc reconfig</command>
+          work properly on FreeBSD and with LMDB >= 0.9.26. [GL #1976]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.23.xml b/bind/bind9/doc/arm/notes-9.11.23.xml
new file mode 100644
index 00000000..0631c62b
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.23.xml
@@ -0,0 +1,36 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.23"><info><title>Notes for BIND 9.11.23</title></info>
+
+  <section xml:id="relnotes-9.11.23-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Parsing of LOC records was made more strict by rejecting a sole period
+          (<userinput>.</userinput>) and/or <userinput>m</userinput> as a value.
+          These changes prevent zone files using such values from being loaded.
+          Handling of negative altitudes which are not integers was also
+          corrected. [GL #2074]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Several problems found by <link
+          xmlns:xlink="http://www.w3.org/1999/xlink"
+          xlink:href="https://github.com/google/oss-fuzz">OSS-Fuzz</link> were
+          fixed. (None of these are security issues.) [GL !3953] [GL !3975]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.24.xml b/bind/bind9/doc/arm/notes-9.11.24.xml
new file mode 100644
index 00000000..4a54752c
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.24.xml
@@ -0,0 +1,54 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.24"><info><title>Notes for BIND 9.11.24</title></info>
+
+  <section xml:id="relnotes-9.11.24-changes"><info><title>Feature Changes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+           DNS Flag Day 2020: The default EDNS buffer size has been changed from
+           4096 to 1232 bytes. According to measurements done by multiple
+           parties, this should not cause any operational problems as most of
+           the Internet "core" is able to cope with IP message sizes between
+           1400-1500 bytes; the 1232 size was picked as a conservative minimal
+           number that could be changed by the DNS operator to an estimated path
+           MTU minus the estimated header space. In practice, the smallest MTU
+           witnessed in the operational DNS community is 1500 octets, the
+           maximum Ethernet payload size, so a useful default for maximum
+           DNS/UDP payload size on reliable networks would be 1400 bytes.
+           [GL #2183]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.24-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <command>named</command> reported an invalid memory size when running
+          in an environment that did not properly report the number of available
+          memory pages and/or the size of each memory page. [GL #2166]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          With multiple forwarders configured, <command>named</command> could
+          fail the <code>REQUIRE(msg->state == (-1))</code> assertion in
+          <filename>lib/dns/message.c</filename>, causing it to crash. This has
+          been fixed. [GL #2124]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.25.xml b/bind/bind9/doc/arm/notes-9.11.25.xml
new file mode 100644
index 00000000..f8a37233
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.25.xml
@@ -0,0 +1,41 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.25"><info><title>Notes for BIND 9.11.25</title></info>
+
+  <section xml:id="relnotes-9.11.25-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <command>named</command> acting as a resolver could incorrectly treat
+          signed zones with no DS record at the parent as bogus. Such zones
+          should be treated as insecure. This has been fixed. [GL #2236]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          After a Negative Trust Anchor (NTA) is added, BIND performs periodic
+          checks to see if it is still necessary. If BIND encountered a failure
+          while creating a query to perform such a check, it attempted to
+          dereference a NULL pointer, resulting in a crash. [GL #2244]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          A problem obtaining glue records could prevent a stub zone from
+          functioning properly, if the authoritative server for the zone were
+          configured for minimal responses. [GL #1736]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.26.xml b/bind/bind9/doc/arm/notes-9.11.26.xml
new file mode 100644
index 00000000..b1a65951
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.26.xml
@@ -0,0 +1,65 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.26"><info><title>Notes for BIND 9.11.26</title></info>
+
+  <section xml:id="relnotes-9.11.26-changes"><info><title>Feature Changes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The default value of <command>max-recursion-queries</command> was
+          increased from 75 to 100. Since the queries sent towards root and TLD
+          servers are now included in the count (as a result of the fix for
+          CVE-2020-8616), <command>max-recursion-queries</command> has a higher
+          chance of being exceeded by non-attack queries, which is the main
+          reason for increasing its default value. [GL #2305]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The default value of <command>nocookie-udp-size</command> was restored
+          back to 4096 bytes. Since <command>max-udp-size</command> is the upper
+          bound for <command>nocookie-udp-size</command>, this change relieves
+          the operator from having to change
+          <command>nocookie-udp-size</command> together with
+          <command>max-udp-size</command> in order to increase the default EDNS
+          buffer size limit. <command>nocookie-udp-size</command> can still be
+          set to a value lower than <command>max-udp-size</command>, if desired.
+          [GL #2250]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.26-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Handling of missing DNS COOKIE responses over UDP was tightened by
+          falling back to TCP. [GL #2275]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The CNAME synthesized from a DNAME was incorrectly followed when the
+          QTYPE was CNAME or ANY. [GL #2280]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Building with native PKCS#11 support for AEP Keyper has been broken
+          since BIND 9.11.22. This has been fixed. [GL #2315]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.27.xml b/bind/bind9/doc/arm/notes-9.11.27.xml
new file mode 100644
index 00000000..79a08cd8
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.27.xml
@@ -0,0 +1,27 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.27"><info><title>Notes for BIND 9.11.27</title></info>
+
+  <section xml:id="relnotes-9.11.27-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Multiple threads could attempt to destroy a single RBTDB instance at
+          the same time, resulting in an unpredictable but low-probability
+          assertion failure in <filename>free_rbtdb()</filename>. This has been
+          fixed. [GL #2317]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.28.xml b/bind/bind9/doc/arm/notes-9.11.28.xml
new file mode 100644
index 00000000..ee40f43a
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.28.xml
@@ -0,0 +1,35 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.28"><info><title>Notes for BIND 9.11.28</title></info>
+
+  <section xml:id="relnotes-9.11.28-security"><info><title>Security Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          When <command>tkey-gssapi-keytab</command> or
+          <command>tkey-gssapi-credential</command> was configured, a specially
+          crafted GSS-TSIG query could cause a buffer overflow in the ISC
+          implementation of SPNEGO (a protocol enabling negotiation of the
+          security mechanism to use for GSSAPI authentication). This flaw could
+          be exploited to crash <command>named</command>. Theoretically, it also
+          enabled remote code execution, but achieving the latter is very
+          difficult in real-world conditions. (CVE-2020-8625)
+        </para>
+        <para>
+          This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+          Trend Micro Zero Day Initiative. [GL #2354]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.29.xml b/bind/bind9/doc/arm/notes-9.11.29.xml
new file mode 100644
index 00000000..66ec8acf
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.29.xml
@@ -0,0 +1,27 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.29"><info><title>Notes for BIND 9.11.29</title></info>
+
+  <section xml:id="relnotes-9.11.29-bugs"><info><title>Bug Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          An invalid direction field (not one of <command>N</command>,
+          <command>S</command>, <command>E</command>, <command>W</command>) in a
+          LOC record resulted in an INSIST failure when a zone file containing
+          such a record was loaded. [GL #2499]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.3.xml b/bind/bind9/doc/arm/notes-9.11.3.xml
index 9dcbd275..11167232 100644
--- a/bind/bind9/doc/arm/notes-9.11.3.xml
+++ b/bind/bind9/doc/arm/notes-9.11.3.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.30.xml b/bind/bind9/doc/arm/notes-9.11.30.xml
new file mode 100644
index 00000000..8decf45b
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.30.xml
@@ -0,0 +1,20 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.30"><info><title>Notes for BIND 9.11.30</title></info>
+
+  <para>
+    <emphasis>The BIND 9.11.30 release was withdrawn after a backporting bug was
+    discovered during pre-release testing. ISC would like to acknowledge the
+    assistance of Natan Segal of Bluecat Networks.</emphasis>
+  </para>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.31.xml b/bind/bind9/doc/arm/notes-9.11.31.xml
new file mode 100644
index 00000000..127b71b6
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.31.xml
@@ -0,0 +1,74 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.31"><info><title>Notes for BIND 9.11.31</title></info>
+
+  <section xml:id="relnotes-9.11.31-security"><info><title>Security Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          A malformed incoming IXFR transfer could trigger an assertion failure
+          in <command>named</command>, causing it to quit abnormally.
+          (CVE-2021-25214)
+        </para>
+        <para>
+          ISC would like to thank Greg Kuechle of SaskTel for bringing this
+          vulnerability to our attention. [GL #2467]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <command>named</command> crashed when a DNAME record placed in the
+          ANSWER section during DNAME chasing turned out to be the final answer
+          to a client query. (CVE-2021-25215)
+        </para>
+        <para>
+          ISC would like to thank <link
+          xmlns:xlink="http://www.w3.org/1999/xlink"
+          xlink:href="https://github.com/sivakesava1">Siva Kakarla</link> for
+          bringing this vulnerability to our attention. [GL #2540]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          When a server's configuration set the
+          <command>tkey-gssapi-keytab</command> or
+          <command>tkey-gssapi-credential</command> option, a specially crafted
+          GSS-TSIG query could cause a buffer overflow in the ISC implementation
+          of SPNEGO (a protocol enabling negotiation of the security mechanism
+          used for GSSAPI authentication). This flaw could be exploited to crash
+          <command>named</command> binaries compiled for 64-bit platforms, and
+          could enable remote code execution when <command>named</command> was
+          compiled for 32-bit platforms. (CVE-2021-25216)
+        </para>
+        <para>
+          This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
+          Zero Day Initiative. [GL #2604]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section xml:id="relnotes-9.11.31-changes"><info><title>Feature Changes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The ISC implementation of SPNEGO was removed from BIND 9 source code.
+          Instead, BIND 9 now always uses the SPNEGO implementation provided by
+          the system GSSAPI library when it is built with GSSAPI support. All
+          major contemporary Kerberos/GSSAPI libraries contain an implementation
+          of the SPNEGO mechanism. [GL #2607]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.32.xml b/bind/bind9/doc/arm/notes-9.11.32.xml
new file mode 100644
index 00000000..06b8fefe
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.32.xml
@@ -0,0 +1,37 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.32"><info><title>Notes for BIND 9.11.32</title></info>
+
+  <section xml:id="relnotes-9.11.32-changes"><info><title>Feature Changes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          DNSSEC responses containing NSEC3 records with iteration counts
+          greater than 150 are now treated as insecure. [GL #2445]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The maximum supported number of NSEC3 iterations that can be
+          configured for a zone has been reduced to 150. [GL #2642]
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The implementation of the ZONEMD RR type has been updated to match RFC
+          8976. [GL #2658]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.33.xml b/bind/bind9/doc/arm/notes-9.11.33.xml
new file mode 100644
index 00000000..d7314507
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.33.xml
@@ -0,0 +1,20 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.33"><info><title>Notes for BIND 9.11.33</title></info>
+
+  <para>
+    This maintenance release of BIND 9.11 contains no significant changes,
+    although some minor updates have been made (for example, to eliminate
+    compiler warnings emitted by GCC 11).
+  </para>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.34.xml b/bind/bind9/doc/arm/notes-9.11.34.xml
new file mode 100644
index 00000000..37b091d1
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.34.xml
@@ -0,0 +1,20 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.34"><info><title>Notes for BIND 9.11.34</title></info>
+
+  <para>
+    This maintenance release of BIND 9.11 contains no significant changes,
+    although some minor updates have been made (for example, to fix build issues
+    on Solaris 11).
+  </para>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.35.xml b/bind/bind9/doc/arm/notes-9.11.35.xml
new file mode 100644
index 00000000..67edcc69
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.35.xml
@@ -0,0 +1,28 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.35"><info><title>Notes for BIND 9.11.35</title></info>
+
+  <section xml:id="relnotes-9.11.35-security"><info><title>Security Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <command>named</command> failed to check the opcode of responses when
+          performing zone refreshes, stub zone updates, and UPDATE forwarding.
+          This could lead to an assertion failure under certain conditions and
+          has been addressed by rejecting responses whose opcode does not match
+          the expected value. [GL #2762]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.36.xml b/bind/bind9/doc/arm/notes-9.11.36.xml
new file mode 100644
index 00000000..d307b8dd
--- /dev/null
+++ b/bind/bind9/doc/arm/notes-9.11.36.xml
@@ -0,0 +1,41 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.36"><info><title>Notes for BIND 9.11.36</title></info>
+
+  <section xml:id="relnotes-9.11.36-security"><info><title>Security Fixes</title></info>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The <command>lame-ttl</command> option controls how long
+          <command>named</command> caches certain types of broken responses from
+          authoritative servers (see the <link xmlns:xlink="http://www.w3.org/1999/xlink"
+          xlink:href="https://kb.isc.org/docs/cve-2021-25219">security advisory</link>
+          for details). This caching mechanism could be abused by an attacker to
+          significantly degrade resolver performance. The vulnerability has been
+          mitigated by changing the default value of <command>lame-ttl</command>
+          to <command>0</command> and overriding any explicitly set value with
+          <command>0</command>, effectively disabling this mechanism altogether.
+          ISC's testing has determined that doing that has a negligible impact
+          on resolver performance while also preventing abuse. Administrators
+          may observe more traffic towards servers issuing certain types of
+          broken responses than in previous BIND 9 releases, depending on client
+          query patterns. (CVE-2021-25219)
+        </para>
+        <para>
+          ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
+          bringing this vulnerability to our attention. [GL #2899]
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+</section>
diff --git a/bind/bind9/doc/arm/notes-9.11.4.xml b/bind/bind9/doc/arm/notes-9.11.4.xml
index af435859..65394d9b 100644
--- a/bind/bind9/doc/arm/notes-9.11.4.xml
+++ b/bind/bind9/doc/arm/notes-9.11.4.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.5.xml b/bind/bind9/doc/arm/notes-9.11.5.xml
index 7683f7a6..05aa2fbc 100644
--- a/bind/bind9/doc/arm/notes-9.11.5.xml
+++ b/bind/bind9/doc/arm/notes-9.11.5.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.6.xml b/bind/bind9/doc/arm/notes-9.11.6.xml
index 1cdd003a..c895297c 100644
--- a/bind/bind9/doc/arm/notes-9.11.6.xml
+++ b/bind/bind9/doc/arm/notes-9.11.6.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.7.xml b/bind/bind9/doc/arm/notes-9.11.7.xml
index 067746e1..9e753abb 100644
--- a/bind/bind9/doc/arm/notes-9.11.7.xml
+++ b/bind/bind9/doc/arm/notes-9.11.7.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.8.xml b/bind/bind9/doc/arm/notes-9.11.8.xml
index 2002a52c..ee78f91e 100644
--- a/bind/bind9/doc/arm/notes-9.11.8.xml
+++ b/bind/bind9/doc/arm/notes-9.11.8.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-9.11.9.xml b/bind/bind9/doc/arm/notes-9.11.9.xml
index 4a3ec107..67a211f7 100644
--- a/bind/bind9/doc/arm/notes-9.11.9.xml
+++ b/bind/bind9/doc/arm/notes-9.11.9.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-download.xml b/bind/bind9/doc/arm/notes-download.xml
index 84bb469e..00972b05 100644
--- a/bind/bind9/doc/arm/notes-download.xml
+++ b/bind/bind9/doc/arm/notes-download.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-eol.xml b/bind/bind9/doc/arm/notes-eol.xml
index 1b48ce63..949488be 100644
--- a/bind/bind9/doc/arm/notes-eol.xml
+++ b/bind/bind9/doc/arm/notes-eol.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-intro.xml b/bind/bind9/doc/arm/notes-intro.xml
index 24653571..fcea2612 100644
--- a/bind/bind9/doc/arm/notes-intro.xml
+++ b/bind/bind9/doc/arm/notes-intro.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-license.xml b/bind/bind9/doc/arm/notes-license.xml
index 745bed1e..769eef20 100644
--- a/bind/bind9/doc/arm/notes-license.xml
+++ b/bind/bind9/doc/arm/notes-license.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-thankyou.xml b/bind/bind9/doc/arm/notes-thankyou.xml
index f84ad559..612b1389 100644
--- a/bind/bind9/doc/arm/notes-thankyou.xml
+++ b/bind/bind9/doc/arm/notes-thankyou.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/notes-wrapper.xml b/bind/bind9/doc/arm/notes-wrapper.xml
index 2a8f6d88..fc5d927d 100644
--- a/bind/bind9/doc/arm/notes-wrapper.xml
+++ b/bind/bind9/doc/arm/notes-wrapper.xml
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<article xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info><title/></info>
+<article xmlns="http://docbook.org/ns/docbook" version="5.0"><info><title/></info>
 
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes.xml"/>
 </article>
diff --git a/bind/bind9/doc/arm/notes.html b/bind/bind9/doc/arm/notes.html
index c94dec18..eeaec385 100644
--- a/bind/bind9/doc/arm/notes.html
+++ b/bind/bind9/doc/arm/notes.html
@@ -9,31 +9,28 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title></title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
-
-  <div class="section">
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.11.15</h2></div></div></div>
-  
-  <div class="section">
+<a name="id-1.2"></a>Release Notes for BIND Version 9.11.36</h2></div></div></div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
-  <p>
+<p>
     BIND 9.11 (Extended Support Version) is a stable branch of BIND.
     This document summarizes significant changes since the last
     production release on that branch.
   </p>
-  <p>
+<p>
     Please see the file <code class="filename">CHANGES</code> for a more
     detailed list of changes and bug fixes.
   </p>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_download"></a>Download</h3></div></div></div>
-  <p>
+<p>
     The latest versions of BIND 9 software can always be found at
     <a class="link" href="https://www.isc.org/download/" target="_top">https://www.isc.org/download/</a>.
     There you will find additional information about each release,
@@ -41,210 +38,773 @@
     operating systems.
   </p>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License Change</h3></div></div></div>
-  <p>
+<p>
     With the release of BIND 9.11.0, ISC changed to the open
     source license for BIND from the ISC license to the Mozilla
     Public License (MPL 2.0).
   </p>
-  <p>
+<p>
     The MPL-2.0 license requires that if you make changes to
     licensed software (e.g. BIND) and distribute them outside
     your organization, that you publish those changes under that
     same license. It does not require that you publish or disclose
     anything other than the changes you made to our software.
   </p>
-  <p>
+<p>
     This requirement will not affect anyone who is using BIND, with
     or without modifications, without redistributing it, nor anyone
     redistributing it without changes. Therefore, this change will be
     without consequence for most individuals and organizations who are
     using BIND.
   </p>
-  <p>
+<p>
     Those unsure whether or not the license change affects their
     use of BIND, or who wish to discuss how to comply with the
     license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
     https://www.isc.org/mission/contact/</a>.
   </p>
 </div>
-
-  <div class="section">
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.36"></a>Notes for BIND 9.11.36</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.36-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<p>
+          The <span class="command"><strong>lame-ttl</strong></span> option controls how long
+          <span class="command"><strong>named</strong></span> caches certain types of broken responses from
+          authoritative servers (see the <a class="link" href="https://kb.isc.org/docs/cve-2021-25219" target="_top">security advisory</a>
+          for details). This caching mechanism could be abused by an attacker to
+          significantly degrade resolver performance. The vulnerability has been
+          mitigated by changing the default value of <span class="command"><strong>lame-ttl</strong></span>
+          to <span class="command"><strong>0</strong></span> and overriding any explicitly set value with
+          <span class="command"><strong>0</strong></span>, effectively disabling this mechanism altogether.
+          ISC's testing has determined that doing that has a negligible impact
+          on resolver performance while also preventing abuse. Administrators
+          may observe more traffic towards servers issuing certain types of
+          broken responses than in previous BIND 9 releases, depending on client
+          query patterns. (CVE-2021-25219)
+        </p>
+<p>
+          ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
+          bringing this vulnerability to our attention. [GL #2899]
+        </p>
+</li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.35"></a>Notes for BIND 9.11.35</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.35-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> failed to check the opcode of responses when
+          performing zone refreshes, stub zone updates, and UPDATE forwarding.
+          This could lead to an assertion failure under certain conditions and
+          has been addressed by rejecting responses whose opcode does not match
+          the expected value. [GL #2762]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.34"></a>Notes for BIND 9.11.34</h3></div></div></div>
+<p>
+    This maintenance release of BIND 9.11 contains no significant changes,
+    although some minor updates have been made (for example, to fix build issues
+    on Solaris 11).
+  </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.33"></a>Notes for BIND 9.11.33</h3></div></div></div>
+<p>
+    This maintenance release of BIND 9.11 contains no significant changes,
+    although some minor updates have been made (for example, to eliminate
+    compiler warnings emitted by GCC 11).
+  </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.32"></a>Notes for BIND 9.11.32</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.32-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          DNSSEC responses containing NSEC3 records with iteration counts
+          greater than 150 are now treated as insecure. [GL #2445]
+        </p></li>
+<li class="listitem"><p>
+          The maximum supported number of NSEC3 iterations that can be
+          configured for a zone has been reduced to 150. [GL #2642]
+        </p></li>
+<li class="listitem"><p>
+          The implementation of the ZONEMD RR type has been updated to match RFC
+          8976. [GL #2658]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.31"></a>Notes for BIND 9.11.31</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.31-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+<p>
+          A malformed incoming IXFR transfer could trigger an assertion failure
+          in <span class="command"><strong>named</strong></span>, causing it to quit abnormally.
+          (CVE-2021-25214)
+        </p>
+<p>
+          ISC would like to thank Greg Kuechle of SaskTel for bringing this
+          vulnerability to our attention. [GL #2467]
+        </p>
+</li>
+<li class="listitem">
+<p>
+          <span class="command"><strong>named</strong></span> crashed when a DNAME record placed in the
+          ANSWER section during DNAME chasing turned out to be the final answer
+          to a client query. (CVE-2021-25215)
+        </p>
+<p>
+          ISC would like to thank <a class="link" href="https://github.com/sivakesava1" target="_top">Siva Kakarla</a> for
+          bringing this vulnerability to our attention. [GL #2540]
+        </p>
+</li>
+<li class="listitem">
+<p>
+          When a server's configuration set the
+          <span class="command"><strong>tkey-gssapi-keytab</strong></span> or
+          <span class="command"><strong>tkey-gssapi-credential</strong></span> option, a specially crafted
+          GSS-TSIG query could cause a buffer overflow in the ISC implementation
+          of SPNEGO (a protocol enabling negotiation of the security mechanism
+          used for GSSAPI authentication). This flaw could be exploited to crash
+          <span class="command"><strong>named</strong></span> binaries compiled for 64-bit platforms, and
+          could enable remote code execution when <span class="command"><strong>named</strong></span> was
+          compiled for 32-bit platforms. (CVE-2021-25216)
+        </p>
+<p>
+          This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
+          Zero Day Initiative. [GL #2604]
+        </p>
+</li>
+</ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.31-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          The ISC implementation of SPNEGO was removed from BIND 9 source code.
+          Instead, BIND 9 now always uses the SPNEGO implementation provided by
+          the system GSSAPI library when it is built with GSSAPI support. All
+          major contemporary Kerberos/GSSAPI libraries contain an implementation
+          of the SPNEGO mechanism. [GL #2607]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.30"></a>Notes for BIND 9.11.30</h3></div></div></div>
+<p>
+    <span class="emphasis"><em>The BIND 9.11.30 release was withdrawn after a backporting bug was
+    discovered during pre-release testing. ISC would like to acknowledge the
+    assistance of Natan Segal of Bluecat Networks.</em></span>
+  </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.29"></a>Notes for BIND 9.11.29</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.29-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          An invalid direction field (not one of <span class="command"><strong>N</strong></span>,
+          <span class="command"><strong>S</strong></span>, <span class="command"><strong>E</strong></span>, <span class="command"><strong>W</strong></span>) in a
+          LOC record resulted in an INSIST failure when a zone file containing
+          such a record was loaded. [GL #2499]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.28"></a>Notes for BIND 9.11.28</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.28-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<p>
+          When <span class="command"><strong>tkey-gssapi-keytab</strong></span> or
+          <span class="command"><strong>tkey-gssapi-credential</strong></span> was configured, a specially
+          crafted GSS-TSIG query could cause a buffer overflow in the ISC
+          implementation of SPNEGO (a protocol enabling negotiation of the
+          security mechanism to use for GSSAPI authentication). This flaw could
+          be exploited to crash <span class="command"><strong>named</strong></span>. Theoretically, it also
+          enabled remote code execution, but achieving the latter is very
+          difficult in real-world conditions. (CVE-2020-8625)
+        </p>
+<p>
+          This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+          Trend Micro Zero Day Initiative. [GL #2354]
+        </p>
+</li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.27"></a>Notes for BIND 9.11.27</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.27-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          Multiple threads could attempt to destroy a single RBTDB instance at
+          the same time, resulting in an unpredictable but low-probability
+          assertion failure in <code class="filename">free_rbtdb()</code>. This has been
+          fixed. [GL #2317]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.26"></a>Notes for BIND 9.11.26</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.26-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          The default value of <span class="command"><strong>max-recursion-queries</strong></span> was
+          increased from 75 to 100. Since the queries sent towards root and TLD
+          servers are now included in the count (as a result of the fix for
+          CVE-2020-8616), <span class="command"><strong>max-recursion-queries</strong></span> has a higher
+          chance of being exceeded by non-attack queries, which is the main
+          reason for increasing its default value. [GL #2305]
+        </p></li>
+<li class="listitem"><p>
+          The default value of <span class="command"><strong>nocookie-udp-size</strong></span> was restored
+          back to 4096 bytes. Since <span class="command"><strong>max-udp-size</strong></span> is the upper
+          bound for <span class="command"><strong>nocookie-udp-size</strong></span>, this change relieves
+          the operator from having to change
+          <span class="command"><strong>nocookie-udp-size</strong></span> together with
+          <span class="command"><strong>max-udp-size</strong></span> in order to increase the default EDNS
+          buffer size limit. <span class="command"><strong>nocookie-udp-size</strong></span> can still be
+          set to a value lower than <span class="command"><strong>max-udp-size</strong></span>, if desired.
+          [GL #2250]
+        </p></li>
+</ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.26-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          Handling of missing DNS COOKIE responses over UDP was tightened by
+          falling back to TCP. [GL #2275]
+        </p></li>
+<li class="listitem"><p>
+          The CNAME synthesized from a DNAME was incorrectly followed when the
+          QTYPE was CNAME or ANY. [GL #2280]
+        </p></li>
+<li class="listitem"><p>
+          Building with native PKCS#11 support for AEP Keyper has been broken
+          since BIND 9.11.22. This has been fixed. [GL #2315]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.25"></a>Notes for BIND 9.11.25</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.25-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> acting as a resolver could incorrectly treat
+          signed zones with no DS record at the parent as bogus. Such zones
+          should be treated as insecure. This has been fixed. [GL #2236]
+        </p></li>
+<li class="listitem"><p>
+          After a Negative Trust Anchor (NTA) is added, BIND performs periodic
+          checks to see if it is still necessary. If BIND encountered a failure
+          while creating a query to perform such a check, it attempted to
+          dereference a NULL pointer, resulting in a crash. [GL #2244]
+        </p></li>
+<li class="listitem"><p>
+          A problem obtaining glue records could prevent a stub zone from
+          functioning properly, if the authoritative server for the zone were
+          configured for minimal responses. [GL #1736]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.24"></a>Notes for BIND 9.11.24</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.24-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+           DNS Flag Day 2020: The default EDNS buffer size has been changed from
+           4096 to 1232 bytes. According to measurements done by multiple
+           parties, this should not cause any operational problems as most of
+           the Internet "core" is able to cope with IP message sizes between
+           1400-1500 bytes; the 1232 size was picked as a conservative minimal
+           number that could be changed by the DNS operator to an estimated path
+           MTU minus the estimated header space. In practice, the smallest MTU
+           witnessed in the operational DNS community is 1500 octets, the
+           maximum Ethernet payload size, so a useful default for maximum
+           DNS/UDP payload size on reliable networks would be 1400 bytes.
+           [GL #2183]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.24-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> reported an invalid memory size when running
+          in an environment that did not properly report the number of available
+          memory pages and/or the size of each memory page. [GL #2166]
+        </p></li>
+<li class="listitem"><p>
+          With multiple forwarders configured, <span class="command"><strong>named</strong></span> could
+          fail the <code class="code">REQUIRE(msg-&gt;state == (-1))</code> assertion in
+          <code class="filename">lib/dns/message.c</code>, causing it to crash. This has
+          been fixed. [GL #2124]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.23"></a>Notes for BIND 9.11.23</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.23-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          Parsing of LOC records was made more strict by rejecting a sole period
+          (<strong class="userinput"><code>.</code></strong>) and/or <strong class="userinput"><code>m</code></strong> as a value.
+          These changes prevent zone files using such values from being loaded.
+          Handling of negative altitudes which are not integers was also
+          corrected. [GL #2074]
+        </p></li>
+<li class="listitem"><p>
+          Several problems found by <a class="link" href="https://github.com/google/oss-fuzz" target="_top">OSS-Fuzz</a> were
+          fixed. (None of these are security issues.) [GL !3953] [GL !3975]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.22"></a>Notes for BIND 9.11.22</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.22-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+<p>
+          It was possible to trigger an assertion failure when verifying the
+          response to a TSIG-signed request. This was disclosed in
+          CVE-2020-8622.
+        </p>
+<p>
+          ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
+          of Oracle for bringing this vulnerability to our attention. [GL #2028]
+        </p>
+</li>
+<li class="listitem">
+<p>
+          When BIND 9 was compiled with native PKCS#11 support, it was possible
+          to trigger an assertion failure in code determining the number of bits
+          in the PKCS#11 RSA public key with a specially crafted packet. This
+          was disclosed in CVE-2020-8623.
+        </p>
+<p>
+          ISC would like to thank Lyu Chiy for bringing this vulnerability to
+          our attention. [GL #2037]
+        </p>
+</li>
+<li class="listitem">
+<p>
+          <span class="command"><strong>update-policy</strong></span> rules of type
+          <span class="command"><strong>subdomain</strong></span> were incorrectly treated as
+          <span class="command"><strong>zonesub</strong></span> rules, which allowed keys used in
+          <span class="command"><strong>subdomain</strong></span> rules to update names outside of the
+          specified subdomains. The problem was fixed by making sure
+          <span class="command"><strong>subdomain</strong></span> rules are again processed as described in
+          the ARM. This was disclosed in CVE-2020-8624.
+        </p>
+<p>
+          ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+          vulnerability to our attention. [GL #2055]
+        </p>
+</li>
+</ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.22-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          Wildcard RPZ passthru rules could incorrectly be overridden by other
+          rules that were loaded from RPZ zones which appeared later in the
+          <span class="command"><strong>response-policy</strong></span> statement. This has been fixed.
+          [GL #1619]
+        </p></li>
+<li class="listitem"><p>
+          LMDB locking code was revised to make <span class="command"><strong>rndc reconfig</strong></span>
+          work properly on FreeBSD and with LMDB &gt;= 0.9.26. [GL #1976]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.21"></a>Notes for BIND 9.11.21</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.21-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> could crash when cleaning dead nodes in
+          <code class="filename">lib/dns/rbtdb.c</code> that were being reused.
+          [GL #1968]
+        </p></li>
+<li class="listitem"><p>
+          Properly handle missing <span class="command"><strong>kyua</strong></span> command so that
+          <span class="command"><strong>make check</strong></span> does not fail unexpectedly when CMocka
+          is installed, but Kyua is not. [GL #1950]
+        </p></li>
+<li class="listitem"><p>
+          The validator could fail to accept a properly signed RRset if an
+          unsupported algorithm appeared earlier in the DNSKEY RRset than a
+          supported algorithm. It could also stop if it detected a malformed
+          public key. [GL #1689]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.20"></a>Notes for BIND 9.11.20</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.20-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          It was possible to trigger an INSIST failure when a zone with an
+          interior wildcard label was queried in a certain pattern. This was
+          disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.20-new"></a>New Features</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          <span class="command"><strong>dig</strong></span> and other tools can now print the Extended DNS
+          Error (EDE) option when it appears in a request or a response.
+          [GL #1835]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.20-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          When fully updating the NSEC3 chain for a large zone via IXFR, a
+          temporary loss of performance could be experienced on the secondary
+          server when answering queries for nonexistent data that required
+          DNSSEC proof of non-existence (in other words, queries that required
+          the server to find and to return NSEC3 data). The unnecessary
+          processing step that was causing this delay has now been removed.
+          [GL #1834]
+        </p></li>
+<li class="listitem"><p>
+          A data race in <code class="filename">lib/dns/resolver.c:log_formerr()</code>
+          that could lead to an assertion failure was fixed. [GL #1808]
+        </p></li>
+<li class="listitem"><p>
+          Previously, <span class="command"><strong>provide-ixfr no;</strong></span> failed to return
+          up-to-date responses when the serial number was greater than or equal
+          to the current serial number. [GL #1714]
+        </p></li>
+<li class="listitem"><p>
+          <span class="command"><strong>named-checkconf -p</strong></span> could include spurious text in
+          <span class="command"><strong>server-addresses</strong></span> statements due to an uninitialized
+          DSCP value. This has been fixed. [GL #1812]
+        </p></li>
+<li class="listitem"><p>
+          The ARM has been updated to indicate that the TSIG session key is
+          generated when named starts, regardless of whether it is needed.
+          [GL #1842]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.19"></a>Notes for BIND 9.11.19</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          To prevent exhaustion of server resources by a maliciously configured
+          domain, the number of recursive queries that can be triggered by a
+          request before aborting recursion has been further limited. Root and
+          top-level domain servers are no longer exempt from the
+          <span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
+          name server address records are limited to 4 for any domain. This
+          issue was disclosed in CVE-2020-8616. [GL #1388]
+        </p></li>
+<li class="listitem"><p>
+          Replaying a TSIG BADTIME response as a request could
+          trigger an assertion failure. This was disclosed in
+          CVE-2020-8617. [GL #1703]
+        </p></li>
+</ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          Message IDs in inbound AXFR transfers are now checked for consistency.
+          Log messages are emitted for streams with inconsistent message IDs.
+          [GL #1674]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+          When running on a system with support for Linux capabilities,
+          <span class="command"><strong>named</strong></span> drops root privileges very soon after system
+          startup. This was causing a spurious log message, "unable to set
+          effective uid to 0: Operation not permitted", which has now been
+          silenced. [GL #1042] [GL #1090]
+        </p></li>
+<li class="listitem"><p>
+          When <span class="command"><strong>named-checkconf -z</strong></span> was run, it would sometimes
+          incorrectly set its exit code. It reflected the status of the last
+          view found; if zone-loading errors were found in earlier configured
+          views but not in the last one, the exit code indicated success.
+          Thanks to Graham Clinch. [GL #1807]
+        </p></li>
+<li class="listitem"><p>
+          When built without LMDB support, <span class="command"><strong>named</strong></span> failed to
+          restart after a zone with a double quote (") in its name was added
+          with <span class="command"><strong>rndc addzone</strong></span>. Thanks to Alberto Fernández.
+          [GL #1695]
+        </p></li>
+</ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.18"></a>Notes for BIND 9.11.18</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.18-security"></a>Security Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          DNS rebinding protection was ineffective when BIND 9 is configured as
+          a forwarding DNS server. Found and responsibly reported by Tobias
+          Klein. [GL #1574]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.18-known"></a>Known Issues</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          We have received reports that in some circumstances, receipt of an
+          IXFR can cause the processing of queries to slow significantly. Some
+          of these are related to RPZ processing, others appear to occur where
+          there are NSEC3-related changes (such as an operator changing the
+          NSEC3 salt used in the hash calculation). These are being
+          investigated.  [GL #1685]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.17"></a>Notes for BIND 9.11.17</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.17-changes"></a>Feature Changes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          The <span class="command"><strong>configure</strong></span> option
+          <span class="command"><strong>--with-libxml2</strong></span> now uses
+          <span class="command"><strong>pkg-config</strong></span> to detect libxml2 library
+          availability.  You will either have to install
+          <span class="command"><strong>pkg-config</strong></span> or specify the exact path where
+          libxml2 has been installed on your system. [GL #1635]
+        </p></li></ul></div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.17-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          Fixed re-signing issues with inline zones which resulted in
+          records being re-signed late or not at all.
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.16"></a>Notes for BIND 9.11.16</h3></div></div></div>
+<div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.16-bugs"></a>Bug Fixes</h4></div></div></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+          <span class="command"><strong>named</strong></span> crashed when it was queried for a
+          nonexistent name in the CHAOS class. [GL #1540]
+        </p></li></ul></div>
+</div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.15"></a>Notes for BIND 9.11.15</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.15-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Fixed a GeoIP2 lookup bug which was triggered when certain
           libmaxminddb versions were used. [GL #1552]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Fixed several possible race conditions discovered by
           ThreadSanitizer.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.14"></a>Notes for BIND 9.11.14</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.14-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
           on reconfiguration when any GeoIP2 database was in use. [GL #1445]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Fixed several possible race conditions discovered by
           ThreadSanitizer.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.13"></a>Notes for BIND 9.11.13</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.13-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Set a limit on the number of concurrently served pipelined TCP
           queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.13-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
           that reports the maximum number of simultaneous TCP clients BIND
           has handled while running. [GL #1206]
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
+</div>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.12"></a>Notes for BIND 9.11.12</h3></div></div></div>
-
-  <p>
+<p>
     None.
   </p>
-
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.11"></a>Notes for BIND 9.11.11</h3></div></div></div>
-
-  <p>
+<p>
     None.
   </p>
-
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.10"></a>Notes for BIND 9.11.10</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.10-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
+<p>
           A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
           [GL #605]
         </p>
-        <p>
+<p>
           If you are running multiple DNS Servers (different versions of BIND 9
           or DNS server from multiple vendors) responding from the same IP
           address (anycast or load-balancing scenarios), you'll have to make
           sure that all the servers are configured with the same DNS Cookie
           algorithm and same Server Secret for the best performance.
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           DS records included in DNS referral messages can now be validated
           and cached immediately, reducing the number of queries needed for
           a DNSSEC validation. [GL #964]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.10-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
           cause unexpected results; this has been fixed. [GL #1106]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
           to ensure bits 64-71 are zero. [GL #1159]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named-checkconf</strong></span> could crash during
           configuration if configured to use "geoip continent" ACLs with
           legacy GeoIP. [GL #1163]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
           <span class="command"><strong>dnstap-output</strong></span> option when
           <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Handle ETIMEDOUT error on connect() with a non-blocking
           socket. [GL #1133]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.9"></a>Notes for BIND 9.11.9</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.9-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<p>
           The new GeoIP2 API from MaxMind is now supported when BIND
           is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
           The legacy GeoIP API can be used by compiling with
@@ -252,7 +812,7 @@
           the databases for the legacy API are no longer maintained by
           MaxMind.)
         </p>
-        <p>
+<p>
           The default path to the GeoIP2 databases will be set based
           on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
           for example, if it is in <code class="filename">/usr/local/lib</code>,
@@ -261,7 +821,7 @@
           This value can be overridden in <code class="filename">named.conf</code>
           using the <span class="command"><strong>geoip-directory</strong></span> option.
         </p>
-        <p>
+<p>
           Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
           legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
           <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
@@ -271,60 +831,48 @@
           <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
           and IPv6 lookups. [GL #182]
         </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+</li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.9-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Glue address records were not being returned in responses
           to root priming queries; this has been corrected. [GL #1092]
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.8"></a>Notes for BIND 9.11.8</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.8-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           A race condition could trigger an assertion failure when
           a large number of incoming packets were being rejected.
           This flaw is disclosed in CVE-2019-6471. [GL #942]
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.7"></a>Notes for BIND 9.11.7</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.7-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
           option could be exceeded in some cases. This could lead to
           exhaustion of file descriptors. This flaw is disclosed in
           CVE-2018-5743. [GL #615]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.7-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<p>
           When <span class="command"><strong>trusted-keys</strong></span> and
           <span class="command"><strong>managed-keys</strong></span> are both configured for the
           same name, or when <span class="command"><strong>trusted-keys</strong></span> is used to
@@ -333,26 +881,23 @@
           <code class="literal">auto</code>, automatic RFC 5011 key
           rollovers will fail.
         </p>
-        <p>
+<p>
           This combination of settings was never intended to work,
           but there was no check for it in the parser. This has been
           corrected; a warning is now logged. (In BIND 9.15 and
           higher this error will be fatal.) [GL #868]
         </p>
-      </li></ul></div>
-  </div>
-
+</li></ul></div>
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.6"></a>Notes for BIND 9.11.6</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.6-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Code change #4964, intended to prevent double signatures
           when deleting an inactive zone DNSKEY in some situations,
           introduced a new problem during zone processing in which
@@ -363,134 +908,105 @@
           NSEC/NSEC3 chain, but incompletely -- this can result in
           a broken chain, affecting validation of proof of nonexistence
           for records in the zone. [GL #771]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
           security root with <span class="command"><strong>managed-keys</strong></span> and the
           authoritative zone rolled the key to an algorithm not supported
           by BIND 9.  This flaw is disclosed in CVE-2018-5745. [GL #780]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> leaked memory when processing a
           request with multiple Key Tag EDNS options present. ISC
           would like to thank Toshifumi Sakaguchi for bringing this
           to our attention.  This flaw is disclosed in CVE-2018-5744.
           [GL #772]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Zone transfer controls for writable DLZ zones were not
           effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
           not being called for such zones. This flaw is disclosed in
           CVE-2019-6465. [GL #790]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.6-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the
           <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when
           the standard output is not a tty (e.g. not used by human).  The command
           line options +idnin and +idnout need to be used to enable IDN
           processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span>
           is used from the shell scripts.
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
+</div>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.5"></a>Notes for BIND 9.11.5</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.5-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could crash during recursive processing
           of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
           in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.5-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Two new update policy rule types have been added
           <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
           which allow machines with Kerberos principals to update
           the name space at or below the machine names identified
           in the respective principals.
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.5-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
           between views of the same name but different class; this
           has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
           option. [GL #105]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.5-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           When a negative trust anchor was added to multiple views
           using <span class="command"><strong>rndc nta</strong></span>, the text returned via
           <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
           first line, making it appear that only one NTA had been
           added. This has been fixed. [GL #105]
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
+</div>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.4"></a>Notes for BIND 9.11.4</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
           and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
           should be limited to local networks, but they were inadvertently set
           to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
           remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
           mechanism. This enables validating resolvers to indicate
           which trust anchors are configured for the root, so that
@@ -498,16 +1014,15 @@
           To disable this feature, add
           <span class="command"><strong>root-key-sentinel no;</strong></span> to
           <code class="filename">named.conf</code>.
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           Added the ability not to return a DNS COOKIE option when one
           is present in the request.  To prevent a cookie being returned,
           add <span class="command"><strong>answer-cookie no;</strong></span> to
           <code class="filename">named.conf</code>. [GL #173]
         </p>
-        <p>
+<p>
           <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
           temporary measure, for use when <span class="command"><strong>named</strong></span>
           shares an IP address with other servers that do not yet
@@ -519,106 +1034,85 @@
           mechanism, and should not be disabled unless absolutely
           necessary.
         </p>
-      </li>
+</li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           <span class="command"><strong>named</strong></span> will now log a warning if the old
           BIND now can be compiled against libidn2 library to add
           IDNA2008 support.  Previously BIND only supported IDNA2003
           using (now obsolete) idnkit-1 library.
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
           processing on the input domain name, when BIND is compiled
           with IDN support.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
           supported.  The first <span class="command"><strong>cookie-secret</strong></span> in
           <code class="filename">named.conf</code> is used to generate new
           server cookies.  Any others are used to accept old server
           cookies or those generated by other servers using the
           matching <span class="command"><strong>cookie-secret</strong></span>.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.4-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> now rejects excessively large
           incremental (IXFR) zone transfers in order to prevent
           possible corruption of journal files which could cause
           <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc reload</strong></span> could cause <span class="command"><strong>named</strong></span>
           to leak memory if it was invoked before the zone loading actions
           from a previous <span class="command"><strong>rndc reload</strong></span> command were
           completed. [RT #47076]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.3"></a>Notes for BIND 9.11.3</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.3-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Addresses could be referenced after being freed during resolver
           processing, causing an assertion failure. The chances of this
           happening were remote, but the introduction of a delay in
           resolution increased them. This bug is disclosed in
           CVE-2017-3145. [RT #46839]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           update-policy rules that otherwise ignore the name field now
           require that it be set to "." to ensure that any type list
           present is properly interpreted.  If the name field was omitted
           from the rule declaration and a type list was present it wouldn't
           be interpreted as expected.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.3-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           The ISC DNSSEC Lookaside Validation (DLV) service has
           been shut down; all DLV records in the dlv.isc.org zone
           have been removed.  References to the service have been
@@ -628,24 +1122,19 @@
           Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
           <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
           anchor results in a warning being issued.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> will now log a warning if the old
           root DNSSEC key is explicitly configured and has not been updated.
           [RT #43670]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="proto_changes"></a>Protocol Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
           signing algorithms described in RFC 8080. Note, however, that
           these algorithms must be supported in OpenSSL;
@@ -654,25 +1143,20 @@
           <a class="link" href="https://github.com/openssl/openssl" target="_top">
             https://github.com/openssl/openssl</a>.
           [RT #44696]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When parsing DNS messages, EDNS KEY TAG options are checked
           for correctness. When printing messages (for example, in
           <span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
           in readable format.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.3-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> will no longer start or accept
           reconfiguration if <span class="command"><strong>managed-keys</strong></span> or
           <span class="command"><strong>dnssec-validation auto</strong></span> are in use and
@@ -680,280 +1164,216 @@
           <span class="command"><strong>managed-keys-directory</strong></span>, and defaulting
           to the working directory if not specified),
           is not writable by the effective user ID. [RT #46077]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
           updates from any source so long as they were signed by the
           locally-generated session key. This has been further restricted;
           updates are now only accepted from locally configured addresses.
           [RT #45492]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.3-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Attempting to validate improperly unsigned CNAME responses
           from secure zones could cause a validator loop. This caused
           a delay in returning SERVFAIL and also increased the chances
           of encountering the crash bug described in CVE-2017-3145.
           [RT #46839]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
           zones to load correctly could leave the system in an inconsistent
           state; while generally harmless, this could lead to a crash later
           when using <span class="command"><strong>rndc addzone</strong></span>.  Reconfiguration changes
           are now fully rolled back in the event of failure. [RT #45841]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Some header files included &lt;isc/util.h&gt; incorrectly as
           it pollutes with namespace with non ISC_ macros and this should
           only be done by explicitly including &lt;isc/util.h&gt;.  This
           has been corrected.  Some code may depend on &lt;isc/util.h&gt;
           being implicitly included via other header files.  Such
           code should explicitly include &lt;isc/util.h&gt;.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Zones created with <span class="command"><strong>rndc addzone</strong></span> could
           temporarily fail to inherit the <span class="command"><strong>allow-transfer</strong></span>
           ACL set in the <span class="command"><strong>options</strong></span> section of
           <code class="filename">named.conf</code>. [RT #46603]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> failed to properly determine whether
           there were active KSK and ZSK keys for an algorithm when
           <span class="command"><strong>update-check-ksk</strong></span> was true (which is the
           default setting). This could leave records unsigned
           when rolling keys. [RT #46743] [RT #46754] [RT #46774]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.2"></a>Notes for BIND 9.11.2</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.2-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           An error in TSIG handling could permit unauthorized zone
           transfers or zone updates. These flaws are disclosed in
           CVE-2017-3142 and CVE-2017-3143. [RT #45383]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The BIND installer on Windows used an unquoted service path,
           which can enable privilege escalation. This flaw is disclosed
           in CVE-2017-3141. [RT #45229]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           With certain RPZ configurations, a response with TTL 0
           could cause <span class="command"><strong>named</strong></span> to go into an infinite
           query loop. This flaw is disclosed in CVE-2017-3140.
           [RT #45181]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.2-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
           for EDNS options in addition to numeric values. For example,
           an EDNS Client-Subnet option could be sent using
           <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
           John Worley of Secure64 for the contribution. [RT #44461]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
           names to assist debugging on operating systems that support that.
           Threads will have names such as "isc-timer", "isc-sockmgr",
           "isc-worker0001", and so on. This will affect the reporting of
           subsidiary thread names in <span class="command"><strong>ps</strong></span> and
           <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           DiG now warns about .local queries which are reserved for
           Multicast DNS. [RT #44783]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.2-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Fixed a bug that was introduced in an earlier development
           release which caused multi-packet AXFR and IXFR messages to fail
           validation if not all packets contained TSIG records; this
           caused interoperability problems with some other DNS
           implementations. [RT #45509]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
           fail on some platforms when LMDB was in use. [RT #45203]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Due to some incorrectly deleted code, when BIND was
           built with LMDB, zones that were deleted via
           <span class="command"><strong>rndc delzone</strong></span> were removed from the
           running server but were not removed from the new zone
           database, so that deletion did not persist after a
           server restart. This has been corrected. [RT #45185]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Semicolons are no longer escaped when printing CAA and
           URI records.  This may break applications that depend on the
           presence of the backslash before the semicolon. [RT #45216]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           AD could be set on truncated answer with no records present
           in the answer and authority sections. [RT #45140]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.1"></a>Notes for BIND 9.11.1</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>rndc ""</strong></span> could trigger an assertion failure
           in <span class="command"><strong>named</strong></span>. This flaw is disclosed in
           (CVE-2017-3138). [RT #44924]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Some chaining (i.e., type CNAME or DNAME) responses to upstream
           queries could trigger assertion failures. This flaw is disclosed
           in CVE-2017-3137. [RT #44734]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
           can result in an assertion failure. This flaw is disclosed in
           CVE-2017-3136. [RT #44653]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           If a server is configured with a response policy zone (RPZ)
           that rewrites an answer with local data, and is also configured
           for DNS64 address mapping, a NULL pointer can be read
           triggering a server crash.  This flaw is disclosed in
           CVE-2017-3135. [RT #44434]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A coding error in the <code class="option">nxdomain-redirect</code>
           feature could lead to an assertion failure if the redirection
           namespace was served from a local authoritative data source
           such as a local zone or a DLZ instead of via recursive
           lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could mishandle authority sections
           with missing RRSIGs, triggering an assertion failure. This
           flaw is disclosed in CVE-2016-9444. [RT #43632]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> mishandled some responses where
           covering RRSIG records were returned without the requested
           data, resulting in an assertion failure. This flaw is
           disclosed in CVE-2016-9147. [RT #43548]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
           records which could trigger an assertion failure when there was
           a class mismatch. This flaw is disclosed in CVE-2016-9131.
           [RT #43522]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           It was possible to trigger assertions when processing
           responses containing answers of type DNAME. This flaw is
           disclosed in CVE-2016-8864. [RT #43465]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Added the ability to specify the maximum number of records
           permitted in a zone (<code class="option">max-records #;</code>).
           This provides a mechanism to block overly large zone
           transfers, which is a potential risk with slave zones from
           other parties, as described in CVE-2016-6170.
           [RT #42143]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
           addresses for all messages, instead of only the remote address.
           The default output format for <span class="command"><strong>dnstap-read</strong></span> has
@@ -961,104 +1381,79 @@
           address first and the responding address second, separated by
           "-%gt;" or "%lt;-" to indicate in which direction the message
           was sent. [RT #43595]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Expanded and improved the YAML output from
           <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
           size and a detailed breakdown of message contents.
           [RT #43622] [RT #43642]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           If an ACL is specified with an address prefix in which the
           prefix length is longer than the address portion (for example,
           192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
           In future releases this will be a fatal configuration error.
           [RT #43367]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           A synthesized CNAME record appearing in a response before the
           associated DNAME could be cached, when it should not have been.
           This was a regression introduced while addressing CVE-2016-8864.
           [RT #44318]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could deadlock if multiple changes
           to NSEC/NSEC3 parameters for the same zone were being processed
           at the same time. [RT #42770]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could trigger an assertion when
           sending NOTIFY messages. [RT #44019]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
           statement could cause an assertion failure during configuration.
           [RT #43787]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc addzone</strong></span> could cause a crash
           when attempting to add a zone with a type other than
           <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
           Such zones are now rejected. [RT #43665]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> could hang when encountering log
           file names with large apparent gaps in version number (for
           example, when files exist called "logfile.0", "logfile.1",
           and "logfile.1482954169").  This is now handled correctly.
           [RT #38688]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           If a zone was updated while <span class="command"><strong>named</strong></span> was
           processing a query for nonexistent data, it could return
           out-of-sync NSEC3 records causing potential DNSSEC validation
           failure. [RT #43247]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-maint"></a>Maintenance</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           The built-in root hints have been updated to include an
           IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
+        </p></li></ul></div>
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.1-misc"></a>Miscellaneous Notes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
           Authoritative server support for the EDNS Client Subnet option
           (ECS), introduced in BIND 9.11.0, was based on an early version
           of the specification, and is now known to have incompatibilities
@@ -1068,51 +1463,43 @@
           testing purposes but is not recommended for for production use.
           This was not made sufficiently clear in the documentation at
           the time of release.
-        </p>
-      </li></ul></div>
-  </div>
-
+        </p></li></ul></div>
 </div>
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.11.0"></a>Notes for BIND 9.11.0</h3></div></div></div>
-
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.0-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           It was possible to trigger a assertion when rendering a
           message using a specially crafted request. This flaw is
           disclosed in CVE-2016-2776. [RT #43139]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
          getrrsetbyname with a non absolute name could trigger an
          infinite recursion bug in lwresd and named with lwres
          configured if when combined with a search list entry the
          resulting name is too long.  This flaw is disclosed in
          CVE-2016-2775. [RT #42694]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.0-features"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
+<p>
           A new method of provisioning secondary servers called
           "Catalog Zones" has been added. This is an implementation of
           <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
             draft-muks-dnsop-dns-catalog-zones/
           </a>.
         </p>
-        <p>
+<p>
           A catalog zone is a regular DNS zone which contains a list
           of "member zones", along with the configuration options for
           each of those zones.  When a server is configured to use a
@@ -1125,32 +1512,30 @@
           propagated to slaves using the standard AXFR/IXFR update
           mechanism.
         </p>
-        <p>
+<p>
           This feature should be considered experimental. It currently
           supports only basic features; more advanced features such as
           ACLs and TSIG keys are not yet supported. Example catalog
           zone configurations can be found in the Chapter 9 of the
           BIND Administrator Reference Manual.
         </p>
-        <p>
+<p>
           Support for master entries with TSIG keys has been added to catalog
           zones, as well as support for allow-query and allow-transfer.
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
           <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           Added support for DynDB, a new interface for loading zone data
           from an external database, developed by Red Hat for the FreeIPA
           project.  (Thanks in particular to Adam Tkac and Petr
           Spacek of Red Hat for the contribution.)
         </p>
-        <p>
+<p>
           Unlike the existing DLZ and SDB interfaces, which provide a
           limited subset of database functionality within BIND -
           translating DNS queries into real-time database lookups with
@@ -1158,22 +1543,22 @@
           DNSSEC-signed data - DynDB is able to fully implement
           and extend the database API used natively by BIND.
         </p>
-        <p>
+<p>
           A DynDB module could pre-load data from an external data
           source, then serve it with the same performance and
           functionality as conventional BIND zones, and with the
           ability to take advantage of database features not
           available in BIND, such as multi-master replication.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           Fetch quotas are now compiled in by default: they
           no longer require BIND to be configured with
           <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
           when the feature was introduced in BIND 9.10.3.
         </p>
-        <p>
+<p>
           These quotas limit the queries that are sent by recursive
           resolvers to authoritative servers experiencing denial-of-service
           attacks. They can both reduce the harm done to authoritative
@@ -1181,9 +1566,8 @@
           experienced by recursive servers when they are being used as a
           vehicle for such an attack.
         </p>
-        <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem">
-            <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
+<li class="listitem"><p>
               <code class="option">fetches-per-server</code> limits the number of
               simultaneous queries that can be sent to any single
               authoritative server.  The configured value is a starting
@@ -1191,41 +1575,38 @@
               partially or completely non-responsive. The algorithm used to
               adjust the quota can be configured via the
               <code class="option">fetch-quota-params</code> option.
-            </p>
-          </li>
-<li class="listitem">
-            <p>
+            </p></li>
+<li class="listitem"><p>
               <code class="option">fetches-per-zone</code> limits the number of
               simultaneous queries that can be sent for names within a
               single domain.  (Note: Unlike "fetches-per-server", this
               value is not self-tuning.)
-            </p>
-          </li>
+            </p></li>
 </ul></div>
-        <p>
+<p>
           Statistics counters have also been added to track the number
           of queries affected by these quotas.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
           flexible method for capturing and logging DNS traffic,
           developed by Robert Edmonds at Farsight Security, Inc.,
           whose assistance is gratefully acknowledged.
         </p>
-        <p>
+<p>
           To enable <span class="command"><strong>dnstap</strong></span> at compile time,
           the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
           libraries must be available, and BIND must be configured with
           <code class="option">--enable-dnstap</code>.
         </p>
-        <p>
+<p>
           A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
           to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
           a human-readable format.
         </p>
-        <p>
+<p>
           <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
           output files to be rolled like log files -- the most recent output
           file is renamed with a <code class="filename">.0</code> suffix, the next
@@ -1235,18 +1616,18 @@
           argument specifies how many backup log files to retain; if not
           specified or set to 0, there is no limit.
         </p>
-        <p>
+<p>
           <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
           the <span class="command"><strong>dnstap</strong></span> output channel without renaming
           the output file.
         </p>
-        <p>
+<p>
           For more information on <span class="command"><strong>dnstap</strong></span>, see
           <a class="link" href="https://dnstap.info" target="_top">https://dnstap.info</a>.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           New statistics counters have been added to track traffic
           sizes, as specified in RSSAC002.  Query and response
           message sizes are broken up into ranges of histogram buckets:
@@ -1258,13 +1639,13 @@
           or
           <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
         </p>
-        <p>
+<p>
                 Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
                 rcode-volume reporting are now collected.
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           A new DNSSEC key management utility,
           <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
           is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
@@ -1278,25 +1659,24 @@
           the configured policy changes, keys are corrected automatically.
           See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
         </p>
-        <p>
+<p>
           Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
           the Python lex/yacc module, PLY. The other Python-based tools,
           <span class="command"><strong>dnssec-coverage</strong></span> and
           <span class="command"><strong>dnssec-checkds</strong></span>, have been
           refactored and updated as part of this work.
         </p>
-        <p>
+<p>
           <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
           <em class="replaceable"><code>randomfile</code></em> option.
         </p>
-        <p>
+<p>
           (Many thanks to Sebastián
           Castro for his assistance in developing this tool at the IETF
           95 Hackathon in Buenos Aires, April 2016.)
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           The serial number of a dynamically updatable zone can
           now be set using
           <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
@@ -1304,10 +1684,8 @@
           zones that have been reset.  Setting the serial number to a value
           larger than that on the slaves will trigger an AXFR-style
           transfer.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When answering recursive queries, SERVFAIL responses can now be
           cached by the server for a limited time; subsequent queries for
           the same query name and type will return another SERVFAIL until
@@ -1316,10 +1694,8 @@
           on recursive servers.  The SERVFAIL cache timeout is controlled
           by <code class="option">servfail-ttl</code>, which defaults to 1 second
           and has an upper limit of 30.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
           set a "negative trust anchor" (NTA), disabling DNSSEC validation for
           a specific domain; this can be used when responses from a domain
@@ -1331,112 +1707,80 @@
           <code class="filename">named.conf</code>. When added, NTAs are stored in a
           file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
           in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The EDNS Client Subnet (ECS) option is now supported for
           authoritative servers; if a query contains an ECS option then
           ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
           elements can match against the address encoded in the option.
           This can be used to select a view for a query, so that different
           answers can be provided depending on the client network.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The EDNS EXPIRE option has been implemented on the client
           side, allowing a slave server to set the expiration timer
           correctly when transferring zone data from another slave
           server.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A new <code class="option">masterfile-style</code> zone option controls
           the formatting of text zone files:  When set to
           <code class="literal">full</code>, the zone file will dumped in
           single-line-per-record format.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
           arbitrary EDNS options in DNS requests.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
           yet-to-be-defined EDNS flags in DNS requests.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
           disable EDNS version negotiation.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +header-only</strong></span> can now be used to send
           queries without a question section.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
           to print TTL values with time-unit suffixes: w, d, h, m, s for
           weeks, days, hours, minutes, and seconds.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
           unassigned DNS header flag bit.  This bit is normally zero.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
           can now be used to set the DSCP code point in outgoing query
           packets.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
           if mapped IPv4 addresses can be used.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>nslookup</strong></span> will now look up IPv6 as well
           as IPv4 addresses by default. [RT #40420]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <code class="option">serial-update-method</code> can now be set to
           <code class="literal">date</code>. On update, the serial number will
           be set to the current date in YYYYMMDDNN format.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
           number to YYYYMMDDNN.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
           causes <span class="command"><strong>named</strong></span> to send log messages to the
           specified file by default instead of to the system log.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The rate limiter configured by the
           <code class="option">serial-query-rate</code> option no longer covers
           NOTIFY messages; those are now separately controlled by
@@ -1444,31 +1788,23 @@
           <code class="option">startup-notify-rate</code> (the latter of which
           controls the rate of NOTIFY messages sent when the server
           is first started up or reconfigured).
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The default number of tasks and client objects available
           for serving lightweight resolver queries have been increased,
           and are now configurable via the new <code class="option">lwres-tasks</code>
           and <code class="option">lwres-clients</code> options in
           <code class="filename">named.conf</code>. [RT #35857]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Log output to files can now be buffered by specifying
           <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
           sending queries.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> will now check to see whether
           other name server processes are running before starting up.
           This is implemented in two ways: 1) by refusing to start
@@ -1480,10 +1816,8 @@
           <code class="filename">/var/run/named/named.lock</code>.
           Specifying <code class="literal">none</code> will disable the lock
           file check.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
           which were configured in <code class="filename">named.conf</code>;
           it is no longer restricted to zones which were added by
@@ -1491,22 +1825,17 @@
           this does not edit <code class="filename">named.conf</code>; the zone
           must be removed from the configuration or it will return
           when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
           a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>rndc showzone</strong></span> displays the current
           configuration for a specified zone.
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           When BIND is built with the <span class="command"><strong>lmdb</strong></span> library
           (Lightning Memory-Mapped Database), <span class="command"><strong>named</strong></span>
           will store the configuration information for zones
@@ -1518,70 +1847,61 @@
           the contents of a database is much faster than rewriting
           a text file.
         </p>
-        <p>
+<p>
           On startup, if <span class="command"><strong>named</strong></span> finds an existing
           NZF file, it will automatically convert it to the new NZD
           database format.
         </p>
-        <p>
+<p>
           To view the contents of an NZD, or to convert an
           NZD back to an NZF file (for example, to revert back
           to an earlier version of BIND which did not support the
           NZD format), use the new command <span class="command"><strong>named-nzd2nzf</strong></span>
           [RT #39837]
         </p>
-      </li>
+</li>
 <li class="listitem">
-        <p>
+<p>
           Added server-side support for pipelined TCP queries.  Clients
           may continue sending queries via TCP while previous queries are
           processed in parallel.  Responses are sent when they are
           ready, not necessarily in the order in which the queries were
           received.
         </p>
-        <p>
+<p>
           To revert to the former behavior for a particular
           client address or range of addresses, specify the address prefix
           in the "keep-response-order" option.  To revert to the former
           behavior for all clients, use "keep-response-order { any; };".
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           The new <span class="command"><strong>mdig</strong></span> command is a version of
           <span class="command"><strong>dig</strong></span> that sends multiple pipelined
           queries and then waits for responses, instead of sending one
           query and waiting the response before sending the next. [RT #38261]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           To enable better monitoring and troubleshooting of RFC 5011
           trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
           can be used to check status of trust anchors or to force keys
           to be refreshed.  Also, the managed-keys data file now has
           easier-to-read comments. [RT #38458]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
           now available to enable very verbose query trace logging. This
           option can only be set at compile time. This option has a
           negative performance impact and should be used only for
           debugging. [RT #37520]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A new <span class="command"><strong>tcp-only</strong></span> option can be specified
           in <span class="command"><strong>server</strong></span> statements to force
           <span class="command"><strong>named</strong></span> to connect to the specified
           server via TCP. [RT #37800]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
           a DNS namespace to use for NXDOMAIN redirection. When a
           recursive lookup returns NXDOMAIN, a second lookup is
@@ -1591,25 +1911,19 @@
           queries to other servers. (The older method, using
           a single <span class="command"><strong>type redirect</strong></span> zone, has
           better average performance but is less flexible.) [RT #37989]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The following types have been implemented: CSYNC, NINFO, RKEY,
           SINK, TA, TALINK.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A new <span class="command"><strong>message-compression</strong></span> option can be
           used to specify whether or not to use name compression when
           answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
           results in larger responses, but reduces CPU consumption and
           may improve throughput.  The default is <strong class="userinput"><code>yes</code></strong>.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A <span class="command"><strong>read-only</strong></span> option is now available in the
           <span class="command"><strong>controls</strong></span> statement to grant non-destructive
           control channel access. In such cases, a restricted set of
@@ -1618,28 +1932,22 @@
           reconfigure or stop the server. By default, the control channel
           access is <span class="emphasis"><em>not</em></span> restricted to these
           read-only operations. [RT #40498]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When loading a signed zone, <span class="command"><strong>named</strong></span> will
           now check whether an RRSIG's inception time is in the future,
           and if so, it will regenerate the RRSIG immediately. This helps
           when a system's clock needs to be reset backwards.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
           of answers to UDP queries for type ANY by implementing one of
           the strategies in "draft-ietf-dnsop-refuse-any": returning
           a single arbitrarily-selected RRset that matches the query
           name rather than returning all of the matching RRsets.
           Thanks to Tony Finch for the contribution. [RT #41615]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> now provides feedback to the
           owners of zones which have trust anchors configured
           (<span class="command"><strong>trusted-keys</strong></span>,
@@ -1649,61 +1957,50 @@
           configured trust anchors for the zone.  This is controlled
           by <span class="command"><strong>trust-anchor-telemetry</strong></span> and defaults
           to yes.
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.0-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
+<p>
           The logging format used for <span class="command"><strong>querylog</strong></span> has been
           altered. It now includes an additional field indicating the
           address in memory of the client object processing the query.
         </p>
-        <p>
+<p>
           The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
           to be disabled in 2017.  A warning is now logged when
           <span class="command"><strong>named</strong></span> is configured to use this service,
           either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
           [RT #42207]
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           The timers returned by the statistics channel (indicating current
           time, server boot time, and most recent reconfiguration time) are
           now reported with millisecond accuracy. [RT #40082]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Updated the compiled-in addresses for H.ROOT-SERVERS.NET
           and L.ROOT-SERVERS.NET.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
           not correctly matched unless the full organization name was
           specified in the ACL (as in
           <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
           They can now match against the AS number alone (as in
           <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When using native PKCS#11 cryptography (i.e.,
           <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
           of up to 256 characters can now be used.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           NXDOMAIN responses to queries of type DS are now cached separately
           from those for other types. This helps when using "grafted" zones
           of type forward, for which the parent zone does not contain a
@@ -1713,29 +2010,21 @@
           change is only helpful when DNSSEC validation is not enabled.
           "Grafted" zones without a delegation in the parent are not a
           recommended configuration.)
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Update forwarding performance has been improved by allowing
           a single TCP connection to be shared between multiple updates.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           By default, <span class="command"><strong>nsupdate</strong></span> will now check
           the correctness of hostnames when adding records of type
           A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
           disabled with <span class="command"><strong>check-names no</strong></span>.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Added support for OPENPGPKEY type.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The names of the files used to store managed keys and added
           zones for each view are no longer based on the SHA256 hash
           of the view name, except when this is necessary because the
@@ -1748,80 +2037,64 @@
           or <code class="filename">external.nzf</code>).  However, to ensure
           consistent behavior when upgrading, if a file using the old
           name format is found to exist, it will continue to be used.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           "rndc" can now return text output of arbitrary size to
           the caller. (Prior to this, certain commands such as
           "rndc tsig-list" and "rndc zonestatus" could return
           truncated output.)
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
           (e.g., when a zone file cannot be loaded) have been clarified
           to make it easier to diagnose problems.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When encountering an authoritative name server whose name is
           an alias pointing to another name, the resolver treats
           this as an error and skips to the next server. Previously
           this happened silently; now the error will be logged to
           the newly-created "cname" log category.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           If <span class="command"><strong>named</strong></span> is not configured to validate
           answers, then allow fallback to plain DNS on timeout even when
           we know the server supports EDNS.  This will allow the server to
           potentially resolve signed queries when TCP is being
           blocked.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Large inline-signing changes should be less disruptive.
           Signature generation is now done incrementally; the number
           of signatures to be generated in each quantum is controlled
           by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
           [RT #37927]
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           The experimental SIT option (code point 65001) of BIND
           9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
           option (code point 10). It is no longer experimental, and
           is sent by default, by both <span class="command"><strong>named</strong></span> and
           <span class="command"><strong>dig</strong></span>.
         </p>
-        <p>
+<p>
           The SIT-related named.conf options have been marked as
           obsolete, and are otherwise ignored.
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
           response or a BADCOOKIE response code from a server, it
           will automatically retry the query using the server COOKIE
           that was returned by the server in its initial response.
           [RT #39047]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Retrieving the local port range from net.ipv4.ip_local_port_range
           on Linux is now supported.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A new <code class="option">nsip-wait-recurse</code> directive has been
           added to RPZ, specifying whether to look up unknown name server
           IP addresses and wait for a response before applying RPZ-NSIP rules.
@@ -1832,129 +2105,102 @@
           be applied on subsequent queries. This improves performance when
           the cache is cold, at the cost of temporary imprecision in applying
           policy directives. [RT #35009]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Within the <code class="option">response-policy</code> option, it is now
           possible to configure RPZ rewrite logging on a per-zone basis
           using the <code class="option">log</code> clause.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           The default preferred glue is now the address type of the
           transport the query was received over.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           On machines with 2 or more processors (CPU), the default value
           for the number of UDP listeners has been changed to the number
           of detected processors minus one.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Zone transfers now use smaller message sizes to improve
           message compression. This results in reduced network usage.
-        </p>
-      </li>
+        </p></li>
 <li class="listitem">
-        <p>
+<p>
           Added support for the AVC resource record type (Application
           Visibility and Control).
         </p>
-        <p>
+<p>
           Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
           added zones are loaded asynchronously and the loading does not
           block the server.
         </p>
-      </li>
-<li class="listitem">
-        <p>
+</li>
+<li class="listitem"><p>
           <span class="command"><strong>minimal-responses</strong></span> now takes two new
           arguments: <code class="option">no-auth</code> suppresses
           populating the authority section but not the additional
           section; <code class="option">no-auth-recursive</code>
           does the same but only when answering recursive queries.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           At server startup time, the queues for processing
           notify and zone refresh queries are now processed in
           LIFO rather than FIFO order, to speed up
           loading of newly added zones. [RT #42825]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           When answering queries of type MX or SRV, TLSA records for
           the target name are now included in the additional section
           to speed up DANE processing. [RT #42894]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           <span class="command"><strong>named</strong></span> can now use the TCP Fast Open
           mechanism on the server side, if supported by the
           local operating system. [RT #42866]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="relnotes-9.11.0-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
           Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
           Windows builds: some Visual Studio compilers generate code that
           crashes when the "%z" printf() format specifier is used. [RT #42380]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           Windows installs were failing due to triggering UAC without
           the installation binary being signed.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
+        </p></li>
+<li class="listitem"><p>
           A change in the internal binary representation of the RBT database
           node structure enabled a race condition to occur (especially when
           BIND was built with certain compilers or optimizer settings),
           leading to inconsistent database state which caused random
           assertion failures. [RT #42380]
-        </p>
-      </li>
+        </p></li>
 </ul></div>
-  </div>
-
 </div>
-
-  <div class="section">
+</div>
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
-  <p>
+<p>
     BIND 9.11 (Extended Support Version) will be supported until at
     least December, 2021.
   </p>
-  <p>
+<p>
     See <a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
     for details of ISC's software support policy.
   </p>
 </div>
-  <div class="section">
+<div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
-  <p>
+<p>
     Thank you to everyone who assisted us in making this release possible.
   </p>
 </div>
-</div>
-</div></body>
+</div></div></body>
 </html>
diff --git a/bind/bind9/doc/arm/notes.pdf b/bind/bind9/doc/arm/notes.pdf
index b073f88c..3bf4d7d3 100644
--- a/bind/bind9/doc/arm/notes.pdf
+++ b/bind/bind9/doc/arm/notes.pdf
diff --git a/bind/bind9/doc/arm/notes.txt b/bind/bind9/doc/arm/notes.txt
index 00a84048..95a28a23 100644
--- a/bind/bind9/doc/arm/notes.txt
+++ b/bind/bind9/doc/arm/notes.txt
@@ -1,4 +1,4 @@
-Release Notes for BIND Version 9.11.15
+Release Notes for BIND Version 9.11.36
 
 Introduction
 
@@ -36,34 +36,411 @@ Those unsure whether or not the license change affects their use of BIND,
 or who wish to discuss how to comply with the license may contact ISC at
 https://www.isc.org/mission/contact/.
 
+Notes for BIND 9.11.36
+
+Security Fixes
+
+  • The lame-ttl option controls how long named caches certain types of
+    broken responses from authoritative servers (see the security advisory
+    for details). This caching mechanism could be abused by an attacker to
+    significantly degrade resolver performance. The vulnerability has been
+    mitigated by changing the default value of lame-ttl to 0 and
+    overriding any explicitly set value with 0, effectively disabling this
+    mechanism altogether. ISC's testing has determined that doing that has
+    a negligible impact on resolver performance while also preventing
+    abuse. Administrators may observe more traffic towards servers issuing
+    certain types of broken responses than in previous BIND 9 releases,
+    depending on client query patterns. (CVE-2021-25219)
+
+    ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
+    bringing this vulnerability to our attention. [GL #2899]
+
+Notes for BIND 9.11.35
+
+Security Fixes
+
+  • named failed to check the opcode of responses when performing zone
+    refreshes, stub zone updates, and UPDATE forwarding. This could lead
+    to an assertion failure under certain conditions and has been
+    addressed by rejecting responses whose opcode does not match the
+    expected value. [GL #2762]
+
+Notes for BIND 9.11.34
+
+This maintenance release of BIND 9.11 contains no significant changes,
+although some minor updates have been made (for example, to fix build
+issues on Solaris 11).
+
+Notes for BIND 9.11.33
+
+This maintenance release of BIND 9.11 contains no significant changes,
+although some minor updates have been made (for example, to eliminate
+compiler warnings emitted by GCC 11).
+
+Notes for BIND 9.11.32
+
+Feature Changes
+
+  • DNSSEC responses containing NSEC3 records with iteration counts
+    greater than 150 are now treated as insecure. [GL #2445]
+
+  • The maximum supported number of NSEC3 iterations that can be
+    configured for a zone has been reduced to 150. [GL #2642]
+
+  • The implementation of the ZONEMD RR type has been updated to match RFC
+    8976. [GL #2658]
+
+Notes for BIND 9.11.31
+
+Security Fixes
+
+  • A malformed incoming IXFR transfer could trigger an assertion failure
+    in named, causing it to quit abnormally. (CVE-2021-25214)
+
+    ISC would like to thank Greg Kuechle of SaskTel for bringing this
+    vulnerability to our attention. [GL #2467]
+
+  • named crashed when a DNAME record placed in the ANSWER section during
+    DNAME chasing turned out to be the final answer to a client query.
+    (CVE-2021-25215)
+
+    ISC would like to thank Siva Kakarla for bringing this vulnerability
+    to our attention. [GL #2540]
+
+  • When a server's configuration set the tkey-gssapi-keytab or
+    tkey-gssapi-credential option, a specially crafted GSS-TSIG query
+    could cause a buffer overflow in the ISC implementation of SPNEGO (a
+    protocol enabling negotiation of the security mechanism used for
+    GSSAPI authentication). This flaw could be exploited to crash named
+    binaries compiled for 64-bit platforms, and could enable remote code
+    execution when named was compiled for 32-bit platforms.
+    (CVE-2021-25216)
+
+    This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
+    Zero Day Initiative. [GL #2604]
+
+Feature Changes
+
+  • The ISC implementation of SPNEGO was removed from BIND 9 source code.
+    Instead, BIND 9 now always uses the SPNEGO implementation provided by
+    the system GSSAPI library when it is built with GSSAPI support. All
+    major contemporary Kerberos/GSSAPI libraries contain an implementation
+    of the SPNEGO mechanism. [GL #2607]
+
+Notes for BIND 9.11.30
+
+The BIND 9.11.30 release was withdrawn after a backporting bug was
+discovered during pre-release testing. ISC would like to acknowledge the
+assistance of Natan Segal of Bluecat Networks.
+
+Notes for BIND 9.11.29
+
+Bug Fixes
+
+  • An invalid direction field (not one of N, S, E, W) in a LOC record
+    resulted in an INSIST failure when a zone file containing such a
+    record was loaded. [GL #2499]
+
+Notes for BIND 9.11.28
+
+Security Fixes
+
+  • When tkey-gssapi-keytab or tkey-gssapi-credential was configured, a
+    specially crafted GSS-TSIG query could cause a buffer overflow in the
+    ISC implementation of SPNEGO (a protocol enabling negotiation of the
+    security mechanism to use for GSSAPI authentication). This flaw could
+    be exploited to crash named. Theoretically, it also enabled remote
+    code execution, but achieving the latter is very difficult in
+    real-world conditions. (CVE-2020-8625)
+
+    This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+    Trend Micro Zero Day Initiative. [GL #2354]
+
+Notes for BIND 9.11.27
+
+Bug Fixes
+
+  • Multiple threads could attempt to destroy a single RBTDB instance at
+    the same time, resulting in an unpredictable but low-probability
+    assertion failure in free_rbtdb(). This has been fixed. [GL #2317]
+
+Notes for BIND 9.11.26
+
+Feature Changes
+
+  • The default value of max-recursion-queries was increased from 75 to
+    100. Since the queries sent towards root and TLD servers are now
+    included in the count (as a result of the fix for CVE-2020-8616),
+    max-recursion-queries has a higher chance of being exceeded by
+    non-attack queries, which is the main reason for increasing its
+    default value. [GL #2305]
+
+  • The default value of nocookie-udp-size was restored back to 4096
+    bytes. Since max-udp-size is the upper bound for nocookie-udp-size,
+    this change relieves the operator from having to change
+    nocookie-udp-size together with max-udp-size in order to increase the
+    default EDNS buffer size limit. nocookie-udp-size can still be set to
+    a value lower than max-udp-size, if desired. [GL #2250]
+
+Bug Fixes
+
+  • Handling of missing DNS COOKIE responses over UDP was tightened by
+    falling back to TCP. [GL #2275]
+
+  • The CNAME synthesized from a DNAME was incorrectly followed when the
+    QTYPE was CNAME or ANY. [GL #2280]
+
+  • Building with native PKCS#11 support for AEP Keyper has been broken
+    since BIND 9.11.22. This has been fixed. [GL #2315]
+
+Notes for BIND 9.11.25
+
+Bug Fixes
+
+  • named acting as a resolver could incorrectly treat signed zones with
+    no DS record at the parent as bogus. Such zones should be treated as
+    insecure. This has been fixed. [GL #2236]
+
+  • After a Negative Trust Anchor (NTA) is added, BIND performs periodic
+    checks to see if it is still necessary. If BIND encountered a failure
+    while creating a query to perform such a check, it attempted to
+    dereference a NULL pointer, resulting in a crash. [GL #2244]
+
+  • A problem obtaining glue records could prevent a stub zone from
+    functioning properly, if the authoritative server for the zone were
+    configured for minimal responses. [GL #1736]
+
+Notes for BIND 9.11.24
+
+Feature Changes
+
+  • DNS Flag Day 2020: The default EDNS buffer size has been changed from
+    4096 to 1232 bytes. According to measurements done by multiple
+    parties, this should not cause any operational problems as most of the
+    Internet "core" is able to cope with IP message sizes between
+    1400-1500 bytes; the 1232 size was picked as a conservative minimal
+    number that could be changed by the DNS operator to an estimated path
+    MTU minus the estimated header space. In practice, the smallest MTU
+    witnessed in the operational DNS community is 1500 octets, the maximum
+    Ethernet payload size, so a useful default for maximum DNS/UDP payload
+    size on reliable networks would be 1400 bytes. [GL #2183]
+
+Bug Fixes
+
+  • named reported an invalid memory size when running in an environment
+    that did not properly report the number of available memory pages and/
+    or the size of each memory page. [GL #2166]
+
+  • With multiple forwarders configured, named could fail the REQUIRE
+    (msg->state == (-1)) assertion in lib/dns/message.c, causing it to
+    crash. This has been fixed. [GL #2124]
+
+Notes for BIND 9.11.23
+
+Bug Fixes
+
+  • Parsing of LOC records was made more strict by rejecting a sole period
+    (.) and/or m as a value. These changes prevent zone files using such
+    values from being loaded. Handling of negative altitudes which are not
+    integers was also corrected. [GL #2074]
+
+  • Several problems found by OSS-Fuzz were fixed. (None of these are
+    security issues.) [GL !3953] [GL !3975]
+
+Notes for BIND 9.11.22
+
+Security Fixes
+
+  • It was possible to trigger an assertion failure when verifying the
+    response to a TSIG-signed request. This was disclosed in
+    CVE-2020-8622.
+
+    ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
+    of Oracle for bringing this vulnerability to our attention. [GL #2028]
+
+  • When BIND 9 was compiled with native PKCS#11 support, it was possible
+    to trigger an assertion failure in code determining the number of bits
+    in the PKCS#11 RSA public key with a specially crafted packet. This
+    was disclosed in CVE-2020-8623.
+
+    ISC would like to thank Lyu Chiy for bringing this vulnerability to
+    our attention. [GL #2037]
+
+  • update-policy rules of type subdomain were incorrectly treated as
+    zonesub rules, which allowed keys used in subdomain rules to update
+    names outside of the specified subdomains. The problem was fixed by
+    making sure subdomain rules are again processed as described in the
+    ARM. This was disclosed in CVE-2020-8624.
+
+    ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+    vulnerability to our attention. [GL #2055]
+
+Bug Fixes
+
+  • Wildcard RPZ passthru rules could incorrectly be overridden by other
+    rules that were loaded from RPZ zones which appeared later in the
+    response-policy statement. This has been fixed. [GL #1619]
+
+  • LMDB locking code was revised to make rndc reconfig work properly on
+    FreeBSD and with LMDB >= 0.9.26. [GL #1976]
+
+Notes for BIND 9.11.21
+
+Bug Fixes
+
+  • named could crash when cleaning dead nodes in lib/dns/rbtdb.c that
+    were being reused. [GL #1968]
+
+  • Properly handle missing kyua command so that make check does not fail
+    unexpectedly when CMocka is installed, but Kyua is not. [GL #1950]
+
+  • The validator could fail to accept a properly signed RRset if an
+    unsupported algorithm appeared earlier in the DNSKEY RRset than a
+    supported algorithm. It could also stop if it detected a malformed
+    public key. [GL #1689]
+
+Notes for BIND 9.11.20
+
+Security Fixes
+
+  • It was possible to trigger an INSIST failure when a zone with an
+    interior wildcard label was queried in a certain pattern. This was
+    disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
+
+New Features
+
+  • dig and other tools can now print the Extended DNS Error (EDE) option
+    when it appears in a request or a response. [GL #1835]
+
+Bug Fixes
+
+  • When fully updating the NSEC3 chain for a large zone via IXFR, a
+    temporary loss of performance could be experienced on the secondary
+    server when answering queries for nonexistent data that required
+    DNSSEC proof of non-existence (in other words, queries that required
+    the server to find and to return NSEC3 data). The unnecessary
+    processing step that was causing this delay has now been removed. [GL
+    #1834]
+
+  • A data race in lib/dns/resolver.c:log_formerr() that could lead to an
+    assertion failure was fixed. [GL #1808]
+
+  • Previously, provide-ixfr no; failed to return up-to-date responses
+    when the serial number was greater than or equal to the current serial
+    number. [GL #1714]
+
+  • named-checkconf -p could include spurious text in server-addresses
+    statements due to an uninitialized DSCP value. This has been fixed.
+    [GL #1812]
+
+  • The ARM has been updated to indicate that the TSIG session key is
+    generated when named starts, regardless of whether it is needed. [GL
+    #1842]
+
+Notes for BIND 9.11.19
+
+Security Fixes
+
+  • To prevent exhaustion of server resources by a maliciously configured
+    domain, the number of recursive queries that can be triggered by a
+    request before aborting recursion has been further limited. Root and
+    top-level domain servers are no longer exempt from the
+    max-recursion-queries limit. Fetches for missing name server address
+    records are limited to 4 for any domain. This issue was disclosed in
+    CVE-2020-8616. [GL #1388]
+
+  • Replaying a TSIG BADTIME response as a request could trigger an
+    assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
+
+Feature Changes
+
+  • Message IDs in inbound AXFR transfers are now checked for consistency.
+    Log messages are emitted for streams with inconsistent message IDs.
+    [GL #1674]
+
+Bug Fixes
+
+  • When running on a system with support for Linux capabilities, named
+    drops root privileges very soon after system startup. This was causing
+    a spurious log message, "unable to set effective uid to 0: Operation
+    not permitted", which has now been silenced. [GL #1042] [GL #1090]
+
+  • When named-checkconf -z was run, it would sometimes incorrectly set
+    its exit code. It reflected the status of the last view found; if
+    zone-loading errors were found in earlier configured views but not in
+    the last one, the exit code indicated success. Thanks to Graham
+    Clinch. [GL #1807]
+
+  • When built without LMDB support, named failed to restart after a zone
+    with a double quote (") in its name was added with rndc addzone.
+    Thanks to Alberto Fernández. [GL #1695]
+
+Notes for BIND 9.11.18
+
+Security Fixes
+
+  • DNS rebinding protection was ineffective when BIND 9 is configured as
+    a forwarding DNS server. Found and responsibly reported by Tobias
+    Klein. [GL #1574]
+
+Known Issues
+
+  • We have received reports that in some circumstances, receipt of an
+    IXFR can cause the processing of queries to slow significantly. Some
+    of these are related to RPZ processing, others appear to occur where
+    there are NSEC3-related changes (such as an operator changing the
+    NSEC3 salt used in the hash calculation). These are being
+    investigated. [GL #1685]
+
+Notes for BIND 9.11.17
+
+Feature Changes
+
+  • The configure option --with-libxml2 now uses pkg-config to detect
+    libxml2 library availability. You will either have to install
+    pkg-config or specify the exact path where libxml2 has been installed
+    on your system. [GL #1635]
+
+Bug Fixes
+
+  • Fixed re-signing issues with inline zones which resulted in records
+    being re-signed late or not at all.
+
+Notes for BIND 9.11.16
+
+Bug Fixes
+
+  • named crashed when it was queried for a nonexistent name in the CHAOS
+    class. [GL #1540]
+
 Notes for BIND 9.11.15
 
 Bug Fixes
 
-  * Fixed a GeoIP2 lookup bug which was triggered when certain
+  • Fixed a GeoIP2 lookup bug which was triggered when certain
     libmaxminddb versions were used. [GL #1552]
 
-  * Fixed several possible race conditions discovered by ThreadSanitizer.
+  • Fixed several possible race conditions discovered by ThreadSanitizer.
 
 Notes for BIND 9.11.14
 
 Bug Fixes
 
-  * Fixed a bug that caused named to leak memory on reconfiguration when
+  • Fixed a bug that caused named to leak memory on reconfiguration when
     any GeoIP2 database was in use. [GL #1445]
 
-  * Fixed several possible race conditions discovered by ThreadSanitizer.
+  • Fixed several possible race conditions discovered by ThreadSanitizer.
 
 Notes for BIND 9.11.13
 
 Security Fixes
 
-  * Set a limit on the number of concurrently served pipelined TCP
+  • Set a limit on the number of concurrently served pipelined TCP
     queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
 
 New Features
 
-  * Added a new statistics variable tcp-highwater that reports the maximum
+  • Added a new statistics variable tcp-highwater that reports the maximum
     number of simultaneous TCP clients BIND has handled while running. [GL
     #1206]
 
@@ -79,7 +456,7 @@ Notes for BIND 9.11.10
 
 New Features
 
-  * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+  • A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
     [GL #605]
 
     If you are running multiple DNS Servers (different versions of BIND 9
@@ -88,32 +465,32 @@ New Features
     sure that all the servers are configured with the same DNS Cookie
     algorithm and same Server Secret for the best performance.
 
-  * DS records included in DNS referral messages can now be validated and
+  • DS records included in DNS referral messages can now be validated and
     cached immediately, reducing the number of queries needed for a DNSSEC
     validation. [GL #964]
 
 Bug Fixes
 
-  * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
+  • Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
     unexpected results; this has been fixed. [GL #1106]
 
-  * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
+  • named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
     zero. [GL #1159]
 
-  * named-checkconf could crash during configuration if configured to use
+  • named-checkconf could crash during configuration if configured to use
     "geoip continent" ACLs with legacy GeoIP. [GL #1163]
 
-  * named-checkconf now correctly reports a missing dnstap-output option
+  • named-checkconf now correctly reports a missing dnstap-output option
     when dnstap is set. [GL #1136]
 
-  * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
-    1133]
+  • Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL
+    #1133]
 
 Notes for BIND 9.11.9
 
 New Features
 
-  * The new GeoIP2 API from MaxMind is now supported when BIND is compiled
+  • The new GeoIP2 API from MaxMind is now supported when BIND is compiled
     using configure --with-geoip2. The legacy GeoIP API can be used by
     compiling with configure --with-geoip instead. (Note that the
     databases for the legacy API are no longer maintained by MaxMind.)
@@ -132,14 +509,14 @@ New Features
 
 Bug Fixes
 
-  * Glue address records were not being returned in responses to root
+  • Glue address records were not being returned in responses to root
     priming queries; this has been corrected. [GL #1092]
 
 Notes for BIND 9.11.8
 
 Security Fixes
 
-  * A race condition could trigger an assertion failure when a large
+  • A race condition could trigger an assertion failure when a large
     number of incoming packets were being rejected. This flaw is disclosed
     in CVE-2019-6471. [GL #942]
 
@@ -147,27 +524,27 @@ Notes for BIND 9.11.7
 
 Security Fixes
 
-  * The TCP client quota set using the tcp-clients option could be
+  • The TCP client quota set using the tcp-clients option could be
     exceeded in some cases. This could lead to exhaustion of file
     descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
 
 Feature Changes
 
-  * When trusted-keys and managed-keys are both configured for the same
+  • When trusted-keys and managed-keys are both configured for the same
     name, or when trusted-keys is used to configure a trust anchor for the
     root zone and dnssec-validation is set to auto, automatic RFC 5011 key
     rollovers will fail.
 
     This combination of settings was never intended to work, but there was
     no check for it in the parser. This has been corrected; a warning is
-    now logged. (In BIND 9.15 and higher this error will be fatal.) [GL #
-    868]
+    now logged. (In BIND 9.15 and higher this error will be fatal.) [GL
+    #868]
 
 Notes for BIND 9.11.6
 
 Security Fixes
 
-  * Code change #4964, intended to prevent double signatures when deleting
+  • Code change #4964, intended to prevent double signatures when deleting
     an inactive zone DNSKEY in some situations, introduced a new problem
     during zone processing in which some delegation glue RRsets are
     incorrectly identified as needing RRSIGs, which are then created for
@@ -177,23 +554,23 @@ Security Fixes
     affecting validation of proof of nonexistence for records in the zone.
     [GL #771]
 
-  * named could crash if it managed a DNSSEC security root with
+  • named could crash if it managed a DNSSEC security root with
     managed-keys and the authoritative zone rolled the key to an algorithm
     not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL
     #780]
 
-  * named leaked memory when processing a request with multiple Key Tag
+  • named leaked memory when processing a request with multiple Key Tag
     EDNS options present. ISC would like to thank Toshifumi Sakaguchi for
     bringing this to our attention. This flaw is disclosed in
     CVE-2018-5744. [GL #772]
 
-  * Zone transfer controls for writable DLZ zones were not effective as
+  • Zone transfer controls for writable DLZ zones were not effective as
     the allowzonexfr method was not being called for such zones. This flaw
     is disclosed in CVE-2019-6465. [GL #790]
 
 Feature Changes
 
-  * When compiled with IDN support, the dig and the nslookup commands now
+  • When compiled with IDN support, the dig and the nslookup commands now
     disable IDN processing when the standard output is not a tty (e.g. not
     used by human). The command line options +idnin and +idnout need to be
     used to enable IDN processing when dig or nslookup is used from the
@@ -203,26 +580,26 @@ Notes for BIND 9.11.5
 
 Security Fixes
 
-  * named could crash during recursive processing of DNAME records when
+  • named could crash during recursive processing of DNAME records when
     deny-answer-aliases was in use. This flaw is disclosed in
     CVE-2018-5740. [GL #387]
 
 New Features
 
-  * Two new update policy rule types have been added krb5-selfsub and
+  • Two new update policy rule types have been added krb5-selfsub and
     ms-selfsub which allow machines with Kerberos principals to update the
     name space at or below the machine names identified in the respective
     principals.
 
 Feature Changes
 
-  * The rndc nta command could not differentiate between views of the same
+  • The rndc nta command could not differentiate between views of the same
     name but different class; this has been corrected with the addition of
     a -class option. [GL #105]
 
 Bug Fixes
 
-  * When a negative trust anchor was added to multiple views using rndc
+  • When a negative trust anchor was added to multiple views using rndc
     nta, the text returned via rndc was incorrectly truncated after the
     first line, making it appear that only one NTA had been added. This
     has been fixed. [GL #105]
@@ -231,7 +608,7 @@ Notes for BIND 9.11.4
 
 Security Fixes
 
-  * When recursion is enabled but the allow-recursion and
+  • When recursion is enabled but the allow-recursion and
     allow-query-cache ACLs are not specified, they should be limited to
     local networks, but they were inadvertently set to match the default
     allow-query, thus allowing remote queries. This flaw is disclosed in
@@ -239,13 +616,13 @@ Security Fixes
 
 New Features
 
-  * named now supports the "root key sentinel" mechanism. This enables
+  • named now supports the "root key sentinel" mechanism. This enables
     validating resolvers to indicate which trust anchors are configured
     for the root, so that information about root key rollover status can
     be gathered. To disable this feature, add root-key-sentinel no; to
     named.conf.
 
-  * Added the ability not to return a DNS COOKIE option when one is
+  • Added the ability not to return a DNS COOKIE option when one is
     present in the request. To prevent a cookie being returned, add
     answer-cookie no; to named.conf. [GL #173]
 
@@ -260,27 +637,27 @@ New Features
 
 Removed Features
 
-  * named will now log a warning if the old BIND now can be compiled
+  • named will now log a warning if the old BIND now can be compiled
     against libidn2 library to add IDNA2008 support. Previously BIND only
     supported IDNA2003 using (now obsolete) idnkit-1 library.
 
 Feature Changes
 
-  * dig +noidnin can be used to disable IDN processing on the input domain
+  • dig +noidnin can be used to disable IDN processing on the input domain
     name, when BIND is compiled with IDN support.
 
-  * Multiple cookie-secret clause are now supported. The first
+  • Multiple cookie-secret clause are now supported. The first
     cookie-secret in named.conf is used to generate new server cookies.
     Any others are used to accept old server cookies or those generated by
     other servers using the matching cookie-secret.
 
 Bug Fixes
 
-  * named now rejects excessively large incremental (IXFR) zone transfers
+  • named now rejects excessively large incremental (IXFR) zone transfers
     in order to prevent possible corruption of journal files which could
     cause named to abort when loading zones. [GL #339]
 
-  * rndc reload could cause named to leak memory if it was invoked before
+  • rndc reload could cause named to leak memory if it was invoked before
     the zone loading actions from a previous rndc reload command were
     completed. [RT #47076]
 
@@ -288,77 +665,77 @@ Notes for BIND 9.11.3
 
 Security Fixes
 
-  * Addresses could be referenced after being freed during resolver
+  • Addresses could be referenced after being freed during resolver
     processing, causing an assertion failure. The chances of this
     happening were remote, but the introduction of a delay in resolution
     increased them. This bug is disclosed in CVE-2017-3145. [RT #46839]
 
-  * update-policy rules that otherwise ignore the name field now require
+  • update-policy rules that otherwise ignore the name field now require
     that it be set to "." to ensure that any type list present is properly
     interpreted. If the name field was omitted from the rule declaration
     and a type list was present it wouldn't be interpreted as expected.
 
 Removed Features
 
-  * The ISC DNSSEC Lookaside Validation (DLV) service has been shut down;
+  • The ISC DNSSEC Lookaside Validation (DLV) service has been shut down;
     all DLV records in the dlv.isc.org zone have been removed. References
     to the service have been removed from BIND documentation. Lookaside
     validation is no longer used by default by delv. The DLV key has been
     removed from bind.keys. Setting dnssec-lookaside to auto or to use
     dlv.isc.org as a trust anchor results in a warning being issued.
 
-  * named will now log a warning if the old root DNSSEC key is explicitly
+  • named will now log a warning if the old root DNSSEC key is explicitly
     configured and has not been updated. [RT #43670]
 
 Protocol Changes
 
-  * BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC signing
+  • BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC signing
     algorithms described in RFC 8080. Note, however, that these algorithms
     must be supported in OpenSSL; currently they are only available in the
     development branch of OpenSSL at https://github.com/openssl/openssl.
     [RT #44696]
 
-  * When parsing DNS messages, EDNS KEY TAG options are checked for
+  • When parsing DNS messages, EDNS KEY TAG options are checked for
     correctness. When printing messages (for example, in dig), EDNS KEY
     TAG options are printed in readable format.
 
 Feature Changes
 
-  * named will no longer start or accept reconfiguration if managed-keys
+  • named will no longer start or accept reconfiguration if managed-keys
     or dnssec-validation auto are in use and the managed-keys directory
     (specified by managed-keys-directory, and defaulting to the working
     directory if not specified), is not writable by the effective user ID.
     [RT #46077]
 
-  * Previously, update-policy local; accepted updates from any source so
+  • Previously, update-policy local; accepted updates from any source so
     long as they were signed by the locally-generated session key. This
     has been further restricted; updates are now only accepted from
     locally configured addresses. [RT #45492]
 
 Bug Fixes
 
-  * Attempting to validate improperly unsigned CNAME responses from secure
+  • Attempting to validate improperly unsigned CNAME responses from secure
     zones could cause a validator loop. This caused a delay in returning
     SERVFAIL and also increased the chances of encountering the crash bug
     described in CVE-2017-3145. [RT #46839]
 
-  * When named was reconfigured, failure of some zones to load correctly
+  • When named was reconfigured, failure of some zones to load correctly
     could leave the system in an inconsistent state; while generally
     harmless, this could lead to a crash later when using rndc addzone.
     Reconfiguration changes are now fully rolled back in the event of
     failure. [RT #45841]
 
-  * Some header files included <isc/util.h> incorrectly as it pollutes
+  • Some header files included <isc/util.h> incorrectly as it pollutes
     with namespace with non ISC_ macros and this should only be done by
     explicitly including <isc/util.h>. This has been corrected. Some code
     may depend on <isc/util.h> being implicitly included via other header
     files. Such code should explicitly include <isc/util.h>.
 
-  * Zones created with rndc addzone could temporarily fail to inherit the
-    allow-transfer ACL set in the options section of named.conf. [RT #
-    46603]
+  • Zones created with rndc addzone could temporarily fail to inherit the
+    allow-transfer ACL set in the options section of named.conf. [RT
+    #46603]
 
-  * named failed to properly determine whether there were active KSK and
+  • named failed to properly determine whether there were active KSK and
     ZSK keys for an algorithm when update-check-ksk was true (which is the
     default setting). This could leave records unsigned when rolling keys.
     [RT #46743] [RT #46754] [RT #46774]
@@ -367,157 +744,157 @@ Notes for BIND 9.11.2
 
 Security Fixes
 
-  * An error in TSIG handling could permit unauthorized zone transfers or
+  • An error in TSIG handling could permit unauthorized zone transfers or
     zone updates. These flaws are disclosed in CVE-2017-3142 and
     CVE-2017-3143. [RT #45383]
 
-  * The BIND installer on Windows used an unquoted service path, which can
+  • The BIND installer on Windows used an unquoted service path, which can
     enable privilege escalation. This flaw is disclosed in CVE-2017-3141.
     [RT #45229]
 
-  * With certain RPZ configurations, a response with TTL 0 could cause
+  • With certain RPZ configurations, a response with TTL 0 could cause
     named to go into an infinite query loop. This flaw is disclosed in
     CVE-2017-3140. [RT #45181]
 
 Feature Changes
 
-  * dig +ednsopt now accepts the names for EDNS options in addition to
+  • dig +ednsopt now accepts the names for EDNS options in addition to
     numeric values. For example, an EDNS Client-Subnet option could be
     sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64 for
     the contribution. [RT #44461]
 
-  * Threads in named are now set to human-readable names to assist
+  • Threads in named are now set to human-readable names to assist
     debugging on operating systems that support that. Threads will have
     names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so on.
     This will affect the reporting of subsidiary thread names in ps and
     top, but not the main thread. [RT #43234]
 
-  * DiG now warns about .local queries which are reserved for Multicast
+  • DiG now warns about .local queries which are reserved for Multicast
     DNS. [RT #44783]
 
 Bug Fixes
 
-  * Fixed a bug that was introduced in an earlier development release
+  • Fixed a bug that was introduced in an earlier development release
     which caused multi-packet AXFR and IXFR messages to fail validation if
     not all packets contained TSIG records; this caused interoperability
     problems with some other DNS implementations. [RT #45509]
 
-  * Reloading or reconfiguring named could fail on some platforms when
+  • Reloading or reconfiguring named could fail on some platforms when
     LMDB was in use. [RT #45203]
 
-  * Due to some incorrectly deleted code, when BIND was built with LMDB,
+  • Due to some incorrectly deleted code, when BIND was built with LMDB,
     zones that were deleted via rndc delzone were removed from the running
     server but were not removed from the new zone database, so that
     deletion did not persist after a server restart. This has been
     corrected. [RT #45185]
 
-  * Semicolons are no longer escaped when printing CAA and URI records.
+  • Semicolons are no longer escaped when printing CAA and URI records.
     This may break applications that depend on the presence of the
     backslash before the semicolon. [RT #45216]
 
-  * AD could be set on truncated answer with no records present in the
+  • AD could be set on truncated answer with no records present in the
     answer and authority sections. [RT #45140]
 
 Notes for BIND 9.11.1
 
 Security Fixes
 
-  * rndc "" could trigger an assertion failure in named. This flaw is
+  • rndc "" could trigger an assertion failure in named. This flaw is
     disclosed in (CVE-2017-3138). [RT #44924]
 
-  * Some chaining (i.e., type CNAME or DNAME) responses to upstream
+  • Some chaining (i.e., type CNAME or DNAME) responses to upstream
     queries could trigger assertion failures. This flaw is disclosed in
     CVE-2017-3137. [RT #44734]
 
-  * dns64 with break-dnssec yes; can result in an assertion failure. This
+  • dns64 with break-dnssec yes; can result in an assertion failure. This
     flaw is disclosed in CVE-2017-3136. [RT #44653]
 
-  * If a server is configured with a response policy zone (RPZ) that
+  • If a server is configured with a response policy zone (RPZ) that
     rewrites an answer with local data, and is also configured for DNS64
     address mapping, a NULL pointer can be read triggering a server crash.
     This flaw is disclosed in CVE-2017-3135. [RT #44434]
 
-  * A coding error in the nxdomain-redirect feature could lead to an
+  • A coding error in the nxdomain-redirect feature could lead to an
     assertion failure if the redirection namespace was served from a local
     authoritative data source such as a local zone or a DLZ instead of via
     recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
 
-  * named could mishandle authority sections with missing RRSIGs,
+  • named could mishandle authority sections with missing RRSIGs,
     triggering an assertion failure. This flaw is disclosed in
     CVE-2016-9444. [RT #43632]
 
-  * named mishandled some responses where covering RRSIG records were
+  • named mishandled some responses where covering RRSIG records were
     returned without the requested data, resulting in an assertion
     failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
 
-  * named incorrectly tried to cache TKEY records which could trigger an
+  • named incorrectly tried to cache TKEY records which could trigger an
     assertion failure when there was a class mismatch. This flaw is
     disclosed in CVE-2016-9131. [RT #43522]
 
-  * It was possible to trigger assertions when processing responses
+  • It was possible to trigger assertions when processing responses
     containing answers of type DNAME. This flaw is disclosed in
     CVE-2016-8864. [RT #43465]
 
-  * Added the ability to specify the maximum number of records permitted
+  • Added the ability to specify the maximum number of records permitted
     in a zone (max-records #;). This provides a mechanism to block overly
     large zone transfers, which is a potential risk with slave zones from
     other parties, as described in CVE-2016-6170. [RT #42143]
 
 Feature Changes
 
-  * dnstap now stores both the local and remote addresses for all
+  • dnstap now stores both the local and remote addresses for all
     messages, instead of only the remote address. The default output
     format for dnstap-read has been updated to include these addresses,
     with the initiating address first and the responding address second,
     separated by "-%gt;" or "%lt;-" to indicate in which direction the
     message was sent. [RT #43595]
 
-  * Expanded and improved the YAML output from dnstap-read -y: it now
+  • Expanded and improved the YAML output from dnstap-read -y: it now
     includes packet size and a detailed breakdown of message contents. [RT
     #43622] [RT #43642]
 
-  * If an ACL is specified with an address prefix in which the prefix
+  • If an ACL is specified with an address prefix in which the prefix
     length is longer than the address portion (for example, 192.0.2.1/8),
     named will now log a warning. In future releases this will be a fatal
     configuration error. [RT #43367]
 
 Bug Fixes
 
-  * A synthesized CNAME record appearing in a response before the
+  • A synthesized CNAME record appearing in a response before the
     associated DNAME could be cached, when it should not have been. This
-    was a regression introduced while addressing CVE-2016-8864. [RT #
-    44318]
+    was a regression introduced while addressing CVE-2016-8864. [RT
+    #44318]
 
-  * named could deadlock if multiple changes to NSEC/NSEC3 parameters for
+  • named could deadlock if multiple changes to NSEC/NSEC3 parameters for
     the same zone were being processed at the same time. [RT #42770]
 
-  * named could trigger an assertion when sending NOTIFY messages. [RT #
-    44019]
+  • named could trigger an assertion when sending NOTIFY messages. [RT
+    #44019]
 
-  * Referencing a nonexistent zone in a response-policy statement could
+  • Referencing a nonexistent zone in a response-policy statement could
     cause an assertion failure during configuration. [RT #43787]
 
-  * rndc addzone could cause a crash when attempting to add a zone with a
-    type other than master or slave. Such zones are now rejected. [RT #
-    43665]
+  • rndc addzone could cause a crash when attempting to add a zone with a
+    type other than master or slave. Such zones are now rejected. [RT
+    #43665]
 
-  * named could hang when encountering log file names with large apparent
+  • named could hang when encountering log file names with large apparent
     gaps in version number (for example, when files exist called
     "logfile.0", "logfile.1", and "logfile.1482954169"). This is now
     handled correctly. [RT #38688]
 
-  * If a zone was updated while named was processing a query for
+  • If a zone was updated while named was processing a query for
     nonexistent data, it could return out-of-sync NSEC3 records causing
     potential DNSSEC validation failure. [RT #43247]
 
 Maintenance
 
-  * The built-in root hints have been updated to include an IPv6 address
+  • The built-in root hints have been updated to include an IPv6 address
     (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
 
 Miscellaneous Notes
 
-  * Authoritative server support for the EDNS Client Subnet option (ECS),
+  • Authoritative server support for the EDNS Client Subnet option (ECS),
     introduced in BIND 9.11.0, was based on an early version of the
     specification, and is now known to have incompatibilities with other
     ECS implementations. It is also inefficient, requiring a separate view
@@ -530,18 +907,18 @@ Notes for BIND 9.11.0
 
 Security Fixes
 
-  * It was possible to trigger a assertion when rendering a message using
+  • It was possible to trigger a assertion when rendering a message using
     a specially crafted request. This flaw is disclosed in CVE-2016-2776.
     [RT #43139]
 
-  * getrrsetbyname with a non absolute name could trigger an infinite
+  • getrrsetbyname with a non absolute name could trigger an infinite
     recursion bug in lwresd and named with lwres configured if when
     combined with a search list entry the resulting name is too long. This
     flaw is disclosed in CVE-2016-2775. [RT #42694]
 
 New Features
 
-  * A new method of provisioning secondary servers called "Catalog Zones"
+  • A new method of provisioning secondary servers called "Catalog Zones"
     has been added. This is an implementation of
     draft-muks-dnsop-dns-catalog-zones/ .
 
@@ -563,10 +940,10 @@ New Features
     Support for master entries with TSIG keys has been added to catalog
     zones, as well as support for allow-query and allow-transfer.
 
-  * Added an isc.rndc Python module, which allows rndc commands to be sent
+  • Added an isc.rndc Python module, which allows rndc commands to be sent
     from Python programs.
 
-  * Added support for DynDB, a new interface for loading zone data from an
+  • Added support for DynDB, a new interface for loading zone data from an
     external database, developed by Red Hat for the FreeIPA project.
     (Thanks in particular to Adam Tkac and Petr Spacek of Red Hat for the
     contribution.)
@@ -582,7 +959,7 @@ New Features
     BIND zones, and with the ability to take advantage of database
     features not available in BIND, such as multi-master replication.
 
-  * Fetch quotas are now compiled in by default: they no longer require
+  • Fetch quotas are now compiled in by default: they no longer require
     BIND to be configured with --enable-fetchlimit, as was the case when
     the feature was introduced in BIND 9.10.3.
 
@@ -592,21 +969,21 @@ New Features
     resource exhaustion that can be experienced by recursive servers when
     they are being used as a vehicle for such an attack.
 
-      + fetches-per-server limits the number of simultaneous queries that
+      â–¡ fetches-per-server limits the number of simultaneous queries that
         can be sent to any single authoritative server. The configured
         value is a starting point; it is automatically adjusted downward
         if the server is partially or completely non-responsive. The
         algorithm used to adjust the quota can be configured via the
         fetch-quota-params option.
 
-      + fetches-per-zone limits the number of simultaneous queries that
+      â–¡ fetches-per-zone limits the number of simultaneous queries that
         can be sent for names within a single domain. (Note: Unlike
         "fetches-per-server", this value is not self-tuning.)
 
     Statistics counters have also been added to track the number of
     queries affected by these quotas.
 
-  * Added support for dnstap, a fast, flexible method for capturing and
+  • Added support for dnstap, a fast, flexible method for capturing and
     logging DNS traffic, developed by Robert Edmonds at Farsight Security,
     Inc., whose assistance is gratefully acknowledged.
 
@@ -628,7 +1005,7 @@ New Features
 
     For more information on dnstap, see https://dnstap.info.
 
-  * New statistics counters have been added to track traffic sizes, as
+  • New statistics counters have been added to track traffic sizes, as
     specified in RSSAC002. Query and response message sizes are broken up
     into ranges of histogram buckets: TCP and UDP queries of size 0-15,
     16-31, ..., 272-288, and 288+, and TCP and UDP responses of size 0-15,
@@ -640,7 +1017,7 @@ New Features
     Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
     rcode-volume reporting are now collected.
 
-  * A new DNSSEC key management utility, dnssec-keymgr, has been added.
+  • A new DNSSEC key management utility, dnssec-keymgr, has been added.
     This tool is meant to run unattended (e.g., under cron). It reads a
     policy definition file (default /etc/dnssec-policy.conf) and creates
     or updates DNSSEC keys as necessary to ensure that a zone's keys match
@@ -657,16 +1034,16 @@ New Features
 
     dnssec-keymgr now takes a -r randomfile option.
 
-    (Many thanks to Sebasti?n Castro for his assistance in developing this
+    (Many thanks to Sebastián Castro for his assistance in developing this
     tool at the IETF 95 Hackathon in Buenos Aires, April 2016.)
 
-  * The serial number of a dynamically updatable zone can now be set using
+  • The serial number of a dynamically updatable zone can now be set using
     rndc signing -serial number zonename. This is particularly useful with
     inline-signing zones that have been reset. Setting the serial number
     to a value larger than that on the slaves will trigger an AXFR-style
     transfer.
 
-  * When answering recursive queries, SERVFAIL responses can now be cached
+  • When answering recursive queries, SERVFAIL responses can now be cached
     by the server for a limited time; subsequent queries for the same
     query name and type will return another SERVFAIL until the cache times
     out. This reduces the frequency of retries when a query is
@@ -674,7 +1051,7 @@ New Features
     SERVFAIL cache timeout is controlled by servfail-ttl, which defaults
     to 1 second and has an upper limit of 30.
 
-  * The new rndc nta command can now be used to set a "negative trust
+  • The new rndc nta command can now be used to set a "negative trust
     anchor" (NTA), disabling DNSSEC validation for a specific domain; this
     can be used when responses from a domain are known to be failing
     validation due to administrative error rather than because of a
@@ -684,72 +1061,72 @@ New Features
     named.conf. When added, NTAs are stored in a file (viewname.nta) in
     order to persist across restarts of the named server.
 
-  * The EDNS Client Subnet (ECS) option is now supported for authoritative
+  • The EDNS Client Subnet (ECS) option is now supported for authoritative
     servers; if a query contains an ECS option then ACLs containing geoip
     or ecs elements can match against the address encoded in the option.
     This can be used to select a view for a query, so that different
     answers can be provided depending on the client network.
 
-  * The EDNS EXPIRE option has been implemented on the client side,
+  • The EDNS EXPIRE option has been implemented on the client side,
     allowing a slave server to set the expiration timer correctly when
     transferring zone data from another slave server.
 
-  * A new masterfile-style zone option controls the formatting of text
+  • A new masterfile-style zone option controls the formatting of text
     zone files: When set to full, the zone file will dumped in
     single-line-per-record format.
 
-  * dig +ednsopt can now be used to set arbitrary EDNS options in DNS
+  • dig +ednsopt can now be used to set arbitrary EDNS options in DNS
     requests.
 
-  * dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in
+  • dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in
     DNS requests.
 
-  * dig +[no]ednsnegotiation can now be used enable / disable EDNS version
+  • dig +[no]ednsnegotiation can now be used enable / disable EDNS version
     negotiation.
 
-  * dig +header-only can now be used to send queries without a question
+  • dig +header-only can now be used to send queries without a question
     section.
 
-  * dig +ttlunits causes dig to print TTL values with time-unit suffixes:
+  • dig +ttlunits causes dig to print TTL values with time-unit suffixes:
     w, d, h, m, s for weeks, days, hours, minutes, and seconds.
 
-  * dig +zflag can be used to set the last unassigned DNS header flag bit.
+  • dig +zflag can be used to set the last unassigned DNS header flag bit.
     This bit is normally zero.
 
-  * dig +dscp=value can now be used to set the DSCP code point in outgoing
+  • dig +dscp=value can now be used to set the DSCP code point in outgoing
     query packets.
 
-  * dig +mapped can now be used to determine if mapped IPv4 addresses can
+  • dig +mapped can now be used to determine if mapped IPv4 addresses can
     be used.
 
-  * nslookup will now look up IPv6 as well as IPv4 addresses by default.
+  • nslookup will now look up IPv6 as well as IPv4 addresses by default.
     [RT #40420]
 
-  * serial-update-method can now be set to date. On update, the serial
+  • serial-update-method can now be set to date. On update, the serial
     number will be set to the current date in YYYYMMDDNN format.
 
-  * dnssec-signzone -N date also sets the serial number to YYYYMMDDNN.
+  • dnssec-signzone -N date also sets the serial number to YYYYMMDDNN.
 
-  * named -L filename causes named to send log messages to the specified
+  • named -L filename causes named to send log messages to the specified
     file by default instead of to the system log.
 
-  * The rate limiter configured by the serial-query-rate option no longer
+  • The rate limiter configured by the serial-query-rate option no longer
     covers NOTIFY messages; those are now separately controlled by
     notify-rate and startup-notify-rate (the latter of which controls the
     rate of NOTIFY messages sent when the server is first started up or
     reconfigured).
 
-  * The default number of tasks and client objects available for serving
+  • The default number of tasks and client objects available for serving
     lightweight resolver queries have been increased, and are now
     configurable via the new lwres-tasks and lwres-clients options in
     named.conf. [RT #35857]
 
-  * Log output to files can now be buffered by specifying buffered yes;
+  • Log output to files can now be buffered by specifying buffered yes;
     when creating a channel.
 
-  * delv +tcp will exclusively use TCP when sending queries.
+  • delv +tcp will exclusively use TCP when sending queries.
 
-  * named will now check to see whether other name server processes are
+  • named will now check to see whether other name server processes are
     running before starting up. This is implemented in two ways: 1) by
     refusing to start if the configured network interfaces all return
     "address in use", and 2) by attempting to acquire a lock on a file
@@ -757,18 +1134,18 @@ New Features
     default lock file is /var/run/named/named.lock. Specifying none will
     disable the lock file check.
 
-  * rndc delzone can now be applied to zones which were configured in
+  • rndc delzone can now be applied to zones which were configured in
     named.conf; it is no longer restricted to zones which were added by
     rndc addzone. (Note, however, that this does not edit named.conf; the
     zone must be removed from the configuration or it will return when
     named is restarted or reloaded.)
 
-  * rndc modzone can be used to reconfigure a zone, using similar syntax
+  • rndc modzone can be used to reconfigure a zone, using similar syntax
     to rndc addzone.
 
-  * rndc showzone displays the current configuration for a specified zone.
+  • rndc showzone displays the current configuration for a specified zone.
 
-  * When BIND is built with the lmdb library (Lightning Memory-Mapped
+  • When BIND is built with the lmdb library (Lightning Memory-Mapped
     Database), named will store the configuration information for zones
     that are added via rndc addzone in a database, rather than in a flat
     "NZF" file. This dramatically improves performance for rndc delzone
@@ -783,7 +1160,7 @@ New Features
     did not support the NZD format), use the new command named-nzd2nzf [RT
     #39837]
 
-  * Added server-side support for pipelined TCP queries. Clients may
+  • Added server-side support for pipelined TCP queries. Clients may
     continue sending queries via TCP while previous queries are processed
     in parallel. Responses are sent when they are ready, not necessarily
     in the order in which the queries were received.
@@ -793,24 +1170,24 @@ New Features
     "keep-response-order" option. To revert to the former behavior for all
     clients, use "keep-response-order { any; };".
 
-  * The new mdig command is a version of dig that sends multiple pipelined
+  • The new mdig command is a version of dig that sends multiple pipelined
     queries and then waits for responses, instead of sending one query and
     waiting the response before sending the next. [RT #38261]
 
-  * To enable better monitoring and troubleshooting of RFC 5011 trust
+  • To enable better monitoring and troubleshooting of RFC 5011 trust
     anchor management, the new rndc managed-keys can be used to check
     status of trust anchors or to force keys to be refreshed. Also, the
     managed-keys data file now has easier-to-read comments. [RT #38458]
 
-  * An --enable-querytrace configure switch is now available to enable
+  • An --enable-querytrace configure switch is now available to enable
     very verbose query trace logging. This option can only be set at
     compile time. This option has a negative performance impact and should
     be used only for debugging. [RT #37520]
 
-  * A new tcp-only option can be specified in server statements to force
+  • A new tcp-only option can be specified in server statements to force
     named to connect to the specified server via TCP. [RT #37800]
 
-  * The nxdomain-redirect option specifies a DNS namespace to use for
+  • The nxdomain-redirect option specifies a DNS namespace to use for
     NXDOMAIN redirection. When a recursive lookup returns NXDOMAIN, a
     second lookup is initiated with the specified name appended to the
     query name. This allows NXDOMAIN redirection data to be supplied by
@@ -818,34 +1195,34 @@ New Features
     other servers. (The older method, using a single type redirect zone,
     has better average performance but is less flexible.) [RT #37989]
 
-  * The following types have been implemented: CSYNC, NINFO, RKEY, SINK,
+  • The following types have been implemented: CSYNC, NINFO, RKEY, SINK,
     TA, TALINK.
 
-  * A new message-compression option can be used to specify whether or not
+  • A new message-compression option can be used to specify whether or not
     to use name compression when answering queries. Setting this to no
     results in larger responses, but reduces CPU consumption and may
     improve throughput. The default is yes.
 
-  * A read-only option is now available in the controls statement to grant
+  • A read-only option is now available in the controls statement to grant
     non-destructive control channel access. In such cases, a restricted
     set of rndc commands are allowed, which can report information from
     named, but cannot reconfigure or stop the server. By default, the
     control channel access is not restricted to these read-only
     operations. [RT #40498]
 
-  * When loading a signed zone, named will now check whether an RRSIG's
+  • When loading a signed zone, named will now check whether an RRSIG's
     inception time is in the future, and if so, it will regenerate the
     RRSIG immediately. This helps when a system's clock needs to be reset
     backwards.
 
-  * The new minimal-any option reduces the size of answers to UDP queries
+  • The new minimal-any option reduces the size of answers to UDP queries
     for type ANY by implementing one of the strategies in
     "draft-ietf-dnsop-refuse-any": returning a single arbitrarily-selected
     RRset that matches the query name rather than returning all of the
-    matching RRsets. Thanks to Tony Finch for the contribution. [RT #
-    41615]
+    matching RRsets. Thanks to Tony Finch for the contribution. [RT
+    #41615]
 
-  * named now provides feedback to the owners of zones which have trust
+  • named now provides feedback to the owners of zones which have trust
     anchors configured (trusted-keys, managed-keys, dnssec-validation
     auto; and dnssec-lookaside auto;) by sending a daily query which
     encodes the keyids of the configured trust anchors for the zone. This
@@ -853,7 +1230,7 @@ New Features
 
 Feature Changes
 
-  * The logging format used for querylog has been altered. It now includes
+  • The logging format used for querylog has been altered. It now includes
     an additional field indicating the address in memory of the client
     object processing the query.
 
@@ -862,23 +1239,23 @@ Feature Changes
     use this service, either explicitly or via dnssec-lookaside auto;. [RT
     #42207]
 
-  * The timers returned by the statistics channel (indicating current
+  • The timers returned by the statistics channel (indicating current
     time, server boot time, and most recent reconfiguration time) are now
     reported with millisecond accuracy. [RT #40082]
 
-  * Updated the compiled-in addresses for H.ROOT-SERVERS.NET and
+  • Updated the compiled-in addresses for H.ROOT-SERVERS.NET and
     L.ROOT-SERVERS.NET.
 
-  * ACLs containing geoip asnum elements were not correctly matched unless
+  • ACLs containing geoip asnum elements were not correctly matched unless
     the full organization name was specified in the ACL (as in geoip asnum
     "AS1234 Example, Inc.";). They can now match against the AS number
     alone (as in geoip asnum "AS1234";).
 
-  * When using native PKCS#11 cryptography (i.e., configure
+  • When using native PKCS#11 cryptography (i.e., configure
     --enable-native-pkcs11) HSM PINs of up to 256 characters can now be
     used.
 
-  * NXDOMAIN responses to queries of type DS are now cached separately
+  • NXDOMAIN responses to queries of type DS are now cached separately
     from those for other types. This helps when using "grafted" zones of
     type forward, for which the parent zone does not contain a delegation,
     such as local top-level domains. Previously a query of type DS for
@@ -887,16 +1264,16 @@ Feature Changes
     when DNSSEC validation is not enabled. "Grafted" zones without a
     delegation in the parent are not a recommended configuration.)
 
-  * Update forwarding performance has been improved by allowing a single
+  • Update forwarding performance has been improved by allowing a single
     TCP connection to be shared between multiple updates.
 
-  * By default, nsupdate will now check the correctness of hostnames when
+  • By default, nsupdate will now check the correctness of hostnames when
     adding records of type A, AAAA, MX, SOA, NS, SRV or PTR. This behavior
     can be disabled with check-names no.
 
-  * Added support for OPENPGPKEY type.
+  • Added support for OPENPGPKEY type.
 
-  * The names of the files used to store managed keys and added zones for
+  • The names of the files used to store managed keys and added zones for
     each view are no longer based on the SHA256 hash of the view name,
     except when this is necessary because the view name contains
     characters that would be incompatible with use as a file name. For
@@ -907,30 +1284,30 @@ Feature Changes
     However, to ensure consistent behavior when upgrading, if a file using
     the old name format is found to exist, it will continue to be used.
 
-  * "rndc" can now return text output of arbitrary size to the caller.
+  • "rndc" can now return text output of arbitrary size to the caller.
     (Prior to this, certain commands such as "rndc tsig-list" and "rndc
     zonestatus" could return truncated output.)
 
-  * Errors reported when running rndc addzone (e.g., when a zone file
+  • Errors reported when running rndc addzone (e.g., when a zone file
     cannot be loaded) have been clarified to make it easier to diagnose
     problems.
 
-  * When encountering an authoritative name server whose name is an alias
+  • When encountering an authoritative name server whose name is an alias
     pointing to another name, the resolver treats this as an error and
     skips to the next server. Previously this happened silently; now the
     error will be logged to the newly-created "cname" log category.
 
-  * If named is not configured to validate answers, then allow fallback to
+  • If named is not configured to validate answers, then allow fallback to
     plain DNS on timeout even when we know the server supports EDNS. This
     will allow the server to potentially resolve signed queries when TCP
     is being blocked.
 
-  * Large inline-signing changes should be less disruptive. Signature
+  • Large inline-signing changes should be less disruptive. Signature
     generation is now done incrementally; the number of signatures to be
     generated in each quantum is controlled by "sig-signing-signatures
     number;". [RT #37927]
 
-  * The experimental SIT option (code point 65001) of BIND 9.10.0 through
+  • The experimental SIT option (code point 65001) of BIND 9.10.0 through
     BIND 9.10.2 has been replaced with the COOKIE option (code point 10).
     It is no longer experimental, and is sent by default, by both named
     and dig.
@@ -938,15 +1315,15 @@ Feature Changes
     The SIT-related named.conf options have been marked as obsolete, and
     are otherwise ignored.
 
-  * When dig receives a truncated (TC=1) response or a BADCOOKIE response
+  • When dig receives a truncated (TC=1) response or a BADCOOKIE response
     code from a server, it will automatically retry the query using the
     server COOKIE that was returned by the server in its initial response.
     [RT #39047]
 
-  * Retrieving the local port range from net.ipv4.ip_local_port_range on
+  • Retrieving the local port range from net.ipv4.ip_local_port_range on
     Linux is now supported.
 
-  * A new nsip-wait-recurse directive has been added to RPZ, specifying
+  • A new nsip-wait-recurse directive has been added to RPZ, specifying
     whether to look up unknown name server IP addresses and wait for a
     response before applying RPZ-NSIP rules. The default is yes. If set to
     no, named will only apply RPZ-NSIP rules to servers whose addresses
@@ -955,51 +1332,51 @@ Feature Changes
     performance when the cache is cold, at the cost of temporary
     imprecision in applying policy directives. [RT #35009]
 
-  * Within the response-policy option, it is now possible to configure RPZ
+  • Within the response-policy option, it is now possible to configure RPZ
     rewrite logging on a per-zone basis using the log clause.
 
-  * The default preferred glue is now the address type of the transport
+  • The default preferred glue is now the address type of the transport
     the query was received over.
 
-  * On machines with 2 or more processors (CPU), the default value for the
+  • On machines with 2 or more processors (CPU), the default value for the
     number of UDP listeners has been changed to the number of detected
     processors minus one.
 
-  * Zone transfers now use smaller message sizes to improve message
+  • Zone transfers now use smaller message sizes to improve message
     compression. This results in reduced network usage.
 
-  * Added support for the AVC resource record type (Application Visibility
+  • Added support for the AVC resource record type (Application Visibility
     and Control).
 
     Changed rndc reconfig behavior so that newly added zones are loaded
     asynchronously and the loading does not block the server.
 
-  * minimal-responses now takes two new arguments: no-auth suppresses
+  • minimal-responses now takes two new arguments: no-auth suppresses
     populating the authority section but not the additional section;
     no-auth-recursive does the same but only when answering recursive
     queries.
 
-  * At server startup time, the queues for processing notify and zone
+  • At server startup time, the queues for processing notify and zone
     refresh queries are now processed in LIFO rather than FIFO order, to
     speed up loading of newly added zones. [RT #42825]
 
-  * When answering queries of type MX or SRV, TLSA records for the target
+  • When answering queries of type MX or SRV, TLSA records for the target
     name are now included in the additional section to speed up DANE
     processing. [RT #42894]
 
-  * named can now use the TCP Fast Open mechanism on the server side, if
+  • named can now use the TCP Fast Open mechanism on the server side, if
     supported by the local operating system. [RT #42866]
 
 Bug Fixes
 
-  * Fixed a crash when calling rndc stats on some Windows builds: some
+  • Fixed a crash when calling rndc stats on some Windows builds: some
     Visual Studio compilers generate code that crashes when the "%z"
     printf() format specifier is used. [RT #42380]
 
-  * Windows installs were failing due to triggering UAC without the
+  • Windows installs were failing due to triggering UAC without the
     installation binary being signed.
 
-  * A change in the internal binary representation of the RBT database
+  • A change in the internal binary representation of the RBT database
     node structure enabled a race condition to occur (especially when BIND
     was built with certain compilers or optimizer settings), leading to
     inconsistent database state which caused random assertion failures.
diff --git a/bind/bind9/doc/arm/notes.xml b/bind/bind9/doc/arm/notes.xml
index 91809ab5..da69bcda 100644
--- a/bind/bind9/doc/arm/notes.xml
+++ b/bind/bind9/doc/arm/notes.xml
@@ -9,18 +9,39 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
-<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
+<section xmlns="http://docbook.org/ns/docbook" version="5.0"><info/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-intro.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-download.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-license.xml"/>
 
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.36.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.35.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.34.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.33.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.32.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.31.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.30.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.29.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.28.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.27.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.26.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.25.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.24.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.23.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.22.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.21.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.20.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.19.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.18.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.17.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.16.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.15.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.14.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.13.xml"/>
diff --git a/bind/bind9/doc/arm/noteversion.xml.in b/bind/bind9/doc/arm/noteversion.xml.in
index 14bbba43..b2294aa0 100644
--- a/bind/bind9/doc/arm/noteversion.xml.in
+++ b/bind/bind9/doc/arm/noteversion.xml.in
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/options.grammar.xml b/bind/bind9/doc/arm/options.grammar.xml
index 6a8796ae..793ac0b8 100644
--- a/bind/bind9/doc/arm/options.grammar.xml
+++ b/bind/bind9/doc/arm/options.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/pkcs11.xml b/bind/bind9/doc/arm/pkcs11.xml
index 973845f1..a04c59c9 100644
--- a/bind/bind9/doc/arm/pkcs11.xml
+++ b/bind/bind9/doc/arm/pkcs11.xml
@@ -5,17 +5,17 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="pkcs11"><info><title>PKCS#11 (Cryptoki) support</title></info>
+<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pkcs11"><info><title>PKCS#11 (Cryptoki) Support</title></info>
 
   <para>
-    PKCS#11 (Public Key Cryptography Standard #11) defines a
+    Public Key Cryptography Standard #11 (PKCS#11) defines a
     platform-independent API for the control of hardware security
     modules (HSMs) and other cryptographic support devices.
   </para>
diff --git a/bind/bind9/doc/arm/pkgversion.xml.in b/bind/bind9/doc/arm/pkgversion.xml.in
index 74abbfcd..d8b50f27 100644
--- a/bind/bind9/doc/arm/pkgversion.xml.in
+++ b/bind/bind9/doc/arm/pkgversion.xml.in
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/redirect.zoneopt.xml b/bind/bind9/doc/arm/redirect.zoneopt.xml
index 335cfa03..a869f0cf 100644
--- a/bind/bind9/doc/arm/redirect.zoneopt.xml
+++ b/bind/bind9/doc/arm/redirect.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/releaseinfo.xml.in b/bind/bind9/doc/arm/releaseinfo.xml.in
index fa7a3cd5..164871ad 100644
--- a/bind/bind9/doc/arm/releaseinfo.xml.in
+++ b/bind/bind9/doc/arm/releaseinfo.xml.in
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/server.grammar.xml b/bind/bind9/doc/arm/server.grammar.xml
index 7dfefdab..03905aec 100644
--- a/bind/bind9/doc/arm/server.grammar.xml
+++ b/bind/bind9/doc/arm/server.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/slave.zoneopt.xml b/bind/bind9/doc/arm/slave.zoneopt.xml
index 10d08d69..5ec41d54 100644
--- a/bind/bind9/doc/arm/slave.zoneopt.xml
+++ b/bind/bind9/doc/arm/slave.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/static-stub.zoneopt.xml b/bind/bind9/doc/arm/static-stub.zoneopt.xml
index ca278340..18229a05 100644
--- a/bind/bind9/doc/arm/static-stub.zoneopt.xml
+++ b/bind/bind9/doc/arm/static-stub.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/statistics-channels.grammar.xml b/bind/bind9/doc/arm/statistics-channels.grammar.xml
index d2c381d4..4f233b43 100644
--- a/bind/bind9/doc/arm/statistics-channels.grammar.xml
+++ b/bind/bind9/doc/arm/statistics-channels.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/stub.zoneopt.xml b/bind/bind9/doc/arm/stub.zoneopt.xml
index 7365ece5..bda400ca 100644
--- a/bind/bind9/doc/arm/stub.zoneopt.xml
+++ b/bind/bind9/doc/arm/stub.zoneopt.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/arm/trusted-keys.grammar.xml b/bind/bind9/doc/arm/trusted-keys.grammar.xml
index b0bd3d79..5bf60311 100644
--- a/bind/bind9/doc/arm/trusted-keys.grammar.xml
+++ b/bind/bind9/doc/arm/trusted-keys.grammar.xml
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/design/addressdb b/bind/bind9/doc/design/addressdb
index 5e290e13..693c3baa 100644
--- a/bind/bind9/doc/design/addressdb
+++ b/bind/bind9/doc/design/addressdb
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 You are lost in a maze of twisty little pointers, all alike...
 
diff --git a/bind/bind9/doc/design/cds-child b/bind/bind9/doc/design/cds-child
index 034f25ea..aa48468d 100644
--- a/bind/bind9/doc/design/cds-child
+++ b/bind/bind9/doc/design/cds-child
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 	  CDS / CDNSKEY Child side processing.
 
@@ -16,14 +16,14 @@ See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 * dnssec-signzone should add cds and/or cdnskey to zone apex iff the
   DNSKEY is published and is signing the DNSKEY RRset.  CDS and CDNSKEY
   records are only removed if there is a deletion date set (implicit on
-  matching DNSKEY going inactive / unpublished or explict).
+  matching DNSKEY going inactive / unpublished or explicit).
 
   Non-matching CDS and CDNSKEY are removed.
 
 * auto-dnssec maintain should cds and/or cdnskey to zone apex iff the 
   DNSKEY is published and is signing the DNSKEY RRset.   CDS and CDNSKEY
   records are only removed if there is a deletion date set (implicit on
-  matching DNSKEY going inactive / unpublished or explict).
+  matching DNSKEY going inactive / unpublished or explicit).
 
 * UPDATE should check that CDS and CDNSKEY match a active DNSKEY that
   is signing the DNSKEY RRset and ignore otherwise.  This should be
diff --git a/bind/bind9/doc/design/compression b/bind/bind9/doc/design/compression
index ade7dc49..b1ed1691 100644
--- a/bind/bind9/doc/design/compression
+++ b/bind/bind9/doc/design/compression
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 			Name Compression
 
@@ -53,7 +53,7 @@ Implementation:
 	the valid compression methods of the RBT.  All nodes of the RBT
 	will have an offset excluding the root node.
 
-	The local compression RBT will be initalised with the owner name
+	The local compression RBT will be initialised with the owner name
 	and the start of the rdata will be recorded.
 
 	We will use deepest partial match to find the potential
@@ -70,7 +70,7 @@ Functions:
 	dns_result_t
 	dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
 
-	Initalises cctx to empty and sets whether 16 bit global
+	Initialises cctx to empty and sets whether 16 bit global
 	compression targets are to be added to the global RBT based on the
 	edns value.
 
@@ -78,7 +78,7 @@ Functions:
 	dns_compress_localinit(dns_compress_t *cctx, dns_name_t *owner,
 			       isc_buffer_t *target);
 
-	Initalise a RBT for local compression, freeing and existing RBT.
+	Initialise a RBT for local compression, freeing and existing RBT.
 	Record current offset.
 
 	dns_compress_invalidate(dns_compress_t *cctx);
@@ -130,7 +130,7 @@ Functions:
 
 	Find the best best match in the global / local RBT.  Returns prefix,
 	suffix and offset of the bestmatch.  Findglobal(), findlocal()
-	requires as workspace as it may be neccessary to spit a bit stream
+	requires as workspace as it may be necessary to spit a bit stream
 	label.  The result prefix will be such that it can be added to the
 	wire format followed by a compression pointer pointing to offset.
 	Suffix is returned so that it is possible to add the compression
@@ -143,7 +143,7 @@ Functions:
 	Add compression pointers pointing to lebels (if any) in prefix.
 	The offset to the first label is passed in offset.
 
-Dependancy:
+Dependency:
 
 	Requires RBT deepest match.
 	Requires the ability to walk the RBT and remove any node which
diff --git a/bind/bind9/doc/design/database b/bind/bind9/doc/design/database
index 8f00f4b8..8a8fa58e 100644
--- a/bind/bind9/doc/design/database
+++ b/bind/bind9/doc/design/database
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Databases
 
diff --git a/bind/bind9/doc/design/db_rules b/bind/bind9/doc/design/db_rules
index ef4de0e0..8496f34a 100644
--- a/bind/bind9/doc/design/db_rules
+++ b/bind/bind9/doc/design/db_rules
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Here is a more formal statement of the important database design
 rules.  Each rule has a 5 character mnemonic, for use in source code
diff --git a/bind/bind9/doc/design/decompression b/bind/bind9/doc/design/decompression
index 3c4f6b1d..8246ac65 100644
--- a/bind/bind9/doc/design/decompression
+++ b/bind/bind9/doc/design/decompression
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 			Name Decompression
 
@@ -11,16 +11,16 @@ Overview.
 
 	In general the resolver / nameserver should accept any compression
 	method at any time regardless of whether it was legal to
-	send it.  This fits with the priciple of being liberal with
+	send it.  This fits with the principle of being liberal with
 	what you accept and strict with what you send.
 
-	There are a few cases where it does not make sence to accept
+	There are a few cases where it does not make sense to accept
 	compression pointers of a given type. i.e. the first domain name
 	in a message, local compression pointers in the ownername of a RR
 	or in a question.
 
 	When performing regression testing however we should be as strict
-	as possible.  Hence we need to be able modifiy the behaviour of the
+	as possible.  Hence we need to be able modify the behaviour of the
 	decompression routines.
 
 	To be able to decompress a domain name we need some or all of the
@@ -53,13 +53,13 @@ Functions:
 	void
 	dns_decompress_init(dns_decompress_t *dctx, int edns,
 			    bool strict);
-	initalise dctx
+	initialise dctx
 	dctx->ownername is invalidated
 
 	void
 	dns_decompress_localinit(dns_decompress_t *dctx, dns_name_t *name,
 				 isc_buffer_t *source);
-	initalise dctx->ownername
+	initialise dctx->ownername
 	record source->current to dctx->rdata
 
 	void
diff --git a/bind/bind9/doc/design/dispatch b/bind/bind9/doc/design/dispatch
index 0729f623..42676670 100644
--- a/bind/bind9/doc/design/dispatch
+++ b/bind/bind9/doc/design/dispatch
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 UDP receive:
 
@@ -34,7 +34,7 @@ UDP restart:
 /*
  * If too many recv()'s are already running, just return.
  *
- * If noone is attached to us, just return.
+ * If no one is attached to us, just return.
  *
  * Allocate a new buffer to receive into.
  * If no more buffers:
diff --git a/bind/bind9/doc/design/dscp b/bind/bind9/doc/design/dscp
index 36d5cc15..800ad8c7 100644
--- a/bind/bind9/doc/design/dscp
+++ b/bind/bind9/doc/design/dscp
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 	Differentiate Services Code Point Support
 
@@ -82,7 +82,7 @@ struct isc_socketevent {
         unsigned int            dscp;           /*%< UDP dscp value */
 };
 
-A convience function will be provided to allocate and intialize the structure.
+A convenience function will be provided to allocate and initialize the structure.
 
 isc_socketevent_t *
 isc_socket_socketevent(isc_socket_t *sock0, isc_eventtype_t eventtype,
diff --git a/bind/bind9/doc/design/keydone b/bind/bind9/doc/design/keydone
index aac8db96..212d0bde 100644
--- a/bind/bind9/doc/design/keydone
+++ b/bind/bind9/doc/design/keydone
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
         rndc keydone <rdata> zone [class [view]]
 
diff --git a/bind/bind9/doc/design/logging b/bind/bind9/doc/design/logging
index 84767954..7ce5c590 100644
--- a/bind/bind9/doc/design/logging
+++ b/bind/bind9/doc/design/logging
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 OVERVIEW
 
@@ -22,7 +22,7 @@ any, libraries will write log messages.
 FUNDAMENTALS
 
 This section describes the basics of how the system works, introduces
-terms and defines C preprocessor symbols used in conjuction with
+terms and defines C preprocessor symbols used in conjunction with
 logging functions.  Actual uses of functions are demonstrated in the
 following two sections.
 
@@ -115,7 +115,7 @@ no version control.
 Since null channels go nowhere, no additional destination
 specification is necessary.
 
-The words "destination" and "channel" can be used interchangably in
+The words "destination" and "channel" can be used interchangeably in
 some contexts.  Referring to a file channel, for example, means a
 channel that has a file destination.
 
@@ -154,7 +154,7 @@ corresponding print strings appear in a log message:
 
 You can set all four of those options with ISC_LOG_PRINTALL.
 
-Syslog channels do not need ISC_LOG_PRINTTIME, but it is usally a good
+Syslog channels do not need ISC_LOG_PRINTTIME, but it is usually a good
 idea for file and file descriptor feeds.
 
 The additional option does not affect formatting.  It is
@@ -286,7 +286,7 @@ rudimentary initialization of both.
       isc_log_create(mctx, &lctx, &lcfg) != ISC_R_SUCCESS))
           oops_it_didnt_work();
 
-3) Initalize any additional libraries.  The convention for the name of
+3) Initialize any additional libraries.  The convention for the name of
 the initialization function is {library}_log_init, with just a pointer
 to the logging context as an argument.  The function can only be
 called once in a program or it will generate an assertion error.
@@ -376,7 +376,7 @@ isc_log_usechannel().  When it is all ready:
 
   result = isc_logconfig_use(lctx, newlcfg);
 
-If the new configration is successfully installed, then the old one
+If the new configuration is successfully installed, then the old one
 will be destroyed, freeing all memory it used.
 
 There are three additional functions you might find useful in your
@@ -479,7 +479,7 @@ ISC_LOG_PRINTMODULE.  On rare occasion it might be necessary to
 differentiate very similar messages in the same module.
 
 When available, include standard library return codes via %s in the
-format string, with strerrr(errno) from the system libary or functions
+format string, with strerrr(errno) from the system library or functions
 like isc_result_totext(result) and dns_result_totext(result).
 
 THINGS I AM NOT KEEN ABOUT
diff --git a/bind/bind9/doc/design/lwres b/bind/bind9/doc/design/lwres
index fe2bc315..3ac6675d 100644
--- a/bind/bind9/doc/design/lwres
+++ b/bind/bind9/doc/design/lwres
@@ -1,8 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: lwres,v 1.6 2004/03/05 05:04:46 marka Exp $
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 This document describes the bind v9 lightweight resolver.
 
@@ -134,7 +132,7 @@ various options, including search lists, sort lists, etc.
 
 API
 
-The simpliest interface is to call lwres_getaddrsbyname() or
+The simplest interface is to call lwres_getaddrsbyname() or
 lwres_getnamebyaddr(), both of which are blocking calls.  That is, a
 packet is transmitted to the local lightweight resolver, and the call
 will not return until a response is received or the timeout period
diff --git a/bind/bind9/doc/design/ncache b/bind/bind9/doc/design/ncache
index 5bce7fa3..d3d116e0 100644
--- a/bind/bind9/doc/design/ncache
+++ b/bind/bind9/doc/design/ncache
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Negative Caching
 
diff --git a/bind/bind9/doc/design/rdataset b/bind/bind9/doc/design/rdataset
index 0d0945c0..045bd3c3 100644
--- a/bind/bind9/doc/design/rdataset
+++ b/bind/bind9/doc/design/rdataset
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Need way to "dup" an rdataset (i.e. different rdataset handle, same underlying
 data).
diff --git a/bind/bind9/doc/design/red-black b/bind/bind9/doc/design/red-black
index 1fa5a4ae..8e312608 100644
--- a/bind/bind9/doc/design/red-black
+++ b/bind/bind9/doc/design/red-black
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
                  Red-Black Tree Implementation Notes
 
@@ -34,7 +34,7 @@ Algorithms_, Cormen, Leiserson, and Rivest, MIT Press / McGraw Hill,
 
 In BIND9, the red-black tree implementation uses DNS names as keys,
 and can store arbitrary data with each key value.  "name" and "key"
-are used interchangably in this document.
+are used interchangeably in this document.
 
 The basic red-black tree algorithm is further adapted for use in BIND9
 to incorporate the notion of hierarchy, creating a tree of red-black
@@ -227,7 +227,7 @@ Each node in the tree of trees is represented by the following structure:
           /*
            * The following bitfields add up to a total bitwidth of 32.
            * The range of values necessary for each item is indicated,
-           * but in the case of "attributes" the field is wider to accomodate
+           * but in the case of "attributes" the field is wider to accommodate
            * possible future expansion.  "offsetlen" could be one bit
            * narrower by always adjusting its value by 1 to find the real
            * offsetlen, but doing so does not gain anything (except perhaps
diff --git a/bind/bind9/doc/design/resolver b/bind/bind9/doc/design/resolver
index 68f6c316..d1616c1e 100644
--- a/bind/bind9/doc/design/resolver
+++ b/bind/bind9/doc/design/resolver
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Multi-target Resolver
 =====================
diff --git a/bind/bind9/doc/design/search b/bind/bind9/doc/design/search
index 10f2d56c..6d2d20a7 100644
--- a/bind/bind9/doc/design/search
+++ b/bind/bind9/doc/design/search
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 What follows is pseudocode for the zone and cache lookup algorithms, as they
 will work in the RBT DB.
diff --git a/bind/bind9/doc/design/tasks b/bind/bind9/doc/design/tasks
index 20287681..27df1a7c 100644
--- a/bind/bind9/doc/design/tasks
+++ b/bind/bind9/doc/design/tasks
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Changes I made last week to the task code simplified the task shutdown
 and termination model.  Here's how things now work:
@@ -14,7 +14,7 @@ When a task is shutdown:
 	Any attempts to add shutdown events with isc_task_onshutdown()
 	will fail, since the task is already shutting down
 
-Task shutdown can be initiated explicity, via a call to isc_task_shutdown(),
+Task shutdown can be initiated explicitly, via a call to isc_task_shutdown(),
 or implicitly, when the following conditions occur:
 
 	The "shutting down" attribute of the task is not set
@@ -60,7 +60,7 @@ to the task queue.
 
 Event action (callback) rules:
   * no locks held on your behald when entering a callback.
-  * not allowed to block, except when aquiring a lock.
+  * not allowed to block, except when acquiring a lock.
   * not allowed to hold a lock when exiting the callback.
 
 
diff --git a/bind/bind9/doc/design/unsupported-algorithms-in-bind9 b/bind/bind9/doc/design/unsupported-algorithms-in-bind9
index 25fef1a4..ffb258c2 100644
--- a/bind/bind9/doc/design/unsupported-algorithms-in-bind9
+++ b/bind/bind9/doc/design/unsupported-algorithms-in-bind9
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 # Unsupported algorithms in BIND 9
 
diff --git a/bind/bind9/doc/design/verify b/bind/bind9/doc/design/verify
index 5e076756..ce637bf1 100644
--- a/bind/bind9/doc/design/verify
+++ b/bind/bind9/doc/design/verify
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 	dnssec-verify a tool to verify a zone is correctly signed.
 
@@ -9,7 +9,7 @@ See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 * check that each RRSIG set has a valid RRSIG and that all DNSKEY algorithms
 	in use are checked.
 * provide a mechanism to mark DNSKEY algorithms to be ignored to support
-	verification of zones that are in the processs of adding/removing
+	verification of zones that are in the process of adding/removing
 	support for a algorithm.
 * provide a mechanism to check the zone as of a specified date and time.
 * check that RRSIG won't expire within the TTL interval.
diff --git a/bind/bind9/doc/design/windows-nt b/bind/bind9/doc/design/windows-nt
index c8e7a371..c5a62e96 100644
--- a/bind/bind9/doc/design/windows-nt
+++ b/bind/bind9/doc/design/windows-nt
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
                      Windows NT Portability Notes
 
diff --git a/bind/bind9/doc/design/zone b/bind/bind9/doc/design/zone
index 227576d8..c21bf0b5 100644
--- a/bind/bind9/doc/design/zone
+++ b/bind/bind9/doc/design/zone
@@ -1,13 +1,13 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 			Zones
 
 Overview
 
 	Zones are the unit of delegation in the DNS and may go from holding
-	RR's only at the zone top to holding the complete hierachy (private
+	RR's only at the zone top to holding the complete hierarchy (private
 	roots zones).  Zones have an associated database which is the
 	container for the RR sets that make up the zone.
 
@@ -56,7 +56,7 @@ Overview
 		support IXFR requests.  While the entire contents of the old
 		version does not need to be kept, a change log needs to be
 		kept.  An index into this log would be useful in speeding
-		up replies. These versions have an explict expiry date.
+		up replies. These versions have an explicit expiry date.
 
 		"How long are we going to keep them operationally?"
                 While there are expriry dates based on last update /
@@ -100,9 +100,9 @@ Overview
 	configurations to be identified earlier providing for a more stable
 	DNS.
 
-Compatability:
+Compatibility:
 
-	Zones are required to be configuration file compatable with
+	Zones are required to be configuration file compatible with
 	BIND 8.x.
 
 Types:
diff --git a/bind/bind9/doc/dev/DBC b/bind/bind9/doc/dev/DBC
index 6daf43c9..9a26e9af 100644
--- a/bind/bind9/doc/dev/DBC
+++ b/bind/bind9/doc/dev/DBC
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Design By Contract
 
diff --git a/bind/bind9/doc/dev/autoconf b/bind/bind9/doc/dev/autoconf
index 9ad6c719..08284cb3 100644
--- a/bind/bind9/doc/dev/autoconf
+++ b/bind/bind9/doc/dev/autoconf
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Here are some hints on how to use autoconf correctly when doing
 BIND 9 development.
diff --git a/bind/bind9/doc/dev/coding.html b/bind/bind9/doc/dev/coding.html
index 60add3dc..0b7d7491 100644
--- a/bind/bind9/doc/dev/coding.html
+++ b/bind/bind9/doc/dev/coding.html
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -325,7 +325,7 @@ should be used for generic variables (e.g. iteration counters, array
 subscripts).  Other than for generic variables, if a negative value isn't
 meaningful, the variable should be unsigned.  Assignments and
 comparisons between signed and unsigned integers should be avoided;
-suppressing the warnings with casts is not desireable.<P>
+suppressing the warnings with casts is not desirable.<P>
 
 <H4>Casting</H4>
 Casting should be avoided when possible.  When it is necessary, there
diff --git a/bind/bind9/doc/dev/cvs-usage b/bind/bind9/doc/dev/cvs-usage
index 40e80282..974d8fc5 100644
--- a/bind/bind9/doc/dev/cvs-usage
+++ b/bind/bind9/doc/dev/cvs-usage
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Notes on CVS Usage
 
@@ -24,7 +24,7 @@ Here's how the 9.0 release branch was created:
 
 
 
-Renaming files by respository copy
+Renaming files by repository copy
 
 
 When you need to rename or move a file that is under CVS control, use
diff --git a/bind/bind9/doc/dev/dev.md b/bind/bind9/doc/dev/dev.md
index e47c9af8..20b5ba2b 100644
--- a/bind/bind9/doc/dev/dev.md
+++ b/bind/bind9/doc/dev/dev.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -33,7 +33,7 @@
 
 ### <a name="reviews"></a>The code review process
 
-Every line of code comitted to BIND has been reviewed by ISC engineers
+Every line of code committed to BIND has been reviewed by ISC engineers
 first.
 
 The code review process is a dialog between the original author and the
@@ -54,7 +54,7 @@ maintenance and support burden for changes that would only be useful
 to a tiny niche).  Second, whether the approach taken is consistent
 with ISC's open-internet goals, BIND architecture, and DNS best
 practices.  Third, the contribution is checked for correctness and
-completness.
+completeness.
 
 Obvious bottlenecks and places where performance or reliability may suffer
 are noted as part of the review.
@@ -243,7 +243,7 @@ libraries.
 #### <a name="layout"></a> Source tree layout
 
 * `bind9/bin`: binaries
-    * `bind9/bin/named`: source code for `named` and `lwresd` binaries; includes server configuration, interface manager, client manger, and high-level processing logic for query, update, and xfer.
+    * `bind9/bin/named`: source code for `named` and `lwresd` binaries; includes server configuration, interface manager, client manager, and high-level processing logic for query, update, and xfer.
     * `bind9/bin/dnssec`: DNSSEC-related tools written in C:
       `dnssec-keygen`, `dnssec-signzone`, `dnssec-settime`,
       `dnssec-revoke`, `dnssec-keyfromlabel`, `dnssec-dsfromkey`,
@@ -376,13 +376,13 @@ on failure (setting `errno` to indicate what the nature of the problem
 was), BIND style always keeps indication of the function's success or
 failure separate from its returned data.  Similarly, the C library
 function `fread()` returns the number of characters read and then
-depends on `feof()` and `ferror()` to determine whether an error occured
+depends on `feof()` and `ferror()` to determine whether an error occurred
 or the end of file was reached, but BIND's version uses result codes:
 
         char buffer[BUFSIZ];
         size_t n;
 
-        result = isc_stdio_read(buffer, 1, sizeof(bufer), fp, &n);
+        result = isc_stdio_read(buffer, 1, sizeof(buffer), fp, &n);
         if (result == ISC_R_SUCCESS) {
                 /* Do something with 'buffer'. */
         } else if (result == ISC_R_EOF) {
@@ -405,7 +405,7 @@ in header files called `result.h` (for example, the result codes defined
 for the ISC library are in `lib/isc/include/isc/result.h`.
 
 ISC library result codes (many of which are generically useful elsewhere)
-begin with `ISC_R`: examples inclue `ISC_R_SUCCESS`, `ISC_R_FAILURE`,
+begin with `ISC_R`: examples include `ISC_R_SUCCESS`, `ISC_R_FAILURE`,
 `ISC_R_NOMEMORY`, etc. 
 
 DNS library result codes begin with `DNS_R`: `DNS_R_SERVFAIL`, `DNS_R_NXRRSET`,
@@ -894,7 +894,7 @@ success:
         }
 
 In some cases, calling an iterator function causes the acquisition of
-database and/or node locks.  Rather than reaquire these locks every time
+database and/or node locks.  Rather than reacquire these locks every time
 one of these functions is called, they are often simply held until the
 iterator is destroyed.  If a caller wishes to hold an iterator open but not
 use it for a while, it should call the iterator's `pause()` function (such
@@ -1009,7 +1009,7 @@ Other channels may be configured by the user via `named.conf`.
 
 `ISC_LOG_DYNAMIC` indicates to the logging system that
 debugging messages are desired, but only at the current debugging level
-of the program.  The debugging level can be modifid dynamically at
+of the program.  The debugging level can be modified dynamically at
 runtime; in `named` this can be done by the `"rndc trace"` command.
 When the debugging level is 0 (turned off), then no debugging messages are
 written to the channel.  If the debugging level is raised, only debugging
@@ -1079,7 +1079,7 @@ the following steps need to be taken to initialize it.
             isc_log_create(mctx, &lctx, &lcfg) != ISC_R_SUCCESS))
                 oops_it_didnt_work();
 
-1. Initalize any additional libraries.  The convention for the name of
+1. Initialize any additional libraries.  The convention for the name of
    the initialization function is `{library}_log_init()`, with a pointer to
    the logging context as an argument.  The function can only be called
    once in a program or it will generate an assertion.
@@ -1346,7 +1346,7 @@ In most cases this can just be a function that returns `true`.
 "checknames" checks the contents of the rdata with the given
 owner name to ensure that it meets externally defined syntax rules.
 If `false` is returned, then `bad` will point to the name that
-caused the probelm.
+caused the problem.
 
         static int
         casecompare[_<class>]_<type>(const dns_rdata_t *rdata1,
@@ -1407,7 +1407,7 @@ associated event is triggered.
          */
         isc_socket_recv(sock, &region, 1, recvdone, NULL);
 
-A timer is set for a specifed time in the future, and the event will
+A timer is set for a specified time in the future, and the event will
 be triggered at that time.
 
         /*
diff --git a/bind/bind9/doc/dev/magic_numbers b/bind/bind9/doc/dev/magic_numbers
index d1a1ea40..381f66e0 100644
--- a/bind/bind9/doc/dev/magic_numbers
+++ b/bind/bind9/doc/dev/magic_numbers
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Magic Numbers
 
diff --git a/bind/bind9/doc/dev/rdata.md b/bind/bind9/doc/dev/rdata.md
index 4ea04b53..1e3a7c6a 100644
--- a/bind/bind9/doc/dev/rdata.md
+++ b/bind/bind9/doc/dev/rdata.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -21,7 +21,7 @@ for encoding, decoding and comparing dns data preventing the problems that
 occurred in BIND 8.x and earlier, in which there were multiple places in the
 code base that decoded wire format to internal format or compared rdata,
 sometimes with subtly different behaviour (bugs), and sometimes failing to
-support a particular type, leading to internal inconsistancy.
+support a particular type, leading to internal inconsistency.
 
 Each of these generic routines calls type-specific routines that provide
 the type-specific details.
@@ -35,7 +35,7 @@ on how to do this.
 Adding a new rdata type requires determining whether the new rdata type is
 class-specific or generic, writing code to perform the rdata operations for the
 type, then integrating it into the build by placing the code into the rdata
-hierachy at the correct location under `lib/dns/rdata`.  Running `make clean`
+hierarchy at the correct location under `lib/dns/rdata`.  Running `make clean`
 followed by `make` in `lib/dns` will cause the new rdata type to be picked up
 and compiled.
 
@@ -144,7 +144,7 @@ type name.
 |Parameter|Description |
 |---------|-----------------------|
 |`class`|This argument should be ignored when used with a class-generic RR type, otherwise `REQUIRE(class == <value>)` should be present at the start of the function.|
-|`type`|This should be tested with a `REQUIRE(type == <value>)` statement at the begining of the function.|
+|`type`|This should be tested with a `REQUIRE(type == <value>)` statement at the beginning of the function.|
 |`lexer`|This is used to read the input text stream.|
 |`origin`|This is a absolute name used to qualify unqualified / partially qualified domain names in the text stream.  It is passed to the name parsing routines.|
 |`downcase`|This is passed to the name parsing routines to determine whether to downcase the names it generates or leave them in the case they are presented in.|
@@ -210,7 +210,7 @@ decompression methods if there is a domain name in the rdata.
 |Parameter|Description |
 |---------|-----------------------|
 |`class`|This argument should be ignored when used with a class-generic RR type otherwise `REQUIRE(class == <value>)` should be present at the start of the function.|
-|`type`|This should be tested with a `REQUIRE(type == <value>)` statement at the begining of the function.|
+|`type`|This should be tested with a `REQUIRE(type == <value>)` statement at the beginning of the function.|
 |`source`|This is a `BINARY` buffer with the `active` region containing a resource record in wire format.|
 |`dctx`|This is the decompression context and is passed to `dns_name_fromwire()`, along with `downcase`, to enable a compressed domain name to be extracted from the source.|
 |`downcase`|This is passed to `dns_name_fromwire()` to say whether the extracted domain name should be downcased during the extraction.|
diff --git a/bind/bind9/doc/dev/release b/bind/bind9/doc/dev/release
index 80325648..ded38212 100644
--- a/bind/bind9/doc/dev/release
+++ b/bind/bind9/doc/dev/release
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Preparing a bind9 release
 
@@ -121,7 +121,7 @@ release.
       sh util/altbuild.sh v9_1
 
    Alteratively, you can do this after building the kit, by giving
-   the kit .tar.gz file as an argument to altbuild.sh instad of
+   the kit .tar.gz file as an argument to altbuild.sh instead of
    the CVS tag.
 
  - If you can (= your system is similar enough to the one Tale is using),
diff --git a/bind/bind9/doc/dev/results b/bind/bind9/doc/dev/results
index b242d73e..d2528153 100644
--- a/bind/bind9/doc/dev/results
+++ b/bind/bind9/doc/dev/results
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Result Codes
 
diff --git a/bind/bind9/doc/dev/style.md b/bind/bind9/doc/dev/style.md
index 33b5172f..985ee099 100644
--- a/bind/bind9/doc/dev/style.md
+++ b/bind/bind9/doc/dev/style.md
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -278,7 +278,7 @@ Historically, when a controlling statement such as `if` or `else` had
 only a single action associated with it, then BIND style specified that
 no bracing was to used around that action.  This has been revised: in
 newly added code, braces are now preferred around all control statement
-code blocks.  Note that legacy code has not yet been udpated to adhere to
+code blocks.  Note that legacy code has not yet been updated to adhere to
 this.
 
 Good:
@@ -372,7 +372,7 @@ should be used for generic variables (e.g. iteration counters, array
 subscripts).  Other than for generic variables, if a negative value isn't
 meaningful, the variable should be unsigned.  Assignments and comparisons
 between signed and unsigned integers should be avoided; suppressing the
-warnings with casts is not desireable.
+warnings with casts is not desirable.
 
 C99 standard integer types must be used when `unsigned long` or
 `short` could be ambiguous.
@@ -483,7 +483,7 @@ with printf, and also when a simple (non-compound) value is being used in
 assignment or as part of a calculation.
 
 If a statement containing a ternary operator spills over more than one
-line, put the `?` and `:` at the begginning of the following lines with two
+line, put the `?` and `:` at the beginning of the following lines with two
 additional spaces of indent.
 
 Using the ternary operator to specify a return value is very rarely
@@ -560,7 +560,7 @@ In some cases, structures are specific to a single C file and are
 opaque outside that file.  In these cases, the `typedef` occurs in the
 associated header file, but the structure definition in the C file
 itself.  Examples of this include the zone object `dns_zone_t`;
-the structure is only acessable via get/set functions in
+the structure is only accessible via get/set functions in
 `lib/dns/zone.c`.  Other times, structure members can be accessed
 from outside the C file where they are implemented; examples include
 `dns_view_t`.  Which way to implement a particular object is up to
@@ -647,13 +647,13 @@ support it.  Is it in the POSIX standard?  If so, how long has it been
 there? (BIND is still run on some operating systems released in the
 1990s.)  Is its behavior the same on all platforms?  Is its signature
 the same?  Are integer parameters the same size and signedness?  Does it
-alwasy return the same values on success, and set the same `errno` codes
+always return the same values on success, and set the same `errno` codes
 on failure?
 
 If there is a chance the library call may not be completely portable,
 edit `configure.in` to check for it on the local system and only call
 it from within a suitable `#ifdef`.  If the function is nonoptional, 
-it may be necessary to add your own implentation of it (or copy one
+it may be necessary to add your own implementation of it (or copy one
 from a source with a BSD-compatible license).
 
 BIND provides portable internal versions of many common library calls.
diff --git a/bind/bind9/doc/dev/tests b/bind/bind9/doc/dev/tests
index 5cccc28a..2d51edec 100644
--- a/bind/bind9/doc/dev/tests
+++ b/bind/bind9/doc/dev/tests
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 We do hourly test builds of the bind9 tree.  This is an attempt to
 document how they work.
diff --git a/bind/bind9/doc/dev/unexpected b/bind/bind9/doc/dev/unexpected
index b170fc7b..2c6de454 100644
--- a/bind/bind9/doc/dev/unexpected
+++ b/bind/bind9/doc/dev/unexpected
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Unexpected Errors
 
diff --git a/bind/bind9/doc/doxygen/Makefile.in b/bind/bind9/doc/doxygen/Makefile.in
index 5cb25022..d452c927 100644
--- a/bind/bind9/doc/doxygen/Makefile.in
+++ b/bind/bind9/doc/doxygen/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/doxygen/doxygen-input-filter.in b/bind/bind9/doc/doxygen/doxygen-input-filter.in
index 419fca53..00c48a80 100644
--- a/bind/bind9/doc/doxygen/doxygen-input-filter.in
+++ b/bind/bind9/doc/doxygen/doxygen-input-filter.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/doxygen/isc-footer.html b/bind/bind9/doc/doxygen/isc-footer.html
index 10176369..f1ed5480 100644
--- a/bind/bind9/doc/doxygen/isc-footer.html
+++ b/bind/bind9/doc/doxygen/isc-footer.html
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/doxygen/isc-header.html b/bind/bind9/doc/doxygen/isc-header.html
index a8d5cc66..7d7e2f80 100644
--- a/bind/bind9/doc/doxygen/isc-header.html
+++ b/bind/bind9/doc/doxygen/isc-header.html
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/doxygen/mainpage b/bind/bind9/doc/doxygen/mainpage
index d3dcf970..df31f5d9 100644
--- a/bind/bind9/doc/doxygen/mainpage
+++ b/bind/bind9/doc/doxygen/mainpage
@@ -77,7 +77,7 @@
 ///     critical.
 ///
 /// \li If we ever get really ambitious, we might try processing
-///     Doxygen's XML output, which is basicly a dump of what Doxygen
+///     Doxygen's XML output, which is basically a dump of what Doxygen
 ///     was able to scrape from the sources.   This would be a major
 ///     project, just something to think about if there's something we
 ///     really don't like about the output Doxygen generates.  Punt
diff --git a/bind/bind9/doc/expired/draft-ietf-dnsind-indirect-key-00.txt b/bind/bind9/doc/expired/draft-ietf-dnsind-indirect-key-00.txt
index 7857081e..98141c2a 100644
--- a/bind/bind9/doc/expired/draft-ietf-dnsind-indirect-key-00.txt
+++ b/bind/bind9/doc/expired/draft-ietf-dnsind-indirect-key-00.txt
@@ -133,7 +133,7 @@ INTERNET-DRAFT                                          Indirect KEY RRs
    KEY RRs can be associated with users, zones, and hosts or other end

    entities named in the DNS.

 

-   For reasons given below, it will sometimes be desireable to store a

+   For reasons given below, it will sometimes be desirable to store a

    key or keys elsewhere and merely point to it from the KEY RR.

    Indirect key storage makes it possible to point to a key service via

    a URL, to have a compact pointer to a larger key or set of keys, to

@@ -160,7 +160,7 @@ INTERNET-DRAFT                                          Indirect KEY RRs
    DNS.

 

    When the algorithm byte of a KEY RR has the value 252, the "public

-   key" portion of the RR is formated as follows:

+   key" portion of the RR is formatted as follows:

 

                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3

     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

@@ -467,4 +467,3 @@ Expiration and File Name
 

 

 D. Eastlake 3rd                                                 [Page 8]

-

diff --git a/bind/bind9/doc/expired/draft-ietf-dnsind-keyreferral-00.txt b/bind/bind9/doc/expired/draft-ietf-dnsind-keyreferral-00.txt
index 7670b4c6..7b151bce 100644
--- a/bind/bind9/doc/expired/draft-ietf-dnsind-keyreferral-00.txt
+++ b/bind/bind9/doc/expired/draft-ietf-dnsind-keyreferral-00.txt
@@ -374,7 +374,7 @@ expectations.
 
     If a zone is being attacked by a masquerader, and parents do not
     make any statements about the security of child zones, then an
-    easy and successfull attack may occur.  An attacker only needs
+    easy and successful attack may occur.  An attacker only needs
     to supply either fake name server records or glue records to
     redirect queries.
 
diff --git a/bind/bind9/doc/expired/draft-ietf-dnsind-kitchen-sink-02.txt b/bind/bind9/doc/expired/draft-ietf-dnsind-kitchen-sink-02.txt
index 9a35062c..5cb37610 100644
--- a/bind/bind9/doc/expired/draft-ietf-dnsind-kitchen-sink-02.txt
+++ b/bind/bind9/doc/expired/draft-ietf-dnsind-kitchen-sink-02.txt
@@ -309,7 +309,7 @@ INTERNET-DRAFT                          The Kitchen Sink Resource Record
         the size limitations of DNS RRs may be overcome in the MIME case
         by using the "Content-Type: message/external-body" mechanism.
 
-        3 - Text tagged data.  The data potion consists of text formated
+        3 - Text tagged data.  The data potion consists of text formatted
         as specified in the TXT RR except that the first and every
         subsequent odd numbered text item is considered to be a tag
         labeling the immediately following text item.  If there are an
@@ -337,7 +337,7 @@ INTERNET-DRAFT                          The Kitchen Sink Resource Record
         the data portion is indicated by an initial BER encoded OID
         which is prefixed by a one octet unsigned length count for the
         OID.  The subcoding octet is available for whatever use the
-        private formating wishes to make of it.
+        private formatting wishes to make of it.
 
         253 - Private coding format indicated by a domain name.  The
         format of the data portion is indicated by an initial wire
@@ -351,13 +351,13 @@ D. Eastlake 3rd                                                 [Page 6]
 INTERNET-DRAFT                          The Kitchen Sink Resource Record
 
 
-        use the private formating wishes to make of it.
+        use the private formatting wishes to make of it.
 
         254 - Private coding format indicated by a URI.  The format of
         the data portion is indicated by an initial URI [RFC 2396] which
         is terminated by a zero (null) valued octet followed by the data
         with that format.  The subcoding octet is available for whatever
-        use the private formating wishes to make of it.  The manner in
+        use the private formatting wishes to make of it.  The manner in
         which the URI specifies the format is not defined but presumably
         the retriever will recognize the URI by some pattern match.
 
diff --git a/bind/bind9/doc/expired/draft-ietf-dnsind-local-compression-05.txt b/bind/bind9/doc/expired/draft-ietf-dnsind-local-compression-05.txt
index ec27e3ac..f23b00d5 100644
--- a/bind/bind9/doc/expired/draft-ietf-dnsind-local-compression-05.txt
+++ b/bind/bind9/doc/expired/draft-ietf-dnsind-local-compression-05.txt
@@ -124,7 +124,7 @@ INTERNET-DRAFT              DNS Compression                    June 1999
 4. Local Compression
 
    We often observe a certain locality in the domain names used as owner
-   and occuring in the RDATA section, e.g. in MX or NS RRs but also in
+   and occurring in the RDATA section, e.g. in MX or NS RRs but also in
    newer RR types [RFC1183]:
 
       host.foo.bar.example  RP  adm.foo.bar.example  adm.persons.bar.example
@@ -167,7 +167,7 @@ INTERNET-DRAFT              DNS Compression                    June 1999
       relative to the start of RDATA is determined by subtracting 256
       from the value of the pointer.
 
-   Local pointers MUST point to a previous occurence of the same name in
+   Local pointers MUST point to a previous occurrence of the same name in
    the same RR.  Even domain names in another RR of the same type cannot
    serve as compression targets since the order of RRs in an RRSet is
    not necessarily stable.  The length of the compressed name(s) MUST be
diff --git a/bind/bind9/doc/expired/draft-ietf-dnsind-sec-rr-00.txt b/bind/bind9/doc/expired/draft-ietf-dnsind-sec-rr-00.txt
index 81ab5155..1cd3e9e5 100644
--- a/bind/bind9/doc/expired/draft-ietf-dnsind-sec-rr-00.txt
+++ b/bind/bind9/doc/expired/draft-ietf-dnsind-sec-rr-00.txt
@@ -354,7 +354,7 @@ know to ask for this from a parent-serving name server.
 2.1 Negative Answer Bitmap
 
 The Negative Answer Bitmap indicates the mechanism for use in denying
-the existance of data.  The bitmap is 16 bits, the most significant
+the existence of data.  The bitmap is 16 bits, the most significant
 bit called 0, least significant is 15.
 
    Bit  0 = The parent doesn't know what the child uses (1=Yes)
@@ -541,7 +541,7 @@ interpretation of this option is undefined.
 
 3. Master File Representation
 
-The SEC RR fields are to be represented as hexidecimal fields, with a
+The SEC RR fields are to be represented as hexadecimal fields, with a
 preceeding '0x', or in decimal format.  Hexidecimal SHOULD be used.
 
 For example, the SEC RR representing a zone that use signed NXT
diff --git a/bind/bind9/doc/expired/draft-ietf-dnssec-indirect-key-01.txt b/bind/bind9/doc/expired/draft-ietf-dnssec-indirect-key-01.txt
index a4804b79..7a8414cc 100644
--- a/bind/bind9/doc/expired/draft-ietf-dnssec-indirect-key-01.txt
+++ b/bind/bind9/doc/expired/draft-ietf-dnssec-indirect-key-01.txt
@@ -127,7 +127,7 @@ INTERNET-DRAFT                                          Indirect KEY RRs
    KEY RRs can be associated with users, zones, and hosts or other end
    entities named in the DNS.
 
-   For reasons given below, in many cases it will be desireable to store
+   For reasons given below, in many cases it will be desirable to store
    a key or keys elsewhere and merely point to it from the KEY RR.
    Indirect key storage makes it possible to point to a key service via
    a URL, to have a compact pointer to a larger key or set of keys, to
@@ -185,7 +185,7 @@ INTERNET-DRAFT                                          Indirect KEY RRs
    DNS.
 
    When the algorithm byte of a KEY RR has thae value 252, the "public
-   key" portion of the RR is formated as follows:
+   key" portion of the RR is formatted as follows:
 
                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
diff --git a/bind/bind9/doc/expired/draft-ietf-dnssec-secfail-00.txt b/bind/bind9/doc/expired/draft-ietf-dnssec-secfail-00.txt
index 67b22bb7..f639f9af 100644
--- a/bind/bind9/doc/expired/draft-ietf-dnssec-secfail-00.txt
+++ b/bind/bind9/doc/expired/draft-ietf-dnssec-secfail-00.txt
@@ -60,7 +60,7 @@ Wellington, Gudmundsson           Expires February 1999         [Page 1]
 Internet-Draft            dnssec-secfail-00.txt              August 1998
 
 
-     verification.  The end resolver must be notified of this occurence
+     verification.  The end resolver must be notified of this occurrence
      in such a way that it will not confuse it with another error.
 
 
diff --git a/bind/bind9/doc/expired/draft-ietf-dnssec-update2-00.txt b/bind/bind9/doc/expired/draft-ietf-dnssec-update2-00.txt
index 860f5fa9..72683873 100644
--- a/bind/bind9/doc/expired/draft-ietf-dnssec-update2-00.txt
+++ b/bind/bind9/doc/expired/draft-ietf-dnssec-update2-00.txt
@@ -247,7 +247,7 @@ INTERNET-DRAFT             Secure DNS Update                 August 1998
    DNS security also permits the storage of public keys in the DNS via
    KEY RRs.  These KEY RRs are also, of course, authenticated by SIG
    RRs.  KEY RRs for zones may be stored in their superzone and/or their
-   authoritive subzone servers so that the secure DNS tree of zones can
+   authoritative subzone servers so that the secure DNS tree of zones can
    be traversed by a security aware resolver.
 
 
@@ -723,7 +723,7 @@ INTERNET-DRAFT             Secure DNS Update                 August 1998
    specified in draft-ietf-dnssec-secext2-*.txt, a public request
    signature is a SIG RR occurring at the end of a request with a type
    covered field of zero.  As specified in draft-ietf-dnsind-tsig-*.txt,
-   a secret key request signature is a TSIG RR occuring at the end of
+   a secret key request signature is a TSIG RR occurring at the end of
    the request.  Each request SIG or TSIG signs the entire request,
    including DNS header, but excluding any other request signatures and
    with the ARCOUNT in the DNS header set to what it would be without
diff --git a/bind/bind9/doc/expired/draft-ietf-ipngwg-rfc2292bis-01.txt b/bind/bind9/doc/expired/draft-ietf-ipngwg-rfc2292bis-01.txt
index 017ef839..55187806 100644
--- a/bind/bind9/doc/expired/draft-ietf-ipngwg-rfc2292bis-01.txt
+++ b/bind/bind9/doc/expired/draft-ietf-ipngwg-rfc2292bis-01.txt
@@ -2344,7 +2344,7 @@ INTERNET-DRAFT        Advanced Sockets API for IPv6         Oct 22, 1999
    the updated "previous" total length computed by advancing past the
    option that was returned and past any options that didn't match the
    type.  This returned "previous" length can then be passed to
-   subsequent calls to inet6_opt_find() for finding the next occurance
+   subsequent calls to inet6_opt_find() for finding the next occurrence
    of the same option type.
 
    If an option of the specified type is not located, the return value
diff --git a/bind/bind9/doc/misc/Makefile.in b/bind/bind9/doc/misc/Makefile.in
index c4967ff5..1065ba59 100644
--- a/bind/bind9/doc/misc/Makefile.in
+++ b/bind/bind9/doc/misc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/misc/dnssec b/bind/bind9/doc/misc/dnssec
index 84db388f..f7624e5e 100644
--- a/bind/bind9/doc/misc/dnssec
+++ b/bind/bind9/doc/misc/dnssec
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 DNSSEC Release Notes
 
diff --git a/bind/bind9/doc/misc/docbook-grammars.pl b/bind/bind9/doc/misc/docbook-grammars.pl
index 43f47e81..47d22088 100644
--- a/bind/bind9/doc/misc/docbook-grammars.pl
+++ b/bind/bind9/doc/misc/docbook-grammars.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/misc/docbook-options.pl b/bind/bind9/doc/misc/docbook-options.pl
index 6495b53e..3541febc 100644
--- a/bind/bind9/doc/misc/docbook-options.pl
+++ b/bind/bind9/doc/misc/docbook-options.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -47,7 +47,7 @@ print <<END;
 
 <!-- Generated by doc/misc/docbook-options.pl -->
 
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
   <info>
     <date>$DATE</date>
   </info>
diff --git a/bind/bind9/doc/misc/docbook-zoneopt.pl b/bind/bind9/doc/misc/docbook-zoneopt.pl
index 295fc286..7f50968f 100644
--- a/bind/bind9/doc/misc/docbook-zoneopt.pl
+++ b/bind/bind9/doc/misc/docbook-zoneopt.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/misc/format-options.pl b/bind/bind9/doc/misc/format-options.pl
index 338d61eb..5c6cf776 100644
--- a/bind/bind9/doc/misc/format-options.pl
+++ b/bind/bind9/doc/misc/format-options.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/misc/ipv6 b/bind/bind9/doc/misc/ipv6
index 02cd19a2..849625a2 100644
--- a/bind/bind9/doc/misc/ipv6
+++ b/bind/bind9/doc/misc/ipv6
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Currently, there are multiple interesting problems with ipv6
 implementations on various platforms.  These problems range from not
@@ -51,7 +51,7 @@ ipv6 addresses separately.
 
 In any case, bind9 named binds to specific addresses for ipv4 sockets.
 
-The followings are historical notes when we always bound to the ipv6
+The following are historical notes when we always bound to the ipv6
 wildcard port regardless of the availability of the API support.
 These problems should not happen with the closer checks above.
 
diff --git a/bind/bind9/doc/misc/migration b/bind/bind9/doc/misc/migration
index aa78a74a..dcda481c 100644
--- a/bind/bind9/doc/misc/migration
+++ b/bind/bind9/doc/misc/migration
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
                    BIND 8 to BIND 9 Migration Notes
 
diff --git a/bind/bind9/doc/misc/migration-4to9 b/bind/bind9/doc/misc/migration-4to9
index 4d038a51..c089399a 100644
--- a/bind/bind9/doc/misc/migration-4to9
+++ b/bind/bind9/doc/misc/migration-4to9
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 		   BIND 4 to BIND 9 Migration Notes
 
diff --git a/bind/bind9/doc/misc/rfc-compliance b/bind/bind9/doc/misc/rfc-compliance
index 8064ebef..caa91418 100644
--- a/bind/bind9/doc/misc/rfc-compliance
+++ b/bind/bind9/doc/misc/rfc-compliance
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 BIND 9 is striving for strict compliance with IETF standards.  We
 believe this release of BIND 9 complies with the following RFCs, with
@@ -154,8 +154,8 @@ used.
 supporting GOST.
 
 [13] Section 5.5 does not match reality.  Named uses the presence
-of DO=1 to detect if validation may be occuring.  CD has no bearing
-on whether validation is occuring or not.
+of DO=1 to detect if validation may be occurring.  CD has no bearing
+on whether validation is occurring or not.
 
 [14] Conditional on the OpenSSL library being linked against
 supporting ECDSA.
diff --git a/bind/bind9/doc/misc/roadmap b/bind/bind9/doc/misc/roadmap
index 3ce9dbc6..e9ab0c45 100644
--- a/bind/bind9/doc/misc/roadmap
+++ b/bind/bind9/doc/misc/roadmap
@@ -1,8 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: roadmap,v 1.2 2004/03/05 05:04:54 marka Exp $
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Road Map to the BIND 9 Source Tree
 
diff --git a/bind/bind9/doc/misc/sdb b/bind/bind9/doc/misc/sdb
index d36e79ca..b47b6cf2 100644
--- a/bind/bind9/doc/misc/sdb
+++ b/bind/bind9/doc/misc/sdb
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Using the BIND 9 Simplified Database Interface
 
diff --git a/bind/bind9/doc/misc/sort-options.pl b/bind/bind9/doc/misc/sort-options.pl
index 500f0604..eebfa21a 100644
--- a/bind/bind9/doc/misc/sort-options.pl
+++ b/bind/bind9/doc/misc/sort-options.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/misc/tcp-fast-open b/bind/bind9/doc/misc/tcp-fast-open
index 020ec053..f3f28b45 100644
--- a/bind/bind9/doc/misc/tcp-fast-open
+++ b/bind/bind9/doc/misc/tcp-fast-open
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 Some systems (Linux, FreeBSD, OS X/macOS and Windows 10) support
 the TCP Fast Open (RFC 7413) mechanism in their recent versions.
diff --git a/bind/bind9/doc/rfc/rfc1034.txt b/bind/bind9/doc/rfc/rfc1034.txt
index 55cdb21f..44af4782 100644
--- a/bind/bind9/doc/rfc/rfc1034.txt
+++ b/bind/bind9/doc/rfc/rfc1034.txt
@@ -1743,7 +1743,7 @@ difficult.
 
 Every resolver implementation uses slightly different algorithms, and
 typically spends much more logic dealing with errors of various sorts
-than typical occurances.  This section outlines a recommended basic
+than typical occurrences.  This section outlines a recommended basic
 strategy for resolver operation, but leaves details to [RFC-1035].
 
 5.3.1. Stub resolvers
@@ -2865,13 +2865,13 @@ RFC 1034             Domain Concepts and Facilities        November 1987
                 Facilities," RFC-882, USC/Information Sciences
                 Institute, November 1983.
 
-                Superceeded by this memo.
+                Superseded by this memo.
 
 [RFC-883]       P. Mockapetris, "Domain names - Implementation and
                 Specification," RFC-883, USC/Information Sciences
                 Institute, November 1983.
 
-                Superceeded by this memo.
+                Superseded by this memo.
 
 [RFC-920]       J. Postel and J. Reynolds, "Domain Requirements",
                 RFC-920, USC/Information Sciences Institute
diff --git a/bind/bind9/doc/rfc/rfc1035.txt b/bind/bind9/doc/rfc/rfc1035.txt
index b1a9bf5a..cf84e9f8 100644
--- a/bind/bind9/doc/rfc/rfc1035.txt
+++ b/bind/bind9/doc/rfc/rfc1035.txt
@@ -1120,7 +1120,7 @@ RFC 1035        Domain Implementation and Specification    November 1987
 
 A records cause no additional section processing.  The RDATA section of
 an A line in a master file is an Internet address expressed as four
-decimal numbers separated by dots without any imbedded spaces (e.g.,
+decimal numbers separated by dots without any embedded spaces (e.g.,
 "10.2.0.52" or "192.0.5.6").
 
 3.4.2. WKS RDATA format
@@ -1636,7 +1636,7 @@ RDATA           a variable length string of octets that describes the
 In order to reduce the size of messages, the domain system utilizes a
 compression scheme which eliminates the repetition of domain names in a
 message.  In this scheme, an entire domain name or a list of labels at
-the end of a domain name is replaced with a pointer to a prior occurance
+the end of a domain name is replaced with a pointer to a prior occurrence
 of the same name.
 
 The pointer takes the form of a two octet sequence:
@@ -1662,7 +1662,7 @@ represented as either:
 
    - a sequence of labels ending with a pointer
 
-Pointers can only be used for occurances of a domain name where the
+Pointers can only be used for occurrences of a domain name where the
 format is not class specific.  If this were not the case, a name server
 or resolver would be required to know the format of all RRs it handled.
 As yet, there are no such cases, but they may occur in future RDATA
@@ -2825,13 +2825,13 @@ RFC 1035        Domain Implementation and Specification    November 1987
                 Facilities," RFC-882, USC/Information Sciences
                 Institute, November 1983.
 
-                Superceeded by this memo.
+                Superseded by this memo.
 
 [RFC-883]       P. Mockapetris, "Domain names - Implementation and
                 Specification," RFC-883, USC/Information Sciences
                 Institute, November 1983.
 
-                Superceeded by this memo.
+                Superseded by this memo.
 
 [RFC-920]       J. Postel and J. Reynolds, "Domain Requirements",
                 RFC-920, USC/Information Sciences Institute,
diff --git a/bind/bind9/doc/rfc/rfc1101.txt b/bind/bind9/doc/rfc/rfc1101.txt
index 66c9d8b8..0688fd15 100644
--- a/bind/bind9/doc/rfc/rfc1101.txt
+++ b/bind/bind9/doc/rfc/rfc1101.txt
@@ -694,7 +694,7 @@ RFC 1101     DNS Encoding of Network Names and Other Types    April 1989
                Specification", RFC 883, USC/Information Sciences
                Institute, November 1983.
 
-               Superceeded by RFC 1035.
+               Superseded by RFC 1035.
 
    [RFC 920]   Postel, J. and J. Reynolds, "Domain Requirements", RFC
                920, October 1984.
diff --git a/bind/bind9/doc/rfc/rfc1611.txt b/bind/bind9/doc/rfc/rfc1611.txt
index ed5b93a8..aadf7ebb 100644
--- a/bind/bind9/doc/rfc/rfc1611.txt
+++ b/bind/bind9/doc/rfc/rfc1611.txt
@@ -1262,7 +1262,7 @@ RFC 1611               DNS Server MIB Extensions                May 1994
                "IP address of host which was the source of the most
                recent successful zone transfer for this zone.  If
                unknown (e.g., zone has never been successfully
-               transfered) or irrelevant (e.g., zone was loaded from
+               transferred) or irrelevant (e.g., zone was loaded from
                stable storage), this value should be 0.0.0.0."
        ::= { dnsServZoneEntry 9 }
 
diff --git a/bind/bind9/doc/rfc/rfc1706.txt b/bind/bind9/doc/rfc/rfc1706.txt
index 5b5d8219..71397d36 100644
--- a/bind/bind9/doc/rfc/rfc1706.txt
+++ b/bind/bind9/doc/rfc/rfc1706.txt
@@ -215,7 +215,7 @@ RFC 1706                      DNS NSAP RRs                  October 1994
              47.0005.80.005a00.0000.1000.0020.00800a123456.00.
 
    Other NSAP formats have different lengths and different
-   administratively defined field widths to accomodate different
+   administratively defined field widths to accommodate different
    requirements. For more information on NSAP formats in use see RFC
    1629 [1].
 
diff --git a/bind/bind9/doc/rfc/rfc2136.txt b/bind/bind9/doc/rfc/rfc2136.txt
index 4d62702e..97bf7c5c 100644
--- a/bind/bind9/doc/rfc/rfc2136.txt
+++ b/bind/bind9/doc/rfc/rfc2136.txt
@@ -1201,7 +1201,7 @@ RFC 2136                       DNS Update                     April 1997
 
    7.10. Deferral of SOA SERIAL autoincrements is made possible so that
    serial numbers can be conserved and wraparound at 2**32 can be made
-   an infrequent occurance.  Visible (to DNS clients) SOA SERIALs need
+   an infrequent occurrence.  Visible (to DNS clients) SOA SERIALs need
    to differ if the zone differs.  Note that the Authority Section SOA
    in a QUERY response is a form of visibility, for the purposes of this
    prerequisite.
diff --git a/bind/bind9/doc/rfc/rfc2168.txt b/bind/bind9/doc/rfc/rfc2168.txt
index 3eed1bdb..766ce4bc 100644
--- a/bind/bind9/doc/rfc/rfc2168.txt
+++ b/bind/bind9/doc/rfc/rfc2168.txt
@@ -472,7 +472,7 @@ RFC 2168            Resolution of URIs Using the DNS           June 1997
    Recall that the regular expression used \2 to extract a domain name
    from the CID, and \. for matching the literal '.' characters
    seperating the domain name components. Since '\' is the escape
-   character, literal occurances of a backslash must be escaped by
+   character, literal occurrences of a backslash must be escaped by
    another backslash. For the case of the cid.urn.net record above, the
    regular expression entered into the zone file should be
    "/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i".  When the client code actually
@@ -717,7 +717,7 @@ Substitution Expression Grammar:
 
 subst_expr   = delim-char  ere  delim-char  repl  delim-char  *flags
 delim-char   = "/" / "!" / ... (Any non-digit or non-flag character other
-               than backslash '\'. All occurances of a delim_char in a
+               than backslash '\'. All occurrences of a delim_char in a
                subst_expr must be the same character.)
 ere          = POSIX Extended Regular Expression (see [13], section
                2.8.4)
@@ -824,7 +824,7 @@ Usage
 
    For the edification of implementers, pseudocode for a client routine
    using NAPTRs is given below. This code is provided merely as a
-   convience, it does not have any weight as a standard way to process
+   convenience, it does not have any weight as a standard way to process
    NAPTR records. Also, as is the case with pseudocode, it has never
    been executed and may contain logical errors. You have been warned.
 
diff --git a/bind/bind9/doc/rfc/rfc2308.txt b/bind/bind9/doc/rfc/rfc2308.txt
index 9123a952..b4d463b8 100644
--- a/bind/bind9/doc/rfc/rfc2308.txt
+++ b/bind/bind9/doc/rfc/rfc2308.txt
@@ -134,7 +134,7 @@ RFC 2308                       DNS NCACHE                     March 1998
    and the authority section may have SOA, NXT [RFC2065] and SIG RRsets.
 
    It is possible to distinguish between a referral and a NXDOMAIN
-   response by the presense of NXDOMAIN in the RCODE regardless of the
+   response by the presence of NXDOMAIN in the RCODE regardless of the
    presence of NS or SOA records in the authority section.
 
    NXDOMAIN responses can be categorised into four types by the contents
diff --git a/bind/bind9/doc/rfc/rfc2535.txt b/bind/bind9/doc/rfc/rfc2535.txt
index fe0b3d07..24630ee4 100644
--- a/bind/bind9/doc/rfc/rfc2535.txt
+++ b/bind/bind9/doc/rfc/rfc2535.txt
@@ -219,7 +219,7 @@ RFC 2535                DNS Security Extensions               March 1999
    considerations.
 
    Section 11 specified IANA considerations for allocation of additional
-   values of paramters defined in this document.
+   values of parameters defined in this document.
 
 
 
diff --git a/bind/bind9/doc/rfc/rfc2538.txt b/bind/bind9/doc/rfc/rfc2538.txt
index c53e3efd..0f2edb85 100644
--- a/bind/bind9/doc/rfc/rfc2538.txt
+++ b/bind/bind9/doc/rfc/rfc2538.txt
@@ -151,7 +151,7 @@ RFC 2538            Storing Certificates in the DNS           March 1999
    certificate section (see 2.3 below).  (NOTE: X.509 certificates do
    not include their X.500 directory type designating OID as a prefix.)
 
-   The SPKI type is reserved to indicate a certificate formated as to be
+   The SPKI type is reserved to indicate a certificate formatted as to be
    specified by the IETF SPKI working group.
 
    The PGP type indicates a Pretty Good Privacy certificate as described
diff --git a/bind/bind9/doc/rfc/rfc2915.txt b/bind/bind9/doc/rfc/rfc2915.txt
index 2022ba11..61dfd11a 100644
--- a/bind/bind9/doc/rfc/rfc2915.txt
+++ b/bind/bind9/doc/rfc/rfc2915.txt
@@ -370,7 +370,7 @@ RFC 2915                      NAPTR DNS RR                September 2000
 
 subst_expr   = delim-char  ere  delim-char  repl  delim-char  *flags
 delim-char   = "/" / "!" / ... <Any non-digit or non-flag character
-               other than backslash '\'. All occurances of a delim_char
+               other than backslash '\'. All occurrences of a delim_char
                in a subst_expr must be the same character.>
 ere          = POSIX Extended Regular Expression
 repl         = 1 * ( OCTET /  backref )
@@ -620,7 +620,7 @@ Mealling & Daniel           Standards Track                    [Page 11]
 RFC 2915                      NAPTR DNS RR                September 2000
 
 
-   character, literal occurances of a backslash must be escaped by
+   character, literal occurrences of a backslash must be escaped by
    another backslash.  For the case of the cid.urn.arpa record above,
    the regular expression entered into the master file should be
    "/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i".  When the client code actually
diff --git a/bind/bind9/doc/rfc/rfc4193.txt b/bind/bind9/doc/rfc/rfc4193.txt
index 17e2c0b4..44051e95 100644
--- a/bind/bind9/doc/rfc/rfc4193.txt
+++ b/bind/bind9/doc/rfc/rfc4193.txt
@@ -662,7 +662,7 @@ RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
 
       - Can be used for inter-site VPNs.
 
-      - If accidently leaked outside of a site via routing or DNS, there
+      - If accidentally leaked outside of a site via routing or DNS, there
         is no conflict with any other addresses.
 
 
diff --git a/bind/bind9/doc/rfc/rfc5507.txt b/bind/bind9/doc/rfc/rfc5507.txt
index a286d908..f3d6482b 100644
--- a/bind/bind9/doc/rfc/rfc5507.txt
+++ b/bind/bind9/doc/rfc/rfc5507.txt
@@ -677,7 +677,7 @@ RFC 5507         Design Choices When Expanding the DNS        April 2009
 
 
    a subtype is reduced to hoping that whatever scheme one has come up
-   with will not accidently conflict with somebody else's subtyping
+   with will not accidentally conflict with somebody else's subtyping
    scheme, and that it will not be possible to mis-parse one
    application's use of TXT Resource Records as data intended for a
    different application.  Any attempt to impose a standardized format
diff --git a/bind/bind9/doc/tex/Makefile.in b/bind/bind9/doc/tex/Makefile.in
index c4bb6038..ca8b697d 100644
--- a/bind/bind9/doc/tex/Makefile.in
+++ b/bind/bind9/doc/tex/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/tex/armstyle.sty.in b/bind/bind9/doc/tex/armstyle.sty.in
index 906a5632..78fa82f1 100644
--- a/bind/bind9/doc/tex/armstyle.sty.in
+++ b/bind/bind9/doc/tex/armstyle.sty.in
@@ -89,7 +89,9 @@
     % trim enough for it to fit on the page, and we do not trim
     % so much that we clip out part of the graphic itself.
     % This seems to work, anyway.
-    \includegraphics[trim=400 150 400 0,clip,scale=2.5]{isc-logo.pdf}
+    % trim=left bottom right top
+    %\includegraphics[trim=400 150 400 0,clip,scale=2.5]{isc-logo.pdf} % old logo
+    \includegraphics[trim=175 320 200 200,clip]{isc-logo.pdf}
   \end{center}\par
   \newpage
   \thispagestyle{empty}
@@ -97,9 +99,9 @@
   \DBKcopyright \\
   \vfill\null
   \begin{center}
-    Internet Systems Consortium \\
-    950 Charter Street \\
-    Redwood City, California \\
+    Internet Systems Consortium, Inc. \\
+    PO Box 360 \\
+    Newmarket, NH 03857 \\
     USA \\
     https://www.isc.org/
   \end{center}
diff --git a/bind/bind9/doc/xsl/Makefile.in b/bind/bind9/doc/xsl/Makefile.in
index 3138c29c..33e7c600 100644
--- a/bind/bind9/doc/xsl/Makefile.in
+++ b/bind/bind9/doc/xsl/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/doc/xsl/arm-param.xsl b/bind/bind9/doc/xsl/arm-param.xsl
index c3014914..c0d3b372 100644
--- a/bind/bind9/doc/xsl/arm-param.xsl
+++ b/bind/bind9/doc/xsl/arm-param.xsl
@@ -4,7 +4,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -16,7 +16,7 @@
   xmlns:db="http://docbook.org/ns/docbook">
 
   <!-- <optional> and <command> rendered in <programlisting>s.
-       For each overriden element, the parameters must be defined.
+       For each overridden element, the parameters must be defined.
        They are mandatory, and $probe must be set to 0 by default.
 
        Only dblatex 0.2.12, with the verbatim.boldseq template works
diff --git a/bind/bind9/doc/xsl/copyright.xsl b/bind/bind9/doc/xsl/copyright.xsl
index 100249b0..87ff84ac 100644
--- a/bind/bind9/doc/xsl/copyright.xsl
+++ b/bind/bind9/doc/xsl/copyright.xsl
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
@@ -40,13 +40,13 @@
   <xsl:variable name="isc.copyright">
     <xsl:call-template name="isc.copyright.format">
       <xsl:with-param name="text">
-        <xsl:for-each select="book/info/copyright | refentry/docinfo/copyright">
+        <xsl:for-each select="db:book/db:info/db:copyright | db:refentry/db:docinfo/db:copyright">
 	  <xsl:text>Copyright (C) </xsl:text>
 	  <xsl:call-template name="copyright.years">
-	    <xsl:with-param name="years" select="year"/>
+	    <xsl:with-param name="years" select="db:year"/>
 	  </xsl:call-template>
 	  <xsl:text> </xsl:text>
-	  <xsl:value-of select="holder"/>
+	  <xsl:value-of select="db:holder"/>
           <xsl:value-of select="$isc.copyright.breakline"/>
 	  <xsl:text>&#10;</xsl:text>
 	</xsl:for-each>
diff --git a/bind/bind9/doc/xsl/graphics/caution.eps b/bind/bind9/doc/xsl/graphics/caution.eps
index c9473b72..ff3c2c4c 100644
--- a/bind/bind9/doc/xsl/graphics/caution.eps
+++ b/bind/bind9/doc/xsl/graphics/caution.eps
@@ -82,8 +82,8 @@ readbinarystring
 } if
 pop exch pop
 } bdf
-/_NXLevel2 defed { 
-_NXLevel2 not { 
+/_NXLevel1 defed { 
+_NXLevel1 not { 
 /colorimage where {
 userdict eq {
 /_rci false def 
diff --git a/bind/bind9/doc/xsl/graphics/important.eps b/bind/bind9/doc/xsl/graphics/important.eps
index c9473b72..ff3c2c4c 100644
--- a/bind/bind9/doc/xsl/graphics/important.eps
+++ b/bind/bind9/doc/xsl/graphics/important.eps
@@ -82,8 +82,8 @@ readbinarystring
 } if
 pop exch pop
 } bdf
-/_NXLevel2 defed { 
-_NXLevel2 not { 
+/_NXLevel1 defed { 
+_NXLevel1 not { 
 /colorimage where {
 userdict eq {
 /_rci false def 
diff --git a/bind/bind9/doc/xsl/graphics/note.eps b/bind/bind9/doc/xsl/graphics/note.eps
index 39be23fa..f5df5217 100644
--- a/bind/bind9/doc/xsl/graphics/note.eps
+++ b/bind/bind9/doc/xsl/graphics/note.eps
@@ -82,8 +82,8 @@ readbinarystring
 } if
 pop exch pop
 } bdf
-/_NXLevel2 defed { 
-_NXLevel2 not { 
+/_NXLevel1 defed { 
+_NXLevel1 not { 
 /colorimage where {
 userdict eq {
 /_rci false def 
diff --git a/bind/bind9/doc/xsl/graphics/tip.eps b/bind/bind9/doc/xsl/graphics/tip.eps
index a28ad883..0edd2ef7 100644
--- a/bind/bind9/doc/xsl/graphics/tip.eps
+++ b/bind/bind9/doc/xsl/graphics/tip.eps
@@ -82,8 +82,8 @@ readbinarystring
 } if
 pop exch pop
 } bdf
-/_NXLevel2 defed { 
-_NXLevel2 not { 
+/_NXLevel1 defed { 
+_NXLevel1 not { 
 /colorimage where {
 userdict eq {
 /_rci false def 
diff --git a/bind/bind9/doc/xsl/graphics/warning.eps b/bind/bind9/doc/xsl/graphics/warning.eps
index c9473b72..ff3c2c4c 100644
--- a/bind/bind9/doc/xsl/graphics/warning.eps
+++ b/bind/bind9/doc/xsl/graphics/warning.eps
@@ -82,8 +82,8 @@ readbinarystring
 } if
 pop exch pop
 } bdf
-/_NXLevel2 defed { 
-_NXLevel2 not { 
+/_NXLevel1 defed { 
+_NXLevel1 not { 
 /colorimage where {
 userdict eq {
 /_rci false def 
diff --git a/bind/bind9/doc/xsl/isc-docbook-chunk.xsl.in b/bind/bind9/doc/xsl/isc-docbook-chunk.xsl.in
index 6f9977e1..e2ee26e8 100644
--- a/bind/bind9/doc/xsl/isc-docbook-chunk.xsl.in
+++ b/bind/bind9/doc/xsl/isc-docbook-chunk.xsl.in
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/xsl/isc-docbook-html.xsl.in b/bind/bind9/doc/xsl/isc-docbook-html.xsl.in
index 6d27de8b..c424a2bc 100644
--- a/bind/bind9/doc/xsl/isc-docbook-html.xsl.in
+++ b/bind/bind9/doc/xsl/isc-docbook-html.xsl.in
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/xsl/isc-docbook-text.xsl b/bind/bind9/doc/xsl/isc-docbook-text.xsl
index 1e45e0d3..e54a78a6 100644
--- a/bind/bind9/doc/xsl/isc-docbook-text.xsl
+++ b/bind/bind9/doc/xsl/isc-docbook-text.xsl
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/xsl/isc-manpage.xsl.in b/bind/bind9/doc/xsl/isc-manpage.xsl.in
index 69ff9036..3cfe835f 100644
--- a/bind/bind9/doc/xsl/isc-manpage.xsl.in
+++ b/bind/bind9/doc/xsl/isc-manpage.xsl.in
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/xsl/isc-notes-html.xsl.in b/bind/bind9/doc/xsl/isc-notes-html.xsl.in
index 3f6b2a29..4845bb03 100644
--- a/bind/bind9/doc/xsl/isc-notes-html.xsl.in
+++ b/bind/bind9/doc/xsl/isc-notes-html.xsl.in
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/xsl/notes-param.xsl b/bind/bind9/doc/xsl/notes-param.xsl
index f2b3e8b2..57ad2e97 100644
--- a/bind/bind9/doc/xsl/notes-param.xsl
+++ b/bind/bind9/doc/xsl/notes-param.xsl
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/doc/xsl/pre-latex.xsl b/bind/bind9/doc/xsl/pre-latex.xsl
index b527daaa..88a7034b 100644
--- a/bind/bind9/doc/xsl/pre-latex.xsl
+++ b/bind/bind9/doc/xsl/pre-latex.xsl
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/docutil/patch-db2latex-duplicate-template-bug b/bind/bind9/docutil/patch-db2latex-duplicate-template-bug
index c9354ae1..751c536a 100644
--- a/bind/bind9/docutil/patch-db2latex-duplicate-template-bug
+++ b/bind/bind9/docutil/patch-db2latex-duplicate-template-bug
@@ -9,7 +9,7 @@
 ;; take it from there.  I've sent this patch off to the port
 ;; maintainer but have not yet heard anything back.
 ;; 
-;; I don't really know whther this is the "right" fix, but it seems to
+;; I don't really know whether this is the "right" fix, but it seems to
 ;; work, and I'm pretty sure that the code this patch deletes does not
 ;; work as it stands, so at worst the result after applying this patch
 ;; should be no worse than the result without this patch.
@@ -26,7 +26,7 @@ Index: xsl/qandaset.mod.xsl
 -<xsl:template name="question.answer.label">
 -	<!-- variable: deflabel -->
 -  <xsl:variable name="deflabel">
--  	<!-- chck whether someone has a defaultlabel attribute -->
+-  	<!-- check whether someone has a defaultlabel attribute -->
 -    <xsl:choose>
 -		<xsl:when test="ancestor-or-self::*[@defaultlabel]">
 -        	<xsl:value-of select="(ancestor-or-self::*[@defaultlabel])[last()]/@defaultlabel"/>
diff --git a/bind/bind9/isc-config.sh.1 b/bind/bind9/isc-config.sh.1
index e163913a..b30397db 100644
--- a/bind/bind9/isc-config.sh.1
+++ b/bind/bind9/isc-config.sh.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: isc-config.sh
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2009-02-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -91,5 +91,5 @@ returns an exit status of 1 if invoked with invalid arguments or no arguments at
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/isc-config.sh.docbook b/bind/bind9/isc-config.sh.docbook
index 978dbf14..2dcf9361 100644
--- a/bind/bind9/isc-config.sh.docbook
+++ b/bind/bind9/isc-config.sh.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-config.sh">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-config.sh">
   <info>
     <date>2009-02-18</date>
   </info>
@@ -34,6 +34,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/isc-config.sh.html b/bind/bind9/isc-config.sh.html
index 269fa57e..b53ce96b 100644
--- a/bind/bind9/isc-config.sh.html
+++ b/bind/bind9/isc-config.sh.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,47 +10,26 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>isc-config.sh</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.isc-config.sh"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    <span class="application">isc-config.sh</span>
-     &#8212; Get information about the installed version of ISC BIND
-  </p>
+<p><span class="application">isc-config.sh</span> &#8212; Get information about the installed version of ISC BIND</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">isc-config.sh</code> 
-       [<code class="option">--cflags</code>]
-       [<code class="option">--exec-prefix</code>]
-       [<code class="option">--libs</code>]
-       [<code class="option">--prefix</code>]
-       [<code class="option">--version</code>]
-       [libraries...]
-    </p></div>
-  </div>
-
-  <div class="refsection">
+<div class="cmdsynopsis"><p><code class="command">isc-config.sh</code>  [<code class="option">--cflags</code>] [<code class="option">--exec-prefix</code>] [<code class="option">--libs</code>] [<code class="option">--prefix</code>] [<code class="option">--version</code>] [libraries...]</p></div>
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><span class="command"><strong>isc-config.sh</strong></span>
+<p><span class="command"><strong>isc-config.sh</strong></span>
 	prints information related to the installed version of ISC BIND,
 	such as the compiler and linker flags required to compile
 	and link programs that use ISC BIND libraries.
     </p>
-    <p>
+<p>
 	The optional libraries are used to report specific details
 	for compiling and linking for the listed libraries.
 	The allowed choices are:
@@ -63,65 +42,47 @@
 	Multiple libraries may be listed on the command line.
 	(Some libraries require other libraries, so are implied.)
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
-    <div class="variablelist"><dl class="variablelist">
+<div class="variablelist"><dl class="variablelist">
 <dt><span class="term">--cflags</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints the compiler command line options required to
             compile files that use ISC BIND.
             Use the <code class="option">libraries</code> command line argument(s)
             to print additional specific flags to pass to the C compiler.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">--exec-prefix</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints the directory prefix used in the ISC BIND installation
             for architecture dependent files to standard output.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">--libs</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints the linker command line options used to
             link with the ISC BIND libraries.
             Use the <code class="option">libraries</code> command line argument(s)
             to print additional specific flags.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">--prefix</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints the directory prefix used in the ISC BIND installation
             for architecture independent files to standard output.
-          </p>
-        </dd>
+          </p></dd>
 <dt><span class="term">--version</span></dt>
-<dd>
-          <p>
+<dd><p>
             Prints the version of the installed ISC BIND suite.
-          </p>
-        </dd>
+          </p></dd>
 </dl></div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>RETURN VALUES</h2>
-
-    <p><span class="command"><strong>isc-config.sh</strong></span>
+<p><span class="command"><strong>isc-config.sh</strong></span>
       returns an exit status of 1 if
       invoked with invalid arguments or no arguments at all.
       It returns 0 if information was successfully printed.
     </p>
-  </div>
-
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/isc-config.sh.in b/bind/bind9/isc-config.sh.in
index a8a0a89e..006b29c5 100644
--- a/bind/bind9/isc-config.sh.in
+++ b/bind/bind9/isc-config.sh.in
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/Makefile.in b/bind/bind9/lib/Makefile.in
index 81270a0e..f089bea7 100644
--- a/bind/bind9/lib/Makefile.in
+++ b/bind/bind9/lib/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/Makefile.in b/bind/bind9/lib/bind9/Makefile.in
index 73a55989..704259dd 100644
--- a/bind/bind9/lib/bind9/Makefile.in
+++ b/bind/bind9/lib/bind9/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -61,7 +61,7 @@ libbind9.la: ${OBJS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} \
 		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind9.la -rpath ${libdir} \
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ \
+		${OBJS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ \
 		${LIBS}
 
 timestamp: libbind9.@A@
diff --git a/bind/bind9/lib/bind9/check.c b/bind/bind9/lib/bind9/check.c
index 8bdfa6f3..f9908607 100644
--- a/bind/bind9/lib/bind9/check.c
+++ b/bind/bind9/lib/bind9/check.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -2335,14 +2335,14 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 
 	/*
 	 * Check that a RFC 1918 / ULA reverse zone is not forward first
-	 * unless explictly configured to be so.
+	 * unless explicitly configured to be so.
 	 */
 	if (ztype == CFG_ZONE_FORWARD && (rfc1918 || ula)) {
 		obj = NULL;
 		(void)cfg_map_get(zoptions, "forward", &obj);
 		if (obj == NULL) {
 			/*
-			 * Forward mode not explicity configured.
+			 * Forward mode not explicitly configured.
 			 */
 			if (voptions != NULL)
 				cfg_map_get(voptions, "forward", &obj);
@@ -3963,7 +3963,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 			result = ISC_R_FAILURE;
 
 	/*
-	 * Use case insensitive comparision as not all file systems are
+	 * Use case insensitive comparison as not all file systems are
 	 * case sensitive. This will prevent people using FOO.DB and foo.db
 	 * on case sensitive file systems but that shouldn't be a major issue.
 	 */
diff --git a/bind/bind9/lib/bind9/getaddresses.c b/bind/bind9/lib/bind9/getaddresses.c
index 46cd4d51..c38bd9fe 100644
--- a/bind/bind9/lib/bind9/getaddresses.c
+++ b/bind/bind9/lib/bind9/getaddresses.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/include/Makefile.in b/bind/bind9/lib/bind9/include/Makefile.in
index b2b35623..e0b89b68 100644
--- a/bind/bind9/lib/bind9/include/Makefile.in
+++ b/bind/bind9/lib/bind9/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/include/bind9/Makefile.in b/bind/bind9/lib/bind9/include/bind9/Makefile.in
index 247fbc59..261b01c0 100644
--- a/bind/bind9/lib/bind9/include/bind9/Makefile.in
+++ b/bind/bind9/lib/bind9/include/bind9/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/include/bind9/check.h b/bind/bind9/lib/bind9/include/bind9/check.h
index f796e268..8b695fce 100644
--- a/bind/bind9/lib/bind9/include/bind9/check.h
+++ b/bind/bind9/lib/bind9/include/bind9/check.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/include/bind9/getaddresses.h b/bind/bind9/lib/bind9/include/bind9/getaddresses.h
index 2ffbf9f0..2dff8fe3 100644
--- a/bind/bind9/lib/bind9/include/bind9/getaddresses.h
+++ b/bind/bind9/lib/bind9/include/bind9/getaddresses.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/include/bind9/version.h b/bind/bind9/lib/bind9/include/bind9/version.h
index fcc08790..1ea55f51 100644
--- a/bind/bind9/lib/bind9/include/bind9/version.h
+++ b/bind/bind9/lib/bind9/include/bind9/version.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/version.c b/bind/bind9/lib/bind9/version.c
index 89003c73..362d6982 100644
--- a/bind/bind9/lib/bind9/version.c
+++ b/bind/bind9/lib/bind9/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/win32/DLLMain.c b/bind/bind9/lib/bind9/win32/DLLMain.c
index 8ff10175..f442c2f8 100644
--- a/bind/bind9/lib/bind9/win32/DLLMain.c
+++ b/bind/bind9/lib/bind9/win32/DLLMain.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/bind9/win32/libbind9.vcxproj.in b/bind/bind9/lib/bind9/win32/libbind9.vcxproj.in
index 4449df0b..cff1372b 100644
--- a/bind/bind9/lib/bind9/win32/libbind9.vcxproj.in
+++ b/bind/bind9/lib/bind9/win32/libbind9.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>./;../../../;include;../include;../../isc/win32;../../isc/win32/include;../../isc/include;../../isccfg/include;../../dns/include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/bind9/win32/version.c b/bind/bind9/lib/bind9/win32/version.c
index 68ce9925..63d5a5fa 100644
--- a/bind/bind9/lib/bind9/win32/version.c
+++ b/bind/bind9/lib/bind9/win32/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/Makefile.in b/bind/bind9/lib/dns/Makefile.in
index 7f09bd68..1d0f5df4 100644
--- a/bind/bind9/lib/dns/Makefile.in
+++ b/bind/bind9/lib/dns/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -24,13 +24,11 @@ VERSION=@BIND9_VERSION@
 
 @BIND9_MAKE_INCLUDES@
 
-USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-
 CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
 		${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
 		@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 
-CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@
 
 CWARNINGS =
 
@@ -109,7 +107,7 @@ GEOIPL2INKSRCS = geoip2.c
 
 DNSTAPSRCS = dnstap.c dnstap.pb-c.c
 
-DNSSRCS =	acache.c acl.c adb.c badcache. byaddr.c \
+DNSSRCS =	acache.c acl.c adb.c badcache.c byaddr.c \
 		cache.c callbacks.c clientinfo.c compress.c \
 		db.c dbiterator.c dbtable.c diff.c dispatch.c \
 		dlz.c dns64.c dnssec.c ds.c dyndb.c fixedname.c forward.c \
@@ -217,7 +215,7 @@ rdata.@O@: include
 
 rbtdb64.@O@: rbtdb64.c rbtdb.c
 
-depend: include
+depend: include @DNSTAPSRCS@
 subdirs: include
 ${OBJS}: include
 
@@ -228,5 +226,3 @@ dnstap.pb-c.c dnstap.pb-c.h: dnstap.proto
 	$(PROTOC_C) --c_out=. --proto_path ${srcdir} dnstap.proto
 
 dnstap.pb-c.@O@: dnstap.pb-c.c
-
-spnego.@O@: spnego_asn1.c spnego.h
diff --git a/bind/bind9/lib/dns/acache.c b/bind/bind9/lib/dns/acache.c
index fc6973f4..cd87b84a 100644
--- a/bind/bind9/lib/dns/acache.c
+++ b/bind/bind9/lib/dns/acache.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -174,9 +174,32 @@ struct acache_cleaner {
 };
 
 struct dns_acachestats {
+#ifdef ACACHE_HAVESTDATOMIC
+	_Atomic(unsigned int)		hits;
+	_Atomic(unsigned int)		queries;
+	_Atomic(unsigned int)		misses;
+#define ACACHE_STATSLOCK(x) (void)0
+#define ACACHE_STATSUNLOCK(x) (void)0
+#define ACACHE_INC(x)	atomic_fetch_add(&(x), 1)
+#define ACACHE_LOAD(x)  atomic_load(&(x))
+#else
 	unsigned int			hits;
 	unsigned int			queries;
 	unsigned int			misses;
+#if defined(ISC_PLATFORM_HAVEXADD)
+#define ACACHE_STATSLOCK(x) (void)0
+#define ACACHE_STATSUNLOCK(x) (void)0
+#define ACACHE_INC(x) isc_atomic_xadd((int32_t*)&(x), 1)
+#define ACACHE_LOAD(x) isc_atomic_xadd((int32_t*)&(x), 0)
+#else
+	isc_mutex_t			lock;
+#define ISC_HAVE_STATSLOCK
+#define ACACHE_STATSLOCK(l)	LOCK(l)
+#define ACACHE_STATSUNLOCK(l)	UNLOCK(l)
+#define ACACHE_INC(x) ((x)++)
+#define ACACHE_LOAD(x) (x)
+#endif
+#endif
 	unsigned int			adds;
 	unsigned int			deleted;
 	unsigned int			cleaned;
@@ -472,6 +495,10 @@ destroy(dns_acache_t *acache) {
 
 	DESTROYLOCK(&acache->cleaner.lock);
 
+#ifdef ISC_HAVE_STATSLOCK
+	DESTROYLOCK(&acache->stats.lock);
+#endif
+
 	DESTROYLOCK(&acache->lock);
 	acache->magic = 0;
 
@@ -709,6 +736,7 @@ end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
 	acache->stats.cleaned += cleaner->ncleaned;
 	acache->stats.cleaner_runs++;
 
+	ACACHE_STATSLOCK(&acache->stats.lock);
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
 		      ISC_LOG_NOTICE,
 		      "acache %p stats: hits=%d misses=%d queries=%d "
@@ -716,13 +744,15 @@ end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
 		      "cleaned=%d cleaner_runs=%d overmem=%d "
 		      "overmem_nocreates=%d nomem=%d",
 		      acache,
-		      acache->stats.hits, acache->stats.misses,
-		      acache->stats.queries,
+		      ACACHE_LOAD(acache->stats.hits),
+		      ACACHE_LOAD(acache->stats.misses),
+		      ACACHE_LOAD(acache->stats.queries),
 		      acache->stats.adds, acache->stats.deleted,
 		      acache->stats.cleaned, acache->stats.cleaner_runs,
 		      acache->stats.overmem, acache->stats.overmem_nocreates,
 		      acache->stats.nomem);
 	reset_stats(acache);
+	ACACHE_STATSUNLOCK(&acache->stats.lock);
 
 	isc_stdtime_get(&cleaner->last_cleanup_time);
 
@@ -1089,6 +1119,17 @@ dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
 		return (result);
 	}
 
+#ifdef ISC_HAVE_STATSLOCK
+	result = isc_mutex_init(&acache->stats.lock);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&acache->lock);
+		isc_refcount_decrement(&acache->refs, NULL);
+		isc_refcount_destroy(&acache->refs);
+		isc_mem_put(mctx, acache, sizeof(*acache));
+		return (result);
+	}
+#endif
+
 	acache->mctx = NULL;
 	isc_mem_attach(mctx, &acache->mctx);
 	ISC_LIST_INIT(acache->entries);
@@ -1151,6 +1192,9 @@ dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
  cleanup:
 	if (acache->task != NULL)
 		isc_task_detach(&acache->task);
+#ifdef ISC_HAVE_STATSLOCK
+	DESTROYLOCK(&acache->stats.lock);
+#endif
 	DESTROYLOCK(&acache->lock);
 	isc_refcount_decrement(&acache->refs, NULL);
 	isc_refcount_destroy(&acache->refs);
@@ -1181,8 +1225,10 @@ dns_acache_attach(dns_acache_t *source, dns_acache_t **targetp) {
 
 void
 dns_acache_countquerymiss(dns_acache_t *acache) {
-	acache->stats.misses++; 	/* XXXSK danger: unlocked! */
-	acache->stats.queries++;	/* XXXSK danger: unlocked! */
+	ACACHE_STATSLOCK(&acache->stats.lock);
+	ACACHE_INC(acache->stats.misses);
+	ACACHE_INC(acache->stats.queries);
+	ACACHE_STATSUNLOCK(&acache->stats.lock);
 }
 
 void
@@ -1529,8 +1575,10 @@ dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
 		}
 	}
 
-	entry->acache->stats.hits++; /* XXXMLG danger: unlocked! */
-	entry->acache->stats.queries++;
+	ACACHE_STATSLOCK(&entry->acache->stats.lock);
+	ACACHE_INC(entry->acache->stats.hits);
+	ACACHE_INC(entry->acache->stats.queries);
+	ACACHE_STATSUNLOCK(&entry->acache->stats.lock);
 
 	ACACHE_UNLOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
 
diff --git a/bind/bind9/lib/dns/acl.c b/bind/bind9/lib/dns/acl.c
index 3fc8ab78..b5cb7355 100644
--- a/bind/bind9/lib/dns/acl.c
+++ b/bind/bind9/lib/dns/acl.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -565,10 +565,11 @@ dns_acl_detach(dns_acl_t **aclp) {
 
 	REQUIRE(DNS_ACL_VALID(acl));
 
+	*aclp = NULL;
+
 	isc_refcount_decrement(&acl->refcount, &refs);
 	if (refs == 0)
 		destroy(acl);
-	*aclp = NULL;
 }
 
 
diff --git a/bind/bind9/lib/dns/adb.c b/bind/bind9/lib/dns/adb.c
index 3d12221c..e12c804f 100644
--- a/bind/bind9/lib/dns/adb.c
+++ b/bind/bind9/lib/dns/adb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
  */
 #define FIND_WANTEVENT(fn)      (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
 #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
-#define FIND_AVOIDFETCHES(fn)   (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
-				 != 0)
-#define FIND_STARTATZONE(fn)    (((fn)->options & DNS_ADBFIND_STARTATZONE) \
-				 != 0)
-#define FIND_HINTOK(fn)         (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-#define FIND_GLUEOK(fn)         (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-#define FIND_HAS_ADDRS(fn)      (!ISC_LIST_EMPTY((fn)->list))
-#define FIND_RETURNLAME(fn)     (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_AVOIDFETCHES(fn)	(((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
+#define FIND_STARTATZONE(fn)	(((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
+#define FIND_HINTOK(fn)		(((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn)		(((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn)	(!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn)	(((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_NOFETCH(fn)	(((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
 
 /*
  * These are currently used on simple unsigned ints, so they are
@@ -2597,7 +2596,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	result = isc_taskmgr_excltask(adb->taskmgr, &adb->excl);
 	if (result != ISC_R_SUCCESS) {
 		DP(DEF_LEVEL, "adb: task-exclusive mode unavailable, "
-			      "intializing table sizes to %u\n",
+			      "initializing table sizes to %u\n",
 			      nbuckets[11]);
 		adb->nentries = nbuckets[11];
 		adb->nnames = nbuckets[11];
@@ -2827,9 +2826,8 @@ dns_adb_detach(dns_adb_t **adbx) {
 	adb = *adbx;
 	*adbx = NULL;
 
-	INSIST(adb->erefcnt > 0);
-
 	LOCK(&adb->reflock);
+	INSIST(adb->erefcnt > 0);
 	adb->erefcnt--;
 	need_exit_check = (adb->erefcnt == 0 && adb->irefcnt == 0);
 	UNLOCK(&adb->reflock);
@@ -3155,21 +3153,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		 * Listen to negative cache hints, and don't start
 		 * another query.
 		 */
-		if (NCACHE_RESULT(result) || AUTH_NX(result))
+		if (NCACHE_RESULT(result) || AUTH_NX(result)) {
 			goto fetch;
+		}
 
-		if (!NAME_FETCH_V6(adbname))
+		if (!NAME_FETCH_V6(adbname)) {
 			wanted_fetches |= DNS_ADBFIND_INET6;
+		}
 	}
 
  fetch:
 	if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
 	    (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
+	{
 		have_address = true;
-	else
+	} else {
 		have_address = false;
-	if (wanted_fetches != 0 &&
-	    ! (FIND_AVOIDFETCHES(find) && have_address)) {
+	}
+	if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
+	    !FIND_NOFETCH(find))
+	{
 		/*
 		 * We're missing at least one address family.  Either the
 		 * caller hasn't instructed us to avoid fetches, or we don't
@@ -3177,8 +3180,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		 * be acceptable so we have to launch fetches.
 		 */
 
-		if (FIND_STARTATZONE(find))
+		if (FIND_STARTATZONE(find)) {
 			start_at_zone = true;
+		}
 
 		/*
 		 * Start V4.
@@ -3453,18 +3457,16 @@ dump_adb(dns_adb_t *adb, FILE *f, bool debug, isc_stdtime_t now) {
 			adb, adb->erefcnt, adb->irefcnt,
 			isc_mempool_getallocated(adb->nhmp));
 
-	for (i = 0; i < adb->nnames; i++)
-		LOCK(&adb->namelocks[i]);
-	for (i = 0; i < adb->nentries; i++)
-		LOCK(&adb->entrylocks[i]);
-
 	/*
 	 * Dump the names
 	 */
 	for (i = 0; i < adb->nnames; i++) {
+		LOCK(&adb->namelocks[i]);
 		name = ISC_LIST_HEAD(adb->names[i]);
-		if (name == NULL)
+		if (name == NULL) {
+			UNLOCK(&adb->namelocks[i]);
 			continue;
+		}
 		if (debug)
 			fprintf(f, "; bucket %u\n", i);
 		for (;
@@ -3502,26 +3504,21 @@ dump_adb(dns_adb_t *adb, FILE *f, bool debug, isc_stdtime_t now) {
 				print_find_list(f, name);
 			}
 		}
+		UNLOCK(&adb->namelocks[i]);
 	}
 
 	fprintf(f, ";\n; Unassociated entries\n;\n");
 
 	for (i = 0; i < adb->nentries; i++) {
+		LOCK(&adb->entrylocks[i]);
 		entry = ISC_LIST_HEAD(adb->entries[i]);
 		while (entry != NULL) {
 			if (entry->nh == 0)
 				dump_entry(f, adb, entry, debug, now);
 			entry = ISC_LIST_NEXT(entry, plink);
 		}
-	}
-
-	/*
-	 * Unlock everything
-	 */
-	for (i = 0; i < adb->nentries; i++)
 		UNLOCK(&adb->entrylocks[i]);
-	for (i = 0; i < adb->nnames; i++)
-		UNLOCK(&adb->namelocks[i]);
+	}
 }
 
 static void
@@ -3640,6 +3637,7 @@ print_namehook_list(FILE *f, const char *legend,
 		    dns_adb_t *adb, dns_adbnamehooklist_t *list,
 		    bool debug, isc_stdtime_t now)
 {
+	int addr_bucket = DNS_ADB_INVALIDBUCKET;
 	dns_adbnamehook_t *nh;
 
 	for (nh = ISC_LIST_HEAD(*list);
@@ -3648,8 +3646,19 @@ print_namehook_list(FILE *f, const char *legend,
 	{
 		if (debug)
 			fprintf(f, ";\tHook(%s) %p\n", legend, nh);
+		if (addr_bucket != nh->entry->lock_bucket) {
+			if (addr_bucket != DNS_ADB_INVALIDBUCKET) {
+				UNLOCK(&adb->entrylocks[addr_bucket]);
+			}
+			addr_bucket = nh->entry->lock_bucket;
+			INSIST(addr_bucket != DNS_ADB_INVALIDBUCKET);
+			LOCK(&adb->entrylocks[addr_bucket]);
+		}
 		dump_entry(f, adb, nh->entry, debug, now);
 	}
+	if (addr_bucket != DNS_ADB_INVALIDBUCKET) {
+		UNLOCK(&adb->entrylocks[addr_bucket]);
+	}
 }
 
 static inline void
@@ -4787,10 +4796,18 @@ dns_adb_setquota(dns_adb_t *adb, uint32_t quota, uint32_t freq,
 }
 
 bool
-dns_adbentry_overquota(dns_adbentry_t *entry) {
+dns_adbentry_overquota(dns_adb_t *adb, dns_adbentry_t *entry) {
+	int bucket;
 	bool block;
+
 	REQUIRE(DNS_ADBENTRY_VALID(entry));
+
+	bucket = entry->lock_bucket;
+
+	LOCK(&adb->entrylocks[bucket]);
 	block = (entry->quota != 0 && entry->active >= entry->quota);
+	UNLOCK(&adb->entrylocks[bucket]);
+
 	return (block);
 }
 
diff --git a/bind/bind9/lib/dns/api b/bind/bind9/lib/dns/api
index 48195424..60ad98f6 100644
--- a/bind/bind9/lib/dns/api
+++ b/bind/bind9/lib/dns/api
@@ -8,6 +8,6 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-LIBINTERFACE = 1109
-LIBREVISION = 0
+LIBINTERFACE = 1115
+LIBREVISION = 3
 LIBAGE = 0
diff --git a/bind/bind9/lib/dns/badcache.c b/bind/bind9/lib/dns/badcache.c
index 5c784bec..c60f60e8 100644
--- a/bind/bind9/lib/dns/badcache.c
+++ b/bind/bind9/lib/dns/badcache.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/byaddr.c b/bind/bind9/lib/dns/byaddr.c
index 1dd31b93..e24be6e3 100644
--- a/bind/bind9/lib/dns/byaddr.c
+++ b/bind/bind9/lib/dns/byaddr.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/cache.c b/bind/bind9/lib/dns/cache.c
index 4701ff85..2965a4f1 100644
--- a/bind/bind9/lib/dns/cache.c
+++ b/bind/bind9/lib/dns/cache.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/callbacks.c b/bind/bind9/lib/dns/callbacks.c
index 42dae51f..f9c9be4c 100644
--- a/bind/bind9/lib/dns/callbacks.c
+++ b/bind/bind9/lib/dns/callbacks.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/catz.c b/bind/bind9/lib/dns/catz.c
index 901c0cda..304b0386 100644
--- a/bind/bind9/lib/dns/catz.c
+++ b/bind/bind9/lib/dns/catz.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -536,8 +536,8 @@ dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone) {
 
 		dns_name_format(&entry->name, zname, DNS_NAME_FORMATSIZE);
 		result = addzone(entry, target, target->catzs->view,
-			      target->catzs->taskmgr,
-			      target->catzs->zmm->udata);
+				 target->catzs->taskmgr,
+				 target->catzs->zmm->udata);
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
 			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
 			      "catz: adding zone '%s' from catalog "
@@ -1497,6 +1497,7 @@ dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 	isc_region_t r;
 	isc_result_t result;
 	size_t rlen;
+	bool special = false;
 
 	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
 	REQUIRE(entry != NULL);
@@ -1512,24 +1513,39 @@ dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 	isc_buffer_putstr(tbuf, zone->catzs->view->name);
 	isc_buffer_putstr(tbuf, "_");
 	result = dns_name_totext(&zone->name, true, tbuf);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
+	}
 
 	isc_buffer_putstr(tbuf, "_");
 	result = dns_name_totext(&entry->name, true, tbuf);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
+	}
+
+	/*
+	 * Search for slash and other special characters in the view and
+	 * zone names.  Add a null terminator so we can use strpbrk(), then
+	 * remove it.
+	 */
+	isc_buffer_putuint8(tbuf, 0);
+	if (strpbrk(isc_buffer_base(tbuf), "\\/:") != NULL) {
+		special = true;
+	}
+	isc_buffer_subtract(tbuf, 1);
 
 	/* __catz__<digest>.db */
 	rlen = ISC_SHA256_DIGESTSTRINGLENGTH + 12;
 
 	/* optionally prepend with <zonedir>/ */
-	if (entry->opts.zonedir != NULL)
+	if (entry->opts.zonedir != NULL) {
 		rlen += strlen(entry->opts.zonedir) + 1;
+	}
 
 	result = isc_buffer_reserve(buffer, (unsigned int)rlen);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
+	}
 
 	if (entry->opts.zonedir != NULL) {
 		isc_buffer_putstr(*buffer, entry->opts.zonedir);
@@ -1538,7 +1554,7 @@ dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 
 	isc_buffer_usedregion(tbuf, &r);
 	isc_buffer_putstr(*buffer, "__catz__");
-	if (tbuf->used > ISC_SHA256_DIGESTSTRINGLENGTH) {
+	if (special || tbuf->used > ISC_SHA256_DIGESTSTRINGLENGTH) {
 		isc_sha256_init(&sha256);
 		isc_sha256_update(&sha256, r.base, r.length);
 		/* we can do that because digest string < 2 * DNS_NAME */
@@ -1562,7 +1578,7 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 {
 	/*
 	 * We have to generate a text buffer with regular zone config:
-	 * zone foo.bar {
+	 * zone "foo.bar" {
 	 * 	type slave;
 	 * 	masters [ dscp X ] { ip1 port port1; ip2 port port2; };
 	 * }
@@ -1590,17 +1606,18 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 	}
 
 	isc_buffer_setautorealloc(buffer, true);
-	isc_buffer_putstr(buffer, "zone ");
+	isc_buffer_putstr(buffer, "zone \"");
 	dns_name_totext(&entry->name, true, buffer);
-	isc_buffer_putstr(buffer, " { type slave; masters");
+	isc_buffer_putstr(buffer, "\" { type slave; masters");
 
 	/*
 	 * DSCP value has no default, but when it is specified, it is identical
-	 * for all masters and cannot be overriden for a specific master IP, so
+	 * for all masters and cannot be overridden for a specific master IP, so
 	 * use the DSCP value set for the first master
 	 */
 	if (entry->opts.masters.count > 0 &&
-	    entry->opts.masters.dscps[0] >= 0) {
+	    entry->opts.masters.dscps[0] >= 0)
+	{
 		isc_buffer_putstr(buffer, " dscp ");
 		snprintf(pbuf, sizeof(pbuf), "%hd",
 			 entry->opts.masters.dscps[0]);
@@ -1642,8 +1659,9 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 			isc_buffer_putstr(buffer, " key ");
 			result = dns_name_totext(entry->opts.masters.keys[i],
 						 true, buffer);
-			if (result != ISC_R_SUCCESS)
+			if (result != ISC_R_SUCCESS) {
 				goto cleanup;
+			}
 		}
 		isc_buffer_putstr(buffer, "; ");
 	}
@@ -1651,8 +1669,9 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 	if (entry->opts.in_memory == false) {
 		isc_buffer_putstr(buffer, "file \"");
 		result = dns_catz_generate_masterfilename(zone, entry, &buffer);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			goto cleanup;
+		}
 		isc_buffer_putstr(buffer, "\"; ");
 
 	}
@@ -1671,11 +1690,13 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 
 	isc_buffer_putstr(buffer, "};");
 	*buf = buffer;
+
 	return (ISC_R_SUCCESS);
 
 cleanup:
-	if (buffer != NULL)
+	if (buffer != NULL) {
 		isc_buffer_free(&buffer);
+	}
 	return (result);
 }
 
diff --git a/bind/bind9/lib/dns/client.c b/bind/bind9/lib/dns/client.c
index 822b4f90..c2dca94b 100644
--- a/bind/bind9/lib/dns/client.c
+++ b/bind/bind9/lib/dns/client.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1413,17 +1413,17 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
 	ISC_LIST_INIT(event->answerlist);
 
 	rctx = isc_mem_get(mctx, sizeof(*rctx));
-	if (rctx == NULL)
+	if (rctx == NULL) {
 		result = ISC_R_NOMEMORY;
-	else {
+		goto cleanup;
+	} else {
 		result = isc_mutex_init(&rctx->lock);
 		if (result != ISC_R_SUCCESS) {
 			isc_mem_put(mctx, rctx, sizeof(*rctx));
 			rctx = NULL;
+			goto cleanup;
 		}
 	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
 
 	result = getrdataset(mctx, &rdataset);
 	if (result != ISC_R_SUCCESS)
@@ -1812,17 +1812,17 @@ dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
 	}
 
 	ctx = isc_mem_get(client->mctx, sizeof(*ctx));
-	if (ctx == NULL)
+	if (ctx == NULL) {
 		result = ISC_R_NOMEMORY;
-	else {
+		goto cleanup;
+	} else {
 		result = isc_mutex_init(&ctx->lock);
 		if (result != ISC_R_SUCCESS) {
 			isc_mem_put(client->mctx, ctx, sizeof(*ctx));
 			ctx = NULL;
+			goto cleanup;
 		}
 	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
 
 	ctx->client = client;
 	ISC_LINK_INIT(ctx, link);
@@ -1961,7 +1961,7 @@ static void
 update_sendevent(updatectx_t *uctx, isc_result_t result) {
 	isc_task_t *task;
 
-	dns_message_destroy(&uctx->updatemsg);
+	dns_message_detach(&uctx->updatemsg);
 	if (uctx->tsigkey != NULL)
 		dns_tsigkey_detach(&uctx->tsigkey);
 	if (uctx->sig0key != NULL)
@@ -2012,7 +2012,7 @@ update_done(isc_task_t *task, isc_event_t *event) {
 
  out:
 	if (answer != NULL)
-		dns_message_destroy(&answer);
+		dns_message_detach(&answer);
 	isc_event_free(&event);
 
 	LOCK(&uctx->lock);
@@ -2354,7 +2354,7 @@ receive_soa(isc_task_t *task, isc_event_t *event) {
 		dns_request_t *newrequest = NULL;
 
 		/* Retry SOA request without TSIG */
-		dns_message_destroy(&rcvmsg);
+		dns_message_detach(&rcvmsg);
 		dns_message_renderreset(uctx->soaquery);
 		reqoptions = 0;
 		if (uctx->want_tcp)
@@ -2477,14 +2477,14 @@ receive_soa(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (!droplabel || result != ISC_R_SUCCESS) {
-		dns_message_destroy(&uctx->soaquery);
+		dns_message_detach(&uctx->soaquery);
 		LOCK(&uctx->lock);
 		dns_request_destroy(&uctx->soareq);
 		UNLOCK(&uctx->lock);
 	}
 
 	if (rcvmsg != NULL)
-		dns_message_destroy(&rcvmsg);
+		dns_message_detach(&rcvmsg);
 
 	if (result != ISC_R_SUCCESS)
 		update_sendevent(uctx, result);
@@ -2541,7 +2541,7 @@ request_soa(updatectx_t *uctx) {
 	}
 	if (name != NULL)
 		dns_message_puttempname(soaquery, &name);
-	dns_message_destroy(&soaquery);
+	dns_message_detach(&soaquery);
 
 	return (result);
 }
@@ -3040,7 +3040,7 @@ dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
 		UNLOCK(&client->lock);
 	}
 	if (uctx->updatemsg != NULL)
-		dns_message_destroy(&uctx->updatemsg);
+		dns_message_detach(&uctx->updatemsg);
 	while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
 		ISC_LIST_UNLINK(uctx->servers, sa, link);
 		isc_mem_put(client->mctx, sa, sizeof(*sa));
diff --git a/bind/bind9/lib/dns/clientinfo.c b/bind/bind9/lib/dns/clientinfo.c
index 6d025d98..32f7edd4 100644
--- a/bind/bind9/lib/dns/clientinfo.c
+++ b/bind/bind9/lib/dns/clientinfo.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/compress.c b/bind/bind9/lib/dns/compress.c
index ec97235d..63da24e4 100644
--- a/bind/bind9/lib/dns/compress.c
+++ b/bind/bind9/lib/dns/compress.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/db.c b/bind/bind9/lib/dns/db.c
index ee3e00d5..a28a5661 100644
--- a/bind/bind9/lib/dns/db.c
+++ b/bind/bind9/lib/dns/db.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dbiterator.c b/bind/bind9/lib/dns/dbiterator.c
index 548f6115..528f8018 100644
--- a/bind/bind9/lib/dns/dbiterator.c
+++ b/bind/bind9/lib/dns/dbiterator.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dbtable.c b/bind/bind9/lib/dns/dbtable.c
index 3cc7cb69..fc187c68 100644
--- a/bind/bind9/lib/dns/dbtable.c
+++ b/bind/bind9/lib/dns/dbtable.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/diff.c b/bind/bind9/lib/dns/diff.c
index 2777b24c..3a05912b 100644
--- a/bind/bind9/lib/dns/diff.c
+++ b/bind/bind9/lib/dns/diff.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dispatch.c b/bind/bind9/lib/dns/dispatch.c
index 94df6bab..0252803a 100644
--- a/bind/bind9/lib/dns/dispatch.c
+++ b/bind/bind9/lib/dns/dispatch.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -599,34 +599,22 @@ new_portentry(dns_dispatch_t *disp, in_port_t port) {
 }
 
 /*%
- * The caller must not hold the qid->lock.
+ * The caller must hold the qid->lock.
  */
 static void
 deref_portentry(dns_dispatch_t *disp, dispportentry_t **portentryp) {
 	dispportentry_t *portentry = *portentryp;
-	dns_qid_t *qid;
+	*portentryp = NULL;
 
 	REQUIRE(disp->port_table != NULL);
 	REQUIRE(portentry != NULL && portentry->refs > 0);
 
-	qid = DNS_QID(disp);
-	LOCK(&qid->lock);
-	portentry->refs--;
-
-	if (portentry->refs == 0) {
+	if (--portentry->refs == 0) {
 		ISC_LIST_UNLINK(disp->port_table[portentry->port %
 						 DNS_DISPATCH_PORTTABLESIZE],
 				portentry, link);
 		isc_mempool_put(disp->portpool, portentry);
 	}
-
-	/*
-	 * Set '*portentryp' to NULL inside the lock so that
-	 * dispsock->portentry does not change in socket_search.
-	 */
-	*portentryp = NULL;
-
-	UNLOCK(&qid->lock);
 }
 
 /*%
@@ -764,9 +752,9 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 	if (result == ISC_R_SUCCESS) {
 		dispsock->socket = sock;
 		dispsock->host = *dest;
-		dispsock->portentry = portentry;
 		dispsock->bucket = bucket;
 		LOCK(&qid->lock);
+		dispsock->portentry = portentry;
 		ISC_LIST_APPEND(qid->sock_table[bucket], dispsock, blink);
 		UNLOCK(&qid->lock);
 		*dispsockp = dispsock;
@@ -791,7 +779,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 static void
 destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) {
 	dispsocket_t *dispsock;
-	dns_qid_t *qid;
+	dns_qid_t *qid = DNS_QID(disp);
 
 	/*
 	 * The dispatch must be locked.
@@ -803,19 +791,24 @@ destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) {
 
 	disp->nsockets--;
 	dispsock->magic = 0;
-	if (dispsock->portentry != NULL)
+	if (dispsock->portentry != NULL) {
+		/* socket_search() tests and dereferences portentry. */
+		LOCK(&qid->lock);
 		deref_portentry(disp, &dispsock->portentry);
-	if (dispsock->socket != NULL)
+		UNLOCK(&qid->lock);
+	}
+	if (dispsock->socket != NULL) {
 		isc_socket_detach(&dispsock->socket);
+	}
 	if (ISC_LINK_LINKED(dispsock, blink)) {
-		qid = DNS_QID(disp);
 		LOCK(&qid->lock);
 		ISC_LIST_UNLINK(qid->sock_table[dispsock->bucket], dispsock,
 				blink);
 		UNLOCK(&qid->lock);
 	}
-	if (dispsock->task != NULL)
+	if (dispsock->task != NULL) {
 		isc_task_detach(&dispsock->task);
+	}
 	isc_mempool_put(disp->mgr->spool, dispsock);
 
 	*dispsockp = NULL;
@@ -828,7 +821,7 @@ destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) {
 static void
 deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
 	isc_result_t result;
-	dns_qid_t *qid;
+	dns_qid_t *qid = DNS_QID(disp);
 
 	/*
 	 * The dispatch must be locked.
@@ -840,14 +833,16 @@ deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
 	}
 
 	INSIST(dispsock->portentry != NULL);
+	/* socket_search() tests and dereferences portentry. */
+	LOCK(&qid->lock);
 	deref_portentry(disp, &dispsock->portentry);
+	UNLOCK(&qid->lock);
 
 	if (disp->nsockets > DNS_DISPATCH_POOLSOCKS)
 		destroy_dispsocket(disp, &dispsock);
 	else {
 		result = isc_socket_close(dispsock->socket);
 
-		qid = DNS_QID(disp);
 		LOCK(&qid->lock);
 		ISC_LIST_UNLINK(qid->sock_table[dispsock->bucket], dispsock,
 				blink);
@@ -1203,11 +1198,6 @@ udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
 			     "search for response in bucket %d: %s",
 			     bucket, (resp == NULL ? "not found" : "found"));
 
-		if (resp == NULL) {
-			inc_stats(mgr, dns_resstatscounter_mismatch);
-			free_buffer(disp, ev->region.base, ev->region.length);
-			goto unlock;
-		}
 	} else if (resp->id != id || !isc_sockaddr_equal(&ev->address,
 							 &resp->host)) {
 		dispatch_log(disp, LVL(90),
@@ -1217,6 +1207,12 @@ udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
 		goto unlock;
 	}
 
+	if (resp == NULL) {
+		inc_stats(mgr, dns_resstatscounter_mismatch);
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto unlock;
+	}
+
 	/*
 	 * Now that we have the original dispatch the query was sent
 	 * from check that the address and port the response was
@@ -1364,7 +1360,7 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
 
 	if (disp->refcount == 0) {
 		/*
-		 * This dispatcher is shutting down.  Force cancelation.
+		 * This dispatcher is shutting down.  Force cancellation.
 		 */
 		tcpmsg->result = ISC_R_CANCELED;
 	}
@@ -2904,7 +2900,7 @@ get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
 			result = open_socket(sockmgr, &localaddr_bound,
 					     0, &sock, NULL);
 			/*
-			 * Continue if the port choosen is already in use
+			 * Continue if the port chosen is already in use
 			 * or the OS has reserved it.
 			 */
 			if (result == ISC_R_NOPERM ||
@@ -3593,7 +3589,7 @@ do_cancel(dns_dispatch_t *disp) {
 
 	/*
 	 * Search for the first response handler without packets outstanding
-	 * unless a specific hander is given.
+	 * unless a specific handler is given.
 	 */
 	LOCK(&qid->lock);
 	for (resp = linear_first(qid);
diff --git a/bind/bind9/lib/dns/dlz.c b/bind/bind9/lib/dns/dlz.c
index 6c93d979..66434e69 100644
--- a/bind/bind9/lib/dns/dlz.c
+++ b/bind/bind9/lib/dns/dlz.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dns64.c b/bind/bind9/lib/dns/dns64.c
index 490445c7..dd56757c 100644
--- a/bind/bind9/lib/dns/dns64.c
+++ b/bind/bind9/lib/dns/dns64.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dnssec.c b/bind/bind9/lib/dns/dnssec.c
index 19041f39..b6b2405f 100644
--- a/bind/bind9/lib/dns/dnssec.c
+++ b/bind/bind9/lib/dns/dnssec.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -673,6 +673,7 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
 	isc_result_t result;
 	isc_stdtime_t when;
 	int major, minor;
+	bool publish;
 
 	/*
 	 * Is this an old-style key?
@@ -686,16 +687,16 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
 	if (major == 1 && minor <= 2)
 		return (false);
 
+	publish = false;
 	result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
-	if (result != ISC_R_SUCCESS)
-		return (false);
-
+	if (result == ISC_R_SUCCESS && when <= now) {
+		publish = true;
+	}
 	result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
-	if (result != ISC_R_SUCCESS)
-		return (true);
-	if (when <= now)
-		return (false);
-	return (true);
+	if (result == ISC_R_SUCCESS && when < now) {
+		publish = false;
+	}
+	return (publish);
 }
 
 /*%<
@@ -1897,7 +1898,7 @@ publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
 		isc_stdtime_t now;
 
 		dst_key_format(key->key, keystr, sizeof(keystr));
-		report("Key %s: Delaying activation to match the DNSKEY TTL.\n",
+		report("Key %s: Delaying activation to match the DNSKEY TTL.",
 		       keystr, ttl);
 
 		isc_stdtime_get(&now);
@@ -2040,7 +2041,7 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 		return (ISC_R_SUCCESS);
 
 	/*
-	 * Unconditionaly remove CDS/DNSKEY records for removed keys.
+	 * Unconditionally remove CDS/DNSKEY records for removed keys.
 	 */
 	for (key = ISC_LIST_HEAD(*rmkeys);
 	     key != NULL;
diff --git a/bind/bind9/lib/dns/dnstap.c b/bind/bind9/lib/dns/dnstap.c
index 21965247..fad1e3b0 100644
--- a/bind/bind9/lib/dns/dnstap.c
+++ b/bind/bind9/lib/dns/dnstap.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -895,7 +895,9 @@ dns_dt_open(const char *filename, dns_dtmode_t mode, isc_mem_t *mctx,
 	handle = NULL;
 
  cleanup:
-	if (result != ISC_R_SUCCESS && handle->reader != NULL) {
+	if (result != ISC_R_SUCCESS &&
+	    handle != NULL && handle->reader != NULL)
+	{
 		fstrm_reader_destroy(&handle->reader);
 		handle->reader = NULL;
 	}
@@ -1039,7 +1041,7 @@ dns_dt_parse(isc_mem_t *mctx, isc_region_t *src, dns_dtdata_t **destp) {
 	result = dns_message_parse(d->msg, &b, 0);
 	if (result != ISC_R_SUCCESS) {
 		if (result != DNS_R_RECOVERABLE)
-			dns_message_destroy(&d->msg);
+			dns_message_detach(&d->msg);
 		result = ISC_R_SUCCESS;
 	}
 
@@ -1246,7 +1248,7 @@ dns_dtdata_free(dns_dtdata_t **dp) {
 	d = *dp;
 
 	if (d->msg != NULL)
-		dns_message_destroy(&d->msg);
+		dns_message_detach(&d->msg);
 	if (d->frame != NULL)
 		dnstap__dnstap__free_unpacked(d->frame, NULL);
 
diff --git a/bind/bind9/lib/dns/dnstap.proto b/bind/bind9/lib/dns/dnstap.proto
index 1ed1bb00..22784cd0 100644
--- a/bind/bind9/lib/dns/dnstap.proto
+++ b/bind/bind9/lib/dns/dnstap.proto
@@ -105,7 +105,7 @@ message Message {
 
     enum Type {
         // AUTH_QUERY is a DNS query message received from a resolver by an
-        // authoritative name server, from the perspective of the authorative
+        // authoritative name server, from the perspective of the authoritative
         // name server.
         AUTH_QUERY = 1;
 
diff --git a/bind/bind9/lib/dns/ds.c b/bind/bind9/lib/dns/ds.c
index d0b75cdb..30518f46 100644
--- a/bind/bind9/lib/dns/ds.c
+++ b/bind/bind9/lib/dns/ds.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_api.c b/bind/bind9/lib/dns/dst_api.c
index 5c15d9a7..9b7a9063 100644
--- a/bind/bind9/lib/dns/dst_api.c
+++ b/bind/bind9/lib/dns/dst_api.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_gost.h b/bind/bind9/lib/dns/dst_gost.h
index e42c6a15..63630743 100644
--- a/bind/bind9/lib/dns/dst_gost.h
+++ b/bind/bind9/lib/dns/dst_gost.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_internal.h b/bind/bind9/lib/dns/dst_internal.h
index 11e5fc6f..e6ee5d5a 100644
--- a/bind/bind9/lib/dns/dst_internal.h
+++ b/bind/bind9/lib/dns/dst_internal.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_lib.c b/bind/bind9/lib/dns/dst_lib.c
index 4edf7281..52beafb1 100644
--- a/bind/bind9/lib/dns/dst_lib.c
+++ b/bind/bind9/lib/dns/dst_lib.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_openssl.h b/bind/bind9/lib/dns/dst_openssl.h
index e085f113..2b2dcc79 100644
--- a/bind/bind9/lib/dns/dst_openssl.h
+++ b/bind/bind9/lib/dns/dst_openssl.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_parse.c b/bind/bind9/lib/dns/dst_parse.c
index 7e35bc5f..fc6e1ca5 100644
--- a/bind/bind9/lib/dns/dst_parse.c
+++ b/bind/bind9/lib/dns/dst_parse.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_parse.h b/bind/bind9/lib/dns/dst_parse.h
index a2600e1d..5121356c 100644
--- a/bind/bind9/lib/dns/dst_parse.h
+++ b/bind/bind9/lib/dns/dst_parse.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_pkcs11.h b/bind/bind9/lib/dns/dst_pkcs11.h
index b8011f2c..0d12563f 100644
--- a/bind/bind9/lib/dns/dst_pkcs11.h
+++ b/bind/bind9/lib/dns/dst_pkcs11.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dst_result.c b/bind/bind9/lib/dns/dst_result.c
index caee5f09..603fae8c 100644
--- a/bind/bind9/lib/dns/dst_result.c
+++ b/bind/bind9/lib/dns/dst_result.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/dyndb.c b/bind/bind9/lib/dns/dyndb.c
index 15561ce4..2b3a34e2 100644
--- a/bind/bind9/lib/dns/dyndb.c
+++ b/bind/bind9/lib/dns/dyndb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/ecdb.c b/bind/bind9/lib/dns/ecdb.c
index 47994ea5..fc94ccf8 100644
--- a/bind/bind9/lib/dns/ecdb.c
+++ b/bind/bind9/lib/dns/ecdb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/fixedname.c b/bind/bind9/lib/dns/fixedname.c
index 3d5de3b4..e5768bed 100644
--- a/bind/bind9/lib/dns/fixedname.c
+++ b/bind/bind9/lib/dns/fixedname.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/forward.c b/bind/bind9/lib/dns/forward.c
index cf1865fe..b9f29f6c 100644
--- a/bind/bind9/lib/dns/forward.c
+++ b/bind/bind9/lib/dns/forward.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/gen-unix.h b/bind/bind9/lib/dns/gen-unix.h
index 16b75241..53295171 100644
--- a/bind/bind9/lib/dns/gen-unix.h
+++ b/bind/bind9/lib/dns/gen-unix.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/gen-win32.h b/bind/bind9/lib/dns/gen-win32.h
index 47910326..a7109034 100644
--- a/bind/bind9/lib/dns/gen-win32.h
+++ b/bind/bind9/lib/dns/gen-win32.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -62,6 +62,7 @@
 #include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
+#include <time.h>
 #include <windows.h>
 
 #include <isc/lang.h>
@@ -268,6 +269,16 @@ end_directory(isc_dir_t *dir) {
 		FindClose(dir->handle);
 }
 
+inline struct tm *
+gmtime_r(const time_t *clock, struct tm *result) {
+	errno_t ret = gmtime_s(result, clock);
+	if (ret != 0) {
+		errno = ret;
+		return (NULL);
+	}
+	return (result);
+}
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_GEN_WIN32_H */
diff --git a/bind/bind9/lib/dns/gen.c b/bind/bind9/lib/dns/gen.c
index 5fbdc3bf..89e043a0 100644
--- a/bind/bind9/lib/dns/gen.c
+++ b/bind/bind9/lib/dns/gen.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -689,7 +689,8 @@ main(int argc, char **argv) {
 	}
 
 	if (now != -1) {
-		struct tm *tm = gmtime(&now);
+		struct tm t, *tm = gmtime_r(&now, &t);
+
 		if (tm != NULL && tm->tm_year > 104) {
 			n = snprintf(year, sizeof(year), "-%d",
 				     tm->tm_year + 1900);
@@ -768,7 +769,6 @@ main(int argc, char **argv) {
 		 * Add in reserved/special types.  This will let us
 		 * sort them without special cases.
 		 */
-		insert_into_typenames(0, "reserved0", RESERVED);
 		insert_into_typenames(100, "uinfo", RESERVEDNAME);
 		insert_into_typenames(101, "uid", RESERVEDNAME);
 		insert_into_typenames(102, "gid", RESERVEDNAME);
diff --git a/bind/bind9/lib/dns/geoip.c b/bind/bind9/lib/dns/geoip.c
index ea19bbe9..0408667f 100644
--- a/bind/bind9/lib/dns/geoip.c
+++ b/bind/bind9/lib/dns/geoip.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/geoip2.c b/bind/bind9/lib/dns/geoip2.c
index c498d8d4..e3a977e5 100644
--- a/bind/bind9/lib/dns/geoip2.c
+++ b/bind/bind9/lib/dns/geoip2.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -24,6 +24,7 @@
 
 #include <isc/mem.h>
 #include <isc/once.h>
+#include <isc/platform.h>
 #include <isc/sockaddr.h>
 #include <isc/string.h>
 #include <isc/thread.h>
@@ -74,15 +75,41 @@ typedef struct geoip_state {
 	MMDB_entry_s entry;
 } geoip_state_t;
 
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#if defined(__cplusplus)
+#include <isc/stdatomic.h>
+#else
+#include <stdatomic.h>
+#endif
+#endif
+
+#ifdef ISC_PLATFORM_USETHREADS
 static isc_mutex_t key_mutex;
-static bool state_key_initialized = false;
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+static _Atomic(int32_t)		state_key_initialized = 0;
+#define GEOIP2_LOAD(x)		atomic_load(&(x))
+#define GEOIP2_STORE(x, v)	atomic_store(&(x), v)
+#else
+static int32_t			state_key_initialized = 0;
+#if defined(ISC_PLATFORM_HAVEXADD)
+#define GEOIP2_LOAD(x)		isc_atomic_xadd(&(x), 0)
+#define GEOIP2_STORE(x, v)	isc_atomic_store(&(x), v)
+#else
+#define GEOIP2_LOAD(x)		(x)
+#define GEOIP2_STORE(x, v)	(x) = (v)
+#endif
+#endif
 static isc_thread_key_t state_key;
 static isc_once_t mutex_once = ISC_ONCE_INIT;
+#else
+static geoip_state_t *saved_state = NULL;
+#endif
 static isc_mem_t *state_mctx = NULL;
 
+#ifdef ISC_PLATFORM_USETHREADS
 static void
 key_mutex_init(void) {
-	isc_mutex_init(&key_mutex);
+	RUNTIME_CHECK(isc_mutex_init(&key_mutex) == ISC_R_SUCCESS);
 }
 
 static void
@@ -95,7 +122,7 @@ free_state(void *arg) {
 	isc_thread_key_setspecific(state_key, NULL);
 }
 
-static isc_result_t
+ISC_NO_SANITIZE_THREAD static isc_result_t
 state_key_init(void) {
 	isc_result_t result;
 
@@ -104,9 +131,9 @@ state_key_init(void) {
 		return (result);
 	}
 
-	if (!state_key_initialized) {
+	if (!GEOIP2_LOAD(state_key_initialized)) {
 		LOCK(&key_mutex);
-		if (!state_key_initialized) {
+		if (!GEOIP2_LOAD(state_key_initialized)) {
 			int ret;
 
 			if (state_mctx == NULL) {
@@ -120,7 +147,7 @@ state_key_init(void) {
 
 			ret = isc_thread_key_create(&state_key, free_state);
 			if (ret == 0) {
-				state_key_initialized = true;
+				GEOIP2_STORE(state_key_initialized, 1);
 			} else {
 				result = ISC_R_FAILURE;
 			}
@@ -131,6 +158,22 @@ state_key_init(void) {
 
 	return (result);
 }
+#else
+static isc_result_t
+state_key_init(void) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (state_mctx == NULL) {
+		result = isc_mem_create(0, 0, &state_mctx);
+		if (result == ISC_R_SUCCESS) {
+			isc_mem_setname(state_mctx, "geoip_state", NULL);
+			isc_mem_setdestroycheck(state_mctx, false);
+		}
+	}
+
+	return (result);
+}
+#endif
 
 static isc_result_t
 set_state(const MMDB_s *db, const isc_netaddr_t *addr,
@@ -145,19 +188,44 @@ set_state(const MMDB_s *db, const isc_netaddr_t *addr,
 		return (result);
 	}
 
+#ifdef ISC_PLATFORM_USETHREADS
 	state = (geoip_state_t *) isc_thread_key_getspecific(state_key);
+#else
+	state = saved_state;
+#endif
 	if (state == NULL) {
+#ifdef ISC_PLATFORM_USETHREADS
+		LOCK(&key_mutex);
+#endif
 		state = (geoip_state_t *) isc_mem_get(state_mctx,
 						      sizeof(geoip_state_t));
+#ifdef ISC_PLATFORM_USETHREADS
+		UNLOCK(&key_mutex);
+#endif
+		if (state == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
 		memset(state, 0, sizeof(*state));
 
+#ifdef ISC_PLATFORM_USETHREADS
 		result = isc_thread_key_setspecific(state_key, state);
 		if (result != ISC_R_SUCCESS) {
+			LOCK(&key_mutex);
 			isc_mem_put(state_mctx, state, sizeof(geoip_state_t));
+			UNLOCK(&key_mutex);
 			return (result);
 		}
+#else
+		saved_state = state;
+#endif
 
+#ifdef ISC_PLATFORM_USETHREADS
+		LOCK(&key_mutex);
+#endif
 		isc_mem_attach(state_mctx, &state->mctx);
+#ifdef ISC_PLATFORM_USETHREADS
+		UNLOCK(&key_mutex);
+#endif
 	}
 
 	state->db = db;
@@ -185,7 +253,11 @@ get_entry_for(MMDB_s * const db, const isc_netaddr_t *addr) {
 		return (NULL);
 	}
 
+#ifdef ISC_PLATFORM_USETHREADS
 	state = (geoip_state_t *) isc_thread_key_getspecific(state_key);
+#else
+	state = saved_state;
+#endif
 	if (state != NULL) {
 		if (db == state->db && isc_netaddr_equal(addr, &state->addr)) {
 			return (state);
@@ -577,6 +649,12 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, uint8_t *scope,
 
 void
 dns_geoip_shutdown(void) {
+#ifndef ISC_PLATFORM_USETHREADS
+	if (saved_state != NULL) {
+		isc_mem_putanddetach(&saved_state->mctx,
+				     saved_state, sizeof(geoip_state_t));
+	}
+#endif
 	if (state_mctx != NULL) {
 		isc_mem_detach(&state_mctx);
 	}
diff --git a/bind/bind9/lib/dns/gssapi_link.c b/bind/bind9/lib/dns/gssapi_link.c
index 2134dcb5..e2ebc51c 100644
--- a/bind/bind9/lib/dns/gssapi_link.c
+++ b/bind/bind9/lib/dns/gssapi_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/gssapictx.c b/bind/bind9/lib/dns/gssapictx.c
index e21c7de2..482c25e1 100644
--- a/bind/bind9/lib/dns/gssapictx.c
+++ b/bind/bind9/lib/dns/gssapictx.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -47,16 +47,6 @@
 #include "dst_internal.h"
 
 /*
- * If we're using our own SPNEGO implementation (see configure.in),
- * pull it in now.  Otherwise, we just use whatever GSSAPI supplies.
- */
-#if defined(GSSAPI) && defined(USE_ISC_SPNEGO)
-#include "spnego.h"
-#define	gss_accept_sec_context	gss_accept_sec_context_spnego
-#define	gss_init_sec_context	gss_init_sec_context_spnego
-#endif
-
-/*
  * Solaris8 apparently needs an explicit OID set, and Solaris10 needs
  * one for anything but Kerberos.  Supplying an explicit OID set
  * doesn't appear to hurt anything in other implementations, so we
@@ -70,29 +60,23 @@
 #include ISC_PLATFORM_KRB5HEADER
 #endif
 
-static unsigned char krb5_mech_oid_bytes[] = {
-	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
-};
-
-#ifndef USE_ISC_SPNEGO
-static unsigned char spnego_mech_oid_bytes[] = {
-	0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
-};
-#endif
-
-static gss_OID_desc mech_oid_set_array[] = {
-	{ sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes },
-#ifndef USE_ISC_SPNEGO
-	{ sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes },
-#endif
+#ifndef GSS_KRB5_MECHANISM
+static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
+					       0x12, 0x01, 0x02, 0x02 };
+static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
+	sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
 };
-
-static gss_OID_set_desc mech_oid_set = {
-	sizeof(mech_oid_set_array) / sizeof(*mech_oid_set_array),
-	mech_oid_set_array
+#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
+#endif /* ifndef GSS_KRB5_MECHANISM */
+
+#ifndef GSS_SPNEGO_MECHANISM
+static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
+						 0x05, 0x05, 0x02 };
+static gss_OID_desc __gss_spnego_mechanism_oid_desc = {
+	sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
 };
-
-#endif
+#define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
+#endif /* ifndef GSS_SPNEGO_MECHANISM */
 
 #define REGION_TO_GBUFFER(r, gb) \
 	do { \
@@ -113,7 +97,6 @@ static gss_OID_set_desc mech_oid_set = {
 		goto out; \
 	} while (0)
 
-#ifdef GSSAPI
 static inline void
 name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
 		gss_buffer_desc *gbuffer)
@@ -193,9 +176,7 @@ log_cred(const gss_cred_id_t cred) {
 		gss_log(3, "failed gss_release_name: %s",
 			gss_error_tostring(gret, minor, buf, sizeof(buf)));
 }
-#endif
 
-#ifdef GSSAPI
 /*
  * check for the most common configuration errors.
  *
@@ -244,13 +225,43 @@ check_config(const char *gss_name) {
 	}
 	krb5_free_context(krb5_ctx);
 }
-#endif
+
+static OM_uint32
+mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
+	OM_uint32 gret;
+
+	gret = gss_create_empty_oid_set(minor, mech_oid_set);
+	if (gret != GSS_S_COMPLETE) {
+		return (gret);
+	}
+
+	gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
+	if (gret != GSS_S_COMPLETE) {
+		goto release;
+	}
+
+	gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM,
+				      mech_oid_set);
+	if (gret != GSS_S_COMPLETE) {
+		goto release;
+	}
+
+release:
+	REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);
+
+	return (gret);
+}
+
+static void
+mech_oid_set_release(gss_OID_set *mech_oid_set) {
+	OM_uint32 minor;
+
+	REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
+}
 
 isc_result_t
 dst_gssapi_acquirecred(dns_name_t *name, bool initiate,
-		       gss_cred_id_t *cred)
-{
-#ifdef GSSAPI
+		       gss_cred_id_t *cred) {
 	isc_result_t result;
 	isc_buffer_t namebuf;
 	gss_name_t gname;
@@ -260,6 +271,7 @@ dst_gssapi_acquirecred(dns_name_t *name, bool initiate,
 	OM_uint32 lifetime;
 	gss_cred_usage_t usage;
 	char buf[1024];
+	gss_OID_set mech_oid_set = NULL;
 
 	REQUIRE(cred != NULL && *cred == NULL);
 
@@ -302,8 +314,15 @@ dst_gssapi_acquirecred(dns_name_t *name, bool initiate,
 	else
 		usage = GSS_C_ACCEPT;
 
-	gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
-				&mech_oid_set, usage, cred, NULL, &lifetime);
+	gret = mech_oid_set_create(&minor, &mech_oid_set);
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed to create OID_set: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return (ISC_R_FAILURE);
+	}
+
+	gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
+				usage, (gss_cred_id_t *)cred, NULL, &lifetime);
 
 	if (gret != GSS_S_COMPLETE) {
 		gss_log(3, "failed to acquire %s credentials for %s: %s",
@@ -324,6 +343,8 @@ dst_gssapi_acquirecred(dns_name_t *name, bool initiate,
 	result = ISC_R_SUCCESS;
 
 cleanup:
+	mech_oid_set_release(&mech_oid_set);
+
 	if (gname != NULL) {
 		gret = gss_release_name(&minor, &gname);
 		if (gret != GSS_S_COMPLETE)
@@ -333,24 +354,12 @@ cleanup:
 	}
 
 	return (result);
-#else
-	REQUIRE(cred != NULL && *cred == NULL);
-
-	UNUSED(name);
-	UNUSED(initiate);
-	UNUSED(cred);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
 }
 
 bool
 dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 				    const dns_name_t *name,
-				    const dns_name_t *realm,
-				    bool subdomain)
-{
-#ifdef GSSAPI
+				    const dns_name_t *realm, bool subdomain) {
 	char sbuf[DNS_NAME_FORMATSIZE];
 	char rbuf[DNS_NAME_FORMATSIZE];
 	char *sname;
@@ -419,22 +428,12 @@ dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
 	}
 
 	return (true);
-#else
-	UNUSED(signer);
-	UNUSED(name);
-	UNUSED(realm);
-	UNUSED(subdomain);
-	return (false);
-#endif
 }
 
 bool
 dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 				  const dns_name_t *name,
-				  const dns_name_t *realm,
-				  bool subdomain)
-{
-#ifdef GSSAPI
+				  const dns_name_t *realm, bool subdomain) {
 	char sbuf[DNS_NAME_FORMATSIZE];
 	char rbuf[DNS_NAME_FORMATSIZE];
 	char *sname;
@@ -506,18 +505,10 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
 	}
 
 	return (true);
-#else
-	UNUSED(signer);
-	UNUSED(name);
-	UNUSED(realm);
-	UNUSED(subdomain);
-	return (false);
-#endif
 }
 
 isc_result_t
 dst_gssapi_releasecred(gss_cred_id_t *cred) {
-#ifdef GSSAPI
 	OM_uint32 gret, minor;
 	char buf[1024];
 
@@ -531,15 +522,9 @@ dst_gssapi_releasecred(gss_cred_id_t *cred) {
 	}
 	*cred = NULL;
 
-	return(ISC_R_SUCCESS);
-#else
-	UNUSED(cred);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
+	return (ISC_R_SUCCESS);
 }
 
-#ifdef GSSAPI
 /*
  * Format a gssapi error message info into a char ** on the given memory
  * context. This is used to return gssapi error messages back up the
@@ -561,14 +546,11 @@ gss_err_message(isc_mem_t *mctx, uint32_t major, uint32_t minor,
 	if (estr != NULL)
 		(*err_message) = isc_mem_strdup(mctx, estr);
 }
-#endif
 
 isc_result_t
 dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
 		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
-		   isc_mem_t *mctx, char **err_message)
-{
-#ifdef GSSAPI
+		   isc_mem_t *mctx, char **err_message) {
 	isc_region_t r;
 	isc_buffer_t namebuf;
 	gss_name_t gname;
@@ -647,16 +629,6 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
 		(void)gss_release_buffer(&minor, &gouttoken);
 	(void)gss_release_name(&minor, &gname);
 	return (result);
-#else
-	UNUSED(name);
-	UNUSED(intoken);
-	UNUSED(outtoken);
-	UNUSED(gssctx);
-	UNUSED(mctx);
-	UNUSED(err_message);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
 }
 
 isc_result_t
@@ -664,9 +636,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 		     const char *gssapi_keytab,
 		     isc_region_t *intoken, isc_buffer_t **outtoken,
 		     gss_ctx_id_t *ctxout, dns_name_t *principal,
-		     isc_mem_t *mctx)
-{
-#ifdef GSSAPI
+		     isc_mem_t *mctx) {
 	isc_region_t r;
 	isc_buffer_t namebuf;
 	gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
@@ -745,6 +715,9 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 	default:
 		gss_log(3, "failed gss_accept_sec_context: %s",
 			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		if (gouttoken.length > 0U) {
+			(void)gss_release_buffer(&minor, &gouttoken);
+		}
 		return (result);
 	}
 
@@ -807,23 +780,10 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 	}
 
 	return (result);
-#else
-	UNUSED(cred);
-	UNUSED(gssapi_keytab);
-	UNUSED(intoken);
-	UNUSED(outtoken);
-	UNUSED(ctxout);
-	UNUSED(principal);
-	UNUSED(mctx);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
 }
 
 isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx)
-{
-#ifdef GSSAPI
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx) {
 	OM_uint32 gret, minor;
 	char buf[1024];
 
@@ -838,18 +798,11 @@ dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx)
 		gss_log(3, "Failure deleting security context %s",
 			gss_error_tostring(gret, minor, buf, sizeof(buf)));
 	}
-	return(ISC_R_SUCCESS);
-#else
-	UNUSED(mctx);
-	UNUSED(gssctx);
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
+	return (ISC_R_SUCCESS);
 }
 
 char *
-gss_error_tostring(uint32_t major, uint32_t minor,
-		   char *buf, size_t buflen) {
-#ifdef GSSAPI
+gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen) {
 	gss_buffer_desc msg_minor = GSS_C_EMPTY_BUFFER,
 			msg_major = GSS_C_EMPTY_BUFFER;
 	OM_uint32 msg_ctx, minor_stat;
@@ -867,18 +820,103 @@ gss_error_tostring(uint32_t major, uint32_t minor,
 	snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.",
 		(char *)msg_major.value, (char *)msg_minor.value);
 
-	if (msg_major.length != 0U)
+	if (msg_major.length != 0U) {
 		(void)gss_release_buffer(&minor_stat, &msg_major);
-	if (msg_minor.length != 0U)
+	}
+	if (msg_minor.length != 0U) {
 		(void)gss_release_buffer(&minor_stat, &msg_minor);
-	return(buf);
-#else
-	snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.",
-		 major, minor);
+	}
+	return (buf);
+}
+
+#else  /* ifdef GSSAPI */
+
+isc_result_t
+dst_gssapi_acquirecred(dns_name_t *name, bool initiate,
+		       gss_cred_id_t *cred) {
+	REQUIRE(cred != NULL && *cred == NULL);
+
+	UNUSED(name);
+	UNUSED(initiate);
+	UNUSED(cred);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+bool
+dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
+				    const dns_name_t *name,
+				    const dns_name_t *realm, bool subdomain) {
+	UNUSED(signer);
+	UNUSED(name);
+	UNUSED(realm);
+	UNUSED(subdomain);
+	return (false);
+}
+
+bool
+dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
+				  const dns_name_t *name,
+				  const dns_name_t *realm, bool subdomain) {
+	UNUSED(signer);
+	UNUSED(name);
+	UNUSED(realm);
+	UNUSED(subdomain);
+	return (false);
+}
+
+isc_result_t
+dst_gssapi_releasecred(gss_cred_id_t *cred) {
+	UNUSED(cred);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+		   isc_mem_t *mctx, char **err_message) {
+	UNUSED(name);
+	UNUSED(intoken);
+	UNUSED(outtoken);
+	UNUSED(gssctx);
+	UNUSED(mctx);
+	UNUSED(err_message);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
+		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     gss_ctx_id_t *ctxout, dns_name_t *principal,
+		     isc_mem_t *mctx) {
+	UNUSED(cred);
+	UNUSED(gssapi_keytab);
+	UNUSED(intoken);
+	UNUSED(outtoken);
+	UNUSED(ctxout);
+	UNUSED(principal);
+	UNUSED(mctx);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx) {
+	UNUSED(mctx);
+	UNUSED(gssctx);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+char *
+gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen) {
+	snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.", major,
+		 minor);
 
 	return (buf);
-#endif
 }
+#endif /* ifdef GSSAPI */
 
 void
 gss_log(int level, const char *fmt, ...) {
diff --git a/bind/bind9/lib/dns/hmac_link.c b/bind/bind9/lib/dns/hmac_link.c
index 3b6579bf..9d434e74 100644
--- a/bind/bind9/lib/dns/hmac_link.c
+++ b/bind/bind9/lib/dns/hmac_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/Makefile.in b/bind/bind9/lib/dns/include/Makefile.in
index 5467ea14..3aad93b3 100644
--- a/bind/bind9/lib/dns/include/Makefile.in
+++ b/bind/bind9/lib/dns/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/Makefile.in b/bind/bind9/lib/dns/include/dns/Makefile.in
index 29cec461..dd200024 100644
--- a/bind/bind9/lib/dns/include/dns/Makefile.in
+++ b/bind/bind9/lib/dns/include/dns/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/acache.h b/bind/bind9/lib/dns/include/dns/acache.h
index 7b1dcd79..d63c1fc0 100644
--- a/bind/bind9/lib/dns/include/dns/acache.h
+++ b/bind/bind9/lib/dns/include/dns/acache.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: acache.h,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
-
 #ifndef DNS_ACACHE_H
 #define DNS_ACACHE_H 1
 
diff --git a/bind/bind9/lib/dns/include/dns/acl.h b/bind/bind9/lib/dns/include/dns/acl.h
index 2014cba3..0913ccde 100644
--- a/bind/bind9/lib/dns/include/dns/acl.h
+++ b/bind/bind9/lib/dns/include/dns/acl.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/adb.h b/bind/bind9/lib/dns/include/dns/adb.h
index ca35bac8..2eb77b3e 100644
--- a/bind/bind9/lib/dns/include/dns/adb.h
+++ b/bind/bind9/lib/dns/include/dns/adb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -207,6 +207,10 @@ struct dns_adbfind {
  *      lame for this query.
  */
 #define DNS_ADBFIND_OVERQUOTA		0x00000400
+/*%
+ *	Don't perform a fetch even if there are no address records available.
+ */
+#define DNS_ADBFIND_NOFETCH		0x00000800
 
 /*%
  * The answers to queries come back as a list of these.
@@ -754,7 +758,7 @@ void
 dns_adb_setcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
 		  const unsigned char *cookie, size_t len);
 /*%<
- * Record the COOKIE associated with this addresss.  If
+ * Record the COOKIE associated with this address.  If
  * cookie is NULL or len is zero the recorded COOKIE is cleared.
  *
  * Requires:
@@ -766,7 +770,7 @@ size_t
 dns_adb_getcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
 		  unsigned char *cookie, size_t len);
 /*
- * Retieve the saved COOKIE value and store it in 'cookie' which has
+ * Retrieve the saved COOKIE value and store it in 'cookie' which has
  * size 'len'.
  *
  * Requires:
@@ -811,7 +815,7 @@ dns_adb_setquota(dns_adb_t *adb, uint32_t quota, uint32_t freq,
  */
 
 bool
-dns_adbentry_overquota(dns_adbentry_t *entry);
+dns_adbentry_overquota(dns_adb_t *adb, dns_adbentry_t *entry);
 /*%<
  * Returns true if the specified ADB has too many active fetches.
  *
diff --git a/bind/bind9/lib/dns/include/dns/badcache.h b/bind/bind9/lib/dns/include/dns/badcache.h
index 276e3cb7..2237a0ee 100644
--- a/bind/bind9/lib/dns/include/dns/badcache.h
+++ b/bind/bind9/lib/dns/include/dns/badcache.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/bit.h b/bind/bind9/lib/dns/include/dns/bit.h
index 9ebb57a8..f65c774f 100644
--- a/bind/bind9/lib/dns/include/dns/bit.h
+++ b/bind/bind9/lib/dns/include/dns/bit.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/byaddr.h b/bind/bind9/lib/dns/include/dns/byaddr.h
index 9fe3009c..719d2467 100644
--- a/bind/bind9/lib/dns/include/dns/byaddr.h
+++ b/bind/bind9/lib/dns/include/dns/byaddr.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/cache.h b/bind/bind9/lib/dns/include/dns/cache.h
index 62797dbb..ab4b0b54 100644
--- a/bind/bind9/lib/dns/include/dns/cache.h
+++ b/bind/bind9/lib/dns/include/dns/cache.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/callbacks.h b/bind/bind9/lib/dns/include/dns/callbacks.h
index 9c723f38..4c7d73d9 100644
--- a/bind/bind9/lib/dns/include/dns/callbacks.h
+++ b/bind/bind9/lib/dns/include/dns/callbacks.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/catz.h b/bind/bind9/lib/dns/include/dns/catz.h
index df087a61..297f3ce3 100644
--- a/bind/bind9/lib/dns/include/dns/catz.h
+++ b/bind/bind9/lib/dns/include/dns/catz.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -46,7 +46,7 @@ ISC_LANG_BEGINDECLS
  */
 struct dns_catz_entry_options {
 	/*
-	 * Options that can be overriden in catalog zone
+	 * Options that can be overridden in catalog zone
 	 */
 	/* default-masters definition */
 	dns_ipkeylist_t masters;
@@ -322,13 +322,15 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 /* Methods provided by named to dynamically modify the member zones */
 /* xxxwpk TODO config! */
 typedef isc_result_t (*dns_catz_zoneop_fn_t)(dns_catz_entry_t *entry,
-		dns_catz_zone_t *origin, dns_view_t *view,
-		isc_taskmgr_t *taskmgr, void *udata);
+					     dns_catz_zone_t *origin,
+					     dns_view_t *view,
+					     isc_taskmgr_t *taskmgr,
+					     void *udata);
 struct dns_catz_zonemodmethods {
 	dns_catz_zoneop_fn_t addzone;
 	dns_catz_zoneop_fn_t modzone;
 	dns_catz_zoneop_fn_t delzone;
-	void * udata;
+	void *udata;
 };
 
 
diff --git a/bind/bind9/lib/dns/include/dns/cert.h b/bind/bind9/lib/dns/include/dns/cert.h
index 188d2830..ce33540d 100644
--- a/bind/bind9/lib/dns/include/dns/cert.h
+++ b/bind/bind9/lib/dns/include/dns/cert.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/client.h b/bind/bind9/lib/dns/include/dns/client.h
index d3c57904..f71d16fa 100644
--- a/bind/bind9/lib/dns/include/dns/client.h
+++ b/bind/bind9/lib/dns/include/dns/client.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -443,7 +443,7 @@ dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
 			dns_clientreqtrans_t **transp);
 
 /*%<
- * Send a DNS request containig a query message 'query' to 'server'.
+ * Send a DNS request containing a query message 'query' to 'server'.
  *
  * 'parseoptions' will be used when the response packet is parsed, and will be
  * passed to dns_message_parse() via dns_request_getresponse().  See
diff --git a/bind/bind9/lib/dns/include/dns/clientinfo.h b/bind/bind9/lib/dns/include/dns/clientinfo.h
index 1d85ec45..11e0f2a7 100644
--- a/bind/bind9/lib/dns/include/dns/clientinfo.h
+++ b/bind/bind9/lib/dns/include/dns/clientinfo.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/compress.h b/bind/bind9/lib/dns/include/dns/compress.h
index 0c951d78..3d11e4a4 100644
--- a/bind/bind9/lib/dns/include/dns/compress.h
+++ b/bind/bind9/lib/dns/include/dns/compress.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/db.h b/bind/bind9/lib/dns/include/dns/db.h
index ae6ae365..96f3a8f4 100644
--- a/bind/bind9/lib/dns/include/dns/db.h
+++ b/bind/bind9/lib/dns/include/dns/db.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 #ifndef DNS_DB_H
 #define DNS_DB_H 1
 
@@ -724,7 +722,7 @@ dns_db_findnodeext(dns_db_t *db, dns_name_t *name, bool create,
  *
  * dns_db_findnodeext() (findnode extended) also accepts parameters
  * 'methods' and 'clientinfo', which, when provided, enable the database to
- * retreive information about the client from the caller, and modify its
+ * retrieve information about the client from the caller, and modify its
  * response on the basis of that information.
  *
  * Notes:
@@ -774,7 +772,7 @@ dns_db_findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  * Find the best match for 'name' and 'type' in version 'version' of 'db'.
  *
  * dns_db_findext() (find extended) also accepts parameters 'methods'
- * and 'clientinfo', which when provided enable the database to retreive
+ * and 'clientinfo', which when provided enable the database to retrieve
  * information about the client from the caller, and modify its response
  * on the basis of this information.
  *
@@ -1488,7 +1486,7 @@ dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep);
 isc_result_t
 dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
 			  dns_hash_t *hash, uint8_t *flags,
-			  uint16_t *interations,
+			  uint16_t *iterations,
 			  unsigned char *salt, size_t *salt_length);
 /*%<
  * Get the NSEC3 parameters that are associated with this zone.
diff --git a/bind/bind9/lib/dns/include/dns/dbiterator.h b/bind/bind9/lib/dns/include/dns/dbiterator.h
index 8b50c8c8..9ed43c21 100644
--- a/bind/bind9/lib/dns/include/dns/dbiterator.h
+++ b/bind/bind9/lib/dns/include/dns/dbiterator.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/dbtable.h b/bind/bind9/lib/dns/include/dns/dbtable.h
index 8f139b90..b9756cd1 100644
--- a/bind/bind9/lib/dns/include/dns/dbtable.h
+++ b/bind/bind9/lib/dns/include/dns/dbtable.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/diff.h b/bind/bind9/lib/dns/include/dns/diff.h
index 50f6e9d8..b75c9c0f 100644
--- a/bind/bind9/lib/dns/include/dns/diff.h
+++ b/bind/bind9/lib/dns/include/dns/diff.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/dispatch.h b/bind/bind9/lib/dns/include/dns/dispatch.h
index 476863ac..9e6f8865 100644
--- a/bind/bind9/lib/dns/include/dns/dispatch.h
+++ b/bind/bind9/lib/dns/include/dns/dispatch.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/dlz.h b/bind/bind9/lib/dns/include/dns/dlz.h
index cc43f7cb..2ee613bd 100644
--- a/bind/bind9/lib/dns/include/dns/dlz.h
+++ b/bind/bind9/lib/dns/include/dns/dlz.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/dlz_dlopen.h b/bind/bind9/lib/dns/include/dns/dlz_dlopen.h
index 3719aa74..2efd39ba 100644
--- a/bind/bind9/lib/dns/include/dns/dlz_dlopen.h
+++ b/bind/bind9/lib/dns/include/dns/dlz_dlopen.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/dns64.h b/bind/bind9/lib/dns/include/dns/dns64.h
index 34c2ad50..7fa0be59 100644
--- a/bind/bind9/lib/dns/include/dns/dns64.h
+++ b/bind/bind9/lib/dns/include/dns/dns64.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -56,7 +56,7 @@ dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
  * clients apply.  'mapped' defines which A records are candidated for
  * mapping.  If 'mapped' is NULL then all A records will be mapped.
  * 'excluded' defines which AAAA are to be treated as non-existent for the
- * purposed of determining whether to perform syntesis.  If 'excluded' is
+ * purposed of determining whether to perform synthesis.  If 'excluded' is
  * NULL then no AAAA records prevent synthesis.
  *
  * If DNS_DNS64_RECURSIVE_ONLY is set then the record will only match if
@@ -151,7 +151,7 @@ dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
 /*
  * Determine if there are any non-excluded AAAA records in from the
  * matching dns64 records in the list starting at 'dns64'.  If there
- * is a non-exluded address return true.  If all addresses are
+ * is a non-excluded address return true.  If all addresses are
  * excluded in the matched records return false.   If no records
  * match then return true.
  *
diff --git a/bind/bind9/lib/dns/include/dns/dnssec.h b/bind/bind9/lib/dns/include/dns/dnssec.h
index 3aaeaf5d..31e2586c 100644
--- a/bind/bind9/lib/dns/include/dns/dnssec.h
+++ b/bind/bind9/lib/dns/include/dns/dnssec.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/dnstap.h b/bind/bind9/lib/dns/include/dns/dnstap.h
index d8835564..1ba60016 100644
--- a/bind/bind9/lib/dns/include/dns/dnstap.h
+++ b/bind/bind9/lib/dns/include/dns/dnstap.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/ds.h b/bind/bind9/lib/dns/include/dns/ds.h
index 51f13b2e..20b46661 100644
--- a/bind/bind9/lib/dns/include/dns/ds.h
+++ b/bind/bind9/lib/dns/include/dns/ds.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/dsdigest.h b/bind/bind9/lib/dns/include/dns/dsdigest.h
index b029ecd4..7097ffcf 100644
--- a/bind/bind9/lib/dns/include/dns/dsdigest.h
+++ b/bind/bind9/lib/dns/include/dns/dsdigest.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/dyndb.h b/bind/bind9/lib/dns/include/dns/dyndb.h
index d5fedb5f..d95b229d 100644
--- a/bind/bind9/lib/dns/include/dns/dyndb.h
+++ b/bind/bind9/lib/dns/include/dns/dyndb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -22,7 +22,7 @@ ISC_LANG_BEGINDECLS
 
 /*!
  * \brief
- * Context for intializing a dyndb module.
+ * Context for initializing a dyndb module.
  *
  * This structure passes global server data to which a dyndb
  * module will need access -- the server memory context, hash
@@ -71,7 +71,7 @@ typedef isc_result_t dns_dyndb_register_t(isc_mem_t *mctx,
  * 'parameters' contains the driver configuration text. 'dctx' is the
  * initialization context set up in dns_dyndb_createctx().
  *
- * '*instp' must be set to the driver instance handle if the functino
+ * '*instp' must be set to the driver instance handle if the function
  * is successful.
  *
  * Returns:
diff --git a/bind/bind9/lib/dns/include/dns/ecdb.h b/bind/bind9/lib/dns/include/dns/ecdb.h
index 6d6c8806..b277a898 100644
--- a/bind/bind9/lib/dns/include/dns/ecdb.h
+++ b/bind/bind9/lib/dns/include/dns/ecdb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/edns.h b/bind/bind9/lib/dns/include/dns/edns.h
index 018c89d3..44aa0973 100644
--- a/bind/bind9/lib/dns/include/dns/edns.h
+++ b/bind/bind9/lib/dns/include/dns/edns.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/events.h b/bind/bind9/lib/dns/include/dns/events.h
index bd051c1e..6cc56355 100644
--- a/bind/bind9/lib/dns/include/dns/events.h
+++ b/bind/bind9/lib/dns/include/dns/events.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/fixedname.h b/bind/bind9/lib/dns/include/dns/fixedname.h
index 6a9b5551..4b04905a 100644
--- a/bind/bind9/lib/dns/include/dns/fixedname.h
+++ b/bind/bind9/lib/dns/include/dns/fixedname.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/forward.h b/bind/bind9/lib/dns/include/dns/forward.h
index eb0e0458..674a08a8 100644
--- a/bind/bind9/lib/dns/include/dns/forward.h
+++ b/bind/bind9/lib/dns/include/dns/forward.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/geoip.h b/bind/bind9/lib/dns/include/dns/geoip.h
index 2b336e12..a0cc5ece 100644
--- a/bind/bind9/lib/dns/include/dns/geoip.h
+++ b/bind/bind9/lib/dns/include/dns/geoip.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/ipkeylist.h b/bind/bind9/lib/dns/include/dns/ipkeylist.h
index 5b012b42..9652256a 100644
--- a/bind/bind9/lib/dns/include/dns/ipkeylist.h
+++ b/bind/bind9/lib/dns/include/dns/ipkeylist.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -80,8 +80,8 @@ dns_ipkeylist_resize(isc_mem_t *mctx, dns_ipkeylist_t *ipkl, unsigned int n);
  * \li	'n' >= ipkl->count
  *
  * Returns:
- * \li	#ISC_R_SUCCESS if successs
- * \li	#ISC_R_NOMEMORY if there's no memory, ipkeylist is left untoched
+ * \li	#ISC_R_SUCCESS if success
+ * \li	#ISC_R_NOMEMORY if there's no memory, ipkeylist is left untouched
  */
 
 #endif
diff --git a/bind/bind9/lib/dns/include/dns/iptable.h b/bind/bind9/lib/dns/include/dns/iptable.h
index 26a6ad5f..4a4cc4b9 100644
--- a/bind/bind9/lib/dns/include/dns/iptable.h
+++ b/bind/bind9/lib/dns/include/dns/iptable.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/journal.h b/bind/bind9/lib/dns/include/dns/journal.h
index 8bcb5513..1eaea537 100644
--- a/bind/bind9/lib/dns/include/dns/journal.h
+++ b/bind/bind9/lib/dns/include/dns/journal.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/keydata.h b/bind/bind9/lib/dns/include/dns/keydata.h
index f12932ad..c0f56eea 100644
--- a/bind/bind9/lib/dns/include/dns/keydata.h
+++ b/bind/bind9/lib/dns/include/dns/keydata.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/keyflags.h b/bind/bind9/lib/dns/include/dns/keyflags.h
index 6d41a1c7..5e995da7 100644
--- a/bind/bind9/lib/dns/include/dns/keyflags.h
+++ b/bind/bind9/lib/dns/include/dns/keyflags.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/keytable.h b/bind/bind9/lib/dns/include/dns/keytable.h
index a94fa3e4..6e102279 100644
--- a/bind/bind9/lib/dns/include/dns/keytable.h
+++ b/bind/bind9/lib/dns/include/dns/keytable.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -427,7 +427,7 @@ dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target);
 void
 dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **target);
 /*%<
- * Detach a keynode and all its succesors.
+ * Detach a keynode and all its successors.
  */
 
 isc_result_t
diff --git a/bind/bind9/lib/dns/include/dns/keyvalues.h b/bind/bind9/lib/dns/include/dns/keyvalues.h
index ad17261a..667f0aba 100644
--- a/bind/bind9/lib/dns/include/dns/keyvalues.h
+++ b/bind/bind9/lib/dns/include/dns/keyvalues.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/lib.h b/bind/bind9/lib/dns/include/dns/lib.h
index d63efdd1..89a68389 100644
--- a/bind/bind9/lib/dns/include/dns/lib.h
+++ b/bind/bind9/lib/dns/include/dns/lib.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/log.h b/bind/bind9/lib/dns/include/dns/log.h
index 278ada0a..fec54bc0 100644
--- a/bind/bind9/lib/dns/include/dns/log.h
+++ b/bind/bind9/lib/dns/include/dns/log.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/lookup.h b/bind/bind9/lib/dns/include/dns/lookup.h
index 1af58fea..5bc36b18 100644
--- a/bind/bind9/lib/dns/include/dns/lookup.h
+++ b/bind/bind9/lib/dns/include/dns/lookup.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/master.h b/bind/bind9/lib/dns/include/dns/master.h
index 61c93b00..d626636c 100644
--- a/bind/bind9/lib/dns/include/dns/master.h
+++ b/bind/bind9/lib/dns/include/dns/master.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/masterdump.h b/bind/bind9/lib/dns/include/dns/masterdump.h
index b01ca087..948fa65b 100644
--- a/bind/bind9/lib/dns/include/dns/masterdump.h
+++ b/bind/bind9/lib/dns/include/dns/masterdump.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/message.h b/bind/bind9/lib/dns/include/dns/message.h
index 6c9a14eb..f64522b4 100644
--- a/bind/bind9/lib/dns/include/dns/message.h
+++ b/bind/bind9/lib/dns/include/dns/message.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -21,6 +21,7 @@
 
 #include <isc/lang.h>
 #include <isc/magic.h>
+#include <isc/refcount.h>
 
 #include <dns/compress.h>
 #include <dns/masterdump.h>
@@ -99,15 +100,17 @@
 #define DNS_MESSAGEEXTFLAG_DO		0x8000U
 
 /*%< EDNS0 extended OPT codes */
-#define DNS_OPT_LLQ		1		/*%< LLQ opt code */
-#define DNS_OPT_NSID		3		/*%< NSID opt code */
-#define DNS_OPT_CLIENT_SUBNET	8		/*%< client subnet opt code */
-#define DNS_OPT_EXPIRE		9		/*%< EXPIRE opt code */
-#define DNS_OPT_COOKIE		10		/*%< COOKIE opt code */
-#define DNS_OPT_PAD		12		/*%< PAD opt code */
-#define DNS_OPT_KEY_TAG		14		/*%< Key tag opt code */
-#define DNS_OPT_CLIENT_TAG	16		/*%< Client tag opt code */
-#define DNS_OPT_SERVER_TAG	17		/*%< Server tag opt code */
+#define DNS_OPT_LLQ	      1	 /*%< LLQ opt code */
+#define DNS_OPT_NSID	      3	 /*%< NSID opt code */
+#define DNS_OPT_CLIENT_SUBNET 8	 /*%< client subnet opt code */
+#define DNS_OPT_EXPIRE	      9	 /*%< EXPIRE opt code */
+#define DNS_OPT_COOKIE	      10 /*%< COOKIE opt code */
+#define DNS_OPT_TCP_KEEPALIVE 11 /*%< TCP keepalive opt code */
+#define DNS_OPT_PAD	      12 /*%< PAD opt code */
+#define DNS_OPT_KEY_TAG	      14 /*%< Key tag opt code */
+#define DNS_OPT_EDE	      15 /*%< Extended DNS Error opt code */
+#define DNS_OPT_CLIENT_TAG    16 /*%< Client tag opt code */
+#define DNS_OPT_SERVER_TAG    17 /*%< Server tag opt code */
 
 /*%< Experimental options [65001...65534] as per RFC6891 */
 
@@ -192,6 +195,7 @@ typedef struct dns_msgblock dns_msgblock_t;
 struct dns_message {
 	/* public from here down */
 	unsigned int			magic;
+	isc_refcount_t			refcount;
 
 	dns_messageid_t			id;
 	unsigned int			flags;
@@ -261,6 +265,8 @@ struct dns_message {
 
 	dns_rdatasetorderfunc_t		order;
 	const void *			order_arg;
+
+	dns_indent_t			indent;
 };
 
 struct dns_ednsopt {
@@ -306,8 +312,8 @@ dns_message_reset(dns_message_t *msg, unsigned int intent);
 /*%<
  * Reset a message structure to default state.  All internal lists are freed
  * or reset to a default state as well.  This is simply a more efficient
- * way to call dns_message_destroy() followed by dns_message_allocate(),
- * since it avoid many memory allocations.
+ * way to call dns_message_detach() (assuming last reference is hold),
+ * followed by dns_message_create(), since it avoid many memory allocations.
  *
  * If any data loanouts (buffers, names, rdatas, etc) were requested,
  * the caller must no longer use them after this call.
@@ -322,16 +328,23 @@ dns_message_reset(dns_message_t *msg, unsigned int intent);
  */
 
 void
-dns_message_destroy(dns_message_t **msgp);
+dns_message_attach(dns_message_t *source, dns_message_t **target);
 /*%<
- * Destroy all state in the message.
+ * Attach to message 'source'.
  *
  * Requires:
+ *\li	'source' to be a valid message.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_message_detach(dns_message_t **messagep);
+/*%<
+ * Detach *messagep from its message.
+ * list.
  *
- *\li	'msgp' be valid.
- *
- * Ensures:
- *\li	'*msgp' == NULL
+ * Requires:
+ *\li	'*messagep' to be a valid message.
  */
 
 isc_result_t
diff --git a/bind/bind9/lib/dns/include/dns/name.h b/bind/bind9/lib/dns/include/dns/name.h
index 2cf0da40..0ca5d475 100644
--- a/bind/bind9/lib/dns/include/dns/name.h
+++ b/bind/bind9/lib/dns/include/dns/name.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -478,7 +478,7 @@ dns_name_equal(const dns_name_t *name1, const dns_name_t *name2);
  * \li	Because it only needs to test for equality, dns_name_equal() can be
  *	significantly faster than dns_name_fullcompare() or dns_name_compare().
  *
- * \li	Offsets tables are not used in the comparision.
+ * \li	Offsets tables are not used in the comparison.
  *
  * \li	It makes no sense for one of the names to be relative and the
  *	other absolute.  If both names are relative, then to be meaningfully
diff --git a/bind/bind9/lib/dns/include/dns/ncache.h b/bind/bind9/lib/dns/include/dns/ncache.h
index 2942c26e..c984a18f 100644
--- a/bind/bind9/lib/dns/include/dns/ncache.h
+++ b/bind/bind9/lib/dns/include/dns/ncache.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/nsec.h b/bind/bind9/lib/dns/include/dns/nsec.h
index 18cec170..4e12cbea 100644
--- a/bind/bind9/lib/dns/include/dns/nsec.h
+++ b/bind/bind9/lib/dns/include/dns/nsec.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/nsec3.h b/bind/bind9/lib/dns/include/dns/nsec3.h
index 07d2bf08..f36ba99e 100644
--- a/bind/bind9/lib/dns/include/dns/nsec3.h
+++ b/bind/bind9/lib/dns/include/dns/nsec3.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -24,7 +24,8 @@
 #include <dns/rdatastruct.h>
 #include <dns/types.h>
 
-#define DNS_NSEC3_SALTSIZE 255
+#define DNS_NSEC3_SALTSIZE	255
+#define DNS_NSEC3_MAXITERATIONS 150U
 
 /*
  * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
@@ -200,18 +201,10 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
  *	'answer' to be non NULL.
  */
 
-isc_result_t
-dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
-			isc_mem_t *mctx, unsigned int *iterationsp);
+unsigned int
+dns_nsec3_maxiterations(void);
 /*%<
- * Find the maximum permissible number of iterations allowed based on
- * the key strength.
- *
- * Requires:
- *	'db' to be valid.
- *	'version' to be valid or NULL.
- *	'mctx' to be valid.
- *	'iterationsp' to be non NULL.
+ * Return the maximum permissible number of NSEC3 iterations.
  */
 
 bool
diff --git a/bind/bind9/lib/dns/include/dns/nta.h b/bind/bind9/lib/dns/include/dns/nta.h
index edbaa77c..6a7739eb 100644
--- a/bind/bind9/lib/dns/include/dns/nta.h
+++ b/bind/bind9/lib/dns/include/dns/nta.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -52,6 +52,7 @@ struct dns_ntatable {
 	/* Locked by rwlock. */
 	uint32_t		references;
 	dns_rbt_t		*table;
+	bool	   		shuttingdown;
 };
 
 #define NTATABLE_MAGIC		ISC_MAGIC('N', 'T', 'A', 't')
@@ -199,6 +200,13 @@ dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp);
 /*%<
  * Save the NTA table to the file opened as 'fp', for later loading.
  */
+
+void
+dns_ntatable_shutdown(dns_ntatable_t *ntatable);
+/*%<
+ * Cancel future checks to see if NTAs can be removed.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_NTA_H */
diff --git a/bind/bind9/lib/dns/include/dns/opcode.h b/bind/bind9/lib/dns/include/dns/opcode.h
index ff9e82e6..dcf9bed8 100644
--- a/bind/bind9/lib/dns/include/dns/opcode.h
+++ b/bind/bind9/lib/dns/include/dns/opcode.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/order.h b/bind/bind9/lib/dns/include/dns/order.h
index e7c05166..f27512e6 100644
--- a/bind/bind9/lib/dns/include/dns/order.h
+++ b/bind/bind9/lib/dns/include/dns/order.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/peer.h b/bind/bind9/lib/dns/include/dns/peer.h
index 58a1354f..2c737fc3 100644
--- a/bind/bind9/lib/dns/include/dns/peer.h
+++ b/bind/bind9/lib/dns/include/dns/peer.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/portlist.h b/bind/bind9/lib/dns/include/dns/portlist.h
index 471db973..30705acc 100644
--- a/bind/bind9/lib/dns/include/dns/portlist.h
+++ b/bind/bind9/lib/dns/include/dns/portlist.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/private.h b/bind/bind9/lib/dns/include/dns/private.h
index 86047468..0d3fb3b9 100644
--- a/bind/bind9/lib/dns/include/dns/private.h
+++ b/bind/bind9/lib/dns/include/dns/private.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rbt.h b/bind/bind9/lib/dns/include/dns/rbt.h
index 67ac3e4d..076bf369 100644
--- a/bind/bind9/lib/dns/include/dns/rbt.h
+++ b/bind/bind9/lib/dns/include/dns/rbt.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -159,10 +159,10 @@ struct dns_rbtnode {
 	 * separate region of memory.
 	 */
 	void *data;
+	unsigned int locknum;
 	unsigned int :0;                /* start of bitfields c/o node lock */
 	unsigned int dirty:1;
 	unsigned int wild:1;
-	unsigned int locknum:DNS_RBT_LOCKLENGTH;
 #ifndef DNS_RBT_USEISCREFCOUNT
 	unsigned int references:DNS_RBT_REFLENGTH;
 #endif
diff --git a/bind/bind9/lib/dns/include/dns/rcode.h b/bind/bind9/lib/dns/include/dns/rcode.h
index 59146af6..30664b6f 100644
--- a/bind/bind9/lib/dns/include/dns/rcode.h
+++ b/bind/bind9/lib/dns/include/dns/rcode.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rdata.h b/bind/bind9/lib/dns/include/dns/rdata.h
index 0e2fbf5d..804cd5b7 100644
--- a/bind/bind9/lib/dns/include/dns/rdata.h
+++ b/bind/bind9/lib/dns/include/dns/rdata.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -509,7 +509,7 @@ dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
  *
  * Requires:
  *
- *\li	'rdata' is a valid, non-empty rdata.
+ *\li	'rdata' is a valid, non-empty, non-pseudo rdata.
  *
  *\li	'target' to point to a valid pointer for the type and class.
  *
diff --git a/bind/bind9/lib/dns/include/dns/rdataclass.h b/bind/bind9/lib/dns/include/dns/rdataclass.h
index 67fe1c71..cc481cd6 100644
--- a/bind/bind9/lib/dns/include/dns/rdataclass.h
+++ b/bind/bind9/lib/dns/include/dns/rdataclass.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rdatalist.h b/bind/bind9/lib/dns/include/dns/rdatalist.h
index 63015e18..de34a1cc 100644
--- a/bind/bind9/lib/dns/include/dns/rdatalist.h
+++ b/bind/bind9/lib/dns/include/dns/rdatalist.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rdataset.h b/bind/bind9/lib/dns/include/dns/rdataset.h
index 5295d8e4..ed9119a6 100644
--- a/bind/bind9/lib/dns/include/dns/rdataset.h
+++ b/bind/bind9/lib/dns/include/dns/rdataset.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rdatasetiter.h b/bind/bind9/lib/dns/include/dns/rdatasetiter.h
index 54b3e90d..15857f63 100644
--- a/bind/bind9/lib/dns/include/dns/rdatasetiter.h
+++ b/bind/bind9/lib/dns/include/dns/rdatasetiter.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rdataslab.h b/bind/bind9/lib/dns/include/dns/rdataslab.h
index 2e0d0e1b..f38d539a 100644
--- a/bind/bind9/lib/dns/include/dns/rdataslab.h
+++ b/bind/bind9/lib/dns/include/dns/rdataslab.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rdatatype.h b/bind/bind9/lib/dns/include/dns/rdatatype.h
index 0e792325..398ed975 100644
--- a/bind/bind9/lib/dns/include/dns/rdatatype.h
+++ b/bind/bind9/lib/dns/include/dns/rdatatype.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/request.h b/bind/bind9/lib/dns/include/dns/request.h
index 672d3e9d..cb4b95b7 100644
--- a/bind/bind9/lib/dns/include/dns/request.h
+++ b/bind/bind9/lib/dns/include/dns/request.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/resolver.h b/bind/bind9/lib/dns/include/dns/resolver.h
index 6da41b7a..7b3c0470 100644
--- a/bind/bind9/lib/dns/include/dns/resolver.h
+++ b/bind/bind9/lib/dns/include/dns/resolver.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -688,7 +688,7 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which);
  * are exceeded. If 'which' is set to quotatype "zone", then the
  * result specified in 'resp' will be used when the fetches-per-zone
  * quota is exceeded by a fetch.  If 'which' is set to quotatype "server",
- * then the reuslt specified in 'resp' will be used when the
+ * then the result specified in 'resp' will be used when the
  * fetches-per-server quota has been exceeded for all the
  * authoritative servers for a zone.  Valid choices are
  * DNS_R_DROP or DNS_R_SERVFAIL.
diff --git a/bind/bind9/lib/dns/include/dns/result.h b/bind/bind9/lib/dns/include/dns/result.h
index 92fa5e12..b1007873 100644
--- a/bind/bind9/lib/dns/include/dns/result.h
+++ b/bind/bind9/lib/dns/include/dns/result.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -153,8 +153,18 @@
 #define DNS_R_BADTSIG			(ISC_RESULTCLASS_DNS + 115)
 #define DNS_R_BADSIG0			(ISC_RESULTCLASS_DNS + 116)
 #define DNS_R_TOOMANYRECORDS		(ISC_RESULTCLASS_DNS + 117)
+#define DNS_R_VERIFYFAILURE		(ISC_RESULTCLASS_DNS + 118)
+#define DNS_R_ATZONETOP			(ISC_RESULTCLASS_DNS + 119)
+#define DNS_R_NOKEYMATCH		(ISC_RESULTCLASS_DNS + 120)
+#define DNS_R_TOOMANYKEYS		(ISC_RESULTCLASS_DNS + 121)
+#define DNS_R_KEYNOTACTIVE		(ISC_RESULTCLASS_DNS + 122)
+#define DNS_R_NSEC3ITERRANGE		(ISC_RESULTCLASS_DNS + 123)
+#define DNS_R_NSEC3SALTRANGE		(ISC_RESULTCLASS_DNS + 124)
+#define DNS_R_NSEC3BADALG		(ISC_RESULTCLASS_DNS + 125)
+#define DNS_R_NSEC3RESALT		(ISC_RESULTCLASS_DNS + 126)
+
+#define DNS_R_NRESULTS			127	/*%< Number of results */
 
-#define DNS_R_NRESULTS			118	/*%< Number of results */
 
 /*
  * DNS wire format rcodes.
diff --git a/bind/bind9/lib/dns/include/dns/rootns.h b/bind/bind9/lib/dns/include/dns/rootns.h
index f6a18199..a097f65a 100644
--- a/bind/bind9/lib/dns/include/dns/rootns.h
+++ b/bind/bind9/lib/dns/include/dns/rootns.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rpz.h b/bind/bind9/lib/dns/include/dns/rpz.h
index 36763c27..32ce3357 100644
--- a/bind/bind9/lib/dns/include/dns/rpz.h
+++ b/bind/bind9/lib/dns/include/dns/rpz.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/rriterator.h b/bind/bind9/lib/dns/include/dns/rriterator.h
index 8c0c076a..b88aa53d 100644
--- a/bind/bind9/lib/dns/include/dns/rriterator.h
+++ b/bind/bind9/lib/dns/include/dns/rriterator.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: rriterator.h,v 1.4 2011/11/01 23:47:00 tbox Exp $ */
-
 #ifndef DNS_RRITERATOR_H
 #define DNS_RRITERATOR_H 1
 
diff --git a/bind/bind9/lib/dns/include/dns/rrl.h b/bind/bind9/lib/dns/include/dns/rrl.h
index 0301ed8d..5a658868 100644
--- a/bind/bind9/lib/dns/include/dns/rrl.h
+++ b/bind/bind9/lib/dns/include/dns/rrl.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/sdb.h b/bind/bind9/lib/dns/include/dns/sdb.h
index c033b60d..7e3c2a8a 100644
--- a/bind/bind9/lib/dns/include/dns/sdb.h
+++ b/bind/bind9/lib/dns/include/dns/sdb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/sdlz.h b/bind/bind9/lib/dns/include/dns/sdlz.h
index 5b6bc3e7..0318d1ba 100644
--- a/bind/bind9/lib/dns/include/dns/sdlz.h
+++ b/bind/bind9/lib/dns/include/dns/sdlz.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/secalg.h b/bind/bind9/lib/dns/include/dns/secalg.h
index e27d6b48..f1938552 100644
--- a/bind/bind9/lib/dns/include/dns/secalg.h
+++ b/bind/bind9/lib/dns/include/dns/secalg.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/secproto.h b/bind/bind9/lib/dns/include/dns/secproto.h
index 7ee8958f..09f45cf1 100644
--- a/bind/bind9/lib/dns/include/dns/secproto.h
+++ b/bind/bind9/lib/dns/include/dns/secproto.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/soa.h b/bind/bind9/lib/dns/include/dns/soa.h
index 1e97e7a9..cb0f982b 100644
--- a/bind/bind9/lib/dns/include/dns/soa.h
+++ b/bind/bind9/lib/dns/include/dns/soa.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/ssu.h b/bind/bind9/lib/dns/include/dns/ssu.h
index 402583c7..74faf47e 100644
--- a/bind/bind9/lib/dns/include/dns/ssu.h
+++ b/bind/bind9/lib/dns/include/dns/ssu.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/stats.h b/bind/bind9/lib/dns/include/dns/stats.h
index 9ef47af5..bcfb878d 100644
--- a/bind/bind9/lib/dns/include/dns/stats.h
+++ b/bind/bind9/lib/dns/include/dns/stats.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 #ifndef DNS_STATS_H
 #define DNS_STATS_H 1
 
diff --git a/bind/bind9/lib/dns/include/dns/tcpmsg.h b/bind/bind9/lib/dns/include/dns/tcpmsg.h
index 1e8f29bf..eb3f5c26 100644
--- a/bind/bind9/lib/dns/include/dns/tcpmsg.h
+++ b/bind/bind9/lib/dns/include/dns/tcpmsg.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/time.h b/bind/bind9/lib/dns/include/dns/time.h
index 012b7330..2e533d68 100644
--- a/bind/bind9/lib/dns/include/dns/time.h
+++ b/bind/bind9/lib/dns/include/dns/time.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/timer.h b/bind/bind9/lib/dns/include/dns/timer.h
index 845cf6c1..04781b4f 100644
--- a/bind/bind9/lib/dns/include/dns/timer.h
+++ b/bind/bind9/lib/dns/include/dns/timer.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/tkey.h b/bind/bind9/lib/dns/include/dns/tkey.h
index f2500fac..c316e805 100644
--- a/bind/bind9/lib/dns/include/dns/tkey.h
+++ b/bind/bind9/lib/dns/include/dns/tkey.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/tsec.h b/bind/bind9/lib/dns/include/dns/tsec.h
index 95e16c87..4f27ba3b 100644
--- a/bind/bind9/lib/dns/include/dns/tsec.h
+++ b/bind/bind9/lib/dns/include/dns/tsec.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/tsig.h b/bind/bind9/lib/dns/include/dns/tsig.h
index bd67ca6f..2fa1ab1a 100644
--- a/bind/bind9/lib/dns/include/dns/tsig.h
+++ b/bind/bind9/lib/dns/include/dns/tsig.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -69,7 +69,7 @@ struct dns_tsig_keyring {
 	unsigned int generated;
 	unsigned int maxgenerated;
 	ISC_LIST(dns_tsigkey_t) lru;
-	unsigned int references;
+	isc_refcount_t references;
 };
 
 struct dns_tsigkey {
diff --git a/bind/bind9/lib/dns/include/dns/ttl.h b/bind/bind9/lib/dns/include/dns/ttl.h
index 9241f109..d4d59ac7 100644
--- a/bind/bind9/lib/dns/include/dns/ttl.h
+++ b/bind/bind9/lib/dns/include/dns/ttl.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/types.h b/bind/bind9/lib/dns/include/dns/types.h
index 567e8a87..2468e3c3 100644
--- a/bind/bind9/lib/dns/include/dns/types.h
+++ b/bind/bind9/lib/dns/include/dns/types.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -385,6 +385,11 @@ typedef enum {
 	dns_updatemethod_date
 } dns_updatemethod_t;
 
+typedef struct {
+	const char *string;
+	size_t      count;
+} dns_indent_t;
+
 /*
  * Functions.
  */
diff --git a/bind/bind9/lib/dns/include/dns/update.h b/bind/bind9/lib/dns/include/dns/update.h
index 6700c8f2..436b9e23 100644
--- a/bind/bind9/lib/dns/include/dns/update.h
+++ b/bind/bind9/lib/dns/include/dns/update.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/validator.h b/bind/bind9/lib/dns/include/dns/validator.h
index 81e46d8f..cc4478d6 100644
--- a/bind/bind9/lib/dns/include/dns/validator.h
+++ b/bind/bind9/lib/dns/include/dns/validator.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/version.h b/bind/bind9/lib/dns/include/dns/version.h
index 0552e81e..9d66a144 100644
--- a/bind/bind9/lib/dns/include/dns/version.h
+++ b/bind/bind9/lib/dns/include/dns/version.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/view.h b/bind/bind9/lib/dns/include/dns/view.h
index c849dec1..53f1db12 100644
--- a/bind/bind9/lib/dns/include/dns/view.h
+++ b/bind/bind9/lib/dns/include/dns/view.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -240,12 +240,7 @@ struct dns_view {
 
 #ifdef HAVE_LMDB
 #include <lmdb.h>
-/*
- * MDB_NOTLS is used to prevent problems after configuration is reloaded, due
- * to the way LMDB's use of thread-local storage (TLS) interacts with the BIND9
- * thread model.
- */
-#define DNS_LMDB_COMMON_FLAGS		(MDB_CREATE | MDB_NOSUBDIR | MDB_NOTLS)
+#define DNS_LMDB_COMMON_FLAGS		(MDB_CREATE | MDB_NOSUBDIR | MDB_NOLOCK)
 #ifndef __OpenBSD__
 #define DNS_LMDB_FLAGS			(DNS_LMDB_COMMON_FLAGS)
 #else /* __OpenBSD__ */
diff --git a/bind/bind9/lib/dns/include/dns/xfrin.h b/bind/bind9/lib/dns/include/dns/xfrin.h
index 123ba56a..a9308344 100644
--- a/bind/bind9/lib/dns/include/dns/xfrin.h
+++ b/bind/bind9/lib/dns/include/dns/xfrin.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/zone.h b/bind/bind9/lib/dns/include/dns/zone.h
index c059ce29..cd6f72b9 100644
--- a/bind/bind9/lib/dns/include/dns/zone.h
+++ b/bind/bind9/lib/dns/include/dns/zone.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -322,7 +322,7 @@ dns_zone_getfile(dns_zone_t *zone);
 void
 dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t records);
 /*%<
- * 	Sets the maximim number of records permitted in a zone.
+ * 	Sets the maximum number of records permitted in a zone.
  *	0 implies unlimited.
  *
  * Requires:
@@ -335,7 +335,7 @@ dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t records);
 uint32_t
 dns_zone_getmaxrecords(dns_zone_t *zone);
 /*%<
- * 	Gets the maximim number of records permitted in a zone.
+ * 	Gets the maximum number of records permitted in a zone.
  *	0 implies unlimited.
  *
  * Requires:
diff --git a/bind/bind9/lib/dns/include/dns/zonekey.h b/bind/bind9/lib/dns/include/dns/zonekey.h
index 01a0369e..dd45fbc7 100644
--- a/bind/bind9/lib/dns/include/dns/zonekey.h
+++ b/bind/bind9/lib/dns/include/dns/zonekey.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dns/zt.h b/bind/bind9/lib/dns/include/dns/zt.h
index 84ca8eaa..e658e5bb 100644
--- a/bind/bind9/lib/dns/include/dns/zt.h
+++ b/bind/bind9/lib/dns/include/dns/zt.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dst/Makefile.in b/bind/bind9/lib/dns/include/dst/Makefile.in
index 04727f73..49924837 100644
--- a/bind/bind9/lib/dns/include/dst/Makefile.in
+++ b/bind/bind9/lib/dns/include/dst/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dst/dst.h b/bind/bind9/lib/dns/include/dst/dst.h
index 1924e74c..5b42ab48 100644
--- a/bind/bind9/lib/dns/include/dst/dst.h
+++ b/bind/bind9/lib/dns/include/dst/dst.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dst/gssapi.h b/bind/bind9/lib/dns/include/dst/gssapi.h
index 17a9f548..8e315878 100644
--- a/bind/bind9/lib/dns/include/dst/gssapi.h
+++ b/bind/bind9/lib/dns/include/dst/gssapi.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -37,9 +37,6 @@
 #include ISC_PLATFORM_GSSAPI_KRB5_HEADER
 #endif
 #endif
-#ifndef GSS_SPNEGO_MECHANISM
-#define GSS_SPNEGO_MECHANISM ((void*)0)
-#endif
 #endif
 
 ISC_LANG_BEGINDECLS
diff --git a/bind/bind9/lib/dns/include/dst/lib.h b/bind/bind9/lib/dns/include/dst/lib.h
index 508439fd..85f799f2 100644
--- a/bind/bind9/lib/dns/include/dst/lib.h
+++ b/bind/bind9/lib/dns/include/dst/lib.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/include/dst/result.h b/bind/bind9/lib/dns/include/dst/result.h
index 0855d808..edf32e24 100644
--- a/bind/bind9/lib/dns/include/dst/result.h
+++ b/bind/bind9/lib/dns/include/dst/result.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/ipkeylist.c b/bind/bind9/lib/dns/ipkeylist.c
index 4f114e5d..6e97f6da 100644
--- a/bind/bind9/lib/dns/ipkeylist.c
+++ b/bind/bind9/lib/dns/ipkeylist.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/iptable.c b/bind/bind9/lib/dns/iptable.c
index 10713a09..909103ea 100644
--- a/bind/bind9/lib/dns/iptable.c
+++ b/bind/bind9/lib/dns/iptable.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/journal.c b/bind/bind9/lib/dns/journal.c
index bea961f4..1f046504 100644
--- a/bind/bind9/lib/dns/journal.c
+++ b/bind/bind9/lib/dns/journal.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/key.c b/bind/bind9/lib/dns/key.c
index 16dadf89..f09e84ef 100644
--- a/bind/bind9/lib/dns/key.c
+++ b/bind/bind9/lib/dns/key.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/keydata.c b/bind/bind9/lib/dns/keydata.c
index 135d9680..3e7d5375 100644
--- a/bind/bind9/lib/dns/keydata.c
+++ b/bind/bind9/lib/dns/keydata.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/keytable.c b/bind/bind9/lib/dns/keytable.c
index 57b86088..37bfa9b0 100644
--- a/bind/bind9/lib/dns/keytable.c
+++ b/bind/bind9/lib/dns/keytable.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/lib.c b/bind/bind9/lib/dns/lib.c
index 304814bb..d9417ded 100644
--- a/bind/bind9/lib/dns/lib.c
+++ b/bind/bind9/lib/dns/lib.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/lib/dns/log.c b/bind/bind9/lib/dns/log.c
index fb1da41c..31d099e1 100644
--- a/bind/bind9/lib/dns/log.c
+++ b/bind/bind9/lib/dns/log.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/lookup.c b/bind/bind9/lib/dns/lookup.c
index acd9c344..43a7ec76 100644
--- a/bind/bind9/lib/dns/lookup.c
+++ b/bind/bind9/lib/dns/lookup.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/master.c b/bind/bind9/lib/dns/master.c
index 2a87bca3..7d26b810 100644
--- a/bind/bind9/lib/dns/master.c
+++ b/bind/bind9/lib/dns/master.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -666,9 +666,9 @@ nibbles(char *numbuf, size_t length, unsigned int width, char mode, int value) {
 			width--;
 		count++;
 		/*
-		 * If width is non zero then we need to add a label seperator.
+		 * If width is non zero then we need to add a label separator.
 		 * If value is non zero then we need to add another label and
-		 * that requires a label seperator.
+		 * that requires a label separator.
 		 */
 		if (width > 0 || value != 0) {
 			if (length > 0U) {
@@ -3088,7 +3088,9 @@ resign_fromlist(dns_rdatalist_t *this, dns_loadctx_t *lctx) {
 	else
 		when = sig.timeexpire - lctx->resign;
 
+	/* cppcheck-suppress nullPointerRedundantCheck */
 	rdata = ISC_LIST_NEXT(rdata, link);
+	/* cppcheck-suppress nullPointerRedundantCheck */
 	while (rdata != NULL) {
 		(void)dns_rdata_tostruct(rdata, &sig, NULL);
 		if (isc_serial_gt(sig.timesigned, lctx->now))
@@ -3203,8 +3205,9 @@ load_quantum(isc_task_t *task, isc_event_t *event) {
 	dns_loadctx_t *lctx;
 
 	REQUIRE(event != NULL);
+	REQUIRE(DNS_LCTX_VALID(event->ev_arg));
+
 	lctx = event->ev_arg;
-	REQUIRE(DNS_LCTX_VALID(lctx));
 
 	if (lctx->canceled)
 		result = ISC_R_CANCELED;
diff --git a/bind/bind9/lib/dns/masterdump.c b/bind/bind9/lib/dns/masterdump.c
index 13d1a3e0..fa839a0e 100644
--- a/bind/bind9/lib/dns/masterdump.c
+++ b/bind/bind9/lib/dns/masterdump.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/message.c b/bind/bind9/lib/dns/message.c
index 70733ab1..2812ab5a 100644
--- a/bind/bind9/lib/dns/message.c
+++ b/bind/bind9/lib/dns/message.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -23,7 +23,9 @@
 #include <isc/buffer.h>
 #include <isc/mem.h>
 #include <isc/print.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/refcount.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/utf8.h>
 #include <isc/util.h>
 
 #include <dns/dnssec.h>
@@ -144,6 +146,32 @@ static const char *opcodetext[] = {
 	"RESERVED15"
 };
 
+static const char *edetext[] = { "Other",
+				 "Unsupported DNSKEY Algorithm",
+				 "Unsupported DS Digest Type",
+				 "Stale Answer",
+				 "Forged Answer",
+				 "DNSSEC Indeterminate",
+				 "DNSSEC Bogus",
+				 "Signature Expired",
+				 "Signature Not Yet Valid",
+				 "DNSKEY Missing",
+				 "RRSIGs Missing",
+				 "No Zone Key Bit Set",
+				 "NSEC Missing",
+				 "Cached Error",
+				 "Not Ready",
+				 "Blocked",
+				 "Censored",
+				 "Filtered",
+				 "Prohibited",
+				 "Stale NXDOMAIN Answer",
+				 "Not Authoritative",
+				 "Not Supported",
+				 "No Reachable Authority",
+				 "Network Error",
+				 "Invalid Data" };
+
 /*%
  * "helper" type, which consists of a block of some type, and is linkable.
  * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
@@ -427,6 +455,8 @@ msginit(dns_message_t *m) {
 	m->tkey = 0;
 	m->rdclass_set = 0;
 	m->querytsig = NULL;
+	m->indent.string = dns_master_indentstr;
+	m->indent.count = dns_master_indent;
 }
 
 static inline void
@@ -525,7 +555,7 @@ msgresetsigs(dns_message_t *msg, bool replying) {
 
 /*
  * Free all but one (or everything) for this message.  This is used by
- * both dns_message_reset() and dns_message_destroy().
+ * both dns_message_reset() and dns__message_destroy().
  */
 static void
 msgreset(dns_message_t *msg, bool everything) {
@@ -765,6 +795,8 @@ dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
 
 	m->cctx = NULL;
 
+	isc_refcount_init(&m->refcount, 1);
+
 	*msgp = m;
 	return (ISC_R_SUCCESS);
 
@@ -797,23 +829,40 @@ dns_message_reset(dns_message_t *msg, unsigned int intent) {
 	msg->from_to_wire = intent;
 }
 
-void
-dns_message_destroy(dns_message_t **msgp) {
-	dns_message_t *msg;
-
-	REQUIRE(msgp != NULL);
-	REQUIRE(DNS_MESSAGE_VALID(*msgp));
-
-	msg = *msgp;
-	*msgp = NULL;
+static void
+dns__message_destroy(dns_message_t *msg) {
+	REQUIRE(msg != NULL);
+	REQUIRE(DNS_MESSAGE_VALID(msg));
 
 	msgreset(msg, true);
 	isc_mempool_destroy(&msg->namepool);
 	isc_mempool_destroy(&msg->rdspool);
+	isc_refcount_destroy(&msg->refcount);
 	msg->magic = 0;
 	isc_mem_putanddetach(&msg->mctx, msg, sizeof(dns_message_t));
 }
 
+void
+dns_message_attach(dns_message_t *source, dns_message_t **target) {
+	REQUIRE(DNS_MESSAGE_VALID(source));
+
+	isc_refcount_increment(&source->refcount, NULL);
+	*target = source;
+}
+
+void
+dns_message_detach(dns_message_t **messagep) {
+	REQUIRE(messagep != NULL && DNS_MESSAGE_VALID(*messagep));
+	dns_message_t *msg = *messagep;
+	*messagep = NULL;
+	int32_t refs;
+
+	isc_refcount_decrement(&msg->refcount, &refs);
+	if (refs == 0) {
+		dns__message_destroy(msg);
+	}
+}
+
 static isc_result_t
 findname(dns_name_t **foundname, dns_name_t *target,
 	 dns_namelist_t *section)
@@ -1685,6 +1734,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 	msg->header_ok = 0;
 	msg->question_ok = 0;
 
+	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
+		isc_buffer_usedregion(&origsource, &msg->saved);
+	} else {
+		msg->saved.length = isc_buffer_usedlength(&origsource);
+		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+		if (msg->saved.base == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		memmove(msg->saved.base, isc_buffer_base(&origsource),
+			msg->saved.length);
+		msg->free_saved = 1;
+	}
+
 	isc_buffer_remainingregion(source, &r);
 	if (r.length < DNS_MESSAGE_HEADERLEN)
 		return (ISC_R_UNEXPECTEDEND);
@@ -1760,17 +1822,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 	}
 
  truncated:
-	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
-		isc_buffer_usedregion(&origsource, &msg->saved);
-	else {
-		msg->saved.length = isc_buffer_usedlength(&origsource);
-		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
-		if (msg->saved.base == NULL)
-			return (ISC_R_NOMEMORY);
-		memmove(msg->saved.base, isc_buffer_base(&origsource),
-			msg->saved.length);
-		msg->free_saved = 1;
-	}
 
 	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
 		return (DNS_R_RECOVERABLE);
@@ -2289,10 +2340,11 @@ dns_message_renderend(dns_message_t *msg) {
 		dns_message_renderrelease(msg, msg->opt_reserved);
 		msg->opt_reserved = 0;
 		/*
-		 * Set the extended rcode.
+		 * Set the extended rcode.  Cast msg->rcode to dns_ttl_t
+		 * so that we do a unsigned shift.
 		 */
 		msg->opt->ttl &= ~DNS_MESSAGE_EDNSRCODE_MASK;
-		msg->opt->ttl |= ((msg->rcode << 20) &
+		msg->opt->ttl |= (((dns_ttl_t)(msg->rcode) << 20) &
 				  DNS_MESSAGE_EDNSRCODE_MASK);
 		/*
 		 * Render.
@@ -3268,8 +3320,8 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
 		if ((__flags & DNS_STYLEFLAG_INDENT) == 0ULL && \
 		    (__flags & DNS_STYLEFLAG_YAML) == 0ULL) \
 			break; \
-		for (__i = 0; __i < dns_master_indent; __i++) { \
-			ADD_STRING(target, dns_master_indentstr); \
+		for (__i = 0; __i < msg->indent.count; __i++) { \
+			ADD_STRING(target, msg->indent.string); \
 		} \
 	} while (0)
 
@@ -3289,7 +3341,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
 	REQUIRE(target != NULL);
 	REQUIRE(VALID_SECTION(section));
 
-	saveindent = dns_master_indent;
+	saveindent = msg->indent.count;
 	sflags = dns_master_styleflags(style);
 	if (ISC_LIST_EMPTY(msg->sections[section]))
 		goto cleanup;
@@ -3319,7 +3371,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
 		goto cleanup;
 	}
 	if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
-		dns_master_indent++;
+		msg->indent.count++;
 	}
 	do {
 		name = NULL;
@@ -3359,7 +3411,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
 		result = dns_message_nextname(msg, section);
 	} while (result == ISC_R_SUCCESS);
 	if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
-		dns_master_indent--;
+		msg->indent.count--;
 	}
 	if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
 	    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0 &&
@@ -3372,7 +3424,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
 		result = ISC_R_SUCCESS;
 
  cleanup:
-	dns_master_indent = saveindent;
+	msg->indent.count = saveindent;
 	return (result);
 }
 
@@ -3489,7 +3541,8 @@ dns_message_pseudosectiontoyaml(dns_message_t *msg,
 	isc_buffer_t optbuf;
 	uint16_t optcode, optlen;
 	unsigned char *optdata;
-	unsigned int saveindent = dns_master_indent;
+	unsigned int saveindent = msg->indent.count;
+	unsigned int optindent;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(target != NULL);
@@ -3504,11 +3557,11 @@ dns_message_pseudosectiontoyaml(dns_message_t *msg,
 
 		INDENT(style);
 		ADD_STRING(target, "OPT_PSEUDOSECTION:\n");
-		dns_master_indent++;
+		msg->indent.count++;
 
 		INDENT(style);
 		ADD_STRING(target, "EDNS:\n");
-		dns_master_indent++;
+		msg->indent.count++;
 
 		INDENT(style);
 		ADD_STRING(target, "version: ");
@@ -3544,7 +3597,7 @@ dns_message_pseudosectiontoyaml(dns_message_t *msg,
 		 * Print EDNS info, if any.
 		 *
 		 * WARNING: The option contents may be malformed as
-		 * dig +ednsopt=value:<content> does not validity
+		 * dig +ednsopt=value:<content> does not perform validity
 		 * checking.
 		 */
 		dns_rdata_init(&rdata);
@@ -3552,7 +3605,10 @@ dns_message_pseudosectiontoyaml(dns_message_t *msg,
 
 		isc_buffer_init(&optbuf, rdata.data, rdata.length);
 		isc_buffer_add(&optbuf, rdata.length);
+		optindent = msg->indent.count;
 		while (isc_buffer_remaininglength(&optbuf) != 0) {
+			bool extra_text = false;
+			msg->indent.count = optindent;
 			INSIST(isc_buffer_remaininglength(&optbuf) >= 4U);
 			optcode = isc_buffer_getuint16(&optbuf);
 			optlen = isc_buffer_getuint16(&optbuf);
@@ -3632,6 +3688,33 @@ dns_message_pseudosectiontoyaml(dns_message_t *msg,
 					ADD_STRING(target, "\n");
 					continue;
 				}
+			} else if (optcode == DNS_OPT_EDE) {
+				INDENT(style);
+				ADD_STRING(target, "EDE");
+				if (optlen >= 2U) {
+					uint16_t ede;
+					ADD_STRING(target, ":\n");
+					msg->indent.count++;
+					INDENT(style);
+					ADD_STRING(target, "INFO-CODE:");
+					ede = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), " %u", ede);
+					ADD_STRING(target, buf);
+					if (ede < ARRAY_SIZE(edetext)) {
+						ADD_STRING(target, " (");
+						ADD_STRING(target,
+							   edetext[ede]);
+						ADD_STRING(target, ")");
+					}
+					ADD_STRING(target, "\n");
+					optlen -= 2;
+					if (optlen != 0) {
+						INDENT(style);
+						ADD_STRING(target,
+							   "EXTRA-TEXT");
+						extra_text = true;
+					}
+				}
 			} else if (optcode == DNS_OPT_CLIENT_TAG) {
 				uint16_t id;
 				INDENT(style);
@@ -3668,22 +3751,31 @@ dns_message_pseudosectiontoyaml(dns_message_t *msg,
 
 			if (optlen != 0) {
 				int i;
+				bool utf8ok = false;
+
 				ADD_STRING(target, ": ");
 
 				optdata = isc_buffer_current(&optbuf);
-				for (i = 0; i < optlen; i++) {
-					const char *sep;
-					switch (optcode) {
-					case DNS_OPT_COOKIE:
-						sep = "";
-						break;
-					default:
-						sep = " ";
-						break;
+				if (extra_text) {
+					utf8ok = isc_utf8_valid(optdata,
+								optlen);
+				}
+				if (!utf8ok) {
+					for (i = 0; i < optlen; i++) {
+						const char *sep;
+						switch (optcode) {
+						case DNS_OPT_COOKIE:
+							sep = "";
+							break;
+						default:
+							sep = " ";
+							break;
+						}
+						snprintf(buf, sizeof(buf),
+							 "%02x%s", optdata[i],
+							 sep);
+						ADD_STRING(target, buf);
 					}
-					snprintf(buf, sizeof(buf), "%02x%s",
-						 optdata[i], sep);
-					ADD_STRING(target, buf);
 				}
 
 				isc_buffer_forward(&optbuf, optlen);
@@ -3719,24 +3811,34 @@ dns_message_pseudosectiontoyaml(dns_message_t *msg,
 				 * For non-COOKIE options, add a printable
 				 * version
 				 */
-				ADD_STRING(target, "(\"");
+				if (!extra_text) {
+					ADD_STRING(target, "(\"");
+				} else {
+					ADD_STRING(target, "\"");
+				}
 				if (isc_buffer_availablelength(target) < optlen)
 				{
 					result = ISC_R_NOSPACE;
 					goto cleanup;
 				}
 				for (i = 0; i < optlen; i++) {
-					if (isprint(optdata[i]))
-						isc_buffer_putmem(target,
-								  &optdata[i],
-								  1);
-					else
+					if (isprint(optdata[i]) ||
+					    (utf8ok && optdata[i] > 127)) {
+						isc_buffer_putmem(
+							target, &optdata[i], 1);
+					} else {
 						isc_buffer_putstr(target, ".");
+					}
+				}
+				if (!extra_text) {
+					ADD_STRING(target, "\")");
+				} else {
+					ADD_STRING(target, "\"");
 				}
-				ADD_STRING(target, "\")");
 			}
 			ADD_STRING(target, "\n");
 		}
+		msg->indent.count = optindent;
 		result = ISC_R_SUCCESS;
 		goto cleanup;
 	case DNS_PSEUDOSECTION_TSIG:
@@ -3768,7 +3870,7 @@ dns_message_pseudosectiontoyaml(dns_message_t *msg,
 	result = ISC_R_UNEXPECTED;
 
  cleanup:
-	dns_master_indent = saveindent;
+	msg->indent.count = saveindent;
 	return (result);
 }
 
@@ -3782,7 +3884,7 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 	dns_rdataset_t *ps = NULL;
 	dns_name_t *name = NULL;
 	isc_result_t result;
-	char buf[sizeof("1234567890")];
+	char buf[sizeof("1234567890 ")];
 	uint32_t mbz;
 	dns_rdata_t rdata;
 	isc_buffer_t optbuf;
@@ -3916,6 +4018,33 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 					ADD_STRING(target, "\n");
 					continue;
 				}
+			} else if (optcode == DNS_OPT_EDE) {
+				ADD_STRING(target, "; EDE");
+				if (optlen >= 2U) {
+					uint16_t ede;
+					ede = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), ": %u", ede);
+					ADD_STRING(target, buf);
+					if (ede < ARRAY_SIZE(edetext)) {
+						ADD_STRING(target, " (");
+						ADD_STRING(target,
+							   edetext[ede]);
+						ADD_STRING(target, ")");
+					}
+					optlen -= 2;
+				} else if (optlen == 1U) {
+					/* Malformed */
+					optdata = isc_buffer_current(&optbuf);
+					snprintf(buf, sizeof(buf),
+						 ": %02x (\"%c\")\n",
+						 optdata[0],
+						 isprint(optdata[0])
+							 ? optdata[0]
+							 : '.');
+					isc_buffer_forward(&optbuf, optlen);
+					ADD_STRING(target, buf);
+					continue;
+				}
 			} else if (optcode == DNS_OPT_CLIENT_TAG) {
 				uint16_t id;
 				ADD_STRING(target, "; CLIENT-TAG");
@@ -3948,22 +4077,30 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 
 			if (optlen != 0) {
 				int i;
+				bool utf8ok = false;
 				ADD_STRING(target, ": ");
 
 				optdata = isc_buffer_current(&optbuf);
-				for (i = 0; i < optlen; i++) {
-					const char *sep;
-					switch (optcode) {
-					case DNS_OPT_COOKIE:
-						sep = "";
-						break;
-					default:
-						sep = " ";
-						break;
+				if (optcode == DNS_OPT_EDE) {
+					utf8ok = isc_utf8_valid(optdata,
+								optlen);
+				}
+				if (!utf8ok) {
+					for (i = 0; i < optlen; i++) {
+						const char *sep;
+						switch (optcode) {
+						case DNS_OPT_COOKIE:
+							sep = "";
+							break;
+						default:
+							sep = " ";
+							break;
+						}
+						snprintf(buf, sizeof(buf),
+							 "%02x%s", optdata[i],
+							 sep);
+						ADD_STRING(target, buf);
 					}
-					snprintf(buf, sizeof(buf), "%02x%s",
-						 optdata[i], sep);
-					ADD_STRING(target, buf);
 				}
 
 				isc_buffer_forward(&optbuf, optlen);
@@ -3997,20 +4134,29 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 
 				/*
 				 * For non-COOKIE options, add a printable
-				 * version
+				 * version.
 				 */
-				ADD_STRING(target, "(\"");
+				if (optcode != DNS_OPT_EDE) {
+					ADD_STRING(target, "(\"");
+				} else {
+					ADD_STRING(target, "(");
+				}
 				if (isc_buffer_availablelength(target) < optlen)
 					return (ISC_R_NOSPACE);
 				for (i = 0; i < optlen; i++) {
-					if (isprint(optdata[i]))
-						isc_buffer_putmem(target,
-								  &optdata[i],
-								  1);
-					else
+					if (isprint(optdata[i]) ||
+					    (utf8ok && optdata[i] > 127)) {
+						isc_buffer_putmem(
+							target, &optdata[i], 1);
+					} else {
 						isc_buffer_putstr(target, ".");
+					}
+				}
+				if (optcode != DNS_OPT_EDE) {
+					ADD_STRING(target, "\")");
+				} else {
+					ADD_STRING(target, ")");
 				}
-				ADD_STRING(target, "\")");
 			}
 			ADD_STRING(target, "\n");
 		}
diff --git a/bind/bind9/lib/dns/name.c b/bind/bind9/lib/dns/name.c
index 6bb213a4..9713cf5f 100644
--- a/bind/bind9/lib/dns/name.c
+++ b/bind/bind9/lib/dns/name.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1280,6 +1280,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 			return (ISC_R_UNEXPECTEDEND);
 		if (state == ft_ordinary) {
 			INSIST(count != 0);
+			INSIST(label != NULL);
 			*label = count;
 			labels++;
 			INSIST(labels <= 127);
diff --git a/bind/bind9/lib/dns/ncache.c b/bind/bind9/lib/dns/ncache.c
index d71f0d8f..7d417716 100644
--- a/bind/bind9/lib/dns/ncache.c
+++ b/bind/bind9/lib/dns/ncache.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/nsec.c b/bind/bind9/lib/dns/nsec.c
index c8a203ff..d90c3858 100644
--- a/bind/bind9/lib/dns/nsec.c
+++ b/bind/bind9/lib/dns/nsec.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/nsec3.c b/bind/bind9/lib/dns/nsec3.c
index 6ae7ca85..cdb82454 100644
--- a/bind/bind9/lib/dns/nsec3.c
+++ b/bind/bind9/lib/dns/nsec3.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1774,72 +1774,10 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
 	return (result);
 }
 
-isc_result_t
-dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
-			isc_mem_t *mctx, unsigned int *iterationsp)
+unsigned int
+dns_nsec3_maxiterations(void)
 {
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dst_key_t *key = NULL;
-	isc_buffer_t buffer;
-	isc_result_t result;
-	unsigned int bits, minbits = 4096;
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
-				     0, 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-	if (result == ISC_R_NOTFOUND) {
-		*iterationsp = 0;
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &rdata);
-
-		REQUIRE(rdata.type == dns_rdatatype_key ||
-			rdata.type == dns_rdatatype_dnskey);
-		REQUIRE(rdata.length > 3);
-
-		/* Skip unsupported algorithms when
-		 * calculating the maximum iterations.
-		 */
-		if (!dst_algorithm_supported(rdata.data[3]))
-			continue;
-
-		isc_buffer_init(&buffer, rdata.data, rdata.length);
-		isc_buffer_add(&buffer, rdata.length);
-		CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
-				      &buffer, mctx, &key));
-		bits = dst_key_size(key);
-		dst_key_free(&key);
-		if (minbits > bits)
-			minbits = bits;
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
-	if (minbits <= 1024)
-		*iterationsp = 150;
-	else if (minbits <= 2048)
-		*iterationsp = 500;
-	else
-		*iterationsp = 2500;
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (result);
+	return (DNS_NSEC3_MAXITERATIONS);
 }
 
 isc_result_t
@@ -1974,6 +1912,13 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
 	first = true;
 
 	while (qlabels >= zlabels) {
+		/*
+		 * If there are too many iterations reject the NSEC3 record.
+		 */
+		if (nsec3.iterations > DNS_NSEC3_MAXITERATIONS) {
+			return (DNS_R_NSEC3ITERRANGE);
+		}
+
 		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
 					   nsec3.salt, nsec3.salt_length,
 					   qname->ndata, qname->length);
diff --git a/bind/bind9/lib/dns/nta.c b/bind/bind9/lib/dns/nta.c
index 7c790db2..73febe44 100644
--- a/bind/bind9/lib/dns/nta.c
+++ b/bind/bind9/lib/dns/nta.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -132,6 +132,7 @@ dns_ntatable_create(dns_view_t *view,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_rbt;
 
+	ntatable->shuttingdown = false;
 	ntatable->timermgr = timermgr;
 	ntatable->taskmgr = taskmgr;
 
@@ -248,27 +249,31 @@ fetch_done(isc_task_t *task, isc_event_t *event) {
 		(void) isc_timer_reset(nta->timer, isc_timertype_inactive,
 				       NULL, NULL, true);
 	nta_detach(view->mctx, &nta);
+	dns_view_weakdetach(&view);
 }
 
 static void
 checkbogus(isc_task_t *task, isc_event_t *event) {
 	dns_nta_t *nta = event->ev_arg;
 	dns_ntatable_t *ntatable = nta->ntatable;
-	dns_view_t *view = ntatable->view;
+	dns_view_t *view = NULL;
 	isc_result_t result;
 
 	if (nta->fetch != NULL) {
 		dns_resolver_cancelfetch(nta->fetch);
 		nta->fetch = NULL;
 	}
-	if (dns_rdataset_isassociated(&nta->rdataset))
+	if (dns_rdataset_isassociated(&nta->rdataset)) {
 		dns_rdataset_disassociate(&nta->rdataset);
-	if (dns_rdataset_isassociated(&nta->sigrdataset))
+	}
+	if (dns_rdataset_isassociated(&nta->sigrdataset)) {
 		dns_rdataset_disassociate(&nta->sigrdataset);
+	}
 
 	isc_event_free(&event);
 
 	nta_ref(nta);
+	dns_view_weakattach(ntatable->view, &view);
 	result = dns_resolver_createfetch(view->resolver, nta->name,
 					  dns_rdatatype_nsec,
 					  NULL, NULL, NULL,
@@ -277,8 +282,10 @@ checkbogus(isc_task_t *task, isc_event_t *event) {
 					  &nta->rdataset,
 					  &nta->sigrdataset,
 					  &nta->fetch);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		nta_detach(view->mctx, &nta);
+		dns_view_weakdetach(&view);
+	}
 }
 
 static isc_result_t
@@ -342,11 +349,10 @@ nta_create(dns_ntatable_t *ntatable, dns_name_t *name, dns_nta_t **target) {
 }
 
 isc_result_t
-dns_ntatable_add(dns_ntatable_t *ntatable, dns_name_t *name,
-		 bool force, isc_stdtime_t now,
-		 uint32_t lifetime)
+dns_ntatable_add(dns_ntatable_t *ntatable, dns_name_t *name, bool force,
+		 isc_stdtime_t now, uint32_t lifetime)
 {
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 	dns_nta_t *nta = NULL;
 	dns_rbtnode_t *node;
 	dns_view_t *view;
@@ -355,27 +361,34 @@ dns_ntatable_add(dns_ntatable_t *ntatable, dns_name_t *name,
 
 	view = ntatable->view;
 
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+
+	if (ntatable->shuttingdown) {
+		goto unlock;
+	}
+
 	result = nta_create(ntatable, name, &nta);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	if (result != ISC_R_SUCCESS) {
+		goto unlock;
+	}
 
 	nta->expiry = now + lifetime;
 	nta->forced = force;
 
-	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
-
 	node = NULL;
 	result = dns_rbt_addnode(ntatable->table, name, &node);
 	if (result == ISC_R_SUCCESS) {
-		if (!force)
+		if (!force) {
 			(void)settimer(ntatable, nta, lifetime);
+		}
 		node->data = nta;
 		nta = NULL;
 	} else if (result == ISC_R_EXISTS) {
 		dns_nta_t *n = node->data;
 		if (n == NULL) {
-			if (!force)
+			if (!force) {
 				(void)settimer(ntatable, nta, lifetime);
+			}
 			node->data = nta;
 			nta = NULL;
 		} else {
@@ -385,10 +398,12 @@ dns_ntatable_add(dns_ntatable_t *ntatable, dns_name_t *name,
 		result = ISC_R_SUCCESS;
 	}
 
+unlock:
 	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
 
-	if (nta != NULL)
+	if (nta != NULL) {
 		nta_detach(view->mctx, &nta);
+	}
 
 	return (result);
 }
@@ -720,3 +735,33 @@ dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
 	else
 		return (written ? ISC_R_SUCCESS : ISC_R_NOTFOUND);
 }
+
+void
+dns_ntatable_shutdown(dns_ntatable_t *ntatable) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+	ntatable->shuttingdown = true;
+
+	dns_rbtnodechain_init(&chain, ntatable->view->mctx);
+	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
+	while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (node->data != NULL) {
+			dns_nta_t *nta = (dns_nta_t *)node->data;
+			if (nta->timer != NULL) {
+				(void)isc_timer_reset(nta->timer,
+						      isc_timertype_inactive,
+						      NULL, NULL, true);
+			}
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+}
diff --git a/bind/bind9/lib/dns/openssl_link.c b/bind/bind9/lib/dns/openssl_link.c
index 13e838f8..1e57c71e 100644
--- a/bind/bind9/lib/dns/openssl_link.c
+++ b/bind/bind9/lib/dns/openssl_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/openssldh_link.c b/bind/bind9/lib/dns/openssldh_link.c
index 30de3431..eb042cef 100644
--- a/bind/bind9/lib/dns/openssldh_link.c
+++ b/bind/bind9/lib/dns/openssldh_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/openssldsa_link.c b/bind/bind9/lib/dns/openssldsa_link.c
index 8abf4bb0..2420d0fc 100644
--- a/bind/bind9/lib/dns/openssldsa_link.c
+++ b/bind/bind9/lib/dns/openssldsa_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/opensslecdsa_link.c b/bind/bind9/lib/dns/opensslecdsa_link.c
index e9ea5ead..83b5b51c 100644
--- a/bind/bind9/lib/dns/opensslecdsa_link.c
+++ b/bind/bind9/lib/dns/opensslecdsa_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/openssleddsa_link.c b/bind/bind9/lib/dns/openssleddsa_link.c
index a0912135..8b115ec2 100644
--- a/bind/bind9/lib/dns/openssleddsa_link.c
+++ b/bind/bind9/lib/dns/openssleddsa_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -425,7 +425,6 @@ static bool
 openssleddsa_isprivate(const dst_key_t *key) {
 	EVP_PKEY *pkey = key->keydata.pkey;
 	int len;
-	unsigned long err;
 
 	if (pkey == NULL)
 		return (false);
@@ -434,8 +433,9 @@ openssleddsa_isprivate(const dst_key_t *key) {
 	if (len > 0)
 		return (true);
 	/* can check if first error is EC_R_INVALID_PRIVATE_KEY */
-	while ((err = ERR_get_error()) != 0)
+	while (ERR_get_error() != 0) {
 		/**/;
+	}
 
 	return (false);
 }
diff --git a/bind/bind9/lib/dns/opensslgost_link.c b/bind/bind9/lib/dns/opensslgost_link.c
index 481b91c9..2cd90bbf 100644
--- a/bind/bind9/lib/dns/opensslgost_link.c
+++ b/bind/bind9/lib/dns/opensslgost_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/opensslrsa_link.c b/bind/bind9/lib/dns/opensslrsa_link.c
index ec35f50d..19f9056a 100644
--- a/bind/bind9/lib/dns/opensslrsa_link.c
+++ b/bind/bind9/lib/dns/opensslrsa_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1703,56 +1703,52 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	isc_result_t ret;
 	EVP_PKEY *pkey = NULL;
 	RSA *rsa = NULL, *pubrsa = NULL;
-	char *colon, *tmpengine = NULL;
 	const BIGNUM *ex = NULL;
 
 	UNUSED(pin);
 
 	if (engine == NULL) {
-		if (strchr(label, ':') == NULL)
-			DST_RET(DST_R_NOENGINE);
-		tmpengine = isc_mem_strdup(key->mctx, label);
-		if (tmpengine == NULL)
-			DST_RET(ISC_R_NOMEMORY);
-		colon = strchr(tmpengine, ':');
-		INSIST(colon != NULL);
-		*colon = '\0';
+		DST_RET(DST_R_NOENGINE);
 	}
 	e = dst__openssl_getengine(engine);
-	if (e == NULL)
+	if (e == NULL) {
 		DST_RET(DST_R_NOENGINE);
+	}
 	pkey = ENGINE_load_public_key(e, label, NULL, NULL);
 	if (pkey != NULL) {
 		pubrsa = EVP_PKEY_get1_RSA(pkey);
 		EVP_PKEY_free(pkey);
-		if (pubrsa == NULL)
+		if (pubrsa == NULL) {
 			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		}
 	}
 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
-	if (pkey == NULL)
+	if (pkey == NULL) {
 		DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
 					       ISC_R_NOTFOUND));
-	if (tmpengine != NULL) {
-		key->engine = tmpengine;
-		tmpengine = NULL;
-	} else {
-		key->engine = isc_mem_strdup(key->mctx, engine);
-		if (key->engine == NULL)
-			DST_RET(ISC_R_NOMEMORY);
+	}
+	key->engine = isc_mem_strdup(key->mctx, engine);
+	if (key->engine == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
 	}
 	key->label = isc_mem_strdup(key->mctx, label);
-	if (key->label == NULL)
+	if (key->label == NULL) {
 		DST_RET(ISC_R_NOMEMORY);
+	}
 	rsa = EVP_PKEY_get1_RSA(pkey);
-	if (rsa == NULL)
+	if (rsa == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+	}
+	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
 		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
 	RSA_get0_key(rsa, NULL, &ex, NULL);
-	if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
+	if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
 		DST_RET(ISC_R_RANGE);
-	if (pubrsa != NULL)
+	}
+	if (pubrsa != NULL) {
 		RSA_free(pubrsa);
+	}
 	key->key_size = EVP_PKEY_bits(pkey);
 #if USE_EVP
 	key->keydata.pkey = pkey;
@@ -1764,8 +1760,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	return (ISC_R_SUCCESS);
 
  err:
-	if (tmpengine != NULL)
-		isc_mem_free(key->mctx, tmpengine);
 	if (rsa != NULL)
 		RSA_free(rsa);
 	if (pubrsa != NULL)
diff --git a/bind/bind9/lib/dns/order.c b/bind/bind9/lib/dns/order.c
index 6ffc4a0f..1d7a37ef 100644
--- a/bind/bind9/lib/dns/order.c
+++ b/bind/bind9/lib/dns/order.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: order.c,v 1.10 2007/06/19 23:47:16 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/lib/dns/peer.c b/bind/bind9/lib/dns/peer.c
index 93ea98e9..0867febe 100644
--- a/bind/bind9/lib/dns/peer.c
+++ b/bind/bind9/lib/dns/peer.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: peer.c,v 1.33 2009/09/02 23:48:02 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
diff --git a/bind/bind9/lib/dns/pkcs11.c b/bind/bind9/lib/dns/pkcs11.c
index 5a2c5020..6b303092 100644
--- a/bind/bind9/lib/dns/pkcs11.c
+++ b/bind/bind9/lib/dns/pkcs11.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/pkcs11dh_link.c b/bind/bind9/lib/dns/pkcs11dh_link.c
index e2b60ea7..fb0a12fb 100644
--- a/bind/bind9/lib/dns/pkcs11dh_link.c
+++ b/bind/bind9/lib/dns/pkcs11dh_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
 	CK_ATTRIBUTE *attr;
 	int special = 0;
+	unsigned int bits;
 	isc_result_t result;
 
 	isc_buffer_remainingregion(data, &r);
@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	pub = r.base;
 	isc_region_consume(&r, publen);
 
-	key->key_size = pk11_numbits(prime, plen_);
+	result = pk11_numbits(prime, plen_, &bits);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	key->key_size = bits;
 
 	dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
 	if (dh->repr == NULL)
@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
+	unsigned int bits;
 	pk11_object_t *dh = NULL;
 	CK_ATTRIBUTE *attr;
 	isc_mem_t *mctx;
@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 	attr = pk11_attribute_bytype(dh, CKA_PRIME);
 	INSIST(attr != NULL);
-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
 
 	return (ISC_R_SUCCESS);
 
diff --git a/bind/bind9/lib/dns/pkcs11dsa_link.c b/bind/bind9/lib/dns/pkcs11dsa_link.c
index 12d707a1..6d60e55a 100644
--- a/bind/bind9/lib/dns/pkcs11dsa_link.c
+++ b/bind/bind9/lib/dns/pkcs11dsa_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
+	unsigned int bits;
 	pk11_object_t *dsa = NULL;
 	CK_ATTRIBUTE *attr;
 	isc_mem_t *mctx = key->mctx;
@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 	attr = pk11_attribute_bytype(dsa, CKA_PRIME);
 	INSIST(attr != NULL);
-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
 
 	return (ISC_R_SUCCESS);
 
diff --git a/bind/bind9/lib/dns/pkcs11ecdsa_link.c b/bind/bind9/lib/dns/pkcs11ecdsa_link.c
index e2e09c0a..28f37615 100644
--- a/bind/bind9/lib/dns/pkcs11ecdsa_link.c
+++ b/bind/bind9/lib/dns/pkcs11ecdsa_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/pkcs11eddsa_link.c b/bind/bind9/lib/dns/pkcs11eddsa_link.c
index 015d0e86..8189980a 100644
--- a/bind/bind9/lib/dns/pkcs11eddsa_link.c
+++ b/bind/bind9/lib/dns/pkcs11eddsa_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/pkcs11gost_link.c b/bind/bind9/lib/dns/pkcs11gost_link.c
index b5c98f40..eb7c83fb 100644
--- a/bind/bind9/lib/dns/pkcs11gost_link.c
+++ b/bind/bind9/lib/dns/pkcs11gost_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/pkcs11rsa_link.c b/bind/bind9/lib/dns/pkcs11rsa_link.c
index 096c1a8e..fd6ec0a9 100644
--- a/bind/bind9/lib/dns/pkcs11rsa_link.c
+++ b/bind/bind9/lib/dns/pkcs11rsa_link.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -332,6 +332,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
 		key->key_alg == DST_ALG_RSASHA256 ||
 		key->key_alg == DST_ALG_RSASHA512);
 #endif
+	REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
 
 	/*
 	 * Reject incorrect RSA key lengths.
@@ -376,6 +377,9 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
 	for (attr = pk11_attribute_first(rsa);
 	     attr != NULL;
 	     attr = pk11_attribute_next(rsa, attr))
+	{
+		unsigned int bits;
+
 		switch (attr->type) {
 		case CKA_MODULUS:
 			INSIST(keyTemplate[5].type == attr->type);
@@ -396,12 +400,15 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
 			memmove(keyTemplate[6].pValue, attr->pValue,
 				attr->ulValueLen);
 			keyTemplate[6].ulValueLen = attr->ulValueLen;
-			if (pk11_numbits(attr->pValue,
-					 attr->ulValueLen) > maxbits &&
-			    maxbits != 0)
+			ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+					   &bits);
+			if (ret != ISC_R_SUCCESS ||
+			    (bits > maxbits && maxbits != 0)) {
 				DST_RET(DST_R_VERIFYFAILURE);
+			}
 			break;
 		}
+	}
 	pk11_ctx->object = CK_INVALID_HANDLE;
 	pk11_ctx->ontoken = false;
 	PK11_RET(pkcs_C_CreateObject,
@@ -1060,6 +1067,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	for (attr = pk11_attribute_first(rsa);
 	     attr != NULL;
 	     attr = pk11_attribute_next(rsa, attr))
+	{
+		unsigned int bits;
+
 		switch (attr->type) {
 		case CKA_MODULUS:
 			INSIST(keyTemplate[5].type == attr->type);
@@ -1080,12 +1090,15 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 			memmove(keyTemplate[6].pValue, attr->pValue,
 				attr->ulValueLen);
 			keyTemplate[6].ulValueLen = attr->ulValueLen;
-			if (pk11_numbits(attr->pValue,
-					 attr->ulValueLen)
-				> RSA_MAX_PUBEXP_BITS)
+			ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+					   &bits);
+			if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
+			{
 				DST_RET(DST_R_VERIFYFAILURE);
+			}
 			break;
 		}
+	}
 	pk11_ctx->object = CK_INVALID_HANDLE;
 	pk11_ctx->ontoken = false;
 	PK11_RET(pkcs_C_CreateObject,
@@ -1461,6 +1474,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	CK_BYTE *exponent = NULL, *modulus = NULL;
 	CK_ATTRIBUTE *attr;
 	unsigned int length;
+	unsigned int bits;
+	isc_result_t ret = ISC_R_SUCCESS;
 
 	isc_buffer_remainingregion(data, &r);
 	if (r.length == 0)
@@ -1478,9 +1493,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	if (e_bytes == 0) {
 		if (r.length < 2) {
-			isc_safe_memwipe(rsa, sizeof(*rsa));
-			isc_mem_put(key->mctx, rsa, sizeof(*rsa));
-			return (DST_R_INVALIDPUBLICKEY);
+			DST_RET(DST_R_INVALIDPUBLICKEY);
 		}
 		e_bytes = (*r.base) << 8;
 		isc_region_consume(&r, 1);
@@ -1489,16 +1502,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	if (r.length < e_bytes) {
-		isc_safe_memwipe(rsa, sizeof(*rsa));
-		isc_mem_put(key->mctx, rsa, sizeof(*rsa));
-		return (DST_R_INVALIDPUBLICKEY);
+		DST_RET(DST_R_INVALIDPUBLICKEY);
 	}
 	exponent = r.base;
 	isc_region_consume(&r, e_bytes);
 	modulus = r.base;
 	mod_bytes = r.length;
 
-	key->key_size = pk11_numbits(modulus, mod_bytes);
+	ret = pk11_numbits(modulus, mod_bytes, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
 
 	isc_buffer_forward(data, length);
 
@@ -1548,9 +1563,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 			    rsa->repr,
 			    rsa->attrcnt * sizeof(*attr));
 	}
+	ret = ISC_R_NOMEMORY;
+
+    err:
 	isc_safe_memwipe(rsa, sizeof(*rsa));
 	isc_mem_put(key->mctx, rsa, sizeof(*rsa));
-	return (ISC_R_NOMEMORY);
+	return (ret);
 }
 
 static isc_result_t
@@ -1729,6 +1747,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
 	pk11_object_t *pubrsa;
 	pk11_context_t *pk11_ctx = NULL;
 	isc_result_t ret;
+	unsigned int bits;
 
 	if (label == NULL)
 		return (DST_R_NOENGINE);
@@ -1815,7 +1834,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
 
 	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
 	INSIST(attr != NULL);
-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
 
 	return (ISC_R_SUCCESS);
 
@@ -1901,6 +1924,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	CK_ATTRIBUTE *attr;
 	isc_mem_t *mctx = key->mctx;
 	const char *engine = NULL, *label = NULL;
+	unsigned int bits;
 
 	/* read private key file */
 	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
@@ -2044,12 +2068,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
 	INSIST(attr != NULL);
-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
 
 	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
 	INSIST(attr != NULL);
-	if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	if (bits > RSA_MAX_PUBEXP_BITS) {
 		DST_RET(ISC_R_RANGE);
+	}
 
 	dst__privstruct_free(&priv, mctx);
 	isc_safe_memwipe(&priv, sizeof(priv));
@@ -2084,6 +2118,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	pk11_context_t *pk11_ctx = NULL;
 	isc_result_t ret;
 	unsigned int i;
+	unsigned int bits;
 
 	UNUSED(pin);
 
@@ -2178,12 +2213,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 
 	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
 	INSIST(attr != NULL);
-	if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	if (bits > RSA_MAX_PUBEXP_BITS) {
 		DST_RET(ISC_R_RANGE);
+	}
 
 	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
 	INSIST(attr != NULL);
-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
 
 	pk11_return_session(pk11_ctx);
 	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
diff --git a/bind/bind9/lib/dns/portlist.c b/bind/bind9/lib/dns/portlist.c
index 7de71785..e34a6a94 100644
--- a/bind/bind9/lib/dns/portlist.c
+++ b/bind/bind9/lib/dns/portlist.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/private.c b/bind/bind9/lib/dns/private.c
index 9651381d..7b40a4f0 100644
--- a/bind/bind9/lib/dns/private.c
+++ b/bind/bind9/lib/dns/private.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rbt.c b/bind/bind9/lib/dns/rbt.c
index 8815b3eb..b9a35417 100644
--- a/bind/bind9/lib/dns/rbt.c
+++ b/bind/bind9/lib/dns/rbt.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -218,6 +218,9 @@ getdata(dns_rbtnode_t *node, file_header_t *header) {
 #define IS_ROOT(node)           ((node)->is_root == 1)
 #define FINDCALLBACK(node)      ((node)->find_callback == 1)
 
+#define WANTEMPTYDATA_OR_DATA(options, node)	\
+	((options & DNS_RBTFIND_EMPTYDATA) != 0 || DATA(node) != NULL)
+
 /*%
  * Structure elements from the rbtdb.c, not
  * used as part of the rbt.c algorithms.
@@ -234,7 +237,7 @@ getdata(dns_rbtnode_t *node, file_header_t *header) {
  *
  * &lt;name_data&gt; contains the name of the node when it was created.
  * &lt;oldoffsetlen&gt; contains the length of &lt;offsets&gt; when the node was created.
- * &lt;offsets&gt; contains the offets into name for each label when the node was
+ * &lt;offsets&gt; contains the offsets into name for each label when the node was
  * created.
  */
 
@@ -1705,9 +1708,9 @@ dns_rbt_findnode(dns_rbt_t *rbt, const dns_name_t *name, dns_name_t *foundname,
 				/*
 				 * This might be the closest enclosing name.
 				 */
-				if (DATA(current) != NULL ||
-				    (options & DNS_RBTFIND_EMPTYDATA) != 0)
+				if (WANTEMPTYDATA_OR_DATA(options, current)) {
 					*node = current;
+				}
 
 				/*
 				 * Point the chain to the next level.   This
@@ -1778,8 +1781,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, const dns_name_t *name, dns_name_t *foundname,
 	 * ISC_R_SUCCESS to indicate an exact match.
 	 */
 	if (current != NULL && (options & DNS_RBTFIND_NOEXACT) == 0 &&
-	    (DATA(current) != NULL ||
-	     (options & DNS_RBTFIND_EMPTYDATA) != 0)) {
+	     (WANTEMPTYDATA_OR_DATA(options, current))) {
 		/*
 		 * Found an exact match.
 		 */
@@ -2016,11 +2018,11 @@ dns_rbt_findname(dns_rbt_t *rbt, const dns_name_t *name, unsigned int options,
 	result = dns_rbt_findnode(rbt, name, foundname, &node, NULL,
 				  options, NULL, NULL);
 
-	if (node != NULL &&
-	    (DATA(node) != NULL || (options & DNS_RBTFIND_EMPTYDATA) != 0))
+	if (node != NULL && WANTEMPTYDATA_OR_DATA(options, node)) {
 		*data = DATA(node);
-	else
+	} else {
 		result = ISC_R_NOTFOUND;
+	}
 
 	return (result);
 }
@@ -2857,9 +2859,10 @@ deletetreeflat(dns_rbt_t *rbt, unsigned int quantum, bool unhash,
 			dns_rbtnode_t *node = root;
 			root = PARENT(root);
 
-			if (DATA(node) != NULL && rbt->data_deleter != NULL)
+			if (rbt->data_deleter != NULL && DATA(node) != NULL) {
 				rbt->data_deleter(DATA(node),
 						  rbt->deleter_arg);
+			}
 			if (unhash)
 				unhash_node(rbt, node);
 			/*
diff --git a/bind/bind9/lib/dns/rbtdb.c b/bind/bind9/lib/dns/rbtdb.c
index 20597146..3ee18766 100644
--- a/bind/bind9/lib/dns/rbtdb.c
+++ b/bind/bind9/lib/dns/rbtdb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -145,7 +145,7 @@ typedef uint64_t                    rbtdb_serial_t;
 #define acache_callback acache_callback64
 #define acache_cancelentry acache_cancelentry64
 #define activeempty activeempty64
-#define activeemtpynode activeemtpynode64
+#define activeemptynode activeemptynode64
 #define add32 add64
 #define add_changed add_changed64
 #define add_empty_wildcards add_empty_wildcards64
@@ -317,8 +317,10 @@ typedef uint32_t                    rbtdb_rdatatype_t;
 		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname)
 #define RBTDB_RDATATYPE_SIGDNAME \
 		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname)
-#define RBTDB_RDATATYPE_SIGDDS \
+#define RBTDB_RDATATYPE_SIGDS \
 		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds)
+#define RBTDB_RDATATYPE_SIGSOA \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa)
 #define RBTDB_RDATATYPE_NCACHEANY \
 		RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
 
@@ -397,6 +399,23 @@ typedef isc_mutex_t nodelock_t;
 #define NODE_WEAKDOWNGRADE(l)   ((void)0)
 #endif
 
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#if defined(__cplusplus)
+#include <isc/stdatomic.h>
+#else
+#include <stdatomic.h>
+#endif
+#define DNS_RBTDB_STDATOMIC 1
+#define DNS_RBTDB_INC(x) atomic_fetch_add(&(x), (1))
+#define DNS_RBTDB_LOAD(x) atomic_load(&(x))
+#elif defined(ISC_PLATFORM_HAVEXADD)
+#define DNS_RBTDB_INC(x) isc_atomic_xadd((int *)&(x), 1);
+#define DNS_RBTDB_LOAD(x) isc_atomic_xadd((int *)&(x), 0);
+#else
+#define DNS_RBTDB_INC(x) ((x)++)
+#define DNS_RBTDB_LOAD(x) (x)
+#endif
+
 /*%
  * Whether to rate-limit updating the LRU to avoid possible thread contention.
  * Our performance measurement has shown the cost is marginal, so it's defined
@@ -455,7 +474,11 @@ typedef struct rdatasetheader {
 	 * this rdataset.
 	 */
 
-	uint32_t                    count;
+#ifdef DNS_RBTDB_STDATOMIC
+	_Atomic(uint32_t)                count;
+#else
+	uint32_t                         count;
+#endif
 	/*%<
 	 * Monotonously increased every time this rdataset is bound so that
 	 * it is used as the base of the starting point in DNS responses
@@ -950,7 +973,11 @@ static char FILE_VERSION[32] = "\0";
  *      that indicates that the database does not implement cyclic
  *      processing.
  */
+#ifdef DNS_RBTDB_STDATOMIC
+static _Atomic(unsigned int) init_count;
+#else
 static unsigned int init_count;
+#endif
 
 /*
  * Locking
@@ -1014,6 +1041,18 @@ hexdump(const char *desc, unsigned char *data, size_t size) {
 #define DNS_RDATASET_COUNT 0
 #endif /* DNS_RDATASET_FIXED */
 
+ISC_NO_SANITIZE_THREAD static ISC_NO_SANITIZE_INLINE unsigned int
+get_init_count(void) {
+	unsigned int value = DNS_RBTDB_INC(init_count);
+	return (value);
+}
+
+ISC_NO_SANITIZE_THREAD static ISC_NO_SANITIZE_INLINE unsigned int
+get_header_count(rdatasetheader_t *header) {
+	unsigned int value = DNS_RBTDB_INC(header->count);
+	return (value);
+}
+
 /*
  * DB Routines
  */
@@ -1137,14 +1176,19 @@ ttl_sooner(void *v1, void *v2) {
 	return (h1->rdh_ttl < h2->rdh_ttl);
 }
 
+/*%
+ * Return which RRset should be resigned sooner.  If the RRsets have the
+ * same signing time, prefer the other RRset over the SOA RRset.
+ */
 static bool
 resign_sooner(void *v1, void *v2) {
 	rdatasetheader_t *h1 = v1;
 	rdatasetheader_t *h2 = v2;
 
 	return (h1->resign < h2->resign ||
-		(h1->resign == h2->resign &&
-		 h1->resign_lsb < h2->resign_lsb));
+		(h1->resign == h2->resign && h1->resign_lsb < h2->resign_lsb) ||
+		(h1->resign == h2->resign && h1->resign_lsb == h2->resign_lsb &&
+		 h2->type == RBTDB_RDATATYPE_SIGSOA));
 }
 
 /*%
@@ -1409,11 +1453,11 @@ maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
 	for (i = 0; i < rbtdb->node_lock_count; i++) {
 		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
 		rbtdb->node_locks[i].exiting = true;
-		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
 		if (isc_refcount_current(&rbtdb->node_locks[i].references)
 		    == 0) {
 			inactive++;
 		}
+		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
 	}
 
 	if (inactive != 0) {
@@ -2083,11 +2127,16 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
  * Caller must be holding the node lock.
  */
 static inline void
-new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+	      isc_rwlocktype_t locktype) {
 	unsigned int lockrefs, noderefs;
 	isc_refcount_t *lockref;
 
-	INSIST(!ISC_LINK_LINKED(node, deadlink));
+	if (locktype == isc_rwlocktype_write && ISC_LINK_LINKED(node, deadlink))
+	{
+		ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node,
+				deadlink);
+	}
 	dns_rbtnode_refincrement0(node, &noderefs);
 	if (noderefs == 1) {    /* this is the first reference to the node */
 		lockref = &rbtdb->node_locks[node->locknum].references;
@@ -2107,15 +2156,14 @@ is_leaf(dns_rbtnode_t *node) {
 }
 
 static inline void
-send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		   isc_rwlocktype_t locktype) {
 	isc_event_t *ev;
 	dns_db_t *db;
 
-	ev = isc_event_allocate(rbtdb->common.mctx, NULL,
-				DNS_EVENT_RBTPRUNE,
-				prune_tree, node,
-				sizeof(isc_event_t));
-	new_reference(rbtdb, node);
+	ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE,
+				prune_tree, node, sizeof(isc_event_t));
+	new_reference(rbtdb, node, locktype);
 	db = NULL;
 	attach((dns_db_t *)rbtdb, &db);
 	ev->ev_sender = db;
@@ -2140,18 +2188,19 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
 		ISC_LIST_UNLINK(rbtdb->deadnodes[bucketnum], node, deadlink);
 
 		/*
-		 * Since we're holding a tree write lock, it should be
-		 * impossible for this node to be referenced by others.
-		 *
-		 * decrement_reference may not have tested node->down, as
-		 * the tree_lock was not held, before adding the node to
-		 * deadnodes so we test it here.
+		 * We might have reactivated this node without a tree write
+		 * lock, so we couldn't remove this node from deadnodes then
+		 * and we have to do it now.
 		 */
-		INSIST(dns_rbtnode_refcurrent(node) == 0 &&
-		       node->data == NULL);
+		if (dns_rbtnode_refcurrent(node) != 0 ||
+		    node->data != NULL) {
+			node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+			count--;
+			continue;
+		}
 
 		if (is_leaf(node) && rbtdb->task != NULL) {
-			send_to_prune_tree(rbtdb, node);
+			send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
 		} else if (node->down == NULL && node->data == NULL) {
 			/*
 			 * Not a interior node and not needing to be
@@ -2218,7 +2267,7 @@ reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 			cleanup_dead_nodes(rbtdb, node->locknum);
 	}
 
-	new_reference(rbtdb, node);
+	new_reference(rbtdb, node, locktype);
 
 	NODE_WEAKUNLOCK(nodelock, locktype);
 	NODE_STRONGUNLOCK(nodelock);
@@ -2358,15 +2407,17 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		 * periodic walk-through).
 		 */
 		if (!pruning && is_leaf(node) && rbtdb->task != NULL) {
-			send_to_prune_tree(rbtdb, node);
+			send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
 			no_reference = false;
 		} else {
 			delete_node(rbtdb, node);
 		}
 	} else {
 		INSIST(node->data == NULL);
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
-		ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink);
+		if (!ISC_LINK_LINKED(node, deadlink)) {
+			ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node,
+					deadlink);
+		}
 	}
 
  restore_locks:
@@ -2431,17 +2482,16 @@ prune_tree(isc_task_t *task, isc_event_t *event) {
 
 			/*
 			 * We need to gain a reference to the node before
-			 * decrementing it in the next iteration.  In addition,
-			 * if the node is in the dead-nodes list, extract it
-			 * from the list beforehand as we do in
-			 * reactivate_node().
+			 * decrementing it in the next iteration.
 			 */
-			if (ISC_LINK_LINKED(parent, deadlink))
+			if (ISC_LINK_LINKED(parent, deadlink)) {
 				ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
 						parent, deadlink);
-			new_reference(rbtdb, parent);
-		} else
+			}
+			new_reference(rbtdb, parent, isc_rwlocktype_write);
+		} else {
 			parent = NULL;
+		}
 
 		node = parent;
 	} while (node != NULL);
@@ -3220,7 +3270,7 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 		 * We increment the reference count on node to ensure that
 		 * search->zonecut_rdataset will still be valid later.
 		 */
-		new_reference(search->rbtdb, node);
+		new_reference(search->rbtdb, node, isc_rwlocktype_read);
 		search->zonecut = node;
 		search->zonecut_rdataset = found;
 		search->need_cleanup = true;
@@ -3271,11 +3321,10 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 }
 
 static inline void
-bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
-	      rdatasetheader_t *header, isc_stdtime_t now,
-	      dns_rdataset_t *rdataset)
-{
-	unsigned char *raw;     /* RDATASLAB */
+bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header,
+	      isc_stdtime_t now, isc_rwlocktype_t locktype,
+	      dns_rdataset_t *rdataset) {
+	unsigned char *raw; /* RDATASLAB */
 
 	/*
 	 * Caller must be holding the node reader lock.
@@ -3288,7 +3337,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	if (rdataset == NULL)
 		return;
 
-	new_reference(rbtdb, node);
+	new_reference(rbtdb, node, locktype);
 
 	INSIST(rdataset->methods == NULL);      /* We must be disassociated. */
 
@@ -3310,7 +3359,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	rdataset->private2 = node;
 	raw = (unsigned char *)header + sizeof(*header);
 	rdataset->private3 = raw;
-	rdataset->count = header->count++;
+	rdataset->count = get_header_count(header);
 	if (rdataset->count == UINT32_MAX)
 		rdataset->count = 0;
 
@@ -3383,11 +3432,13 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
 			  isc_rwlocktype_read);
 		bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
-			      search->now, rdataset);
+			      search->now, isc_rwlocktype_read, rdataset);
 		if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
+		{
 			bind_rdataset(search->rbtdb, node,
-				      search->zonecut_sigrdataset,
-				      search->now, sigrdataset);
+				      search->zonecut_sigrdataset, search->now,
+				      isc_rwlocktype_read, sigrdataset);
+		}
 		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
 			    isc_rwlocktype_read);
 	}
@@ -3505,7 +3556,7 @@ activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
 }
 
 static inline bool
-activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
+activeemptynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
 	dns_fixedname_t fnext;
 	dns_fixedname_t forigin;
 	dns_fixedname_t fprev;
@@ -3729,7 +3780,7 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
 				NODE_UNLOCK(lock, isc_rwlocktype_read);
 				if (header != NULL ||
 				    activeempty(search, &wchain, wname)) {
-					if (activeemtpynode(search, qname,
+					if (activeemptynode(search, qname,
 							    wname)) {
 						return (ISC_R_NOTFOUND);
 					}
@@ -3823,6 +3874,7 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
 	isc_result_t result;
 
 	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(type == dns_rdatatype_nsec3 || firstp != NULL);
 
 	if (type == dns_rdatatype_nsec3) {
 		result = dns_rbtnodechain_prev(&search->chain, NULL, NULL);
@@ -3848,11 +3900,9 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
 			if (result != ISC_R_SUCCESS)
 				return (result);
 			nsecnode = NULL;
-			result = dns_rbt_findnode(search->rbtdb->nsec,
-						  target, NULL,
-						  &nsecnode, nsecchain,
-						  DNS_RBTFIND_NOOPTIONS,
-						  NULL, NULL);
+			result = dns_rbt_findnode(
+				search->rbtdb->nsec, target, NULL, &nsecnode,
+				nsecchain, DNS_RBTFIND_EMPTYDATA, NULL, NULL);
 			if (result == ISC_R_SUCCESS) {
 				/*
 				 * Since this was the first loop, finding the
@@ -3897,9 +3947,10 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
 		*nodep = NULL;
 		result = dns_rbt_findnode(search->rbtdb->tree, target, NULL,
 					  nodep, &search->chain,
-					  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
-		if (result == ISC_R_SUCCESS)
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+		if (result == ISC_R_SUCCESS) {
 			return (result);
+		}
 
 		/*
 		 * There should always be a node in the main tree with the
@@ -4031,19 +4082,22 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 							      foundname, NULL);
 				if (result == ISC_R_SUCCESS) {
 					if (nodep != NULL) {
-						new_reference(search->rbtdb,
-							      node);
+						new_reference(
+							search->rbtdb, node,
+							isc_rwlocktype_read);
 						*nodep = node;
 					}
 					bind_rdataset(search->rbtdb, node,
 						      found, search->now,
+						      isc_rwlocktype_read,
 						      rdataset);
-					if (foundsig != NULL)
-						bind_rdataset(search->rbtdb,
-							      node,
-							      foundsig,
-							      search->now,
-							      sigrdataset);
+					if (foundsig != NULL) {
+						bind_rdataset(
+							search->rbtdb, node,
+							foundsig, search->now,
+							isc_rwlocktype_read,
+							sigrdataset);
+					}
 				}
 			} else if (found == NULL && foundsig == NULL) {
 				/*
@@ -4124,7 +4178,6 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	rdatasetheader_t *foundsig, *cnamesig, *nsecsig;
 	rbtdb_rdatatype_t sigtype;
 	bool active;
-	dns_rbtnodechain_t chain;
 	nodelock_t *lock;
 	dns_rbt_t *tree;
 
@@ -4204,8 +4257,15 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				goto tree_exit;
 		}
 
-		chain = search.chain;
-		active = activeempty(&search, &chain, name);
+		active = false;
+		if ((options & DNS_DBFIND_FORCENSEC3) == 0) {
+			/*
+			 * The NSEC3 tree won't have empty nodes,
+			 * so it isn't necessary to check for them.
+			 */
+			dns_rbtnodechain_t chain = search.chain;
+			active = activeempty(&search, &chain, name);
+		}
 
 		/*
 		 * If we're here, then the name does not exist, is not
@@ -4248,7 +4308,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * DS records live above the zone cut in ordinary zone so
 		 * we want to ignore any referral.
 		 *
-		 * Stub zones don't have anything "above" the delgation so
+		 * Stub zones don't have anything "above" the delegation so
 		 * we always return a referral.
 		 */
 		if (node->find_callback &&
@@ -4317,7 +4377,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				 * ensure that search->zonecut_rdataset will
 				 * still be valid later.
 				 */
-				new_reference(search.rbtdb, node);
+				new_reference(search.rbtdb, node,
+					      isc_rwlocktype_read);
 				search.zonecut = node;
 				search.zonecut_rdataset = header;
 				search.zonecut_sigrdataset = NULL;
@@ -4490,18 +4551,19 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			goto node_exit;
 		}
 		if (nodep != NULL) {
-			new_reference(search.rbtdb, node);
+			new_reference(search.rbtdb, node, isc_rwlocktype_read);
 			*nodep = node;
 		}
 		if ((search.rbtversion->secure == dns_db_secure &&
 		     !search.rbtversion->havensec3) ||
 		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
 		{
-			bind_rdataset(search.rbtdb, node, nsecheader,
-				      0, rdataset);
-			if (nsecsig != NULL)
-				bind_rdataset(search.rbtdb, node,
-					      nsecsig, 0, sigrdataset);
+			bind_rdataset(search.rbtdb, node, nsecheader, 0,
+				      isc_rwlocktype_read, rdataset);
+			if (nsecsig != NULL) {
+				bind_rdataset(search.rbtdb, node, nsecsig, 0,
+					      isc_rwlocktype_read, sigrdataset);
+			}
 		}
 		if (wild)
 			foundname->attributes |= DNS_NAMEATTR_WILDCARD;
@@ -4567,18 +4629,21 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	}
 
 	if (nodep != NULL) {
-		if (!at_zonecut)
-			new_reference(search.rbtdb, node);
-		else
+		if (!at_zonecut) {
+			new_reference(search.rbtdb, node, isc_rwlocktype_read);
+		} else {
 			search.need_cleanup = false;
+		}
 		*nodep = node;
 	}
 
 	if (type != dns_rdatatype_any) {
-		bind_rdataset(search.rbtdb, node, found, 0, rdataset);
-		if (foundsig != NULL)
+		bind_rdataset(search.rbtdb, node, found, 0, isc_rwlocktype_read,
+			      rdataset);
+		if (foundsig != NULL) {
 			bind_rdataset(search.rbtdb, node, foundsig, 0,
-				      sigrdataset);
+				      isc_rwlocktype_read, sigrdataset);
+		}
 	}
 
 	if (wild)
@@ -4748,8 +4813,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 		 * We increment the reference count on node to ensure that
 		 * search->zonecut_rdataset will still be valid later.
 		 */
-		new_reference(search->rbtdb, node);
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		new_reference(search->rbtdb, node, locktype);
 		search->zonecut = node;
 		search->zonecut_rdataset = dname_header;
 		search->zonecut_sigrdataset = sigdname_header;
@@ -4855,14 +4919,16 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 			}
 			result = DNS_R_DELEGATION;
 			if (nodep != NULL) {
-				new_reference(search->rbtdb, node);
+				new_reference(search->rbtdb, node, locktype);
 				*nodep = node;
 			}
 			bind_rdataset(search->rbtdb, node, found, search->now,
-				      rdataset);
-			if (foundsig != NULL)
+				      locktype, rdataset);
+			if (foundsig != NULL) {
 				bind_rdataset(search->rbtdb, node, foundsig,
-					      search->now, sigrdataset);
+					      search->now, locktype,
+					      sigrdataset);
+			}
 			if (need_headerupdate(found, search->now) ||
 			    (foundsig != NULL &&
 			     need_headerupdate(foundsig, search->now))) {
@@ -4954,14 +5020,16 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		if (found != NULL) {
 			result = dns_name_concatenate(name, origin,
 						      foundname, NULL);
-			if (result != ISC_R_SUCCESS)
+			if (result != ISC_R_SUCCESS) {
 				goto unlock_node;
-			bind_rdataset(search->rbtdb, node, found,
-				      now, rdataset);
-			if (foundsig != NULL)
+			}
+			bind_rdataset(search->rbtdb, node, found, now, locktype,
+				      rdataset);
+			if (foundsig != NULL) {
 				bind_rdataset(search->rbtdb, node, foundsig,
-					      now, sigrdataset);
-			new_reference(search->rbtdb, node);
+					      now, locktype, sigrdataset);
+			}
+			new_reference(search->rbtdb, node, locktype);
 			*nodep = node;
 			result = DNS_R_COVERINGNSEC;
 		} else if (!empty_node) {
@@ -5216,19 +5284,21 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 */
 		if (nsheader != NULL) {
 			if (nodep != NULL) {
-				new_reference(search.rbtdb, node);
-				INSIST(!ISC_LINK_LINKED(node, deadlink));
+				new_reference(search.rbtdb, node, locktype);
 				*nodep = node;
 			}
 			bind_rdataset(search.rbtdb, node, nsheader, search.now,
-				      rdataset);
-			if (need_headerupdate(nsheader, search.now))
+				      locktype, rdataset);
+			if (need_headerupdate(nsheader, search.now)) {
 				update = nsheader;
+			}
 			if (nssig != NULL) {
 				bind_rdataset(search.rbtdb, node, nssig,
-					      search.now, sigrdataset);
-				if (need_headerupdate(nssig, search.now))
+					      search.now, locktype,
+					      sigrdataset);
+				if (need_headerupdate(nssig, search.now)) {
 					updatesig = nssig;
+				}
 			}
 			result = DNS_R_DELEGATION;
 			goto node_exit;
@@ -5246,8 +5316,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 */
 
 	if (nodep != NULL) {
-		new_reference(search.rbtdb, node);
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		new_reference(search.rbtdb, node, locktype);
 		*nodep = node;
 	}
 
@@ -5276,16 +5345,19 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	}
 
 	if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN ||
-	    result == DNS_R_NCACHENXRRSET) {
-		bind_rdataset(search.rbtdb, node, found, search.now,
+	    result == DNS_R_NCACHENXRRSET)
+	{
+		bind_rdataset(search.rbtdb, node, found, search.now, locktype,
 			      rdataset);
-		if (need_headerupdate(found, search.now))
+		if (need_headerupdate(found, search.now)) {
 			update = found;
+		}
 		if (!NEGATIVE(found) && foundsig != NULL) {
 			bind_rdataset(search.rbtdb, node, foundsig, search.now,
-				      sigrdataset);
-			if (need_headerupdate(foundsig, search.now))
+				      locktype, sigrdataset);
+			if (need_headerupdate(foundsig, search.now)) {
 				updatesig = foundsig;
+			}
 		}
 	}
 
@@ -5431,15 +5503,16 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 	}
 
 	if (nodep != NULL) {
-		new_reference(search.rbtdb, node);
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		new_reference(search.rbtdb, node, locktype);
 		*nodep = node;
 	}
 
-	bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
-	if (foundsig != NULL)
+	bind_rdataset(search.rbtdb, node, found, search.now, locktype,
+		      rdataset);
+	if (foundsig != NULL) {
 		bind_rdataset(search.rbtdb, node, foundsig, search.now,
-			      sigrdataset);
+			      locktype, sigrdataset);
+	}
 
 	if (need_headerupdate(found, search.now) ||
 	    (foundsig != NULL &&  need_headerupdate(foundsig, search.now))) {
@@ -5791,10 +5864,12 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		}
 	}
 	if (found != NULL) {
-		bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
-		if (foundsig != NULL)
+		bind_rdataset(rbtdb, rbtnode, found, now, isc_rwlocktype_read,
+			      rdataset);
+		if (foundsig != NULL) {
 			bind_rdataset(rbtdb, rbtnode, foundsig, now,
-				      sigrdataset);
+				      isc_rwlocktype_read, sigrdataset);
+		}
 	}
 
 	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
@@ -5879,16 +5954,17 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		}
 	}
 	if (found != NULL) {
-		bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
-		if (!NEGATIVE(found) && foundsig != NULL)
-			bind_rdataset(rbtdb, rbtnode, foundsig, now,
+		bind_rdataset(rbtdb, rbtnode, found, now, locktype, rdataset);
+		if (!NEGATIVE(found) && foundsig != NULL) {
+			bind_rdataset(rbtdb, rbtnode, foundsig, now, locktype,
 				      sigrdataset);
+		}
 	}
 
-	NODE_UNLOCK(lock, locktype);
-
-	if (found == NULL)
+	if (found == NULL) {
+		NODE_UNLOCK(lock, locktype);
 		return (ISC_R_NOTFOUND);
+	}
 
 	if (NEGATIVE(found)) {
 		/*
@@ -5900,6 +5976,8 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			result = DNS_R_NCACHENXRRSET;
 	}
 
+	NODE_UNLOCK(lock, locktype);
+
 	update_cachestats(rbtdb, result);
 
 	return (result);
@@ -6048,6 +6126,9 @@ resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) {
 	return (result);
 }
 
+/*
+ * node write lock must be held.
+ */
 static void
 resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
 	      rdatasetheader_t *header)
@@ -6060,7 +6141,8 @@ resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
 				header->heap_index);
 		header->heap_index = 0;
 		if (version != NULL) {
-			new_reference(rbtdb, header->node);
+			new_reference(rbtdb, header->node,
+				      isc_rwlocktype_write);
 			ISC_LIST_APPEND(version->resigned_list, header, link);
 		}
 	}
@@ -6084,6 +6166,9 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
 	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
 }
 
+/*
+ * write lock on rbtnode must be held.
+ */
 static isc_result_t
 add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
       rdatasetheader_t *newheader, unsigned int options, bool loading,
@@ -6207,10 +6292,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 					free_rdataset(rbtdb,
 						      rbtdb->common.mctx,
 						      newheader);
-					if (addedrdataset != NULL)
-						bind_rdataset(rbtdb, rbtnode,
-							      topheader, now,
-							      addedrdataset);
+					if (addedrdataset != NULL) {
+						bind_rdataset(
+							rbtdb, rbtnode,
+							topheader, now,
+							isc_rwlocktype_write,
+							addedrdataset);
+					}
 					return (DNS_R_UNCHANGED);
 				}
 				/*
@@ -6264,6 +6352,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
+					      isc_rwlocktype_write,
 					      addedrdataset);
 			return (DNS_R_UNCHANGED);
 		}
@@ -6363,6 +6452,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
+					      isc_rwlocktype_write,
 					      addedrdataset);
 			return (ISC_R_SUCCESS);
 		}
@@ -6384,7 +6474,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		    (header->type == dns_rdatatype_a ||
 		     header->type == dns_rdatatype_aaaa ||
 		     header->type == dns_rdatatype_ds ||
-		     header->type == RBTDB_RDATATYPE_SIGDDS) &&
+		     header->type == RBTDB_RDATATYPE_SIGDS) &&
 		    !header_nx && !newheader_nx &&
 		    header->trust >= newheader->trust &&
 		    dns_rdataslab_equal((unsigned char *)header,
@@ -6409,6 +6499,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
+					      isc_rwlocktype_write,
 					      addedrdataset);
 			return (ISC_R_SUCCESS);
 		}
@@ -6598,8 +6689,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	    cname_and_other_data(rbtnode, rbtversion->serial))
 		return (DNS_R_CNAMEANDOTHER);
 
-	if (addedrdataset != NULL)
-		bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset);
+	if (addedrdataset != NULL) {
+		bind_rdataset(rbtdb, rbtnode, newheader, now,
+			      isc_rwlocktype_write, addedrdataset);
+	}
 
 	return (ISC_R_SUCCESS);
 }
@@ -6747,6 +6840,13 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
 
 	if (rbtdb->common.methods == &zone_methods) {
+		/*
+		 * SOA records are only allowed at top of zone.
+		 */
+		if (rdataset->type == dns_rdatatype_soa &&
+		    node != rbtdb->origin_node) {
+			return (DNS_R_NOTZONETOP);
+		}
 		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
 			  (rdataset->type == dns_rdatatype_nsec3 ||
@@ -6785,7 +6885,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		newheader->attributes |= RDATASET_ATTR_ZEROTTL;
 	newheader->noqname = NULL;
 	newheader->closest = NULL;
-	newheader->count = init_count++;
+	newheader->count = get_init_count();
 	newheader->trust = rdataset->trust;
 	newheader->additional_auth = NULL;
 	newheader->additional_glue = NULL;
@@ -6981,7 +7081,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	newheader->trust = 0;
 	newheader->noqname = NULL;
 	newheader->closest = NULL;
-	newheader->count = init_count++;
+	newheader->count = get_init_count();
 	newheader->additional_auth = NULL;
 	newheader->additional_glue = NULL;
 	newheader->last_used = 0;
@@ -7132,12 +7232,17 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			result = DNS_R_UNCHANGED;
 	}
 
-	if (result == ISC_R_SUCCESS && newrdataset != NULL)
-		bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
+	if (result == ISC_R_SUCCESS && newrdataset != NULL) {
+		bind_rdataset(rbtdb, rbtnode, newheader, 0,
+			      isc_rwlocktype_write, newrdataset);
+	}
 
 	if (result == DNS_R_NXRRSET && newrdataset != NULL &&
 	    (options & DNS_DBSUB_WANTOLD) != 0)
-		bind_rdataset(rbtdb, rbtnode, header, 0, newrdataset);
+	{
+		bind_rdataset(rbtdb, rbtnode, header, 0, isc_rwlocktype_write,
+			      newrdataset);
+	}
 
  unlock:
 	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
@@ -7422,7 +7527,7 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 	newheader->serial = 1;
 	newheader->noqname = NULL;
 	newheader->closest = NULL;
-	newheader->count = init_count++;
+	newheader->count = get_init_count();
 	newheader->additional_auth = NULL;
 	newheader->additional_glue = NULL;
 	newheader->last_used = 0;
@@ -8061,7 +8166,7 @@ getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
 	onode = (dns_rbtnode_t *)rbtdb->origin_node;
 	if (onode != NULL) {
 		NODE_STRONGLOCK(&rbtdb->node_locks[onode->locknum].lock);
-		new_reference(rbtdb, onode);
+		new_reference(rbtdb, onode, isc_rwlocktype_none);
 		NODE_STRONGUNLOCK(&rbtdb->node_locks[onode->locknum].lock);
 
 		*nodep = rbtdb->origin_node;
@@ -8202,7 +8307,7 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
 	rdatasetheader_t *header = NULL, *this;
 	unsigned int i;
 	isc_result_t result = ISC_R_NOTFOUND;
-	unsigned int locknum;
+	unsigned int locknum = 0;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
@@ -8210,38 +8315,65 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
 
 	for (i = 0; i < rbtdb->node_lock_count; i++) {
 		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read);
+
+		/*
+		 * Find for the earliest signing time among all of the
+		 * heaps, each of which is covered by a different bucket
+		 * lock.
+		 */
 		this = isc_heap_element(rbtdb->heaps[i], 1);
 		if (this == NULL) {
+			/* Nothing found; unlock and try the next heap. */
 			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
 				    isc_rwlocktype_read);
 			continue;
 		}
-		if (header == NULL)
+
+		if (header == NULL) {
+			/*
+			 * Found a signing time: retain the bucket lock and
+			 * preserve the lock number so we can unlock it
+			 * later.
+			 */
 			header = this;
-		else if (resign_sooner(this, header)) {
-			locknum = header->node->locknum;
+			locknum = i;
+		} else if (resign_sooner(this, header)) {
+			/*
+			 * Found an earlier signing time; release the
+			 * previous bucket lock and retain this one instead.
+			 */
 			NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
 				    isc_rwlocktype_read);
 			header = this;
-		} else
+			locknum = i;
+		} else {
+			/*
+			 * Earliest signing time in this heap isn't
+			 * an improvement; unlock and try the next heap.
+			 */
 			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
 				    isc_rwlocktype_read);
+		}
 	}
 
-	if (header == NULL)
-		goto unlock;
-
-	bind_rdataset(rbtdb, header->node, header, 0, rdataset);
+	if (header != NULL) {
+		/*
+		 * Found something; pass back the answer and unlock
+		 * the bucket.
+		 */
+		bind_rdataset(rbtdb, header->node, header, 0,
+			      isc_rwlocktype_read, rdataset);
 
-	if (foundname != NULL)
-		dns_rbt_fullnamefromnode(header->node, foundname);
+		if (foundname != NULL) {
+			dns_rbt_fullnamefromnode(header->node, foundname);
+		}
 
-	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
-		    isc_rwlocktype_read);
+		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+			    isc_rwlocktype_read);
 
-	result = ISC_R_SUCCESS;
+		result = ISC_R_SUCCESS;
+	}
 
- unlock:
 	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 
 	return (result);
@@ -9217,7 +9349,7 @@ rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
 		  isc_rwlocktype_read);
 
 	bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
-		      rdataset);
+		      isc_rwlocktype_read, rdataset);
 
 	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		    isc_rwlocktype_read);
@@ -9271,7 +9403,7 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
 		 * Note that "%d node of %d in tree" can report things like
 		 * "flush_deletions: 59 nodes of 41 in tree".  This means
 		 * That some nodes appear on the deletions list more than
-		 * once.  Only the last occurence will actually be deleted.
+		 * once.  Only the last occurrence will actually be deleted.
 		 */
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
@@ -9653,7 +9785,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 		result = ISC_R_SUCCESS;
 
 	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
-	new_reference(rbtdb, node);
+	new_reference(rbtdb, node, isc_rwlocktype_none);
 	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
 
 	*nodep = rbtdbiter->node;
@@ -10433,7 +10565,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 		 * We first need to gain a new reference to the node to meet a
 		 * requirement of decrement_reference().
 		 */
-		new_reference(rbtdb, header->node);
+		new_reference(rbtdb, header->node, isc_rwlocktype_write);
 		decrement_reference(rbtdb, header->node, 0,
 				    isc_rwlocktype_write,
 				    tree_locked ? isc_rwlocktype_write :
diff --git a/bind/bind9/lib/dns/rbtdb.h b/bind/bind9/lib/dns/rbtdb.h
index a7cb42b5..cd84b5b4 100644
--- a/bind/bind9/lib/dns/rbtdb.h
+++ b/bind/bind9/lib/dns/rbtdb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rbtdb64.c b/bind/bind9/lib/dns/rbtdb64.c
index 6f4a659c..0a0fb053 100644
--- a/bind/bind9/lib/dns/rbtdb64.c
+++ b/bind/bind9/lib/dns/rbtdb64.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: rbtdb64.c,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
-
 /*! \file */
 
 #define DNS_RBTDB_VERSION64 1
diff --git a/bind/bind9/lib/dns/rbtdb64.h b/bind/bind9/lib/dns/rbtdb64.h
index faf85e5a..33b01159 100644
--- a/bind/bind9/lib/dns/rbtdb64.h
+++ b/bind/bind9/lib/dns/rbtdb64.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: rbtdb64.h,v 1.17 2007/06/19 23:47:16 tbox Exp $ */
-
 #ifndef DNS_RBTDB64_H
 #define DNS_RBTDB64_H 1
 
diff --git a/bind/bind9/lib/dns/rcode.c b/bind/bind9/lib/dns/rcode.c
index f51f2015..19a283f6 100644
--- a/bind/bind9/lib/dns/rcode.c
+++ b/bind/bind9/lib/dns/rcode.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata.c b/bind/bind9/lib/dns/rdata.c
index 3a4f7694..a255967e 100644
--- a/bind/bind9/lib/dns/rdata.c
+++ b/bind/bind9/lib/dns/rdata.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -82,35 +82,61 @@
 			unsigned int options, isc_buffer_t *target, \
 			dns_rdatacallbacks_t *callbacks
 
-#define ARGS_TOTEXT	dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, \
-			isc_buffer_t *target
+#define CALL_FROMTEXT rdclass, type, lexer, origin, options, target, callbacks
 
-#define ARGS_FROMWIRE	int rdclass, dns_rdatatype_t type, \
-			isc_buffer_t *source, dns_decompress_t *dctx, \
-			unsigned int options, isc_buffer_t *target
+#define ARGS_TOTEXT \
+	dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, isc_buffer_t *target
 
-#define ARGS_TOWIRE	dns_rdata_t *rdata, dns_compress_t *cctx, \
-			isc_buffer_t *target
+#define CALL_TOTEXT rdata, tctx, target
 
-#define ARGS_COMPARE	const dns_rdata_t *rdata1, const dns_rdata_t *rdata2
+#define ARGS_FROMWIRE                                            \
+	int rdclass, dns_rdatatype_t type, isc_buffer_t *source, \
+		dns_decompress_t *dctx, unsigned int options,    \
+		isc_buffer_t *target
 
-#define ARGS_FROMSTRUCT	int rdclass, dns_rdatatype_t type, \
-			void *source, isc_buffer_t *target
+#define CALL_FROMWIRE rdclass, type, source, dctx, options, target
 
-#define ARGS_TOSTRUCT	const dns_rdata_t *rdata, void *target, isc_mem_t *mctx
+#define ARGS_TOWIRE \
+	dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target
+
+#define CALL_TOWIRE rdata, cctx, target
+
+#define ARGS_COMPARE const dns_rdata_t *rdata1, const dns_rdata_t *rdata2
+
+#define CALL_COMPARE rdata1, rdata2
+
+#define ARGS_FROMSTRUCT \
+	int rdclass, dns_rdatatype_t type, void *source, isc_buffer_t *target
+
+#define CALL_FROMSTRUCT rdclass, type, source, target
+
+#define ARGS_TOSTRUCT const dns_rdata_t *rdata, void *target, isc_mem_t *mctx
+
+#define CALL_TOSTRUCT rdata, target, mctx
 
 #define ARGS_FREESTRUCT void *source
 
-#define ARGS_ADDLDATA	dns_rdata_t *rdata, dns_additionaldatafunc_t add, \
-			void *arg
+#define CALL_FREESTRUCT source
+
+#define ARGS_ADDLDATA \
+	dns_rdata_t *rdata, dns_additionaldatafunc_t add, void *arg
+
+#define CALL_ADDLDATA rdata, add, arg
 
-#define ARGS_DIGEST	dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg
+#define ARGS_DIGEST dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg
 
-#define ARGS_CHECKOWNER dns_name_t *name, dns_rdataclass_t rdclass, \
-			dns_rdatatype_t type, bool wildcard
+#define CALL_DIGEST rdata, digest, arg
 
-#define ARGS_CHECKNAMES dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad
+#define ARGS_CHECKOWNER                                   		  \
+	dns_name_t *name, dns_rdataclass_t rdclass, dns_rdatatype_t type, \
+	bool wildcard
 
+#define CALL_CHECKOWNER name, rdclass, type, wildcard
+
+#define ARGS_CHECKNAMES \
+	dns_rdata_t *rdata, const dns_name_t *owner, dns_name_t *bad
+
+#define CALL_CHECKNAMES rdata, owner, bad
 
 /*%
  * Context structure for the totext_ functions.
@@ -149,7 +175,7 @@ static isc_result_t
 str_totext(const char *source, isc_buffer_t *target);
 
 static isc_result_t
-inet_totext(int af, isc_region_t *src, isc_buffer_t *target);
+inet_totext(int af, uint32_t flags, isc_region_t *src, isc_buffer_t *target);
 
 static bool
 buffer_empty(isc_buffer_t *source);
@@ -305,7 +331,7 @@ generic_freestruct_tlsa(ARGS_FREESTRUCT);
 #define NS_LOCATORSZ	8
 
 /*
- * Active Diretory gc._msdcs.<forest> prefix.
+ * Active Directory gc._msdcs.<forest> prefix.
  */
 static unsigned char gc_msdcs_data[]  = "\002gc\006_msdcs";
 static unsigned char gc_msdcs_offset [] = { 0, 3 };
@@ -1207,6 +1233,7 @@ dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 
 	REQUIRE(rdata != NULL);
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+	REQUIRE((rdata->flags & DNS_RDATA_UPDATE) == 0);
 
 	TOSTRUCTSWITCH
 
@@ -1218,8 +1245,11 @@ dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 
 void
 dns_rdata_freestruct(void *source) {
-	dns_rdatacommon_t *common = source;
-	REQUIRE(common != NULL);
+	dns_rdatacommon_t *common;
+
+	REQUIRE(source != NULL);
+
+	common = source;
 
 	FREESTRUCTSWITCH
 }
@@ -1296,8 +1326,9 @@ unsigned int
 dns_rdatatype_attributes(dns_rdatatype_t type)
 {
 	RDATATYPE_ATTRIBUTE_SW
-	if (type >= (dns_rdatatype_t)128 && type < (dns_rdatatype_t)255)
+	if (type >= (dns_rdatatype_t)128 && type <= (dns_rdatatype_t)255) {
 		return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META);
+	}
 	return (DNS_RDATATYPEATTR_UNKNOWN);
 }
 
@@ -1722,7 +1753,7 @@ str_totext(const char *source, isc_buffer_t *target) {
 }
 
 static isc_result_t
-inet_totext(int af, isc_region_t *src, isc_buffer_t *target) {
+inet_totext(int af, uint32_t flags, isc_region_t *src, isc_buffer_t *target) {
 	char tmpbuf[64];
 
 	/* Note - inet_ntop doesn't do size checking on its input. */
@@ -1731,6 +1762,23 @@ inet_totext(int af, isc_region_t *src, isc_buffer_t *target) {
 	if (strlen(tmpbuf) > isc_buffer_availablelength(target))
 		return (ISC_R_NOSPACE);
 	isc_buffer_putstr(target, tmpbuf);
+
+	/*
+	 * An IPv6 address ending in "::" breaks YAML
+	 * parsing, so append 0 in that case.
+	 */
+	if (af == AF_INET6 && (flags & DNS_STYLEFLAG_YAML) != 0) {
+		isc_textregion_t tr;
+		isc_buffer_usedregion(target, (isc_region_t *)&tr);
+		if (tr.base[tr.length - 1] == ':') {
+			if (isc_buffer_availablelength(target) == 0) {
+				return (ISC_R_NOSPACE);
+			}
+			isc_buffer_putmem(target, (const unsigned char *)"0",
+					  1);
+		}
+	}
+
 	return (ISC_R_SUCCESS);
 }
 
diff --git a/bind/bind9/lib/dns/rdata/any_255/tsig_250.c b/bind/bind9/lib/dns/rdata/any_255/tsig_250.c
index c83b6c3f..e43fba89 100644
--- a/bind/bind9/lib/dns/rdata/any_255/tsig_250.c
+++ b/bind/bind9/lib/dns/rdata/any_255/tsig_250.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -353,14 +353,16 @@ compare_any_tsig(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_any_tsig(ARGS_FROMSTRUCT) {
-	dns_rdata_any_tsig_t *tsig = source;
+	dns_rdata_any_tsig_t *tsig;
 	isc_region_t tr;
 
 	REQUIRE(type == dns_rdatatype_tsig);
 	REQUIRE(rdclass == dns_rdataclass_any);
-	REQUIRE(tsig != NULL);
-	REQUIRE(tsig->common.rdclass == rdclass);
-	REQUIRE(tsig->common.rdtype == type);
+	REQUIRE(((dns_rdata_any_tsig_t *)source) != NULL);
+	REQUIRE(((dns_rdata_any_tsig_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_any_tsig_t *)source)->common.rdtype == type);
+
+	tsig = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -521,11 +523,13 @@ tostruct_any_tsig(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_any_tsig(ARGS_FREESTRUCT) {
-	dns_rdata_any_tsig_t *tsig = (dns_rdata_any_tsig_t *) source;
+	dns_rdata_any_tsig_t *tsig;
+
+	REQUIRE(((dns_rdata_any_tsig_t *)source) != NULL);
+	REQUIRE(((dns_rdata_any_tsig_t *)source)->common.rdtype == dns_rdatatype_tsig);
+	REQUIRE(((dns_rdata_any_tsig_t *)source)->common.rdclass == dns_rdataclass_any);
 
-	REQUIRE(tsig != NULL);
-	REQUIRE(tsig->common.rdtype == dns_rdatatype_tsig);
-	REQUIRE(tsig->common.rdclass == dns_rdataclass_any);
+	tsig = (dns_rdata_any_tsig_t *) source;
 
 	if (tsig->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/any_255/tsig_250.h b/bind/bind9/lib/dns/rdata/any_255/tsig_250.h
index 6ace1d2f..389b181b 100644
--- a/bind/bind9/lib/dns/rdata/any_255/tsig_250.h
+++ b/bind/bind9/lib/dns/rdata/any_255/tsig_250.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/ch_3/a_1.c b/bind/bind9/lib/dns/rdata/ch_3/a_1.c
index be1b489e..ea69ae58 100644
--- a/bind/bind9/lib/dns/rdata/ch_3/a_1.c
+++ b/bind/bind9/lib/dns/rdata/ch_3/a_1.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -187,13 +187,15 @@ compare_ch_a(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_ch_a(ARGS_FROMSTRUCT) {
-	dns_rdata_ch_a_t *a = source;
+	dns_rdata_ch_a_t *a;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_a);
-	REQUIRE(a != NULL);
-	REQUIRE(a->common.rdtype == type);
-	REQUIRE(a->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_ch_a_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ch_a_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_ch_a_t *)source)->common.rdclass == rdclass);
+
+	a = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -206,7 +208,7 @@ fromstruct_ch_a(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_ch_a(ARGS_TOSTRUCT) {
-	dns_rdata_ch_a_t *a = target;
+	dns_rdata_ch_a_t *a;
 	isc_region_t region;
 	dns_name_t name;
 
@@ -214,6 +216,8 @@ tostruct_ch_a(ARGS_TOSTRUCT) {
 	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
 	REQUIRE(rdata->length != 0);
 
+	a = target;
+
 	a->common.rdclass = rdata->rdclass;
 	a->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&a->common, link);
@@ -233,10 +237,12 @@ tostruct_ch_a(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_ch_a(ARGS_FREESTRUCT) {
-	dns_rdata_ch_a_t *a = source;
+	dns_rdata_ch_a_t *a;
+
+	REQUIRE(((dns_rdata_ch_a_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ch_a_t *)source)->common.rdtype == dns_rdatatype_a);
 
-	REQUIRE(a != NULL);
-	REQUIRE(a->common.rdtype == dns_rdatatype_a);
+	a = source;
 
 	if (a->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/ch_3/a_1.h b/bind/bind9/lib/dns/rdata/ch_3/a_1.h
index a9695349..9df05125 100644
--- a/bind/bind9/lib/dns/rdata/ch_3/a_1.h
+++ b/bind/bind9/lib/dns/rdata/ch_3/a_1.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/afsdb_18.c b/bind/bind9/lib/dns/rdata/generic/afsdb_18.c
index 2c924b9f..64ca5342 100644
--- a/bind/bind9/lib/dns/rdata/generic/afsdb_18.c
+++ b/bind/bind9/lib/dns/rdata/generic/afsdb_18.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -170,13 +170,15 @@ compare_afsdb(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_afsdb(ARGS_FROMSTRUCT) {
-	dns_rdata_afsdb_t *afsdb = source;
+	dns_rdata_afsdb_t *afsdb;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_afsdb);
-	REQUIRE(afsdb != NULL);
-	REQUIRE(afsdb->common.rdclass == rdclass);
-	REQUIRE(afsdb->common.rdtype == type);
+	REQUIRE(((dns_rdata_afsdb_t *)source) != NULL);
+	REQUIRE(((dns_rdata_afsdb_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_afsdb_t *)source)->common.rdtype == type);
+
+	afsdb = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -189,13 +191,15 @@ fromstruct_afsdb(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_afsdb(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_afsdb_t *afsdb = target;
+	dns_rdata_afsdb_t *afsdb;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_afsdb_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_afsdb);
-	REQUIRE(afsdb != NULL);
 	REQUIRE(rdata->length != 0);
 
+	afsdb = target;
+
 	afsdb->common.rdclass = rdata->rdclass;
 	afsdb->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&afsdb->common, link);
@@ -217,10 +221,13 @@ tostruct_afsdb(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_afsdb(ARGS_FREESTRUCT) {
-	dns_rdata_afsdb_t *afsdb = source;
+	dns_rdata_afsdb_t *afsdb;
+
+	REQUIRE(((dns_rdata_afsdb_t *)source) != NULL);
+	REQUIRE(((dns_rdata_afsdb_t *)source)->common.rdtype ==
+		dns_rdatatype_afsdb);
 
-	REQUIRE(afsdb != NULL);
-	REQUIRE(afsdb->common.rdtype == dns_rdatatype_afsdb);
+	afsdb = source;
 
 	if (afsdb->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/afsdb_18.h b/bind/bind9/lib/dns/rdata/generic/afsdb_18.h
index 24da1aab..0a1b059c 100644
--- a/bind/bind9/lib/dns/rdata/generic/afsdb_18.h
+++ b/bind/bind9/lib/dns/rdata/generic/afsdb_18.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/amtrelay_260.c b/bind/bind9/lib/dns/rdata/generic/amtrelay_260.c
index ca266383..208886dc 100644
--- a/bind/bind9/lib/dns/rdata/generic/amtrelay_260.c
+++ b/bind/bind9/lib/dns/rdata/generic/amtrelay_260.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -164,10 +164,10 @@ totext_amtrelay(ARGS_TOTEXT) {
 	case 0:
 		break;
 	case 1:
-		return (inet_totext(AF_INET, &region, target));
+		return (inet_totext(AF_INET, tctx->flags, &region, target));
 
 	case 2:
-		return (inet_totext(AF_INET6, &region, target));
+		return (inet_totext(AF_INET6, tctx->flags, &region, target));
 
 	case 3:
 		dns_name_init(&name, NULL);
@@ -264,14 +264,16 @@ compare_amtrelay(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_amtrelay(ARGS_FROMSTRUCT) {
-	dns_rdata_amtrelay_t *amtrelay = source;
+	dns_rdata_amtrelay_t *amtrelay;
 	isc_region_t region;
 	uint32_t n;
 
 	REQUIRE(type == dns_rdatatype_amtrelay);
-	REQUIRE(amtrelay != NULL);
-	REQUIRE(amtrelay->common.rdtype == type);
-	REQUIRE(amtrelay->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_amtrelay_t *)source) != NULL);
+	REQUIRE(((dns_rdata_amtrelay_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_amtrelay_t *)source)->common.rdclass == rdclass);
+
+	amtrelay = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -305,14 +307,16 @@ fromstruct_amtrelay(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_amtrelay(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_amtrelay_t *amtrelay = target;
+	dns_rdata_amtrelay_t *amtrelay;
 	dns_name_t name;
 	uint32_t n;
 
+	REQUIRE(((dns_rdata_amtrelay_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_amtrelay);
-	REQUIRE(amtrelay != NULL);
 	REQUIRE(rdata->length >= 2);
 
+	amtrelay = target;
+
 	amtrelay->common.rdclass = rdata->rdclass;
 	amtrelay->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&amtrelay->common, link);
@@ -368,10 +372,13 @@ tostruct_amtrelay(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_amtrelay(ARGS_FREESTRUCT) {
-	dns_rdata_amtrelay_t *amtrelay = source;
+	dns_rdata_amtrelay_t *amtrelay;
+
+	REQUIRE(((dns_rdata_amtrelay_t *)source) != NULL);
+	REQUIRE(((dns_rdata_amtrelay_t *)source)->common.rdtype ==
+		dns_rdatatype_amtrelay);
 
-	REQUIRE(amtrelay != NULL);
-	REQUIRE(amtrelay->common.rdtype == dns_rdatatype_amtrelay);
+	amtrelay = source;
 
 	if (amtrelay->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/amtrelay_260.h b/bind/bind9/lib/dns/rdata/generic/amtrelay_260.h
index 1372fe84..c942fd62 100644
--- a/bind/bind9/lib/dns/rdata/generic/amtrelay_260.h
+++ b/bind/bind9/lib/dns/rdata/generic/amtrelay_260.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/avc_258.c b/bind/bind9/lib/dns/rdata/generic/avc_258.c
index e8efa377..1ea4ffc7 100644
--- a/bind/bind9/lib/dns/rdata/generic/avc_258.c
+++ b/bind/bind9/lib/dns/rdata/generic/avc_258.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -19,24 +19,15 @@ fromtext_avc(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_avc);
 
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	return (generic_fromtext_txt(rdclass, type, lexer, origin, options,
-				     target, callbacks));
+	return (generic_fromtext_txt(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
 totext_avc(ARGS_TOTEXT) {
-
-	UNUSED(tctx);
-
+	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_avc);
 
-	return (generic_totext_txt(rdata, tctx, target));
+	return (generic_totext_txt(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -44,13 +35,7 @@ fromwire_avc(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_avc);
 
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	return (generic_fromwire_txt(rdclass, type, source, dctx, options,
-				     target));
+	return (generic_fromwire_txt(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -82,29 +67,29 @@ fromstruct_avc(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_avc);
 
-	return (generic_fromstruct_txt(rdclass, type, source, target));
+	return (generic_fromstruct_txt(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_avc(ARGS_TOSTRUCT) {
-	dns_rdata_avc_t *avc = target;
+	dns_rdata_avc_t *avc;
 
+	REQUIRE(((dns_rdata_avc_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_avc);
-	REQUIRE(avc != NULL);
+
+	avc = target;
 
 	avc->common.rdclass = rdata->rdclass;
 	avc->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&avc->common, link);
 
-	return (generic_tostruct_txt(rdata, target, mctx));
+	return (generic_tostruct_txt(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_avc(ARGS_FREESTRUCT) {
-	dns_rdata_avc_t *avc = source;
-
-	REQUIRE(avc != NULL);
-	REQUIRE(avc->common.rdtype == dns_rdatatype_avc);
+	REQUIRE(((dns_rdata_avc_t *)source) != NULL);
+	REQUIRE(((dns_rdata_avc_t *)source)->common.rdtype == dns_rdatatype_avc);
 
 	generic_freestruct_txt(source);
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/avc_258.h b/bind/bind9/lib/dns/rdata/generic/avc_258.h
index 88abaddd..b6f63782 100644
--- a/bind/bind9/lib/dns/rdata/generic/avc_258.h
+++ b/bind/bind9/lib/dns/rdata/generic/avc_258.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/caa_257.c b/bind/bind9/lib/dns/rdata/generic/caa_257.c
index 8dd75c04..464e388d 100644
--- a/bind/bind9/lib/dns/rdata/generic/caa_257.c
+++ b/bind/bind9/lib/dns/rdata/generic/caa_257.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -191,16 +191,19 @@ compare_caa(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_caa(ARGS_FROMSTRUCT) {
-	dns_rdata_caa_t *caa = source;
+	dns_rdata_caa_t *caa;
 	isc_region_t region;
 	unsigned int i;
 
 	REQUIRE(type == dns_rdatatype_caa);
-	REQUIRE(caa != NULL);
-	REQUIRE(caa->common.rdtype == type);
-	REQUIRE(caa->common.rdclass == rdclass);
-	REQUIRE(caa->tag != NULL && caa->tag_len != 0);
-	REQUIRE(caa->value != NULL);
+	REQUIRE(((dns_rdata_caa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_caa_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_caa_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_caa_t *)source)->tag != NULL);
+	REQUIRE(((dns_rdata_caa_t *)source)->tag_len != 0);
+	REQUIRE(((dns_rdata_caa_t *)source)->value != NULL);
+
+	caa = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -235,14 +238,16 @@ fromstruct_caa(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_caa(ARGS_TOSTRUCT) {
-	dns_rdata_caa_t *caa = target;
+	dns_rdata_caa_t *caa;
 	isc_region_t sr;
 
+	REQUIRE(((dns_rdata_caa_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_caa);
-	REQUIRE(caa != NULL);
 	REQUIRE(rdata->length >= 3U);
 	REQUIRE(rdata->data != NULL);
 
+	caa = target;
+
 	caa->common.rdclass = rdata->rdclass;
 	caa->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&caa->common, link);
@@ -289,10 +294,13 @@ tostruct_caa(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_caa(ARGS_FREESTRUCT) {
-	dns_rdata_caa_t *caa = (dns_rdata_caa_t *) source;
+	dns_rdata_caa_t *caa;
+
+	REQUIRE(((dns_rdata_caa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_caa_t *)source)->common.rdtype ==
+		dns_rdatatype_caa);
 
-	REQUIRE(caa != NULL);
-	REQUIRE(caa->common.rdtype == dns_rdatatype_caa);
+	caa = source;
 
 	if (caa->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/caa_257.h b/bind/bind9/lib/dns/rdata/generic/caa_257.h
index c16e427d..8af6c17b 100644
--- a/bind/bind9/lib/dns/rdata/generic/caa_257.h
+++ b/bind/bind9/lib/dns/rdata/generic/caa_257.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/cdnskey_60.c b/bind/bind9/lib/dns/rdata/generic/cdnskey_60.c
index afcdbc22..5d2f54b3 100644
--- a/bind/bind9/lib/dns/rdata/generic/cdnskey_60.c
+++ b/bind/bind9/lib/dns/rdata/generic/cdnskey_60.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -23,8 +23,7 @@ fromtext_cdnskey(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_cdnskey);
 
-	return (generic_fromtext_key(rdclass, type, lexer, origin,
-				     options, target, callbacks));
+	return (generic_fromtext_key(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
@@ -33,7 +32,7 @@ totext_cdnskey(ARGS_TOTEXT) {
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
 
-	return (generic_totext_key(rdata, tctx, target));
+	return (generic_totext_key(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -41,8 +40,7 @@ fromwire_cdnskey(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_cdnskey);
 
-	return (generic_fromwire_key(rdclass, type, source, dctx,
-				     options, target));
+	return (generic_fromwire_key(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -81,30 +79,31 @@ fromstruct_cdnskey(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_cdnskey);
 
-	return (generic_fromstruct_key(rdclass, type, source, target));
+	return (generic_fromstruct_key(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_cdnskey(ARGS_TOSTRUCT) {
-	dns_rdata_cdnskey_t *dnskey = target;
+	dns_rdata_cdnskey_t *dnskey;
 
-	REQUIRE(dnskey != NULL);
+	REQUIRE(((dns_rdata_cdnskey_t *)target) != NULL);
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
 
+	dnskey = target;
+
 	dnskey->common.rdclass = rdata->rdclass;
 	dnskey->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&dnskey->common, link);
 
-	return (generic_tostruct_key(rdata, target, mctx));
+	return (generic_tostruct_key(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_cdnskey(ARGS_FREESTRUCT) {
-	dns_rdata_cdnskey_t *dnskey = (dns_rdata_cdnskey_t *) source;
-
-	REQUIRE(dnskey != NULL);
-	REQUIRE(dnskey->common.rdtype == dns_rdatatype_cdnskey);
+	REQUIRE(((dns_rdata_cdnskey_t *)source) != NULL);
+	REQUIRE(((dns_rdata_cdnskey_t *)source)->common.rdtype ==
+		dns_rdatatype_cdnskey);
 
 	generic_freestruct_key(source);
 }
@@ -162,7 +161,7 @@ static inline int
 casecompare_cdnskey(ARGS_COMPARE) {
 
 	/*
-	 * Treat ALG 253 (private DNS) subtype name case sensistively.
+	 * Treat ALG 253 (private DNS) subtype name case sensitively.
 	 */
 	return (compare_cdnskey(rdata1, rdata2));
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/cdnskey_60.h b/bind/bind9/lib/dns/rdata/generic/cdnskey_60.h
index 541a4c2e..84a6c973 100644
--- a/bind/bind9/lib/dns/rdata/generic/cdnskey_60.h
+++ b/bind/bind9/lib/dns/rdata/generic/cdnskey_60.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/cds_59.c b/bind/bind9/lib/dns/rdata/generic/cds_59.c
index f4f9a944..582a255b 100644
--- a/bind/bind9/lib/dns/rdata/generic/cds_59.c
+++ b/bind/bind9/lib/dns/rdata/generic/cds_59.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -28,16 +28,15 @@ fromtext_cds(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_cds);
 
-	return (generic_fromtext_ds(rdclass, type, lexer, origin, options,
-				    target, callbacks));
+	return (generic_fromtext_ds(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
 totext_cds(ARGS_TOTEXT) {
-
+	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_cds);
 
-	return (generic_totext_ds(rdata, tctx, target));
+	return (generic_totext_ds(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -45,8 +44,7 @@ fromwire_cds(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_cds);
 
-	return (generic_fromwire_ds(rdclass, type, source, dctx, options,
-				    target));
+	return (generic_fromwire_ds(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -83,17 +81,19 @@ fromstruct_cds(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_cds);
 
-	return (generic_fromstruct_ds(rdclass, type, source, target));
+	return (generic_fromstruct_ds(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_cds(ARGS_TOSTRUCT) {
-	dns_rdata_cds_t *cds = target;
+	dns_rdata_cds_t *cds;
 
+	REQUIRE(((dns_rdata_cds_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_cds);
-	REQUIRE(cds != NULL);
 	REQUIRE(rdata->length != 0);
 
+	cds = target;
+
 	/*
 	 * Checked by generic_tostruct_ds().
 	 */
@@ -101,15 +101,18 @@ tostruct_cds(ARGS_TOSTRUCT) {
 	cds->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&cds->common, link);
 
-	return (generic_tostruct_ds(rdata, target, mctx));
+	return (generic_tostruct_ds(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_cds(ARGS_FREESTRUCT) {
-	dns_rdata_cds_t *cds = source;
+	dns_rdata_cds_t *cds;
+
+	REQUIRE(((dns_rdata_cds_t *)source) != NULL);
+	REQUIRE(((dns_rdata_cds_t *)source)->common.rdtype ==
+		dns_rdatatype_cds);
 
-	REQUIRE(cds != NULL);
-	REQUIRE(cds->common.rdtype == dns_rdatatype_cds);
+	cds = source;
 
 	if (cds->mctx == NULL) {
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/cds_59.h b/bind/bind9/lib/dns/rdata/generic/cds_59.h
index 0797bca0..a248266c 100644
--- a/bind/bind9/lib/dns/rdata/generic/cds_59.h
+++ b/bind/bind9/lib/dns/rdata/generic/cds_59.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/cert_37.c b/bind/bind9/lib/dns/rdata/generic/cert_37.c
index 4b29cabd..7b0a6aaa 100644
--- a/bind/bind9/lib/dns/rdata/generic/cert_37.c
+++ b/bind/bind9/lib/dns/rdata/generic/cert_37.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -121,8 +121,9 @@ fromwire_cert(ARGS_FROMWIRE) {
 	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 5)
+	if (sr.length < 6) {
 		return (ISC_R_UNEXPECTEDEND);
+	}
 
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
@@ -159,12 +160,14 @@ compare_cert(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_cert(ARGS_FROMSTRUCT) {
-	dns_rdata_cert_t *cert = source;
+	dns_rdata_cert_t *cert;
 
 	REQUIRE(type == dns_rdatatype_cert);
-	REQUIRE(cert != NULL);
-	REQUIRE(cert->common.rdtype == type);
-	REQUIRE(cert->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_cert_t *)source) != NULL);
+	REQUIRE(((dns_rdata_cert_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_cert_t *)source)->common.rdclass == rdclass);
+
+	cert = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -178,13 +181,15 @@ fromstruct_cert(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_cert(ARGS_TOSTRUCT) {
-	dns_rdata_cert_t *cert = target;
+	dns_rdata_cert_t *cert;
 	isc_region_t region;
 
+	REQUIRE(((dns_rdata_cert_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_cert);
-	REQUIRE(cert != NULL);
 	REQUIRE(rdata->length != 0);
 
+	cert = target;
+
 	cert->common.rdclass = rdata->rdclass;
 	cert->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&cert->common, link);
@@ -209,10 +214,13 @@ tostruct_cert(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_cert(ARGS_FREESTRUCT) {
-	dns_rdata_cert_t *cert = source;
+	dns_rdata_cert_t *cert;
+
+	REQUIRE(((dns_rdata_cert_t *)source) != NULL);
+	REQUIRE(((dns_rdata_cert_t *)source)->common.rdtype ==
+		dns_rdatatype_cert);
 
-	REQUIRE(cert != NULL);
-	REQUIRE(cert->common.rdtype == dns_rdatatype_cert);
+	cert = source;
 
 	if (cert->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/cert_37.h b/bind/bind9/lib/dns/rdata/generic/cert_37.h
index db760e1e..39c29ab2 100644
--- a/bind/bind9/lib/dns/rdata/generic/cert_37.h
+++ b/bind/bind9/lib/dns/rdata/generic/cert_37.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/cname_5.c b/bind/bind9/lib/dns/rdata/generic/cname_5.c
index 1c40bcd6..591bbbcf 100644
--- a/bind/bind9/lib/dns/rdata/generic/cname_5.c
+++ b/bind/bind9/lib/dns/rdata/generic/cname_5.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -119,13 +119,15 @@ compare_cname(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_cname(ARGS_FROMSTRUCT) {
-	dns_rdata_cname_t *cname = source;
+	dns_rdata_cname_t *cname;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_cname);
-	REQUIRE(cname != NULL);
-	REQUIRE(cname->common.rdtype == type);
-	REQUIRE(cname->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_cname_t *)source) != NULL);
+	REQUIRE(((dns_rdata_cname_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_cname_t *)source)->common.rdclass == rdclass);
+
+	cname = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -137,13 +139,15 @@ fromstruct_cname(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_cname(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_cname_t *cname = target;
+	dns_rdata_cname_t *cname;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_cname_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_cname);
-	REQUIRE(cname != NULL);
 	REQUIRE(rdata->length != 0);
 
+	cname = target;
+
 	cname->common.rdclass = rdata->rdclass;
 	cname->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&cname->common, link);
@@ -159,9 +163,11 @@ tostruct_cname(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_cname(ARGS_FREESTRUCT) {
-	dns_rdata_cname_t *cname = source;
+	dns_rdata_cname_t *cname;
+
+	REQUIRE(((dns_rdata_cname_t *)source) != NULL);
 
-	REQUIRE(cname != NULL);
+	cname = source;
 
 	if (cname->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/cname_5.h b/bind/bind9/lib/dns/rdata/generic/cname_5.h
index 6a5b6451..d3c2a3fc 100644
--- a/bind/bind9/lib/dns/rdata/generic/cname_5.h
+++ b/bind/bind9/lib/dns/rdata/generic/cname_5.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/csync_62.c b/bind/bind9/lib/dns/rdata/generic/csync_62.c
index 481916d3..621cb08e 100644
--- a/bind/bind9/lib/dns/rdata/generic/csync_62.c
+++ b/bind/bind9/lib/dns/rdata/generic/csync_62.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -136,14 +136,17 @@ compare_csync(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_csync(ARGS_FROMSTRUCT) {
-	dns_rdata_csync_t *csync = source;
+	dns_rdata_csync_t *csync;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_csync);
-	REQUIRE(csync != NULL);
-	REQUIRE(csync->common.rdtype == type);
-	REQUIRE(csync->common.rdclass == rdclass);
-	REQUIRE(csync->typebits != NULL || csync->len == 0);
+	REQUIRE(((dns_rdata_csync_t *)source) != NULL);
+	REQUIRE(((dns_rdata_csync_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_csync_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_csync_t *)source)->typebits != NULL ||
+		((dns_rdata_csync_t *)source)->len == 0);
+
+	csync = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -160,12 +163,14 @@ fromstruct_csync(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_csync(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_csync_t *csync = target;
+	dns_rdata_csync_t *csync;
 
+	REQUIRE(((dns_rdata_csync_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_csync);
-	REQUIRE(csync != NULL);
 	REQUIRE(rdata->length != 0);
 
+	csync = target;
+
 	csync->common.rdclass = rdata->rdclass;
 	csync->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&csync->common, link);
@@ -192,10 +197,13 @@ tostruct_csync(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_csync(ARGS_FREESTRUCT) {
-	dns_rdata_csync_t *csync = source;
+	dns_rdata_csync_t *csync;
+
+	REQUIRE(((dns_rdata_csync_t *)source) != NULL);
+	REQUIRE(((dns_rdata_csync_t *)source)->common.rdtype ==
+		dns_rdatatype_csync);
 
-	REQUIRE(csync != NULL);
-	REQUIRE(csync->common.rdtype == dns_rdatatype_csync);
+	csync = source;
 
 	if (csync->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/csync_62.h b/bind/bind9/lib/dns/rdata/generic/csync_62.h
index a1f63d54..08f378ea 100644
--- a/bind/bind9/lib/dns/rdata/generic/csync_62.h
+++ b/bind/bind9/lib/dns/rdata/generic/csync_62.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/dlv_32769.c b/bind/bind9/lib/dns/rdata/generic/dlv_32769.c
index 89a46d98..3e5c8ba9 100644
--- a/bind/bind9/lib/dns/rdata/generic/dlv_32769.c
+++ b/bind/bind9/lib/dns/rdata/generic/dlv_32769.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -29,16 +29,15 @@ fromtext_dlv(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_dlv);
 
-	return (generic_fromtext_ds(rdclass, type, lexer, origin, options,
-				    target, callbacks));
+	return (generic_fromtext_ds(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
 totext_dlv(ARGS_TOTEXT) {
-
+	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_dlv);
 
-	return (generic_totext_ds(rdata, tctx, target));
+	return (generic_totext_ds(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -46,8 +45,7 @@ fromwire_dlv(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_dlv);
 
-	return (generic_fromwire_ds(rdclass, type, source, dctx, options,
-				    target));
+	return (generic_fromwire_ds(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -84,29 +82,34 @@ fromstruct_dlv(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_dlv);
 
-	return (generic_fromstruct_ds(rdclass, type, source, target));
+	return (generic_fromstruct_ds(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_dlv(ARGS_TOSTRUCT) {
-	dns_rdata_dlv_t *dlv = target;
+	dns_rdata_dlv_t *dlv;
 
+	REQUIRE(((dns_rdata_dlv_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_dlv);
-	REQUIRE(dlv != NULL);
+
+	dlv = target;
 
 	dlv->common.rdclass = rdata->rdclass;
 	dlv->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&dlv->common, link);
 
-	return (generic_tostruct_ds(rdata, target, mctx));
+	return (generic_tostruct_ds(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_dlv(ARGS_FREESTRUCT) {
-	dns_rdata_dlv_t *dlv = source;
+	dns_rdata_dlv_t *dlv;
+
+	REQUIRE(((dns_rdata_dlv_t *)source) != NULL);
+	REQUIRE(((dns_rdata_dlv_t *)source)->common.rdtype ==
+		dns_rdatatype_dlv);
 
-	REQUIRE(dlv != NULL);
-	REQUIRE(dlv->common.rdtype == dns_rdatatype_dlv);
+	dlv = source;
 
 	if (dlv->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/dlv_32769.h b/bind/bind9/lib/dns/rdata/generic/dlv_32769.h
index b94df712..c0b88f37 100644
--- a/bind/bind9/lib/dns/rdata/generic/dlv_32769.h
+++ b/bind/bind9/lib/dns/rdata/generic/dlv_32769.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/dname_39.c b/bind/bind9/lib/dns/rdata/generic/dname_39.c
index cebd8c7e..a43dfa8b 100644
--- a/bind/bind9/lib/dns/rdata/generic/dname_39.c
+++ b/bind/bind9/lib/dns/rdata/generic/dname_39.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -119,13 +119,15 @@ compare_dname(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_dname(ARGS_FROMSTRUCT) {
-	dns_rdata_dname_t *dname = source;
+	dns_rdata_dname_t *dname;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_dname);
-	REQUIRE(dname != NULL);
-	REQUIRE(dname->common.rdtype == type);
-	REQUIRE(dname->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_dname_t *)source) != NULL);
+	REQUIRE(((dns_rdata_dname_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_dname_t *)source)->common.rdclass == rdclass);
+
+	dname = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -137,13 +139,15 @@ fromstruct_dname(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_dname(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_dname_t *dname = target;
+	dns_rdata_dname_t *dname;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_dname_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_dname);
-	REQUIRE(dname != NULL);
 	REQUIRE(rdata->length != 0);
 
+	dname = target;
+
 	dname->common.rdclass = rdata->rdclass;
 	dname->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&dname->common, link);
@@ -159,10 +163,13 @@ tostruct_dname(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_dname(ARGS_FREESTRUCT) {
-	dns_rdata_dname_t *dname = source;
+	dns_rdata_dname_t *dname;
+
+	REQUIRE(((dns_rdata_dname_t *)source) != NULL);
+	REQUIRE(((dns_rdata_dname_t *)source)->common.rdtype ==
+		dns_rdatatype_dname);
 
-	REQUIRE(dname != NULL);
-	REQUIRE(dname->common.rdtype == dns_rdatatype_dname);
+	dname = source;
 
 	if (dname->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/dname_39.h b/bind/bind9/lib/dns/rdata/generic/dname_39.h
index 12b02e25..2e7dbc17 100644
--- a/bind/bind9/lib/dns/rdata/generic/dname_39.h
+++ b/bind/bind9/lib/dns/rdata/generic/dname_39.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/dnskey_48.c b/bind/bind9/lib/dns/rdata/generic/dnskey_48.c
index f20a8f61..3ba3e1ec 100644
--- a/bind/bind9/lib/dns/rdata/generic/dnskey_48.c
+++ b/bind/bind9/lib/dns/rdata/generic/dnskey_48.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -23,8 +23,7 @@ fromtext_dnskey(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_dnskey);
 
-	return (generic_fromtext_key(rdclass, type, lexer, origin,
-				     options, target, callbacks));
+	return (generic_fromtext_key(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
@@ -33,7 +32,7 @@ totext_dnskey(ARGS_TOTEXT) {
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_dnskey);
 
-	return (generic_totext_key(rdata, tctx, target));
+	return (generic_totext_key(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -41,8 +40,7 @@ fromwire_dnskey(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_dnskey);
 
-	return (generic_fromwire_key(rdclass, type, source, dctx,
-				     options, target));
+	return (generic_fromwire_key(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -82,30 +80,31 @@ fromstruct_dnskey(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_dnskey);
 
-	return (generic_fromstruct_key(rdclass, type, source, target));
+	return (generic_fromstruct_key(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_dnskey(ARGS_TOSTRUCT) {
-	dns_rdata_dnskey_t *dnskey = target;
+	dns_rdata_dnskey_t *dnskey;
 
-	REQUIRE(dnskey != NULL);
+	REQUIRE(((dns_rdata_dnskey_t *)target) != NULL);
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_dnskey);
 
+	dnskey = target;
+
 	dnskey->common.rdclass = rdata->rdclass;
 	dnskey->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&dnskey->common, link);
 
-	return (generic_tostruct_key(rdata, target, mctx));
+	return (generic_tostruct_key(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_dnskey(ARGS_FREESTRUCT) {
-	dns_rdata_dnskey_t *dnskey = (dns_rdata_dnskey_t *) source;
-
-	REQUIRE(dnskey != NULL);
-	REQUIRE(dnskey->common.rdtype == dns_rdatatype_dnskey);
+	REQUIRE(((dns_rdata_dnskey_t *)source) != NULL);
+	REQUIRE(((dns_rdata_dnskey_t *)source)->common.rdtype ==
+		dns_rdatatype_dnskey);
 
 	generic_freestruct_key(source);
 }
@@ -164,7 +163,7 @@ static inline int
 casecompare_dnskey(ARGS_COMPARE) {
 
 	/*
-	 * Treat ALG 253 (private DNS) subtype name case sensistively.
+	 * Treat ALG 253 (private DNS) subtype name case sensitively.
 	 */
 	return (compare_dnskey(rdata1, rdata2));
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/dnskey_48.h b/bind/bind9/lib/dns/rdata/generic/dnskey_48.h
index ac4a6dea..a57c9f6f 100644
--- a/bind/bind9/lib/dns/rdata/generic/dnskey_48.h
+++ b/bind/bind9/lib/dns/rdata/generic/dnskey_48.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/doa_259.c b/bind/bind9/lib/dns/rdata/generic/doa_259.c
index 8597e5a5..33585b46 100644
--- a/bind/bind9/lib/dns/rdata/generic/doa_259.c
+++ b/bind/bind9/lib/dns/rdata/generic/doa_259.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -188,12 +188,15 @@ compare_doa(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_doa(ARGS_FROMSTRUCT) {
-	dns_rdata_doa_t *doa = source;
+	dns_rdata_doa_t *doa;
 
 	REQUIRE(type == dns_rdatatype_doa);
-	REQUIRE(doa != NULL);
-	REQUIRE(doa->common.rdtype == dns_rdatatype_doa);
-	REQUIRE(doa->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_doa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_doa_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_doa_t *)source)->common.rdtype ==
+		dns_rdatatype_doa);
+
+	doa = source;
 
 	RETERR(uint32_tobuffer(doa->enterprise, target));
 	RETERR(uint32_tobuffer(doa->type, target));
@@ -205,14 +208,16 @@ fromstruct_doa(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_doa(ARGS_TOSTRUCT) {
-	dns_rdata_doa_t *doa = target;
+	dns_rdata_doa_t *doa;
 	isc_region_t region;
 
+	REQUIRE(((dns_rdata_doa_t *)target) != NULL);
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_doa);
-	REQUIRE(doa != NULL);
 	REQUIRE(rdata->length != 0);
 
+	doa = target;
+
 	doa->common.rdclass = rdata->rdclass;
 	doa->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&doa->common, link);
@@ -287,10 +292,13 @@ cleanup:
 
 static inline void
 freestruct_doa(ARGS_FREESTRUCT) {
-	dns_rdata_doa_t *doa = source;
+	dns_rdata_doa_t *doa;
+
+	REQUIRE(((dns_rdata_doa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_doa_t *)source)->common.rdtype ==
+		dns_rdatatype_doa);
 
-	REQUIRE(doa != NULL);
-	REQUIRE(doa->common.rdtype == dns_rdatatype_doa);
+	doa = source;
 
 	if (doa->mctx == NULL) {
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/doa_259.h b/bind/bind9/lib/dns/rdata/generic/doa_259.h
index 5ac5fbbf..a4f99d12 100644
--- a/bind/bind9/lib/dns/rdata/generic/doa_259.h
+++ b/bind/bind9/lib/dns/rdata/generic/doa_259.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/ds_43.c b/bind/bind9/lib/dns/rdata/generic/ds_43.c
index 3e378041..abed138d 100644
--- a/bind/bind9/lib/dns/rdata/generic/ds_43.c
+++ b/bind/bind9/lib/dns/rdata/generic/ds_43.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -93,8 +93,7 @@ fromtext_ds(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_ds);
 
-	return (generic_fromtext_ds(rdclass, type, lexer, origin, options,
-				    target, callbacks));
+	return (generic_fromtext_ds(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
@@ -154,10 +153,10 @@ generic_totext_ds(ARGS_TOTEXT) {
 
 static inline isc_result_t
 totext_ds(ARGS_TOTEXT) {
-
+	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_ds);
 
-	return (generic_totext_ds(rdata, tctx, target));
+	return (generic_totext_ds(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -212,8 +211,7 @@ fromwire_ds(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_ds);
 
-	return (generic_fromwire_ds(rdclass, type, source, dctx, options,
-				    target));
+	return (generic_fromwire_ds(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -247,11 +245,13 @@ compare_ds(ARGS_COMPARE) {
 
 static inline isc_result_t
 generic_fromstruct_ds(ARGS_FROMSTRUCT) {
-	dns_rdata_ds_t *ds = source;
+	dns_rdata_ds_t *ds;
+
+	REQUIRE(((dns_rdata_ds_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ds_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_ds_t *)source)->common.rdclass == rdclass);
 
-	REQUIRE(ds != NULL);
-	REQUIRE(ds->common.rdtype == type);
-	REQUIRE(ds->common.rdclass == rdclass);
+	ds = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -285,19 +285,21 @@ fromstruct_ds(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_ds);
 
-	return (generic_fromstruct_ds(rdclass, type, source, target));
+	return (generic_fromstruct_ds(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 generic_tostruct_ds(ARGS_TOSTRUCT) {
-	dns_rdata_ds_t *ds = target;
+	dns_rdata_ds_t *ds;
 	isc_region_t region;
 
-	REQUIRE(ds != NULL);
 	REQUIRE(rdata->length != 0);
-	REQUIRE(ds->common.rdtype == rdata->type);
-	REQUIRE(ds->common.rdclass == rdata->rdclass);
-	REQUIRE(!ISC_LINK_LINKED(&ds->common, link));
+	REQUIRE(((dns_rdata_ds_t *)target) != NULL);
+	REQUIRE(((dns_rdata_ds_t *)target)->common.rdtype == rdata->type);
+	REQUIRE(((dns_rdata_ds_t *)target)->common.rdclass == rdata->rdclass);
+	REQUIRE(!ISC_LINK_LINKED(&((dns_rdata_ds_t *)target)->common, link));
+
+	ds = target;
 
 	dns_rdata_toregion(rdata, &region);
 
@@ -319,24 +321,28 @@ generic_tostruct_ds(ARGS_TOSTRUCT) {
 
 static inline isc_result_t
 tostruct_ds(ARGS_TOSTRUCT) {
-	dns_rdata_ds_t *ds = target;
+	dns_rdata_ds_t *ds;
 
+	REQUIRE(((dns_rdata_ds_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_ds);
-	REQUIRE(ds != NULL);
+
+	ds = target;
 
 	ds->common.rdclass = rdata->rdclass;
 	ds->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&ds->common, link);
 
-	return (generic_tostruct_ds(rdata, target, mctx));
+	return (generic_tostruct_ds(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_ds(ARGS_FREESTRUCT) {
-	dns_rdata_ds_t *ds = source;
+	dns_rdata_ds_t *ds;
+
+	REQUIRE(((dns_rdata_ds_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ds_t *)source)->common.rdtype == dns_rdatatype_ds);
 
-	REQUIRE(ds != NULL);
-	REQUIRE(ds->common.rdtype == dns_rdatatype_ds);
+	ds = source;
 
 	if (ds->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/ds_43.h b/bind/bind9/lib/dns/rdata/generic/ds_43.h
index 9d477388..a9c2706d 100644
--- a/bind/bind9/lib/dns/rdata/generic/ds_43.h
+++ b/bind/bind9/lib/dns/rdata/generic/ds_43.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/eui48_108.c b/bind/bind9/lib/dns/rdata/generic/eui48_108.c
index 7a65eb42..8b4eb966 100644
--- a/bind/bind9/lib/dns/rdata/generic/eui48_108.c
+++ b/bind/bind9/lib/dns/rdata/generic/eui48_108.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -110,12 +110,14 @@ compare_eui48(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_eui48(ARGS_FROMSTRUCT) {
-	dns_rdata_eui48_t *eui48 = source;
+	dns_rdata_eui48_t *eui48;
 
 	REQUIRE(type == dns_rdatatype_eui48);
-	REQUIRE(eui48 != NULL);
-	REQUIRE(eui48->common.rdtype == type);
-	REQUIRE(eui48->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_eui48_t *)source) != NULL);
+	REQUIRE(((dns_rdata_eui48_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_eui48_t *)source)->common.rdclass == rdclass);
+
+	eui48 = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -125,12 +127,14 @@ fromstruct_eui48(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_eui48(ARGS_TOSTRUCT) {
-	dns_rdata_eui48_t *eui48 = target;
+	dns_rdata_eui48_t *eui48;
 
+	REQUIRE(((dns_rdata_eui48_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_eui48);
-	REQUIRE(eui48 != NULL);
 	REQUIRE(rdata->length == 6);
 
+	eui48 = target;
+
 	UNUSED(mctx);
 
 	eui48->common.rdclass = rdata->rdclass;
@@ -143,10 +147,9 @@ tostruct_eui48(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_eui48(ARGS_FREESTRUCT) {
-	dns_rdata_eui48_t *eui48 = source;
-
-	REQUIRE(eui48 != NULL);
-	REQUIRE(eui48->common.rdtype == dns_rdatatype_eui48);
+	REQUIRE(((dns_rdata_eui48_t *)source) != NULL);
+	REQUIRE(((dns_rdata_eui48_t *)source)->common.rdtype ==
+		dns_rdatatype_eui48);
 
 	return;
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/eui48_108.h b/bind/bind9/lib/dns/rdata/generic/eui48_108.h
index 1bb168ab..9da5c89c 100644
--- a/bind/bind9/lib/dns/rdata/generic/eui48_108.h
+++ b/bind/bind9/lib/dns/rdata/generic/eui48_108.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/eui64_109.c b/bind/bind9/lib/dns/rdata/generic/eui64_109.c
index 941f3c37..77953d1d 100644
--- a/bind/bind9/lib/dns/rdata/generic/eui64_109.c
+++ b/bind/bind9/lib/dns/rdata/generic/eui64_109.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -115,12 +115,14 @@ compare_eui64(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_eui64(ARGS_FROMSTRUCT) {
-	dns_rdata_eui64_t *eui64 = source;
+	dns_rdata_eui64_t *eui64;
 
 	REQUIRE(type == dns_rdatatype_eui64);
-	REQUIRE(eui64 != NULL);
-	REQUIRE(eui64->common.rdtype == type);
-	REQUIRE(eui64->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_eui64_t *)source) != NULL);
+	REQUIRE(((dns_rdata_eui64_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_eui64_t *)source)->common.rdclass == rdclass);
+
+	eui64 = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -130,12 +132,14 @@ fromstruct_eui64(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_eui64(ARGS_TOSTRUCT) {
-	dns_rdata_eui64_t *eui64 = target;
+	dns_rdata_eui64_t *eui64;
 
+	REQUIRE(((dns_rdata_eui64_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_eui64);
-	REQUIRE(eui64 != NULL);
 	REQUIRE(rdata->length == 8);
 
+	eui64 = target;
+
 	UNUSED(mctx);
 
 	eui64->common.rdclass = rdata->rdclass;
@@ -148,10 +152,9 @@ tostruct_eui64(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_eui64(ARGS_FREESTRUCT) {
-	dns_rdata_eui64_t *eui64 = source;
-
-	REQUIRE(eui64 != NULL);
-	REQUIRE(eui64->common.rdtype == dns_rdatatype_eui64);
+	REQUIRE(((dns_rdata_eui64_t *)source) != NULL);
+	REQUIRE(((dns_rdata_eui64_t *)source)->common.rdtype ==
+		dns_rdatatype_eui64);
 
 	return;
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/eui64_109.h b/bind/bind9/lib/dns/rdata/generic/eui64_109.h
index 638c72e5..8c93137a 100644
--- a/bind/bind9/lib/dns/rdata/generic/eui64_109.h
+++ b/bind/bind9/lib/dns/rdata/generic/eui64_109.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/gpos_27.c b/bind/bind9/lib/dns/rdata/generic/gpos_27.c
index ead5ca03..a54b8ee0 100644
--- a/bind/bind9/lib/dns/rdata/generic/gpos_27.c
+++ b/bind/bind9/lib/dns/rdata/generic/gpos_27.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -104,12 +104,14 @@ compare_gpos(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_gpos(ARGS_FROMSTRUCT) {
-	dns_rdata_gpos_t *gpos = source;
+	dns_rdata_gpos_t *gpos;
 
 	REQUIRE(type == dns_rdatatype_gpos);
-	REQUIRE(gpos != NULL);
-	REQUIRE(gpos->common.rdtype == type);
-	REQUIRE(gpos->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_gpos_t *)source) != NULL);
+	REQUIRE(((dns_rdata_gpos_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_gpos_t *)source)->common.rdclass == rdclass);
+
+	gpos = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -124,13 +126,15 @@ fromstruct_gpos(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_gpos(ARGS_TOSTRUCT) {
-	dns_rdata_gpos_t *gpos = target;
+	dns_rdata_gpos_t *gpos;
 	isc_region_t region;
 
+	REQUIRE(((dns_rdata_gpos_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_gpos);
-	REQUIRE(gpos != NULL);
 	REQUIRE(rdata->length != 0);
 
+	gpos = target;
+
 	gpos->common.rdclass = rdata->rdclass;
 	gpos->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&gpos->common, link);
@@ -175,10 +179,13 @@ tostruct_gpos(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_gpos(ARGS_FREESTRUCT) {
-	dns_rdata_gpos_t *gpos = source;
+	dns_rdata_gpos_t *gpos;
+
+	REQUIRE(((dns_rdata_gpos_t *)source) != NULL);
+	REQUIRE(((dns_rdata_gpos_t *)source)->common.rdtype ==
+		dns_rdatatype_gpos);
 
-	REQUIRE(gpos != NULL);
-	REQUIRE(gpos->common.rdtype == dns_rdatatype_gpos);
+	gpos = source;
 
 	if (gpos->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/gpos_27.h b/bind/bind9/lib/dns/rdata/generic/gpos_27.h
index fac72cd8..45ceaf80 100644
--- a/bind/bind9/lib/dns/rdata/generic/gpos_27.h
+++ b/bind/bind9/lib/dns/rdata/generic/gpos_27.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/hinfo_13.c b/bind/bind9/lib/dns/rdata/generic/hinfo_13.c
index 0d43a19f..ce1c3c42 100644
--- a/bind/bind9/lib/dns/rdata/generic/hinfo_13.c
+++ b/bind/bind9/lib/dns/rdata/generic/hinfo_13.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -94,12 +94,14 @@ compare_hinfo(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_hinfo(ARGS_FROMSTRUCT) {
-	dns_rdata_hinfo_t *hinfo = source;
+	dns_rdata_hinfo_t *hinfo;
 
 	REQUIRE(type == dns_rdatatype_hinfo);
-	REQUIRE(hinfo != NULL);
-	REQUIRE(hinfo->common.rdtype == type);
-	REQUIRE(hinfo->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_hinfo_t *)source) != NULL);
+	REQUIRE(((dns_rdata_hinfo_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_hinfo_t *)source)->common.rdclass == rdclass);
+
+	hinfo = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -112,13 +114,15 @@ fromstruct_hinfo(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_hinfo(ARGS_TOSTRUCT) {
-	dns_rdata_hinfo_t *hinfo = target;
+	dns_rdata_hinfo_t *hinfo;
 	isc_region_t region;
 
+	REQUIRE(((dns_rdata_hinfo_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_hinfo);
-	REQUIRE(hinfo != NULL);
 	REQUIRE(rdata->length != 0);
 
+	hinfo = target;
+
 	hinfo->common.rdclass = rdata->rdclass;
 	hinfo->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&hinfo->common, link);
@@ -148,9 +152,11 @@ tostruct_hinfo(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_hinfo(ARGS_FREESTRUCT) {
-	dns_rdata_hinfo_t *hinfo = source;
+	dns_rdata_hinfo_t *hinfo;
+
+	REQUIRE(((dns_rdata_hinfo_t *)source) != NULL);
 
-	REQUIRE(hinfo != NULL);
+	hinfo = source;
 
 	if (hinfo->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/hinfo_13.h b/bind/bind9/lib/dns/rdata/generic/hinfo_13.h
index 323be22c..8583c75a 100644
--- a/bind/bind9/lib/dns/rdata/generic/hinfo_13.h
+++ b/bind/bind9/lib/dns/rdata/generic/hinfo_13.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/hip_55.c b/bind/bind9/lib/dns/rdata/generic/hip_55.c
index 7c8f31b1..7228097a 100644
--- a/bind/bind9/lib/dns/rdata/generic/hip_55.c
+++ b/bind/bind9/lib/dns/rdata/generic/hip_55.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -160,7 +160,9 @@ totext_hip(ARGS_TOTEXT) {
 	region.length = key_len;
 	RETERR(isc_base64_totext(&region, 1, "", target));
 	region.length = length - key_len;
-	RETERR(str_totext(tctx->linebreak, target));
+	if (region.length > 0) {
+		RETERR(str_totext(tctx->linebreak, target));
+	}
 
 	/*
 	 * Rendezvous Servers.
@@ -249,18 +251,24 @@ compare_hip(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_hip(ARGS_FROMSTRUCT) {
-	dns_rdata_hip_t *hip = source;
+	dns_rdata_hip_t *hip;
 	dns_rdata_hip_t myhip;
 	isc_result_t result;
 
 	REQUIRE(type == dns_rdatatype_hip);
-	REQUIRE(hip != NULL);
-	REQUIRE(hip->common.rdtype == type);
-	REQUIRE(hip->common.rdclass == rdclass);
-	REQUIRE(hip->hit_len > 0 && hip->hit != NULL);
-	REQUIRE(hip->key_len > 0 && hip->key != NULL);
-	REQUIRE((hip->servers == NULL && hip->servers_len == 0) ||
-		 (hip->servers != NULL && hip->servers_len != 0));
+	REQUIRE(((dns_rdata_hip_t *)source) != NULL);
+	REQUIRE(((dns_rdata_hip_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_hip_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_hip_t *)source)->hit_len > 0);
+	REQUIRE(((dns_rdata_hip_t *)source)->hit != NULL);
+	REQUIRE(((dns_rdata_hip_t *)source)->key_len > 0);
+	REQUIRE(((dns_rdata_hip_t *)source)->key != NULL);
+	REQUIRE((((dns_rdata_hip_t *)source)->servers == NULL &&
+		 ((dns_rdata_hip_t *)source)->servers_len == 0) ||
+		(((dns_rdata_hip_t *)source)->servers != NULL &&
+		 ((dns_rdata_hip_t *)source)->servers_len != 0));
+
+	hip = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -283,12 +291,14 @@ fromstruct_hip(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_hip(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_hip_t *hip = target;
+	dns_rdata_hip_t *hip;
 
+	REQUIRE(((dns_rdata_hip_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_hip);
-	REQUIRE(hip != NULL);
 	REQUIRE(rdata->length != 0);
 
+	hip = target;
+
 	hip->common.rdclass = rdata->rdclass;
 	hip->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&hip->common, link);
@@ -342,9 +352,11 @@ tostruct_hip(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_hip(ARGS_FREESTRUCT) {
-	dns_rdata_hip_t *hip = source;
+	dns_rdata_hip_t *hip;
 
-	REQUIRE(hip != NULL);
+	REQUIRE(((dns_rdata_hip_t *)source) != NULL);
+
+	hip = source;
 
 	if (hip->mctx == NULL)
 		return;
@@ -424,7 +436,7 @@ dns_rdata_hip_next(dns_rdata_hip_t *hip) {
 	dns_name_fromregion(&name, &region);
 	hip->offset += name.length;
 	INSIST(hip->offset <= hip->servers_len);
-	return (ISC_R_SUCCESS);
+	return (hip->offset < hip->servers_len ? ISC_R_SUCCESS : ISC_R_NOMORE);
 }
 
 void
diff --git a/bind/bind9/lib/dns/rdata/generic/hip_55.h b/bind/bind9/lib/dns/rdata/generic/hip_55.h
index 12c195cb..7d88774f 100644
--- a/bind/bind9/lib/dns/rdata/generic/hip_55.h
+++ b/bind/bind9/lib/dns/rdata/generic/hip_55.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/ipseckey_45.c b/bind/bind9/lib/dns/rdata/generic/ipseckey_45.c
index 908f64f3..a02e48cb 100644
--- a/bind/bind9/lib/dns/rdata/generic/ipseckey_45.c
+++ b/bind/bind9/lib/dns/rdata/generic/ipseckey_45.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -164,12 +164,12 @@ totext_ipseckey(ARGS_TOTEXT) {
 		break;
 
 	case 1:
-		RETERR(inet_totext(AF_INET, &region, target));
+		RETERR(inet_totext(AF_INET, tctx->flags, &region, target));
 		isc_region_consume(&region, 4);
 		break;
 
 	case 2:
-		RETERR(inet_totext(AF_INET6, &region, target));
+		RETERR(inet_totext(AF_INET6, tctx->flags, &region, target));
 		isc_region_consume(&region, 16);
 		break;
 
@@ -217,18 +217,23 @@ fromwire_ipseckey(ARGS_FROMWIRE) {
 
 	switch (region.base[1]) {
 	case 0:
+		if (region.length < 4) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
 		isc_buffer_forward(source, region.length);
 		return (mem_tobuffer(target, region.base, region.length));
 
 	case 1:
-		if (region.length < 7)
+		if (region.length < 8) {
 			return (ISC_R_UNEXPECTEDEND);
+		}
 		isc_buffer_forward(source, region.length);
 		return (mem_tobuffer(target, region.base, region.length));
 
 	case 2:
-		if (region.length < 19)
+		if (region.length < 20) {
 			return (ISC_R_UNEXPECTEDEND);
+		}
 		isc_buffer_forward(source, region.length);
 		return (mem_tobuffer(target, region.base, region.length));
 
@@ -238,7 +243,10 @@ fromwire_ipseckey(ARGS_FROMWIRE) {
 		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 		isc_buffer_activeregion(source, &region);
 		isc_buffer_forward(source, region.length);
-		return(mem_tobuffer(target, region.base, region.length));
+		if (region.length < 1) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		return (mem_tobuffer(target, region.base, region.length));
 
 	default:
 		return (ISC_R_NOTIMPLEMENTED);
@@ -277,14 +285,16 @@ compare_ipseckey(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_ipseckey(ARGS_FROMSTRUCT) {
-	dns_rdata_ipseckey_t *ipseckey = source;
+	dns_rdata_ipseckey_t *ipseckey;
 	isc_region_t region;
 	uint32_t n;
 
 	REQUIRE(type == dns_rdatatype_ipseckey);
-	REQUIRE(ipseckey != NULL);
-	REQUIRE(ipseckey->common.rdtype == type);
-	REQUIRE(ipseckey->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_ipseckey_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ipseckey_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_ipseckey_t *)source)->common.rdclass == rdclass);
+
+	ipseckey = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -321,14 +331,16 @@ fromstruct_ipseckey(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_ipseckey(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_ipseckey_t *ipseckey = target;
+	dns_rdata_ipseckey_t *ipseckey;
 	dns_name_t name;
 	uint32_t n;
 
+	REQUIRE(((dns_rdata_ipseckey_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
-	REQUIRE(ipseckey != NULL);
 	REQUIRE(rdata->length >= 3);
 
+	ipseckey = target;
+
 	if (rdata->data[1] > 3U)
 		return (ISC_R_NOTIMPLEMENTED);
 
@@ -390,10 +402,13 @@ tostruct_ipseckey(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_ipseckey(ARGS_FREESTRUCT) {
-	dns_rdata_ipseckey_t *ipseckey = source;
+	dns_rdata_ipseckey_t *ipseckey;
+
+	REQUIRE(((dns_rdata_ipseckey_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ipseckey_t *)source)->common.rdtype ==
+		dns_rdatatype_ipseckey);
 
-	REQUIRE(ipseckey != NULL);
-	REQUIRE(ipseckey->common.rdtype == dns_rdatatype_ipseckey);
+	ipseckey = source;
 
 	if (ipseckey->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/ipseckey_45.h b/bind/bind9/lib/dns/rdata/generic/ipseckey_45.h
index e3f58048..642a7baa 100644
--- a/bind/bind9/lib/dns/rdata/generic/ipseckey_45.h
+++ b/bind/bind9/lib/dns/rdata/generic/ipseckey_45.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/isdn_20.c b/bind/bind9/lib/dns/rdata/generic/isdn_20.c
index 586142ec..894d3f12 100644
--- a/bind/bind9/lib/dns/rdata/generic/isdn_20.c
+++ b/bind/bind9/lib/dns/rdata/generic/isdn_20.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -105,12 +105,14 @@ compare_isdn(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_isdn(ARGS_FROMSTRUCT) {
-	dns_rdata_isdn_t *isdn = source;
+	dns_rdata_isdn_t *isdn;
 
 	REQUIRE(type == dns_rdatatype_isdn);
-	REQUIRE(isdn != NULL);
-	REQUIRE(isdn->common.rdtype == type);
-	REQUIRE(isdn->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_isdn_t *)source) != NULL);
+	REQUIRE(((dns_rdata_isdn_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_isdn_t *)source)->common.rdclass == rdclass);
+
+	isdn = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -125,13 +127,15 @@ fromstruct_isdn(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_isdn(ARGS_TOSTRUCT) {
-	dns_rdata_isdn_t *isdn = target;
+	dns_rdata_isdn_t *isdn;
 	isc_region_t r;
 
+	REQUIRE(((dns_rdata_isdn_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_isdn);
-	REQUIRE(isdn != NULL);
 	REQUIRE(rdata->length != 0);
 
+	isdn = target;
+
 	isdn->common.rdclass = rdata->rdclass;
 	isdn->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&isdn->common, link);
@@ -168,9 +172,11 @@ tostruct_isdn(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_isdn(ARGS_FREESTRUCT) {
-	dns_rdata_isdn_t *isdn = source;
+	dns_rdata_isdn_t *isdn;
+
+	REQUIRE(((dns_rdata_isdn_t *)source) != NULL);
 
-	REQUIRE(isdn != NULL);
+	isdn = source;
 
 	if (isdn->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/isdn_20.h b/bind/bind9/lib/dns/rdata/generic/isdn_20.h
index 48758bba..63aa87db 100644
--- a/bind/bind9/lib/dns/rdata/generic/isdn_20.h
+++ b/bind/bind9/lib/dns/rdata/generic/isdn_20.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/key_25.c b/bind/bind9/lib/dns/rdata/generic/key_25.c
index bd64c905..86000a15 100644
--- a/bind/bind9/lib/dns/rdata/generic/key_25.c
+++ b/bind/bind9/lib/dns/rdata/generic/key_25.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -250,8 +250,7 @@ fromtext_key(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_key);
 
-	return (generic_fromtext_key(rdclass, type, lexer, origin,
-				     options, target, callbacks));
+	return (generic_fromtext_key(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
@@ -260,7 +259,7 @@ totext_key(ARGS_TOTEXT) {
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_key);
 
-	return (generic_totext_key(rdata, tctx, target));
+	return (generic_totext_key(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -268,8 +267,7 @@ fromwire_key(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_key);
 
-	return (generic_fromwire_key(rdclass, type, source, dctx,
-				     options, target));
+	return (generic_fromwire_key(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -306,11 +304,13 @@ compare_key(ARGS_COMPARE) {
 
 static inline isc_result_t
 generic_fromstruct_key(ARGS_FROMSTRUCT) {
-	dns_rdata_key_t *key = source;
+	dns_rdata_key_t *key;
 
-	REQUIRE(key != NULL);
-	REQUIRE(key->common.rdtype == type);
-	REQUIRE(key->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_key_t *)source) != NULL);
+	REQUIRE(((dns_rdata_key_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_key_t *)source)->common.rdclass == rdclass);
+
+	key = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -334,16 +334,16 @@ generic_fromstruct_key(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 generic_tostruct_key(ARGS_TOSTRUCT) {
-	dns_rdata_key_t *key = target;
+	dns_rdata_key_t *key;
 	isc_region_t sr;
 
-	REQUIRE(key != NULL);
 	REQUIRE(rdata->length != 0);
+	REQUIRE(((dns_rdata_key_t *)target) != NULL);
+	REQUIRE(((dns_rdata_key_t *)target)->common.rdclass == rdata->rdclass);
+	REQUIRE(((dns_rdata_key_t *)target)->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&((dns_rdata_key_t *)target)->common, link));
 
-	REQUIRE(key != NULL);
-	REQUIRE(key->common.rdclass == rdata->rdclass);
-	REQUIRE(key->common.rdtype == rdata->type);
-	REQUIRE(!ISC_LINK_LINKED(&key->common, link));
+	key = target;
 
 	dns_rdata_toregion(rdata, &sr);
 
@@ -377,9 +377,11 @@ generic_tostruct_key(ARGS_TOSTRUCT) {
 
 static inline void
 generic_freestruct_key(ARGS_FREESTRUCT) {
-	dns_rdata_key_t *key = (dns_rdata_key_t *) source;
+	dns_rdata_key_t *key;
+
+	REQUIRE(((dns_rdata_key_t *)source) != NULL);
 
-	REQUIRE(key != NULL);
+	key = (dns_rdata_key_t *) source;
 
 	if (key->mctx == NULL)
 		return;
@@ -394,30 +396,31 @@ fromstruct_key(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_key);
 
-	return (generic_fromstruct_key(rdclass, type, source, target));
+	return (generic_fromstruct_key(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_key(ARGS_TOSTRUCT) {
-	dns_rdata_key_t *key = target;
+	dns_rdata_key_t *key;
 
-	REQUIRE(key != NULL);
+	REQUIRE(((dns_rdata_key_t *)target) != NULL);
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_key);
 
+	key = target;
+
 	key->common.rdclass = rdata->rdclass;
 	key->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&key->common, link);
 
-	return (generic_tostruct_key(rdata, target, mctx));
+	return (generic_tostruct_key(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_key(ARGS_FREESTRUCT) {
-	dns_rdata_key_t *key = (dns_rdata_key_t *) source;
-
-	REQUIRE(key != NULL);
-	REQUIRE(key->common.rdtype == dns_rdatatype_key);
+	REQUIRE(((dns_rdata_key_t *)source) != NULL);
+	REQUIRE(((dns_rdata_key_t *)source)->common.rdtype ==
+		dns_rdatatype_key);
 
 	generic_freestruct_key(source);
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/key_25.h b/bind/bind9/lib/dns/rdata/generic/key_25.h
index 4bcad50b..8b0620b9 100644
--- a/bind/bind9/lib/dns/rdata/generic/key_25.h
+++ b/bind/bind9/lib/dns/rdata/generic/key_25.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/keydata_65533.c b/bind/bind9/lib/dns/rdata/generic/keydata_65533.c
index 575083c8..3a43eee0 100644
--- a/bind/bind9/lib/dns/rdata/generic/keydata_65533.c
+++ b/bind/bind9/lib/dns/rdata/generic/keydata_65533.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -281,12 +281,14 @@ compare_keydata(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_keydata(ARGS_FROMSTRUCT) {
-	dns_rdata_keydata_t *keydata = source;
+	dns_rdata_keydata_t *keydata;
 
 	REQUIRE(type == dns_rdatatype_keydata);
-	REQUIRE(keydata != NULL);
-	REQUIRE(keydata->common.rdtype == type);
-	REQUIRE(keydata->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_keydata_t *)source) != NULL);
+	REQUIRE(((dns_rdata_keydata_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_keydata_t *)source)->common.rdclass == rdclass);
+
+	keydata = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -315,11 +317,13 @@ fromstruct_keydata(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_keydata(ARGS_TOSTRUCT) {
-	dns_rdata_keydata_t *keydata = target;
-	isc_region_t sr;
+	dns_rdata_keydata_t *keydata;
 
 	REQUIRE(rdata->type == dns_rdatatype_keydata);
-	REQUIRE(keydata != NULL);
+	REQUIRE(((dns_rdata_keydata_t *)target) != NULL);
+
+	keydata = target;
+	isc_region_t sr;
 
 	keydata->common.rdclass = rdata->rdclass;
 	keydata->common.rdtype = rdata->type;
@@ -375,10 +379,13 @@ tostruct_keydata(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_keydata(ARGS_FREESTRUCT) {
-	dns_rdata_keydata_t *keydata = (dns_rdata_keydata_t *) source;
+	dns_rdata_keydata_t *keydata;
+
+	REQUIRE(((dns_rdata_keydata_t *)source) != NULL);
+	REQUIRE(((dns_rdata_keydata_t *)source)->common.rdtype ==
+		dns_rdatatype_keydata);
 
-	REQUIRE(keydata != NULL);
-	REQUIRE(keydata->common.rdtype == dns_rdatatype_keydata);
+	keydata = (dns_rdata_keydata_t *) source;
 
 	if (keydata->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/keydata_65533.h b/bind/bind9/lib/dns/rdata/generic/keydata_65533.h
index 45a8fa9e..ba22d742 100644
--- a/bind/bind9/lib/dns/rdata/generic/keydata_65533.h
+++ b/bind/bind9/lib/dns/rdata/generic/keydata_65533.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/l32_105.c b/bind/bind9/lib/dns/rdata/generic/l32_105.c
index 0f44bf9c..8f05b587 100644
--- a/bind/bind9/lib/dns/rdata/generic/l32_105.c
+++ b/bind/bind9/lib/dns/rdata/generic/l32_105.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -70,7 +70,7 @@ totext_l32(ARGS_TOTEXT) {
 
 	RETERR(str_totext(" ", target));
 
-	return (inet_totext(AF_INET, &region, target));
+	return (inet_totext(AF_INET, tctx->flags, &region, target));
 }
 
 static inline isc_result_t
@@ -120,13 +120,15 @@ compare_l32(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_l32(ARGS_FROMSTRUCT) {
-	dns_rdata_l32_t *l32 = source;
+	dns_rdata_l32_t *l32;
 	uint32_t n;
 
 	REQUIRE(type == dns_rdatatype_l32);
-	REQUIRE(l32 != NULL);
-	REQUIRE(l32->common.rdtype == type);
-	REQUIRE(l32->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_l32_t *)source) != NULL);
+	REQUIRE(((dns_rdata_l32_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_l32_t *)source)->common.rdclass == rdclass);
+
+	l32 = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -139,13 +141,15 @@ fromstruct_l32(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_l32(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_l32_t *l32 = target;
+	dns_rdata_l32_t *l32;
 	uint32_t n;
 
+	REQUIRE(((dns_rdata_l32_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_l32);
-	REQUIRE(l32 != NULL);
 	REQUIRE(rdata->length == 6);
 
+	l32 = target;
+
 	UNUSED(mctx);
 
 	l32->common.rdclass = rdata->rdclass;
@@ -161,10 +165,9 @@ tostruct_l32(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_l32(ARGS_FREESTRUCT) {
-	dns_rdata_l32_t *l32 = source;
-
-	REQUIRE(l32 != NULL);
-	REQUIRE(l32->common.rdtype == dns_rdatatype_l32);
+	REQUIRE(((dns_rdata_l32_t *)source) != NULL);
+	REQUIRE(((dns_rdata_l32_t *)source)->common.rdtype ==
+		dns_rdatatype_l32);
 
 	return;
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/l32_105.h b/bind/bind9/lib/dns/rdata/generic/l32_105.h
index 3fca0f27..4b12b941 100644
--- a/bind/bind9/lib/dns/rdata/generic/l32_105.h
+++ b/bind/bind9/lib/dns/rdata/generic/l32_105.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/l64_106.c b/bind/bind9/lib/dns/rdata/generic/l64_106.c
index a3e7ab1b..94d1cfc9 100644
--- a/bind/bind9/lib/dns/rdata/generic/l64_106.c
+++ b/bind/bind9/lib/dns/rdata/generic/l64_106.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -119,12 +119,14 @@ compare_l64(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_l64(ARGS_FROMSTRUCT) {
-	dns_rdata_l64_t *l64 = source;
+	dns_rdata_l64_t *l64;
 
 	REQUIRE(type == dns_rdatatype_l64);
-	REQUIRE(l64 != NULL);
-	REQUIRE(l64->common.rdtype == type);
-	REQUIRE(l64->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_l64_t *)source) != NULL);
+	REQUIRE(((dns_rdata_l64_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_l64_t *)source)->common.rdclass == rdclass);
+
+	l64 = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -136,12 +138,14 @@ fromstruct_l64(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_l64(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_l64_t *l64 = target;
+	dns_rdata_l64_t *l64;
 
+	REQUIRE(((dns_rdata_l64_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_l64);
-	REQUIRE(l64 != NULL);
 	REQUIRE(rdata->length == 10);
 
+	l64 = target;
+
 	UNUSED(mctx);
 
 	l64->common.rdclass = rdata->rdclass;
@@ -156,10 +160,9 @@ tostruct_l64(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_l64(ARGS_FREESTRUCT) {
-	dns_rdata_l64_t *l64 = source;
-
-	REQUIRE(l64 != NULL);
-	REQUIRE(l64->common.rdtype == dns_rdatatype_l64);
+	REQUIRE(((dns_rdata_l64_t *)source) != NULL);
+	REQUIRE(((dns_rdata_l64_t *)source)->common.rdtype ==
+		dns_rdatatype_l64);
 
 	return;
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/l64_106.h b/bind/bind9/lib/dns/rdata/generic/l64_106.h
index 968a1388..4f176acc 100644
--- a/bind/bind9/lib/dns/rdata/generic/l64_106.h
+++ b/bind/bind9/lib/dns/rdata/generic/l64_106.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/loc_29.c b/bind/bind9/lib/dns/rdata/generic/loc_29.c
index 792c8e73..8aa1ac40 100644
--- a/bind/bind9/lib/dns/rdata/generic/loc_29.c
+++ b/bind/bind9/lib/dns/rdata/generic/loc_29.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -16,431 +16,421 @@
 
 #define RRTYPE_LOC_ATTRIBUTES (0)
 
-static inline isc_result_t
-fromtext_loc(ARGS_FROMTEXT) {
-	isc_token_t token;
-	int d1, m1, s1;
-	int d2, m2, s2;
-	unsigned char size;
-	unsigned char hp;
-	unsigned char vp;
-	unsigned char version;
-	bool east = false;
-	bool north = false;
-	long tmp;
-	long m;
-	long cm;
-	long poweroften[8] = { 1, 10, 100, 1000,
-			       10000, 100000, 1000000, 10000000 };
-	int man;
-	int exp;
+static isc_result_t
+loc_getdecimal(const char *str, unsigned long max, size_t precision, char units,
+	       unsigned long *valuep) {
+	bool ok;
 	char *e;
-	int i;
-	unsigned long latitude;
-	unsigned long longitude;
-	unsigned long altitude;
-
-	REQUIRE(type == dns_rdatatype_loc);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-
-	/*
-	 * Defaults.
-	 */
-	m1 = s1 = 0;
-	m2 = s2 = 0;
-	size = 0x12;	/* 1.00m */
-	hp = 0x16;	/* 10000.00 m */
-	vp = 0x13;	/* 10.00 m */
-	version = 0;
-
-	/*
-	 * Degrees.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      false));
-	if (token.value.as_ulong > 90U)
-		RETTOK(ISC_R_RANGE);
-	d1 = (int)token.value.as_ulong;
-	/*
-	 * Minutes.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      false));
-	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
-		north = true;
-	if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
-		goto getlong;
-	m1 = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	if (m1 < 0 || m1 > 59)
-		RETTOK(ISC_R_RANGE);
-	if (d1 == 90 && m1 != 0)
-		RETTOK(ISC_R_RANGE);
+	size_t i;
+	long tmp;
+	unsigned long value;
 
-	/*
-	 * Seconds.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      false));
-	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
-		north = true;
-	if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
-		goto getlong;
-	s1 = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.')
-		RETTOK(DNS_R_SYNTAX);
-	if (s1 < 0 || s1 > 59)
-		RETTOK(ISC_R_RANGE);
+	value = strtoul(str, &e, 10);
+	if (*e != 0 && *e != '.' && *e != units) {
+		return (DNS_R_SYNTAX);
+	}
+	if (value > max) {
+		return (ISC_R_RANGE);
+	}
+	ok = e != str;
 	if (*e == '.') {
-		const char *l;
 		e++;
-		for (i = 0; i < 3; i++) {
-			if (*e == 0)
+		for (i = 0; i < precision; i++) {
+			if (*e == 0 || *e == units) {
 				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			s1 *= 10;
-			s1 += tmp;
+			}
+			if ((tmp = decvalue(*e++)) < 0) {
+				return (DNS_R_SYNTAX);
+			}
+			ok = true;
+			value *= 10;
+			value += tmp;
 		}
-		for (; i < 3; i++)
-			s1 *= 10;
-		l = e;
-		while (*e != 0) {
-			if (decvalue(*e++) < 0)
-				RETTOK(DNS_R_SYNTAX);
+		for (; i < precision; i++) {
+			value *= 10;
 		}
-		if (*l != '\0' && callbacks != NULL) {
-			const char *file = isc_lex_getsourcename(lexer);
-			unsigned long line = isc_lex_getsourceline(lexer);
-
-			if (file == NULL)
-				file = "UNKNOWN";
-			(*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
-					   "precision digits ignored",
-					   "dns_rdata_fromtext", file, line,
-					   DNS_AS_STR(token));
+	} else {
+		for (i = 0; i < precision; i++) {
+			value *= 10;
 		}
-	} else
-		s1 *= 1000;
-	if (d1 == 90 && s1 != 0)
-		RETTOK(ISC_R_RANGE);
-
-	/*
-	 * Direction.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      false));
-	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
-		north = true;
-	if (!north && strcasecmp(DNS_AS_STR(token), "S") != 0)
-		RETTOK(DNS_R_SYNTAX);
-
- getlong:
-	/*
-	 * Degrees.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      false));
-	if (token.value.as_ulong > 180U)
-		RETTOK(ISC_R_RANGE);
-	d2 = (int)token.value.as_ulong;
-
-	/*
-	 * Minutes.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      false));
-	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
-		east = true;
-	if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
-		goto getalt;
-	m2 = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	if (m2 < 0 || m2 > 59)
-		RETTOK(ISC_R_RANGE);
-	if (d2 == 180 && m2 != 0)
-		RETTOK(ISC_R_RANGE);
-
-	/*
-	 * Seconds.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      false));
-	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
-		east = true;
-	if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
-		goto getalt;
-	s2 = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.')
-		RETTOK(DNS_R_SYNTAX);
-	if (s2 < 0 || s2 > 59)
-		RETTOK(ISC_R_RANGE);
-	if (*e == '.') {
-		const char *l;
+	}
+	if (*e != 0 && *e == units) {
 		e++;
-		for (i = 0; i < 3; i++) {
-			if (*e == 0)
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			s2 *= 10;
-			s2 += tmp;
-		}
-		for (; i < 3; i++)
-			s2 *= 10;
-		l = e;
-		while (*e != 0) {
-			if (decvalue(*e++) < 0)
-				RETTOK(DNS_R_SYNTAX);
-		}
-		if (*l != '\0' && callbacks != NULL) {
-			const char *file = isc_lex_getsourcename(lexer);
-			unsigned long line = isc_lex_getsourceline(lexer);
-
-			if (file == NULL)
-				file = "UNKNOWN";
-			(*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
-					   "precision digits ignored",
-					   "dns_rdata_fromtext",
-					   file, line, DNS_AS_STR(token));
-		}
-	} else
-		s2 *= 1000;
-	if (d2 == 180 && s2 != 0)
-		RETTOK(ISC_R_RANGE);
+	}
+	if (!ok || *e != 0) {
+		return (DNS_R_SYNTAX);
+	}
+	*valuep = value;
+	return (ISC_R_SUCCESS);
+}
 
-	/*
-	 * Direction.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      false));
-	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
-		east = true;
-	if (!east && strcasecmp(DNS_AS_STR(token), "W") != 0)
-		RETTOK(DNS_R_SYNTAX);
+static isc_result_t
+loc_getprecision(const char *str, unsigned char *valuep) {
+	unsigned long poweroften[8] = { 1,     10,     100,	1000,
+					10000, 100000, 1000000, 10000000 };
+	unsigned long m, cm;
+	bool ok;
+	char *e;
+	size_t i;
+	long tmp;
+	int man;
+	int exp;
 
- getalt:
-	/*
-	 * Altitude.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      false));
-	m = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.' && *e != 'm')
-		RETTOK(DNS_R_SYNTAX);
-	if (m < -100000 || m > 42849672)
-		RETTOK(ISC_R_RANGE);
-	cm = 0;
-	if (*e == '.') {
-		e++;
-		for (i = 0; i < 2; i++) {
-			if (*e == 0 || *e == 'm')
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				return (DNS_R_SYNTAX);
-			cm *= 10;
-			if (m < 0)
-				cm -= tmp;
-			else
-				cm += tmp;
-		}
-		for (; i < 2; i++)
-			cm *= 10;
+	m = strtoul(str, &e, 10);
+	if (*e != 0 && *e != '.' && *e != 'm') {
+		return (DNS_R_SYNTAX);
 	}
-	if (*e == 'm')
-		e++;
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	if (m == -100000 && cm != 0)
-		RETTOK(ISC_R_RANGE);
-	if (m == 42849672 && cm > 95)
-		RETTOK(ISC_R_RANGE);
-	/*
-	 * Adjust base.
-	 */
-	altitude = m + 100000;
-	altitude *= 100;
-	altitude += cm;
-
-	/*
-	 * Size: optional.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      true));
-	if (token.type == isc_tokentype_eol ||
-	    token.type == isc_tokentype_eof) {
-		isc_lex_ungettoken(lexer, &token);
-		goto encode;
+	if (m > 90000000) {
+		return (ISC_R_RANGE);
 	}
-	m = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.' && *e != 'm')
-		RETTOK(DNS_R_SYNTAX);
-	if (m < 0 || m > 90000000)
-		RETTOK(ISC_R_RANGE);
 	cm = 0;
+	ok = e != str;
 	if (*e == '.') {
 		e++;
 		for (i = 0; i < 2; i++) {
-			if (*e == 0 || *e == 'm')
+			if (*e == 0 || *e == 'm') {
 				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
+			}
+			if ((tmp = decvalue(*e++)) < 0) {
+				return (DNS_R_SYNTAX);
+			}
+			ok = true;
 			cm *= 10;
 			cm += tmp;
 		}
-		for (; i < 2; i++)
+		for (; i < 2; i++) {
 			cm *= 10;
+		}
 	}
-	if (*e == 'm')
+	if (*e == 'm') {
 		e++;
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
+	}
+	if (!ok || *e != 0) {
+		return (DNS_R_SYNTAX);
+	}
+
 	/*
 	 * We don't just multiply out as we will overflow.
 	 */
 	if (m > 0) {
-		for (exp = 0; exp < 7; exp++)
-			if (m < poweroften[exp+1])
+		for (exp = 0; exp < 7; exp++) {
+			if (m < poweroften[exp + 1]) {
 				break;
+			}
+		}
 		man = m / poweroften[exp];
 		exp += 2;
+	} else if (cm >= 10) {
+		man = cm / 10;
+		exp = 1;
 	} else {
-		if (cm >= 10) {
-			man = cm / 10;
-			exp = 1;
-		} else {
-			man = cm;
-			exp = 0;
-		}
+		man = cm;
+		exp = 0;
 	}
-	size = (man << 4) + exp;
+	*valuep = (man << 4) + exp;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+get_degrees(isc_lex_t *lexer, isc_token_t *token, unsigned long *d) {
+	RETERR(isc_lex_getmastertoken(lexer, token, isc_tokentype_number,
+				      false));
+	*d = token->value.as_ulong;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+check_coordinate(unsigned long d, unsigned long m, unsigned long s,
+		 unsigned long maxd) {
+	if (d > maxd || m > 59U) {
+		return (ISC_R_RANGE);
+	}
+	if (d == maxd && (m != 0 || s != 0)) {
+		return (ISC_R_RANGE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+get_minutes(isc_lex_t *lexer, isc_token_t *token, unsigned long *m) {
+	RETERR(isc_lex_getmastertoken(lexer, token, isc_tokentype_number,
+				      false));
+
+	*m = token->value.as_ulong;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+get_seconds(isc_lex_t *lexer, isc_token_t *token, unsigned long *s) {
+	RETERR(isc_lex_getmastertoken(lexer, token, isc_tokentype_string,
+				      false));
+	RETERR(loc_getdecimal(DNS_AS_STR(*token), 59, 3, '\0', s));
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+get_direction(isc_lex_t *lexer, isc_token_t *token, const char *directions,
+	      int *direction) {
+	RETERR(isc_lex_getmastertoken(lexer, token, isc_tokentype_string,
+				      false));
+	if (DNS_AS_STR(*token)[0] == directions[1] &&
+	    DNS_AS_STR(*token)[1] == 0) {
+		*direction = DNS_AS_STR(*token)[0];
+		return (ISC_R_SUCCESS);
+	}
+
+	if (DNS_AS_STR(*token)[0] == directions[0] &&
+	    DNS_AS_STR(*token)[1] == 0) {
+		*direction = DNS_AS_STR(*token)[0];
+		return (ISC_R_SUCCESS);
+	}
+
+	*direction = 0;
+	isc_lex_ungettoken(lexer, token);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loc_getcoordinate(isc_lex_t *lexer, unsigned long *dp, unsigned long *mp,
+		  unsigned long *sp, const char *directions, int *directionp,
+		  unsigned long maxd) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_token_t token;
+	unsigned long d, m, s;
+	int direction = 0;
+
+	m = 0;
+	s = 0;
 
 	/*
-	 * Horizontal precision: optional.
+	 * Degrees.
 	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      true));
-	if (token.type == isc_tokentype_eol ||
-	    token.type == isc_tokentype_eof) {
-		isc_lex_ungettoken(lexer, &token);
-		goto encode;
-	}
-	m = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.' && *e != 'm')
-		RETTOK(DNS_R_SYNTAX);
-	if (m < 0 || m > 90000000)
-		RETTOK(ISC_R_RANGE);
-	cm = 0;
-	if (*e == '.') {
-		e++;
-		for (i = 0; i < 2; i++) {
-			if (*e == 0 || *e == 'm')
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			cm *= 10;
-			cm += tmp;
-		}
-		for (; i < 2; i++)
-			cm *= 10;
+	RETERR(get_degrees(lexer, &token, &d));
+	RETTOK(check_coordinate(d, m, s, maxd));
+
+	/*
+	 * Minutes.
+	 */
+	RETERR(get_direction(lexer, &token, directions, &direction));
+	if (direction > 0) {
+		goto done;
 	}
-	if (*e == 'm')
-		e++;
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
+
+	RETERR(get_minutes(lexer, &token, &m));
+	RETTOK(check_coordinate(d, m, s, maxd));
+
 	/*
-	 * We don't just multiply out as we will overflow.
+	 * Seconds.
 	 */
-	if (m > 0) {
-		for (exp = 0; exp < 7; exp++)
-			if (m < poweroften[exp+1])
-				break;
-		man = m / poweroften[exp];
-		exp += 2;
-	} else if (cm >= 10) {
-		man = cm / 10;
-		exp = 1;
-	} else  {
-		man = cm;
-		exp = 0;
+	RETERR(get_direction(lexer, &token, directions, &direction));
+	if (direction > 0) {
+		goto done;
+	}
+
+	result = get_seconds(lexer, &token, &s);
+	if (result == ISC_R_RANGE || result == DNS_R_SYNTAX) {
+		RETTOK(result);
 	}
-	hp = (man << 4) + exp;
+	RETERR(result);
+	RETTOK(check_coordinate(d, m, s, maxd));
 
 	/*
-	 * Vertical precision: optional.
+	 * Direction.
 	 */
+	RETERR(get_direction(lexer, &token, directions, &direction));
+	if (direction == 0) {
+		RETERR(DNS_R_SYNTAX);
+	}
+done:
+
+	*directionp = direction;
+	*dp = d;
+	*mp = m;
+	*sp = s;
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+loc_getlatitude(isc_lex_t *lexer, unsigned long *latitude) {
+	unsigned long d1 = 0, m1 = 0, s1 = 0;
+	int direction = 0;
+
+	RETERR(loc_getcoordinate(lexer, &d1, &m1, &s1, "SN", &direction, 90U));
+
+	switch (direction) {
+	case 'N':
+		*latitude = 0x80000000 + (d1 * 3600 + m1 * 60) * 1000 + s1;
+		break;
+	case 'S':
+		*latitude = 0x80000000 - (d1 * 3600 + m1 * 60) * 1000 - s1;
+		break;
+	default:
+		INSIST(0);
+		ISC_UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+loc_getlongitude(isc_lex_t *lexer, unsigned long *longitude) {
+	unsigned long d2 = 0, m2 = 0, s2 = 0;
+	int direction = 0;
+
+	RETERR(loc_getcoordinate(lexer, &d2, &m2, &s2, "WE", &direction, 180U));
+
+	switch (direction) {
+	case 'E':
+		*longitude = 0x80000000 + (d2 * 3600 + m2 * 60) * 1000 + s2;
+		break;
+	case 'W':
+		*longitude = 0x80000000 - (d2 * 3600 + m2 * 60) * 1000 - s2;
+		break;
+	default:
+		INSIST(0);
+		ISC_UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+loc_getaltitude(isc_lex_t *lexer, unsigned long *altitude) {
+	isc_token_t token;
+	unsigned long cm;
+	const char *str;
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	str = DNS_AS_STR(token);
+	if (DNS_AS_STR(token)[0] == '-') {
+		RETTOK(loc_getdecimal(str + 1, 100000, 2, 'm', &cm));
+		if (cm > 10000000UL) {
+			RETTOK(ISC_R_RANGE);
+		}
+		*altitude = 10000000 - cm;
+	} else {
+		RETTOK(loc_getdecimal(str, 42849672, 2, 'm', &cm));
+		if (cm > 4284967295UL) {
+			RETTOK(ISC_R_RANGE);
+		}
+		*altitude = 10000000 + cm;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+loc_getoptionalprecision(isc_lex_t *lexer, unsigned char *valuep) {
+	isc_token_t token;
+
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      true));
-	if (token.type == isc_tokentype_eol ||
-	    token.type == isc_tokentype_eof) {
+	if (token.type == isc_tokentype_eol || token.type == isc_tokentype_eof)
+	{
 		isc_lex_ungettoken(lexer, &token);
+		return (ISC_R_NOMORE);
+	}
+	RETTOK(loc_getprecision(DNS_AS_STR(token), valuep));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+loc_getsize(isc_lex_t *lexer, unsigned char *sizep) {
+	return (loc_getoptionalprecision(lexer, sizep));
+}
+
+static inline isc_result_t
+loc_gethorizontalprecision(isc_lex_t *lexer, unsigned char *hpp) {
+	return (loc_getoptionalprecision(lexer, hpp));
+}
+
+static inline isc_result_t
+loc_getverticalprecision(isc_lex_t *lexer, unsigned char *vpp) {
+	return (loc_getoptionalprecision(lexer, vpp));
+}
+
+/* The LOC record is expressed in a master file in the following format:
+ *
+ * <owner> <TTL> <class> LOC ( d1 [m1 [s1]] {"N"|"S"} d2 [m2 [s2]]
+ *                             {"E"|"W"} alt["m"] [siz["m"] [hp["m"]
+ *                             [vp["m"]]]] )
+ *
+ * (The parentheses are used for multi-line data as specified in [RFC
+ * 1035] section 5.1.)
+ *
+ * where:
+ *
+ *     d1:     [0 .. 90]            (degrees latitude)
+ *     d2:     [0 .. 180]           (degrees longitude)
+ *     m1, m2: [0 .. 59]            (minutes latitude/longitude)
+ *     s1, s2: [0 .. 59.999]        (seconds latitude/longitude)
+ *     alt:    [-100000.00 .. 42849672.95] BY .01 (altitude in meters)
+ *     siz, hp, vp: [0 .. 90000000.00] (size/precision in meters)
+ *
+ * If omitted, minutes and seconds default to zero, size defaults to 1m,
+ * horizontal precision defaults to 10000m, and vertical precision
+ * defaults to 10m.  These defaults are chosen to represent typical
+ * ZIP/postal code area sizes, since it is often easy to find
+ * approximate geographical location by ZIP/postal code.
+ */
+static inline isc_result_t
+fromtext_loc(ARGS_FROMTEXT) {
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned long latitude = 0;
+	unsigned long longitude = 0;
+	unsigned long altitude = 0;
+	unsigned char size = 0x12; /* Default: 1.00m */
+	unsigned char hp = 0x16;   /* Default: 10000.00 m */
+	unsigned char vp = 0x13;   /* Default: 10.00 m */
+	unsigned char version = 0;
+
+	REQUIRE(type == dns_rdatatype_loc);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(loc_getlatitude(lexer, &latitude));
+	RETERR(loc_getlongitude(lexer, &longitude));
+	RETERR(loc_getaltitude(lexer, &altitude));
+	result = loc_getsize(lexer, &size);
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
 		goto encode;
 	}
-	m = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.' && *e != 'm')
-		RETTOK(DNS_R_SYNTAX);
-	if (m < 0 || m > 90000000)
-		RETTOK(ISC_R_RANGE);
-	cm = 0;
-	if (*e == '.') {
-		e++;
-		for (i = 0; i < 2; i++) {
-			if (*e == 0 || *e == 'm')
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			cm *= 10;
-			cm += tmp;
-		}
-		for (; i < 2; i++)
-			cm *= 10;
+	RETERR(result);
+	result = loc_gethorizontalprecision(lexer, &hp);
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+		goto encode;
 	}
-	if (*e == 'm')
-		e++;
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	/*
-	 * We don't just multiply out as we will overflow.
-	 */
-	if (m > 0) {
-		for (exp = 0; exp < 7; exp++)
-			if (m < poweroften[exp+1])
-				break;
-		man = m / poweroften[exp];
-		exp += 2;
-	} else if (cm >= 10) {
-		man = cm / 10;
-		exp = 1;
-	} else {
-		man = cm;
-		exp = 0;
+	RETERR(result);
+	result = loc_getverticalprecision(lexer, &vp);
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+		goto encode;
 	}
-	vp = (man << 4) + exp;
-
- encode:
+	RETERR(result);
+encode:
 	RETERR(mem_tobuffer(target, &version, 1));
 	RETERR(mem_tobuffer(target, &size, 1));
 	RETERR(mem_tobuffer(target, &hp, 1));
 	RETERR(mem_tobuffer(target, &vp, 1));
-	if (north)
-		latitude = 0x80000000 + ( d1 * 3600 + m1 * 60 ) * 1000 + s1;
-	else
-		latitude = 0x80000000 - ( d1 * 3600 + m1 * 60 ) * 1000 - s1;
-	RETERR(uint32_tobuffer(latitude, target));
 
-	if (east)
-		longitude = 0x80000000 + ( d2 * 3600 + m2 * 60 ) * 1000 + s2;
-	else
-		longitude = 0x80000000 - ( d2 * 3600 + m2 * 60 ) * 1000 - s2;
+	RETERR(uint32_tobuffer(latitude, target));
 	RETERR(uint32_tobuffer(longitude, target));
+	RETERR(uint32_tobuffer(altitude, target));
 
-	return (uint32_tobuffer(altitude, target));
+	return (result);
 }
 
 static inline isc_result_t
@@ -459,9 +449,10 @@ totext_loc(ARGS_TOTEXT) {
 	char vbuf[sizeof("90000000m")];
 	/* "89 59 59.999 N 179 59 59.999 E " */
 	/* "-42849672.95m 90000000m 90000000m 90000000m"; */
-	char buf[8*6 + 12*1 + 2*10 + sizeof(sbuf)+sizeof(hbuf)+sizeof(vbuf)];
+	char buf[8 * 6 + 12 * 1 + 2 * 10 + sizeof(sbuf) + sizeof(hbuf) +
+		 sizeof(vbuf)];
 	unsigned char size, hp, vp;
-	unsigned long poweroften[8] = { 1, 10, 100, 1000,
+	unsigned long poweroften[8] = { 1,     10,     100,	1000,
 					10000, 100000, 1000000, 10000000 };
 
 	UNUSED(tctx);
@@ -471,37 +462,38 @@ totext_loc(ARGS_TOTEXT) {
 
 	dns_rdata_toregion(rdata, &sr);
 
-	if (sr.base[0] != 0)
+	if (sr.base[0] != 0) {
 		return (ISC_R_NOTIMPLEMENTED);
+	}
 
 	REQUIRE(rdata->length == 16);
 
 	size = sr.base[1];
-	INSIST((size&0x0f) < 10 && (size>>4) < 10);
-	if ((size&0x0f)> 1) {
-		snprintf(sbuf, sizeof(sbuf),
-			 "%lum", (size>>4) * poweroften[(size&0x0f)-2]);
+	INSIST((size & 0x0f) < 10 && (size >> 4) < 10);
+	if ((size & 0x0f) > 1) {
+		snprintf(sbuf, sizeof(sbuf), "%lum",
+			 (size >> 4) * poweroften[(size & 0x0f) - 2]);
 	} else {
-		snprintf(sbuf, sizeof(sbuf),
-			 "0.%02lum", (size>>4) * poweroften[(size&0x0f)]);
+		snprintf(sbuf, sizeof(sbuf), "0.%02lum",
+			 (size >> 4) * poweroften[(size & 0x0f)]);
 	}
 	hp = sr.base[2];
-	INSIST((hp&0x0f) < 10 && (hp>>4) < 10);
-	if ((hp&0x0f)> 1) {
-		snprintf(hbuf, sizeof(hbuf),
-			"%lum", (hp>>4) * poweroften[(hp&0x0f)-2]);
+	INSIST((hp & 0x0f) < 10 && (hp >> 4) < 10);
+	if ((hp & 0x0f) > 1) {
+		snprintf(hbuf, sizeof(hbuf), "%lum",
+			 (hp >> 4) * poweroften[(hp & 0x0f) - 2]);
 	} else {
-		snprintf(hbuf, sizeof(hbuf),
-			 "0.%02lum", (hp>>4) * poweroften[(hp&0x0f)]);
+		snprintf(hbuf, sizeof(hbuf), "0.%02lum",
+			 (hp >> 4) * poweroften[(hp & 0x0f)]);
 	}
 	vp = sr.base[3];
-	INSIST((vp&0x0f) < 10 && (vp>>4) < 10);
-	if ((vp&0x0f)> 1) {
-		snprintf(vbuf, sizeof(vbuf),
-			 "%lum", (vp>>4) * poweroften[(vp&0x0f)-2]);
+	INSIST((vp & 0x0f) < 10 && (vp >> 4) < 10);
+	if ((vp & 0x0f) > 1) {
+		snprintf(vbuf, sizeof(vbuf), "%lum",
+			 (vp >> 4) * poweroften[(vp & 0x0f) - 2]);
 	} else {
-		snprintf(vbuf, sizeof(vbuf),
-			 "0.%02lum", (vp>>4) * poweroften[(vp&0x0f)]);
+		snprintf(vbuf, sizeof(vbuf), "0.%02lum",
+			 (vp >> 4) * poweroften[(vp & 0x0f)]);
 	}
 	isc_region_consume(&sr, 4);
 
@@ -547,16 +539,15 @@ totext_loc(ARGS_TOTEXT) {
 		below = true;
 		altitude = 10000000 - altitude;
 	} else {
-		below =false;
+		below = false;
 		altitude -= 10000000;
 	}
 
 	snprintf(buf, sizeof(buf),
-		 "%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s",
-		 d1, m1, s1, fs1, north ? "N" : "S",
-		 d2, m2, s2, fs2, east ? "E" : "W",
-		 below ? "-" : "", altitude/100, altitude % 100,
-		 sbuf, hbuf, vbuf);
+		 "%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s", d1,
+		 m1, s1, fs1, north ? "N" : "S", d2, m2, s2, fs2,
+		 east ? "E" : "W", below ? "-" : "", altitude / 100,
+		 altitude % 100, sbuf, hbuf, vbuf);
 
 	return (str_totext(buf, target));
 }
@@ -666,13 +657,15 @@ compare_loc(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_loc(ARGS_FROMSTRUCT) {
-	dns_rdata_loc_t *loc = source;
+	dns_rdata_loc_t *loc;
 	uint8_t c;
 
 	REQUIRE(type == dns_rdatatype_loc);
-	REQUIRE(loc != NULL);
-	REQUIRE(loc->common.rdtype == type);
-	REQUIRE(loc->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_loc_t *)source) != NULL);
+	REQUIRE(((dns_rdata_loc_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_loc_t *)source)->common.rdclass == rdclass);
+
+	loc = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -710,14 +703,16 @@ fromstruct_loc(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_loc(ARGS_TOSTRUCT) {
-	dns_rdata_loc_t *loc = target;
+	dns_rdata_loc_t *loc;
 	isc_region_t r;
 	uint8_t version;
 
+	REQUIRE(((dns_rdata_loc_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_loc);
-	REQUIRE(loc != NULL);
 	REQUIRE(rdata->length != 0);
 
+	loc = target;
+
 	UNUSED(mctx);
 
 	dns_rdata_toregion(rdata, &r);
@@ -748,10 +743,13 @@ tostruct_loc(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_loc(ARGS_FREESTRUCT) {
-	dns_rdata_loc_t *loc = source;
+	dns_rdata_loc_t *loc;
+
+	REQUIRE(((dns_rdata_loc_t *)source) != NULL);
+	REQUIRE(((dns_rdata_loc_t *)source)->common.rdtype ==
+		dns_rdatatype_loc);
 
-	REQUIRE(loc != NULL);
-	REQUIRE(loc->common.rdtype == dns_rdatatype_loc);
+	loc = source;
 
 	UNUSED(source);
 	UNUSED(loc);
diff --git a/bind/bind9/lib/dns/rdata/generic/loc_29.h b/bind/bind9/lib/dns/rdata/generic/loc_29.h
index c879581c..2f379777 100644
--- a/bind/bind9/lib/dns/rdata/generic/loc_29.h
+++ b/bind/bind9/lib/dns/rdata/generic/loc_29.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/lp_107.c b/bind/bind9/lib/dns/rdata/generic/lp_107.c
index 87e268f7..14f5dda3 100644
--- a/bind/bind9/lib/dns/rdata/generic/lp_107.c
+++ b/bind/bind9/lib/dns/rdata/generic/lp_107.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -126,13 +126,15 @@ compare_lp(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_lp(ARGS_FROMSTRUCT) {
-	dns_rdata_lp_t *lp = source;
+	dns_rdata_lp_t *lp;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_lp);
-	REQUIRE(lp != NULL);
-	REQUIRE(lp->common.rdtype == type);
-	REQUIRE(lp->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_lp_t *)source) != NULL);
+	REQUIRE(((dns_rdata_lp_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_lp_t *)source)->common.rdclass == rdclass);
+
+	lp = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -145,13 +147,15 @@ fromstruct_lp(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_lp(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_lp_t *lp = target;
+	dns_rdata_lp_t *lp;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_lp_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_lp);
-	REQUIRE(lp != NULL);
 	REQUIRE(rdata->length != 0);
 
+	lp = target;
+
 	lp->common.rdclass = rdata->rdclass;
 	lp->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&lp->common, link);
@@ -169,10 +173,12 @@ tostruct_lp(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_lp(ARGS_FREESTRUCT) {
-	dns_rdata_lp_t *lp = source;
+	dns_rdata_lp_t *lp;
+
+	REQUIRE(((dns_rdata_lp_t *)source) != NULL);
+	REQUIRE(((dns_rdata_lp_t *)source)->common.rdtype == dns_rdatatype_lp);
 
-	REQUIRE(lp != NULL);
-	REQUIRE(lp->common.rdtype == dns_rdatatype_lp);
+	lp = source;
 
 	if (lp->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/lp_107.h b/bind/bind9/lib/dns/rdata/generic/lp_107.h
index 4ccffaca..392c5450 100644
--- a/bind/bind9/lib/dns/rdata/generic/lp_107.h
+++ b/bind/bind9/lib/dns/rdata/generic/lp_107.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/mb_7.c b/bind/bind9/lib/dns/rdata/generic/mb_7.c
index 93d85e52..ee9cd139 100644
--- a/bind/bind9/lib/dns/rdata/generic/mb_7.c
+++ b/bind/bind9/lib/dns/rdata/generic/mb_7.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -118,13 +118,15 @@ compare_mb(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_mb(ARGS_FROMSTRUCT) {
-	dns_rdata_mb_t *mb = source;
+	dns_rdata_mb_t *mb;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_mb);
-	REQUIRE(mb != NULL);
-	REQUIRE(mb->common.rdtype == type);
-	REQUIRE(mb->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_mb_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mb_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_mb_t *)source)->common.rdclass == rdclass);
+
+	mb = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -136,13 +138,15 @@ fromstruct_mb(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_mb(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_mb_t *mb = target;
+	dns_rdata_mb_t *mb;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_mb_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_mb);
-	REQUIRE(mb != NULL);
 	REQUIRE(rdata->length != 0);
 
+	mb = target;
+
 	mb->common.rdclass = rdata->rdclass;
 	mb->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&mb->common, link);
@@ -158,9 +162,11 @@ tostruct_mb(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_mb(ARGS_FREESTRUCT) {
-	dns_rdata_mb_t *mb = source;
+	dns_rdata_mb_t *mb;
+
+	REQUIRE(((dns_rdata_mb_t *)source) != NULL);
 
-	REQUIRE(mb != NULL);
+	mb = source;
 
 	if (mb->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/mb_7.h b/bind/bind9/lib/dns/rdata/generic/mb_7.h
index 59f4115e..c57497c6 100644
--- a/bind/bind9/lib/dns/rdata/generic/mb_7.h
+++ b/bind/bind9/lib/dns/rdata/generic/mb_7.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/md_3.c b/bind/bind9/lib/dns/rdata/generic/md_3.c
index 8c58d6e8..f9659c5d 100644
--- a/bind/bind9/lib/dns/rdata/generic/md_3.c
+++ b/bind/bind9/lib/dns/rdata/generic/md_3.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -118,13 +118,15 @@ compare_md(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_md(ARGS_FROMSTRUCT) {
-	dns_rdata_md_t *md = source;
+	dns_rdata_md_t *md;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_md);
-	REQUIRE(md != NULL);
-	REQUIRE(md->common.rdtype == type);
-	REQUIRE(md->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_md_t *)source) != NULL);
+	REQUIRE(((dns_rdata_md_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_md_t *)source)->common.rdclass == rdclass);
+
+	md = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -135,14 +137,16 @@ fromstruct_md(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_md(ARGS_TOSTRUCT) {
-	dns_rdata_md_t *md = target;
+	dns_rdata_md_t *md;
 	isc_region_t r;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_md_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_md);
-	REQUIRE(md != NULL);
 	REQUIRE(rdata->length != 0);
 
+	md = target;
+
 	md->common.rdclass = rdata->rdclass;
 	md->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&md->common, link);
@@ -158,10 +162,12 @@ tostruct_md(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_md(ARGS_FREESTRUCT) {
-	dns_rdata_md_t *md = source;
+	dns_rdata_md_t *md;
+
+	REQUIRE(((dns_rdata_md_t *)source) != NULL);
+	REQUIRE(((dns_rdata_md_t *)source)->common.rdtype == dns_rdatatype_md);
 
-	REQUIRE(md != NULL);
-	REQUIRE(md->common.rdtype == dns_rdatatype_md);
+	md = source;
 
 	if (md->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/md_3.h b/bind/bind9/lib/dns/rdata/generic/md_3.h
index 396c3c94..738bf709 100644
--- a/bind/bind9/lib/dns/rdata/generic/md_3.h
+++ b/bind/bind9/lib/dns/rdata/generic/md_3.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/mf_4.c b/bind/bind9/lib/dns/rdata/generic/mf_4.c
index fa653a68..42e3b35c 100644
--- a/bind/bind9/lib/dns/rdata/generic/mf_4.c
+++ b/bind/bind9/lib/dns/rdata/generic/mf_4.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -118,13 +118,15 @@ compare_mf(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_mf(ARGS_FROMSTRUCT) {
-	dns_rdata_mf_t *mf = source;
+	dns_rdata_mf_t *mf;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_mf);
-	REQUIRE(mf != NULL);
-	REQUIRE(mf->common.rdtype == type);
-	REQUIRE(mf->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_mf_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mf_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_mf_t *)source)->common.rdclass == rdclass);
+
+	mf = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -135,14 +137,16 @@ fromstruct_mf(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_mf(ARGS_TOSTRUCT) {
-	dns_rdata_mf_t *mf = target;
+	dns_rdata_mf_t *mf;
 	isc_region_t r;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_mf_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_mf);
-	REQUIRE(mf != NULL);
 	REQUIRE(rdata->length != 0);
 
+	mf = target;
+
 	mf->common.rdclass = rdata->rdclass;
 	mf->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&mf->common, link);
@@ -158,10 +162,12 @@ tostruct_mf(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_mf(ARGS_FREESTRUCT) {
-	dns_rdata_mf_t *mf = source;
+	dns_rdata_mf_t *mf;
+
+	REQUIRE(((dns_rdata_mf_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mf_t *)source)->common.rdtype == dns_rdatatype_mf);
 
-	REQUIRE(mf != NULL);
-	REQUIRE(mf->common.rdtype == dns_rdatatype_mf);
+	mf = source;
 
 	if (mf->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/mf_4.h b/bind/bind9/lib/dns/rdata/generic/mf_4.h
index d8821551..6036d853 100644
--- a/bind/bind9/lib/dns/rdata/generic/mf_4.h
+++ b/bind/bind9/lib/dns/rdata/generic/mf_4.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/mg_8.c b/bind/bind9/lib/dns/rdata/generic/mg_8.c
index c631539d..37aaa874 100644
--- a/bind/bind9/lib/dns/rdata/generic/mg_8.c
+++ b/bind/bind9/lib/dns/rdata/generic/mg_8.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -118,13 +118,15 @@ compare_mg(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_mg(ARGS_FROMSTRUCT) {
-	dns_rdata_mg_t *mg = source;
+	dns_rdata_mg_t *mg;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_mg);
-	REQUIRE(mg != NULL);
-	REQUIRE(mg->common.rdtype == type);
-	REQUIRE(mg->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_mg_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mg_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_mg_t *)source)->common.rdclass == rdclass);
+
+	mg = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -136,13 +138,15 @@ fromstruct_mg(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_mg(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_mg_t *mg = target;
+	dns_rdata_mg_t *mg;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_mg_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_mg);
-	REQUIRE(mg != NULL);
 	REQUIRE(rdata->length != 0);
 
+	mg = target;
+
 	mg->common.rdclass = rdata->rdclass;
 	mg->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&mg->common, link);
@@ -158,10 +162,12 @@ tostruct_mg(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_mg(ARGS_FREESTRUCT) {
-	dns_rdata_mg_t *mg = source;
+	dns_rdata_mg_t *mg;
+
+	REQUIRE(((dns_rdata_mg_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mg_t *)source)->common.rdtype == dns_rdatatype_mg);
 
-	REQUIRE(mg != NULL);
-	REQUIRE(mg->common.rdtype == dns_rdatatype_mg);
+	mg = source;
 
 	if (mg->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/mg_8.h b/bind/bind9/lib/dns/rdata/generic/mg_8.h
index 0e0380eb..cb276243 100644
--- a/bind/bind9/lib/dns/rdata/generic/mg_8.h
+++ b/bind/bind9/lib/dns/rdata/generic/mg_8.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/minfo_14.c b/bind/bind9/lib/dns/rdata/generic/minfo_14.c
index 5b1e8745..7f0a1bfd 100644
--- a/bind/bind9/lib/dns/rdata/generic/minfo_14.c
+++ b/bind/bind9/lib/dns/rdata/generic/minfo_14.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -173,13 +173,15 @@ compare_minfo(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_minfo(ARGS_FROMSTRUCT) {
-	dns_rdata_minfo_t *minfo = source;
+	dns_rdata_minfo_t *minfo;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_minfo);
-	REQUIRE(minfo != NULL);
-	REQUIRE(minfo->common.rdtype == type);
-	REQUIRE(minfo->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_minfo_t *)source) != NULL);
+	REQUIRE(((dns_rdata_minfo_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_minfo_t *)source)->common.rdclass == rdclass);
+
+	minfo = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -192,15 +194,17 @@ fromstruct_minfo(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_minfo(ARGS_TOSTRUCT) {
-	dns_rdata_minfo_t *minfo = target;
+	dns_rdata_minfo_t *minfo;
 	isc_region_t region;
 	dns_name_t name;
 	isc_result_t result;
 
+	REQUIRE(((dns_rdata_minfo_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_minfo);
-	REQUIRE(minfo != NULL);
 	REQUIRE(rdata->length != 0);
 
+	minfo = target;
+
 	minfo->common.rdclass = rdata->rdclass;
 	minfo->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&minfo->common, link);
@@ -228,10 +232,13 @@ tostruct_minfo(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_minfo(ARGS_FREESTRUCT) {
-	dns_rdata_minfo_t *minfo = source;
+	dns_rdata_minfo_t *minfo;
+
+	REQUIRE(((dns_rdata_minfo_t *)source) != NULL);
+	REQUIRE(((dns_rdata_minfo_t *)source)->common.rdtype ==
+		dns_rdatatype_minfo);
 
-	REQUIRE(minfo != NULL);
-	REQUIRE(minfo->common.rdtype == dns_rdatatype_minfo);
+	minfo = source;
 
 	if (minfo->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/minfo_14.h b/bind/bind9/lib/dns/rdata/generic/minfo_14.h
index 10080fb3..7d052c86 100644
--- a/bind/bind9/lib/dns/rdata/generic/minfo_14.h
+++ b/bind/bind9/lib/dns/rdata/generic/minfo_14.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/mr_9.c b/bind/bind9/lib/dns/rdata/generic/mr_9.c
index c39bf540..17ab558d 100644
--- a/bind/bind9/lib/dns/rdata/generic/mr_9.c
+++ b/bind/bind9/lib/dns/rdata/generic/mr_9.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -118,13 +118,15 @@ compare_mr(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_mr(ARGS_FROMSTRUCT) {
-	dns_rdata_mr_t *mr = source;
+	dns_rdata_mr_t *mr;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_mr);
-	REQUIRE(mr != NULL);
-	REQUIRE(mr->common.rdtype == type);
-	REQUIRE(mr->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_mr_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mr_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_mr_t *)source)->common.rdclass == rdclass);
+
+	mr = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -136,13 +138,15 @@ fromstruct_mr(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_mr(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_mr_t *mr = target;
+	dns_rdata_mr_t *mr;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_mr_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_mr);
-	REQUIRE(mr != NULL);
 	REQUIRE(rdata->length != 0);
 
+	mr = target;
+
 	mr->common.rdclass = rdata->rdclass;
 	mr->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&mr->common, link);
@@ -158,10 +162,12 @@ tostruct_mr(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_mr(ARGS_FREESTRUCT) {
-	dns_rdata_mr_t *mr = source;
+	dns_rdata_mr_t *mr;
+
+	REQUIRE(((dns_rdata_mr_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mr_t *)source)->common.rdtype == dns_rdatatype_mr);
 
-	REQUIRE(mr != NULL);
-	REQUIRE(mr->common.rdtype == dns_rdatatype_mr);
+	mr = source;
 
 	if (mr->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/mr_9.h b/bind/bind9/lib/dns/rdata/generic/mr_9.h
index 888a82f0..03142595 100644
--- a/bind/bind9/lib/dns/rdata/generic/mr_9.h
+++ b/bind/bind9/lib/dns/rdata/generic/mr_9.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/mx_15.c b/bind/bind9/lib/dns/rdata/generic/mx_15.c
index 95f37aef..8ab27066 100644
--- a/bind/bind9/lib/dns/rdata/generic/mx_15.c
+++ b/bind/bind9/lib/dns/rdata/generic/mx_15.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -188,13 +188,15 @@ compare_mx(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_mx(ARGS_FROMSTRUCT) {
-	dns_rdata_mx_t *mx = source;
+	dns_rdata_mx_t *mx;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_mx);
-	REQUIRE(mx != NULL);
-	REQUIRE(mx->common.rdtype == type);
-	REQUIRE(mx->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_mx_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mx_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_mx_t *)source)->common.rdclass == rdclass);
+
+	mx = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -207,13 +209,15 @@ fromstruct_mx(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_mx(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_mx_t *mx = target;
+	dns_rdata_mx_t *mx;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_mx_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_mx);
-	REQUIRE(mx != NULL);
 	REQUIRE(rdata->length != 0);
 
+	mx = target;
+
 	mx->common.rdclass = rdata->rdclass;
 	mx->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&mx->common, link);
@@ -231,10 +235,12 @@ tostruct_mx(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_mx(ARGS_FREESTRUCT) {
-	dns_rdata_mx_t *mx = source;
+	dns_rdata_mx_t *mx;
+
+	REQUIRE(((dns_rdata_mx_t *)source) != NULL);
+	REQUIRE(((dns_rdata_mx_t *)source)->common.rdtype == dns_rdatatype_mx);
 
-	REQUIRE(mx != NULL);
-	REQUIRE(mx->common.rdtype == dns_rdatatype_mx);
+	mx = source;
 
 	if (mx->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/mx_15.h b/bind/bind9/lib/dns/rdata/generic/mx_15.h
index ed96beb4..e0e4eeae 100644
--- a/bind/bind9/lib/dns/rdata/generic/mx_15.h
+++ b/bind/bind9/lib/dns/rdata/generic/mx_15.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/naptr_35.c b/bind/bind9/lib/dns/rdata/generic/naptr_35.c
index 4d99e2b2..ecae2c0c 100644
--- a/bind/bind9/lib/dns/rdata/generic/naptr_35.c
+++ b/bind/bind9/lib/dns/rdata/generic/naptr_35.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -20,7 +20,7 @@
 
 /*
  * Check the wire format of the Regexp field.
- * Don't allow embeded NUL's.
+ * Don't allow embedded NUL's.
  */
 static inline isc_result_t
 txt_valid_regex(const unsigned char *txt) {
@@ -398,16 +398,21 @@ compare_naptr(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_naptr(ARGS_FROMSTRUCT) {
-	dns_rdata_naptr_t *naptr = source;
+	dns_rdata_naptr_t *naptr;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_naptr);
-	REQUIRE(naptr != NULL);
-	REQUIRE(naptr->common.rdtype == type);
-	REQUIRE(naptr->common.rdclass == rdclass);
-	REQUIRE(naptr->flags != NULL || naptr->flags_len == 0);
-	REQUIRE(naptr->service != NULL || naptr->service_len == 0);
-	REQUIRE(naptr->regexp != NULL || naptr->regexp_len == 0);
+	REQUIRE(((dns_rdata_naptr_t *)source) != NULL);
+	REQUIRE(((dns_rdata_naptr_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_naptr_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_naptr_t *)source)->flags != NULL ||
+		((dns_rdata_naptr_t *)source)->flags_len == 0);
+	REQUIRE(((dns_rdata_naptr_t *)source)->service != NULL ||
+		((dns_rdata_naptr_t *)source)->service_len == 0);
+	REQUIRE(((dns_rdata_naptr_t *)source)->regexp != NULL ||
+		((dns_rdata_naptr_t *)source)->regexp_len == 0);
+
+	naptr = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -426,15 +431,17 @@ fromstruct_naptr(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_naptr(ARGS_TOSTRUCT) {
-	dns_rdata_naptr_t *naptr = target;
+	dns_rdata_naptr_t *naptr;
 	isc_region_t r;
 	isc_result_t result;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_naptr_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_naptr);
-	REQUIRE(naptr != NULL);
 	REQUIRE(rdata->length != 0);
 
+	naptr = target;
+
 	naptr->common.rdclass = rdata->rdclass;
 	naptr->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&naptr->common, link);
@@ -496,10 +503,13 @@ tostruct_naptr(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_naptr(ARGS_FREESTRUCT) {
-	dns_rdata_naptr_t *naptr = source;
+	dns_rdata_naptr_t *naptr;
+
+	REQUIRE(((dns_rdata_naptr_t *)source) != NULL);
+	REQUIRE(((dns_rdata_naptr_t *)source)->common.rdtype ==
+		dns_rdatatype_naptr);
 
-	REQUIRE(naptr != NULL);
-	REQUIRE(naptr->common.rdtype == dns_rdatatype_naptr);
+	naptr = source;
 
 	if (naptr->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/naptr_35.h b/bind/bind9/lib/dns/rdata/generic/naptr_35.h
index e72b6099..78b66459 100644
--- a/bind/bind9/lib/dns/rdata/generic/naptr_35.h
+++ b/bind/bind9/lib/dns/rdata/generic/naptr_35.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/nid_104.c b/bind/bind9/lib/dns/rdata/generic/nid_104.c
index 44e63b5b..ca4f1823 100644
--- a/bind/bind9/lib/dns/rdata/generic/nid_104.c
+++ b/bind/bind9/lib/dns/rdata/generic/nid_104.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -119,12 +119,14 @@ compare_nid(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_nid(ARGS_FROMSTRUCT) {
-	dns_rdata_nid_t *nid = source;
+	dns_rdata_nid_t *nid;
 
 	REQUIRE(type == dns_rdatatype_nid);
-	REQUIRE(nid != NULL);
-	REQUIRE(nid->common.rdtype == type);
-	REQUIRE(nid->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_nid_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nid_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_nid_t *)source)->common.rdclass == rdclass);
+
+	nid = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -136,12 +138,14 @@ fromstruct_nid(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_nid(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_nid_t *nid = target;
+	dns_rdata_nid_t *nid;
 
+	REQUIRE(((dns_rdata_nid_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_nid);
-	REQUIRE(nid != NULL);
 	REQUIRE(rdata->length == 10);
 
+	nid = target;
+
 	UNUSED(mctx);
 
 	nid->common.rdclass = rdata->rdclass;
@@ -156,10 +160,9 @@ tostruct_nid(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_nid(ARGS_FREESTRUCT) {
-	dns_rdata_nid_t *nid = source;
-
-	REQUIRE(nid != NULL);
-	REQUIRE(nid->common.rdtype == dns_rdatatype_nid);
+	REQUIRE(((dns_rdata_nid_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nid_t *)source)->common.rdtype ==
+		dns_rdatatype_nid);
 
 	return;
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/nid_104.h b/bind/bind9/lib/dns/rdata/generic/nid_104.h
index 9362e2b5..ef041fd0 100644
--- a/bind/bind9/lib/dns/rdata/generic/nid_104.h
+++ b/bind/bind9/lib/dns/rdata/generic/nid_104.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/ninfo_56.c b/bind/bind9/lib/dns/rdata/generic/ninfo_56.c
index 1101ba1a..d9b07009 100644
--- a/bind/bind9/lib/dns/rdata/generic/ninfo_56.c
+++ b/bind/bind9/lib/dns/rdata/generic/ninfo_56.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -19,24 +19,15 @@ fromtext_ninfo(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_ninfo);
 
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	return (generic_fromtext_txt(rdclass, type, lexer, origin, options,
-				     target, callbacks));
+	return (generic_fromtext_txt(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
 totext_ninfo(ARGS_TOTEXT) {
-
-	UNUSED(tctx);
-
+	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_ninfo);
 
-	return (generic_totext_txt(rdata, tctx, target));
+	return (generic_totext_txt(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -44,13 +35,7 @@ fromwire_ninfo(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_ninfo);
 
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	return (generic_fromwire_txt(rdclass, type, source, dctx, options,
-				     target));
+	return (generic_fromwire_txt(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -82,29 +67,30 @@ fromstruct_ninfo(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_ninfo);
 
-	return (generic_fromstruct_txt(rdclass, type, source, target));
+	return (generic_fromstruct_txt(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_ninfo(ARGS_TOSTRUCT) {
-	dns_rdata_ninfo_t *ninfo = target;
+	dns_rdata_ninfo_t *ninfo;
 
 	REQUIRE(rdata->type == dns_rdatatype_ninfo);
-	REQUIRE(ninfo != NULL);
+	REQUIRE(((dns_rdata_ninfo_t *)target) != NULL);
+
+	ninfo = target;
 
 	ninfo->common.rdclass = rdata->rdclass;
 	ninfo->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&ninfo->common, link);
 
-	return (generic_tostruct_txt(rdata, target, mctx));
+	return (generic_tostruct_txt(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_ninfo(ARGS_FREESTRUCT) {
-	dns_rdata_ninfo_t *ninfo = source;
-
-	REQUIRE(ninfo != NULL);
-	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+	REQUIRE(((dns_rdata_ninfo_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ninfo_t *)source)->common.rdtype ==
+		dns_rdatatype_ninfo);
 
 	generic_freestruct_txt(source);
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/ninfo_56.h b/bind/bind9/lib/dns/rdata/generic/ninfo_56.h
index 68e9212a..26ca2e2f 100644
--- a/bind/bind9/lib/dns/rdata/generic/ninfo_56.h
+++ b/bind/bind9/lib/dns/rdata/generic/ninfo_56.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/ns_2.c b/bind/bind9/lib/dns/rdata/generic/ns_2.c
index ac552529..de9032c6 100644
--- a/bind/bind9/lib/dns/rdata/generic/ns_2.c
+++ b/bind/bind9/lib/dns/rdata/generic/ns_2.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -126,13 +126,15 @@ compare_ns(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_ns(ARGS_FROMSTRUCT) {
-	dns_rdata_ns_t *ns = source;
+	dns_rdata_ns_t *ns;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_ns);
-	REQUIRE(ns != NULL);
-	REQUIRE(ns->common.rdtype == type);
-	REQUIRE(ns->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_ns_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ns_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_ns_t *)source)->common.rdclass == rdclass);
+
+	ns = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -144,13 +146,15 @@ fromstruct_ns(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_ns(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_ns_t *ns = target;
+	dns_rdata_ns_t *ns;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_ns_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_ns);
-	REQUIRE(ns != NULL);
 	REQUIRE(rdata->length != 0);
 
+	ns = target;
+
 	ns->common.rdclass = rdata->rdclass;
 	ns->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&ns->common, link);
@@ -166,9 +170,11 @@ tostruct_ns(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_ns(ARGS_FREESTRUCT) {
-	dns_rdata_ns_t *ns = source;
+	dns_rdata_ns_t *ns;
+
+	REQUIRE(((dns_rdata_ns_t *)source) != NULL);
 
-	REQUIRE(ns != NULL);
+	ns = source;
 
 	if (ns->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/ns_2.h b/bind/bind9/lib/dns/rdata/generic/ns_2.h
index db9b6c07..d1b07759 100644
--- a/bind/bind9/lib/dns/rdata/generic/ns_2.h
+++ b/bind/bind9/lib/dns/rdata/generic/ns_2.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/nsec3_50.c b/bind/bind9/lib/dns/rdata/generic/nsec3_50.c
index b1aee3e6..a4a4afa7 100644
--- a/bind/bind9/lib/dns/rdata/generic/nsec3_50.c
+++ b/bind/bind9/lib/dns/rdata/generic/nsec3_50.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -203,8 +203,9 @@ fromwire_nsec3(ARGS_FROMWIRE) {
 	hashlen = sr.base[0];
 	isc_region_consume(&sr, 1);
 
-	if (sr.length < hashlen)
+	if (hashlen < 1 || sr.length < hashlen) {
 		RETERR(DNS_R_FORMERR);
+	}
 	isc_region_consume(&sr, hashlen);
 
 	RETERR(typemap_test(&sr, true));
@@ -245,15 +246,18 @@ compare_nsec3(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_nsec3(ARGS_FROMSTRUCT) {
-	dns_rdata_nsec3_t *nsec3 = source;
+	dns_rdata_nsec3_t *nsec3;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_nsec3);
-	REQUIRE(nsec3 != NULL);
-	REQUIRE(nsec3->common.rdtype == type);
-	REQUIRE(nsec3->common.rdclass == rdclass);
-	REQUIRE(nsec3->typebits != NULL || nsec3->len == 0);
-	REQUIRE(nsec3->hash == dns_hash_sha1);
+	REQUIRE(((dns_rdata_nsec3_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nsec3_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_nsec3_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_nsec3_t *)source)->typebits != NULL ||
+		((dns_rdata_nsec3_t *)source)->len == 0);
+	REQUIRE(((dns_rdata_nsec3_t *)source)->hash == dns_hash_sha1);
+
+	nsec3 = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -275,12 +279,14 @@ fromstruct_nsec3(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_nsec3(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_nsec3_t *nsec3 = target;
+	dns_rdata_nsec3_t *nsec3;
 
+	REQUIRE(((dns_rdata_nsec3_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_nsec3);
-	REQUIRE(nsec3 != NULL);
 	REQUIRE(rdata->length != 0);
 
+	nsec3 = target;
+
 	nsec3->common.rdclass = rdata->rdclass;
 	nsec3->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&nsec3->common, link);
@@ -320,10 +326,13 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_nsec3(ARGS_FREESTRUCT) {
-	dns_rdata_nsec3_t *nsec3 = source;
+	dns_rdata_nsec3_t *nsec3;
+
+	REQUIRE(((dns_rdata_nsec3_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nsec3_t *)source)->common.rdtype ==
+		dns_rdatatype_nsec3);
 
-	REQUIRE(nsec3 != NULL);
-	REQUIRE(nsec3->common.rdtype == dns_rdatatype_nsec3);
+	nsec3 = source;
 
 	if (nsec3->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/nsec3_50.h b/bind/bind9/lib/dns/rdata/generic/nsec3_50.h
index 36b9695f..e0372eb9 100644
--- a/bind/bind9/lib/dns/rdata/generic/nsec3_50.h
+++ b/bind/bind9/lib/dns/rdata/generic/nsec3_50.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/nsec3param_51.c b/bind/bind9/lib/dns/rdata/generic/nsec3param_51.c
index 4e7c4c96..a3cf0bc3 100644
--- a/bind/bind9/lib/dns/rdata/generic/nsec3param_51.c
+++ b/bind/bind9/lib/dns/rdata/generic/nsec3param_51.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -156,8 +156,9 @@ fromwire_nsec3param(ARGS_FROMWIRE) {
 	saltlen = sr.base[4];
 	isc_region_consume(&sr, 5);
 
-	if (sr.length < saltlen)
+	if (sr.length != saltlen) {
 		RETERR(DNS_R_FORMERR);
+	}
 	isc_region_consume(&sr, saltlen);
 	RETERR(mem_tobuffer(target, rr.base, rr.length));
 	isc_buffer_forward(source, rr.length);
@@ -195,12 +196,14 @@ compare_nsec3param(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_nsec3param(ARGS_FROMSTRUCT) {
-	dns_rdata_nsec3param_t *nsec3param = source;
+	dns_rdata_nsec3param_t *nsec3param;
 
 	REQUIRE(type == dns_rdatatype_nsec3param);
-	REQUIRE(nsec3param != NULL);
-	REQUIRE(nsec3param->common.rdtype == type);
-	REQUIRE(nsec3param->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_nsec3param_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nsec3param_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_nsec3param_t *)source)->common.rdclass == rdclass);
+
+	nsec3param = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -217,12 +220,14 @@ fromstruct_nsec3param(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_nsec3param(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_nsec3param_t *nsec3param = target;
+	dns_rdata_nsec3param_t *nsec3param;
 
+	REQUIRE(((dns_rdata_nsec3param_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
-	REQUIRE(nsec3param != NULL);
 	REQUIRE(rdata->length != 0);
 
+	nsec3param = target;
+
 	nsec3param->common.rdclass = rdata->rdclass;
 	nsec3param->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&nsec3param->common, link);
@@ -246,10 +251,13 @@ tostruct_nsec3param(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_nsec3param(ARGS_FREESTRUCT) {
-	dns_rdata_nsec3param_t *nsec3param = source;
+	dns_rdata_nsec3param_t *nsec3param;
+
+	REQUIRE(((dns_rdata_nsec3param_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nsec3param_t *)source)->common.rdtype ==
+		dns_rdatatype_nsec3param);
 
-	REQUIRE(nsec3param != NULL);
-	REQUIRE(nsec3param->common.rdtype == dns_rdatatype_nsec3param);
+	nsec3param = source;
 
 	if (nsec3param->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/nsec3param_51.h b/bind/bind9/lib/dns/rdata/generic/nsec3param_51.h
index b8bc3755..5404fc6a 100644
--- a/bind/bind9/lib/dns/rdata/generic/nsec3param_51.h
+++ b/bind/bind9/lib/dns/rdata/generic/nsec3param_51.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/nsec_47.c b/bind/bind9/lib/dns/rdata/generic/nsec_47.c
index 824d5d3b..d20b6281 100644
--- a/bind/bind9/lib/dns/rdata/generic/nsec_47.c
+++ b/bind/bind9/lib/dns/rdata/generic/nsec_47.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -131,14 +131,17 @@ compare_nsec(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_nsec(ARGS_FROMSTRUCT) {
-	dns_rdata_nsec_t *nsec = source;
+	dns_rdata_nsec_t *nsec;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_nsec);
-	REQUIRE(nsec != NULL);
-	REQUIRE(nsec->common.rdtype == type);
-	REQUIRE(nsec->common.rdclass == rdclass);
-	REQUIRE(nsec->typebits != NULL || nsec->len == 0);
+	REQUIRE(((dns_rdata_nsec_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nsec_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_nsec_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_nsec_t *)source)->typebits != NULL ||
+		((dns_rdata_nsec_t *)source)->len == 0);
+
+	nsec = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -155,13 +158,15 @@ fromstruct_nsec(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_nsec(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_nsec_t *nsec = target;
+	dns_rdata_nsec_t *nsec;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_nsec_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_nsec);
-	REQUIRE(nsec != NULL);
 	REQUIRE(rdata->length != 0);
 
+	nsec = target;
+
 	nsec->common.rdclass = rdata->rdclass;
 	nsec->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&nsec->common, link);
@@ -189,10 +194,13 @@ tostruct_nsec(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_nsec(ARGS_FREESTRUCT) {
-	dns_rdata_nsec_t *nsec = source;
+	dns_rdata_nsec_t *nsec;
+
+	REQUIRE(((dns_rdata_nsec_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nsec_t *)source)->common.rdtype ==
+		dns_rdatatype_nsec);
 
-	REQUIRE(nsec != NULL);
-	REQUIRE(nsec->common.rdtype == dns_rdatatype_nsec);
+	nsec = source;
 
 	if (nsec->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/nsec_47.h b/bind/bind9/lib/dns/rdata/generic/nsec_47.h
index b5978649..b99f92a2 100644
--- a/bind/bind9/lib/dns/rdata/generic/nsec_47.h
+++ b/bind/bind9/lib/dns/rdata/generic/nsec_47.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/null_10.c b/bind/bind9/lib/dns/rdata/generic/null_10.c
index 5ffdb71e..1acccc45 100644
--- a/bind/bind9/lib/dns/rdata/generic/null_10.c
+++ b/bind/bind9/lib/dns/rdata/generic/null_10.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -77,13 +77,16 @@ compare_null(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_null(ARGS_FROMSTRUCT) {
-	dns_rdata_null_t *null = source;
+	dns_rdata_null_t *null;
 
 	REQUIRE(type == dns_rdatatype_null);
-	REQUIRE(null != NULL);
-	REQUIRE(null->common.rdtype == type);
-	REQUIRE(null->common.rdclass == rdclass);
-	REQUIRE(null->data != NULL || null->length == 0);
+	REQUIRE(((dns_rdata_null_t *)source) != NULL);
+	REQUIRE(((dns_rdata_null_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_null_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_null_t *)source)->data != NULL ||
+		((dns_rdata_null_t *)source)->length == 0);
+
+	null = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -93,11 +96,13 @@ fromstruct_null(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_null(ARGS_TOSTRUCT) {
-	dns_rdata_null_t *null = target;
+	dns_rdata_null_t *null;
 	isc_region_t r;
 
 	REQUIRE(rdata->type == dns_rdatatype_null);
-	REQUIRE(null != NULL);
+	REQUIRE(((dns_rdata_null_t *)target) != NULL);
+
+	null = target;
 
 	null->common.rdclass = rdata->rdclass;
 	null->common.rdtype = rdata->type;
@@ -115,10 +120,13 @@ tostruct_null(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_null(ARGS_FREESTRUCT) {
-	dns_rdata_null_t *null = source;
+	dns_rdata_null_t *null;
+
+	REQUIRE(((dns_rdata_null_t *)source) != NULL);
+	REQUIRE(((dns_rdata_null_t *)source)->common.rdtype ==
+		dns_rdatatype_null);
 
-	REQUIRE(null != NULL);
-	REQUIRE(null->common.rdtype == dns_rdatatype_null);
+	null = source;
 
 	if (null->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/null_10.h b/bind/bind9/lib/dns/rdata/generic/null_10.h
index 0b01dd8f..23328a5e 100644
--- a/bind/bind9/lib/dns/rdata/generic/null_10.h
+++ b/bind/bind9/lib/dns/rdata/generic/null_10.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/nxt_30.c b/bind/bind9/lib/dns/rdata/generic/nxt_30.c
index ba8c87bb..07ffedc5 100644
--- a/bind/bind9/lib/dns/rdata/generic/nxt_30.c
+++ b/bind/bind9/lib/dns/rdata/generic/nxt_30.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -134,9 +134,11 @@ fromwire_nxt(ARGS_FROMWIRE) {
 	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 
 	isc_buffer_activeregion(source, &sr);
-	if (sr.length > 0 && (sr.base[0] & 0x80) == 0 &&
-	    ((sr.length > 16) || sr.base[sr.length - 1] == 0))
+	if (sr.length > 0 && ((sr.base[0] & 0x80) != 0 || sr.length > 16 ||
+			      sr.base[sr.length - 1] == 0))
+	{
 		return (DNS_R_BADBITMAP);
+	}
 	RETERR(mem_tobuffer(target, sr.base, sr.length));
 	isc_buffer_forward(source, sr.length);
 	return (ISC_R_SUCCESS);
@@ -193,14 +195,16 @@ compare_nxt(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_nxt(ARGS_FROMSTRUCT) {
-	dns_rdata_nxt_t *nxt = source;
+	dns_rdata_nxt_t *nxt;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_nxt);
-	REQUIRE(nxt != NULL);
+	REQUIRE(((dns_rdata_nxt_t *)source) != NULL);
+	nxt = source;
 	REQUIRE(nxt->common.rdtype == type);
 	REQUIRE(nxt->common.rdclass == rdclass);
 	REQUIRE(nxt->typebits != NULL || nxt->len == 0);
+
 	if (nxt->typebits != NULL && (nxt->typebits[0] & 0x80) == 0) {
 		REQUIRE(nxt->len <= 16);
 		REQUIRE(nxt->typebits[nxt->len - 1] != 0);
@@ -218,13 +222,15 @@ fromstruct_nxt(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_nxt(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_nxt_t *nxt = target;
+	dns_rdata_nxt_t *nxt;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_nxt_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_nxt);
-	REQUIRE(nxt != NULL);
 	REQUIRE(rdata->length != 0);
 
+	nxt = target;
+
 	nxt->common.rdclass = rdata->rdclass;
 	nxt->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&nxt->common, link);
@@ -252,10 +258,13 @@ tostruct_nxt(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_nxt(ARGS_FREESTRUCT) {
-	dns_rdata_nxt_t *nxt = source;
+	dns_rdata_nxt_t *nxt;
+
+	REQUIRE(((dns_rdata_nxt_t *)source) != NULL);
+	REQUIRE(((dns_rdata_nxt_t *)source)->common.rdtype ==
+		dns_rdatatype_nxt);
 
-	REQUIRE(nxt != NULL);
-	REQUIRE(nxt->common.rdtype == dns_rdatatype_nxt);
+	nxt = source;
 
 	if (nxt->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/nxt_30.h b/bind/bind9/lib/dns/rdata/generic/nxt_30.h
index 63bbc0f5..8fa0d849 100644
--- a/bind/bind9/lib/dns/rdata/generic/nxt_30.h
+++ b/bind/bind9/lib/dns/rdata/generic/nxt_30.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/openpgpkey_61.c b/bind/bind9/lib/dns/rdata/generic/openpgpkey_61.c
index 900d665c..69c36447 100644
--- a/bind/bind9/lib/dns/rdata/generic/openpgpkey_61.c
+++ b/bind/bind9/lib/dns/rdata/generic/openpgpkey_61.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -113,13 +113,16 @@ compare_openpgpkey(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_openpgpkey(ARGS_FROMSTRUCT) {
-	dns_rdata_openpgpkey_t *sig = source;
+	dns_rdata_openpgpkey_t *sig;
 
 	REQUIRE(type == dns_rdatatype_openpgpkey);
-	REQUIRE(sig != NULL);
-	REQUIRE(sig->common.rdtype == type);
-	REQUIRE(sig->common.rdclass == rdclass);
-	REQUIRE(sig->keyring != NULL && sig->length != 0);
+	REQUIRE(((dns_rdata_openpgpkey_t *)source) != NULL);
+	REQUIRE(((dns_rdata_openpgpkey_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_openpgpkey_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_openpgpkey_t *)source)->keyring != NULL);
+	REQUIRE(((dns_rdata_openpgpkey_t *)source)->length != 0);
+
+	sig = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -133,12 +136,14 @@ fromstruct_openpgpkey(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_openpgpkey(ARGS_TOSTRUCT) {
 	isc_region_t sr;
-	dns_rdata_openpgpkey_t *sig = target;
+	dns_rdata_openpgpkey_t *sig;
 
+	REQUIRE(((dns_rdata_openpgpkey_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
-	REQUIRE(sig != NULL);
 	REQUIRE(rdata->length != 0);
 
+	sig = target;
+
 	sig->common.rdclass = rdata->rdclass;
 	sig->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&sig->common, link);
@@ -162,10 +167,13 @@ tostruct_openpgpkey(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_openpgpkey(ARGS_FREESTRUCT) {
-	dns_rdata_openpgpkey_t *sig = (dns_rdata_openpgpkey_t *) source;
+	dns_rdata_openpgpkey_t *sig;
+
+	REQUIRE(((dns_rdata_openpgpkey_t *)source) != NULL);
+	REQUIRE(((dns_rdata_openpgpkey_t *)source)->common.rdtype ==
+		dns_rdatatype_openpgpkey);
 
-	REQUIRE(sig != NULL);
-	REQUIRE(sig->common.rdtype == dns_rdatatype_openpgpkey);
+	sig = (dns_rdata_openpgpkey_t *) source;
 
 	if (sig->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/openpgpkey_61.h b/bind/bind9/lib/dns/rdata/generic/openpgpkey_61.h
index 7c68e7ff..11979101 100644
--- a/bind/bind9/lib/dns/rdata/generic/openpgpkey_61.h
+++ b/bind/bind9/lib/dns/rdata/generic/openpgpkey_61.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/opt_41.c b/bind/bind9/lib/dns/rdata/generic/opt_41.c
index d361e13a..40fcbe78 100644
--- a/bind/bind9/lib/dns/rdata/generic/opt_41.c
+++ b/bind/bind9/lib/dns/rdata/generic/opt_41.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -18,6 +18,8 @@
 			       DNS_RDATATYPEATTR_META | \
 			       DNS_RDATATYPEATTR_NOTQUESTION)
 
+#include <isc/utf8.h>
+
 static inline isc_result_t
 fromtext_opt(ARGS_FROMTEXT) {
 	/*
@@ -191,6 +193,10 @@ fromwire_opt(ARGS_FROMWIRE) {
 			isc_region_consume(&sregion, length);
 			break;
 		case DNS_OPT_COOKIE:
+			/*
+			 * Client cookie alone has length 8.
+			 * Client + server cookie is 8 + [8..32].
+			 */
 			if (length != 8 && (length < 16 || length > 40)) {
 				return (DNS_R_OPTERR);
 			}
@@ -202,6 +208,24 @@ fromwire_opt(ARGS_FROMWIRE) {
 			}
 			isc_region_consume(&sregion, length);
 			break;
+		case DNS_OPT_EDE:
+			if (length < 2) {
+				return (DNS_R_OPTERR);
+			}
+			/* UTF-8 Byte Order Mark is not permitted. RFC 5198 */
+			if (isc_utf8_bom(sregion.base + 2, length - 2)) {
+				return (DNS_R_OPTERR);
+			}
+			/*
+			 * The EXTRA-TEXT field is specified as UTF-8, and
+			 * therefore must be validated for correctness
+			 * according to RFC 3269 security considerations.
+			 */
+			if (!isc_utf8_valid(sregion.base + 2, length - 2)) {
+				return (DNS_R_OPTERR);
+			}
+			isc_region_consume(&sregion, length);
+			break;
 		case DNS_OPT_CLIENT_TAG:
 			/* FALLTHROUGH */
 		case DNS_OPT_SERVER_TAG:
@@ -255,15 +279,18 @@ compare_opt(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_opt(ARGS_FROMSTRUCT) {
-	dns_rdata_opt_t *opt = source;
+	dns_rdata_opt_t *opt;
 	isc_region_t region;
 	uint16_t length;
 
 	REQUIRE(type == dns_rdatatype_opt);
-	REQUIRE(opt != NULL);
-	REQUIRE(opt->common.rdtype == type);
-	REQUIRE(opt->common.rdclass == rdclass);
-	REQUIRE(opt->options != NULL || opt->length == 0);
+	REQUIRE(((dns_rdata_opt_t *)source) != NULL);
+	REQUIRE(((dns_rdata_opt_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_opt_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_opt_t *)source)->options != NULL ||
+		((dns_rdata_opt_t *)source)->length == 0);
+
+	opt = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -286,11 +313,13 @@ fromstruct_opt(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_opt(ARGS_TOSTRUCT) {
-	dns_rdata_opt_t *opt = target;
+	dns_rdata_opt_t *opt;
 	isc_region_t r;
 
 	REQUIRE(rdata->type == dns_rdatatype_opt);
-	REQUIRE(opt != NULL);
+	REQUIRE(((dns_rdata_opt_t *)target) != NULL);
+
+	opt = target;
 
 	opt->common.rdclass = rdata->rdclass;
 	opt->common.rdtype = rdata->type;
@@ -309,10 +338,13 @@ tostruct_opt(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_opt(ARGS_FREESTRUCT) {
-	dns_rdata_opt_t *opt = source;
+	dns_rdata_opt_t *opt;
 
-	REQUIRE(opt != NULL);
-	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+	REQUIRE(((dns_rdata_opt_t *)source) != NULL);
+	REQUIRE(((dns_rdata_opt_t *)source)->common.rdtype ==
+		dns_rdatatype_opt);
+
+	opt = source;
 
 	if (opt->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/opt_41.h b/bind/bind9/lib/dns/rdata/generic/opt_41.h
index 5b31f4d0..74167285 100644
--- a/bind/bind9/lib/dns/rdata/generic/opt_41.h
+++ b/bind/bind9/lib/dns/rdata/generic/opt_41.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/proforma.c b/bind/bind9/lib/dns/rdata/generic/proforma.c
index 7ed78acb..890c9583 100644
--- a/bind/bind9/lib/dns/rdata/generic/proforma.c
+++ b/bind/bind9/lib/dns/rdata/generic/proforma.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/proforma.h b/bind/bind9/lib/dns/rdata/generic/proforma.h
index cb49ee42..d3cf5afc 100644
--- a/bind/bind9/lib/dns/rdata/generic/proforma.h
+++ b/bind/bind9/lib/dns/rdata/generic/proforma.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/ptr_12.c b/bind/bind9/lib/dns/rdata/generic/ptr_12.c
index 1e405152..4fad2e75 100644
--- a/bind/bind9/lib/dns/rdata/generic/ptr_12.c
+++ b/bind/bind9/lib/dns/rdata/generic/ptr_12.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -128,13 +128,15 @@ compare_ptr(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_ptr(ARGS_FROMSTRUCT) {
-	dns_rdata_ptr_t *ptr = source;
+	dns_rdata_ptr_t *ptr;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_ptr);
-	REQUIRE(ptr != NULL);
-	REQUIRE(ptr->common.rdtype == type);
-	REQUIRE(ptr->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_ptr_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ptr_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_ptr_t *)source)->common.rdclass == rdclass);
+
+	ptr = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -146,13 +148,15 @@ fromstruct_ptr(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_ptr(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_ptr_t *ptr = target;
+	dns_rdata_ptr_t *ptr;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_ptr_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_ptr);
-	REQUIRE(ptr != NULL);
 	REQUIRE(rdata->length != 0);
 
+	ptr = target;
+
 	ptr->common.rdclass = rdata->rdclass;
 	ptr->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&ptr->common, link);
@@ -168,10 +172,13 @@ tostruct_ptr(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_ptr(ARGS_FREESTRUCT) {
-	dns_rdata_ptr_t *ptr = source;
+	dns_rdata_ptr_t *ptr;
+
+	REQUIRE(((dns_rdata_ptr_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ptr_t *)source)->common.rdtype ==
+		dns_rdatatype_ptr);
 
-	REQUIRE(ptr != NULL);
-	REQUIRE(ptr->common.rdtype == dns_rdatatype_ptr);
+	ptr = source;
 
 	if (ptr->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/ptr_12.h b/bind/bind9/lib/dns/rdata/generic/ptr_12.h
index d71ebd92..d049ec15 100644
--- a/bind/bind9/lib/dns/rdata/generic/ptr_12.h
+++ b/bind/bind9/lib/dns/rdata/generic/ptr_12.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/rkey_57.c b/bind/bind9/lib/dns/rdata/generic/rkey_57.c
index 2475a48f..db31b470 100644
--- a/bind/bind9/lib/dns/rdata/generic/rkey_57.c
+++ b/bind/bind9/lib/dns/rdata/generic/rkey_57.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -19,8 +19,7 @@ fromtext_rkey(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_rkey);
 
-	return (generic_fromtext_key(rdclass, type, lexer, origin,
-				     options, target, callbacks));
+	return (generic_fromtext_key(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
@@ -29,7 +28,7 @@ totext_rkey(ARGS_TOTEXT) {
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_rkey);
 
-	return (generic_totext_key(rdata, tctx, target));
+	return (generic_totext_key(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -37,8 +36,7 @@ fromwire_rkey(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_rkey);
 
-	return (generic_fromwire_key(rdclass, type, source, dctx,
-				     options, target));
+	return (generic_fromwire_key(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -78,30 +76,31 @@ fromstruct_rkey(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_rkey);
 
-	return (generic_fromstruct_key(rdclass, type, source, target));
+	return (generic_fromstruct_key(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_rkey(ARGS_TOSTRUCT) {
-	dns_rdata_rkey_t *rkey = target;
+	dns_rdata_rkey_t *rkey;
 
-	REQUIRE(rkey != NULL);
+	REQUIRE(((dns_rdata_rkey_t *)target) != NULL);
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_rkey);
 
+	rkey = target;
+
 	rkey->common.rdclass = rdata->rdclass;
 	rkey->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&rkey->common, link);
 
-	return (generic_tostruct_key(rdata, target, mctx));
+	return (generic_tostruct_key(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_rkey(ARGS_FREESTRUCT) {
-	dns_rdata_rkey_t *rkey = (dns_rdata_rkey_t *) source;
-
-	REQUIRE(rkey != NULL);
-	REQUIRE(rkey->common.rdtype == dns_rdatatype_rkey);
+	REQUIRE(((dns_rdata_rkey_t *)source) != NULL);
+	REQUIRE(((dns_rdata_rkey_t *)source)->common.rdtype ==
+		dns_rdatatype_rkey);
 
 	generic_freestruct_key(source);
 }
@@ -160,7 +159,7 @@ static inline int
 casecompare_rkey(ARGS_COMPARE) {
 
 	/*
-	 * Treat ALG 253 (private DNS) subtype name case sensistively.
+	 * Treat ALG 253 (private DNS) subtype name case sensitively.
 	 */
 	return (compare_rkey(rdata1, rdata2));
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/rkey_57.h b/bind/bind9/lib/dns/rdata/generic/rkey_57.h
index 000a725b..8408b3d9 100644
--- a/bind/bind9/lib/dns/rdata/generic/rkey_57.h
+++ b/bind/bind9/lib/dns/rdata/generic/rkey_57.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/rp_17.c b/bind/bind9/lib/dns/rdata/generic/rp_17.c
index ee2eef22..535680bd 100644
--- a/bind/bind9/lib/dns/rdata/generic/rp_17.c
+++ b/bind/bind9/lib/dns/rdata/generic/rp_17.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -173,13 +173,15 @@ compare_rp(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_rp(ARGS_FROMSTRUCT) {
-	dns_rdata_rp_t *rp = source;
+	dns_rdata_rp_t *rp;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_rp);
-	REQUIRE(rp != NULL);
-	REQUIRE(rp->common.rdtype == type);
-	REQUIRE(rp->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_rp_t *)source) != NULL);
+	REQUIRE(((dns_rdata_rp_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_rp_t *)source)->common.rdclass == rdclass);
+
+	rp = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -194,13 +196,15 @@ static inline isc_result_t
 tostruct_rp(ARGS_TOSTRUCT) {
 	isc_result_t result;
 	isc_region_t region;
-	dns_rdata_rp_t *rp = target;
+	dns_rdata_rp_t *rp;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_rp_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_rp);
-	REQUIRE(rp != NULL);
 	REQUIRE(rdata->length != 0);
 
+	rp = target;
+
 	rp->common.rdclass = rdata->rdclass;
 	rp->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&rp->common, link);
@@ -228,10 +232,12 @@ tostruct_rp(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_rp(ARGS_FREESTRUCT) {
-	dns_rdata_rp_t *rp = source;
+	dns_rdata_rp_t *rp;
+
+	REQUIRE(((dns_rdata_rp_t *)source) != NULL);
+	REQUIRE(((dns_rdata_rp_t *)source)->common.rdtype == dns_rdatatype_rp);
 
-	REQUIRE(rp != NULL);
-	REQUIRE(rp->common.rdtype == dns_rdatatype_rp);
+	rp = source;
 
 	if (rp->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/rp_17.h b/bind/bind9/lib/dns/rdata/generic/rp_17.h
index 31b57682..67ff39a7 100644
--- a/bind/bind9/lib/dns/rdata/generic/rp_17.h
+++ b/bind/bind9/lib/dns/rdata/generic/rp_17.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/rrsig_46.c b/bind/bind9/lib/dns/rdata/generic/rrsig_46.c
index 975810f2..0d4df67e 100644
--- a/bind/bind9/lib/dns/rdata/generic/rrsig_46.c
+++ b/bind/bind9/lib/dns/rdata/generic/rrsig_46.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -294,6 +294,9 @@ fromwire_rrsig(ARGS_FROMWIRE) {
 	 * Sig.
 	 */
 	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 1) {
+		return (DNS_R_FORMERR);
+	}
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
 }
@@ -353,13 +356,16 @@ compare_rrsig(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_rrsig(ARGS_FROMSTRUCT) {
-	dns_rdata_rrsig_t *sig = source;
+	dns_rdata_rrsig_t *sig;
 
 	REQUIRE(type == dns_rdatatype_rrsig);
-	REQUIRE(sig != NULL);
-	REQUIRE(sig->common.rdtype == type);
-	REQUIRE(sig->common.rdclass == rdclass);
-	REQUIRE(sig->signature != NULL || sig->siglen == 0);
+	REQUIRE(((dns_rdata_rrsig_t *)source) != NULL);
+	REQUIRE(((dns_rdata_rrsig_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_rrsig_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_rrsig_t *)source)->signature != NULL ||
+		((dns_rdata_rrsig_t *)source)->siglen == 0);
+
+	sig = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -413,13 +419,15 @@ fromstruct_rrsig(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_rrsig(ARGS_TOSTRUCT) {
 	isc_region_t sr;
-	dns_rdata_rrsig_t *sig = target;
+	dns_rdata_rrsig_t *sig;
 	dns_name_t signer;
 
+	REQUIRE(((dns_rdata_rrsig_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_rrsig);
-	REQUIRE(sig != NULL);
 	REQUIRE(rdata->length != 0);
 
+	sig = target;
+
 	sig->common.rdclass = rdata->rdclass;
 	sig->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&sig->common, link);
@@ -494,10 +502,13 @@ tostruct_rrsig(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_rrsig(ARGS_FREESTRUCT) {
-	dns_rdata_rrsig_t *sig = (dns_rdata_rrsig_t *) source;
+	dns_rdata_rrsig_t *sig;
+
+	REQUIRE(((dns_rdata_rrsig_t *)source) != NULL);
+	REQUIRE(((dns_rdata_rrsig_t *)source)->common.rdtype ==
+		dns_rdatatype_rrsig);
 
-	REQUIRE(sig != NULL);
-	REQUIRE(sig->common.rdtype == dns_rdatatype_rrsig);
+	sig = (dns_rdata_rrsig_t *) source;
 
 	if (sig->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/rrsig_46.h b/bind/bind9/lib/dns/rdata/generic/rrsig_46.h
index 6dfbd424..be362c6d 100644
--- a/bind/bind9/lib/dns/rdata/generic/rrsig_46.h
+++ b/bind/bind9/lib/dns/rdata/generic/rrsig_46.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/rt_21.c b/bind/bind9/lib/dns/rdata/generic/rt_21.c
index 43c08628..ddde80e2 100644
--- a/bind/bind9/lib/dns/rdata/generic/rt_21.c
+++ b/bind/bind9/lib/dns/rdata/generic/rt_21.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -166,13 +166,15 @@ compare_rt(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_rt(ARGS_FROMSTRUCT) {
-	dns_rdata_rt_t *rt = source;
+	dns_rdata_rt_t *rt;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_rt);
-	REQUIRE(rt != NULL);
-	REQUIRE(rt->common.rdtype == type);
-	REQUIRE(rt->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_rt_t *)source) != NULL);
+	REQUIRE(((dns_rdata_rt_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_rt_t *)source)->common.rdclass == rdclass);
+
+	rt = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -185,13 +187,15 @@ fromstruct_rt(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_rt(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_rt_t *rt = target;
+	dns_rdata_rt_t *rt;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_rt_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_rt);
-	REQUIRE(rt != NULL);
 	REQUIRE(rdata->length != 0);
 
+	rt = target;
+
 	rt->common.rdclass = rdata->rdclass;
 	rt->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&rt->common, link);
@@ -210,10 +214,12 @@ tostruct_rt(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_rt(ARGS_FREESTRUCT) {
-	dns_rdata_rt_t *rt = source;
+	dns_rdata_rt_t *rt;
+
+	REQUIRE(((dns_rdata_rt_t *)source) != NULL);
+	REQUIRE(((dns_rdata_rt_t *)source)->common.rdtype == dns_rdatatype_rt);
 
-	REQUIRE(rt != NULL);
-	REQUIRE(rt->common.rdtype == dns_rdatatype_rt);
+	rt = source;
 
 	if (rt->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/rt_21.h b/bind/bind9/lib/dns/rdata/generic/rt_21.h
index a9082c71..549a25ba 100644
--- a/bind/bind9/lib/dns/rdata/generic/rt_21.h
+++ b/bind/bind9/lib/dns/rdata/generic/rt_21.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/sig_24.c b/bind/bind9/lib/dns/rdata/generic/sig_24.c
index 47a69e86..89a39ff9 100644
--- a/bind/bind9/lib/dns/rdata/generic/sig_24.c
+++ b/bind/bind9/lib/dns/rdata/generic/sig_24.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -266,6 +266,9 @@ fromwire_sig(ARGS_FROMWIRE) {
 	 * Sig.
 	 */
 	isc_buffer_activeregion(source, &sr);
+	if (sr.length == 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
 }
@@ -352,13 +355,16 @@ compare_sig(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_sig(ARGS_FROMSTRUCT) {
-	dns_rdata_sig_t *sig = source;
+	dns_rdata_sig_t *sig;
 
 	REQUIRE(type == dns_rdatatype_sig);
-	REQUIRE(sig != NULL);
-	REQUIRE(sig->common.rdtype == type);
-	REQUIRE(sig->common.rdclass == rdclass);
-	REQUIRE(sig->signature != NULL || sig->siglen == 0);
+	REQUIRE(((dns_rdata_sig_t *)source) != NULL);
+	REQUIRE(((dns_rdata_sig_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_sig_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_sig_t *)source)->signature != NULL ||
+		((dns_rdata_sig_t *)source)->siglen == 0);
+
+	sig = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -412,13 +418,15 @@ fromstruct_sig(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_sig(ARGS_TOSTRUCT) {
 	isc_region_t sr;
-	dns_rdata_sig_t *sig = target;
+	dns_rdata_sig_t *sig;
 	dns_name_t signer;
 
+	REQUIRE(((dns_rdata_sig_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_sig);
-	REQUIRE(sig != NULL);
 	REQUIRE(rdata->length != 0);
 
+	sig = target;
+
 	sig->common.rdclass = rdata->rdclass;
 	sig->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&sig->common, link);
@@ -493,10 +501,13 @@ tostruct_sig(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_sig(ARGS_FREESTRUCT) {
-	dns_rdata_sig_t *sig = (dns_rdata_sig_t *) source;
+	dns_rdata_sig_t *sig;
+
+	REQUIRE(((dns_rdata_sig_t *)source) != NULL);
+	REQUIRE(((dns_rdata_sig_t *)source)->common.rdtype ==
+		dns_rdatatype_sig);
 
-	REQUIRE(sig != NULL);
-	REQUIRE(sig->common.rdtype == dns_rdatatype_sig);
+	sig = (dns_rdata_sig_t *) source;
 
 	if (sig->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/sig_24.h b/bind/bind9/lib/dns/rdata/generic/sig_24.h
index a3882d9a..d9627fb1 100644
--- a/bind/bind9/lib/dns/rdata/generic/sig_24.h
+++ b/bind/bind9/lib/dns/rdata/generic/sig_24.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/sink_40.c b/bind/bind9/lib/dns/rdata/generic/sink_40.c
index 13f8562d..8fd93850 100644
--- a/bind/bind9/lib/dns/rdata/generic/sink_40.c
+++ b/bind/bind9/lib/dns/rdata/generic/sink_40.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -143,12 +143,14 @@ compare_sink(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_sink(ARGS_FROMSTRUCT) {
-	dns_rdata_sink_t *sink = source;
+	dns_rdata_sink_t *sink;
 
 	REQUIRE(type == dns_rdatatype_sink);
-	REQUIRE(sink != NULL);
-	REQUIRE(sink->common.rdtype == type);
-	REQUIRE(sink->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_sink_t *)source) != NULL);
+	REQUIRE(((dns_rdata_sink_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_sink_t *)source)->common.rdclass == rdclass);
+
+	sink = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -168,13 +170,15 @@ fromstruct_sink(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_sink(ARGS_TOSTRUCT) {
-	dns_rdata_sink_t *sink = target;
+	dns_rdata_sink_t *sink;
 	isc_region_t sr;
 
+	REQUIRE(((dns_rdata_sink_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_sink);
-	REQUIRE(sink != NULL);
 	REQUIRE(rdata->length >= 3);
 
+	sink = target;
+
 	sink->common.rdclass = rdata->rdclass;
 	sink->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&sink->common, link);
@@ -211,10 +215,13 @@ tostruct_sink(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_sink(ARGS_FREESTRUCT) {
-	dns_rdata_sink_t *sink = (dns_rdata_sink_t *) source;
+	dns_rdata_sink_t *sink;
+
+	REQUIRE(((dns_rdata_sink_t *)source) != NULL);
+	REQUIRE(((dns_rdata_sink_t *)source)->common.rdtype ==
+		dns_rdatatype_sink);
 
-	REQUIRE(sink != NULL);
-	REQUIRE(sink->common.rdtype == dns_rdatatype_sink);
+	sink = (dns_rdata_sink_t *) source;
 
 	if (sink->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/sink_40.h b/bind/bind9/lib/dns/rdata/generic/sink_40.h
index 4e6e01e2..eecf717d 100644
--- a/bind/bind9/lib/dns/rdata/generic/sink_40.h
+++ b/bind/bind9/lib/dns/rdata/generic/sink_40.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/smimea_53.c b/bind/bind9/lib/dns/rdata/generic/smimea_53.c
index 152ad9cf..239f92e1 100644
--- a/bind/bind9/lib/dns/rdata/generic/smimea_53.c
+++ b/bind/bind9/lib/dns/rdata/generic/smimea_53.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -19,16 +19,15 @@ fromtext_smimea(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_smimea);
 
-	return (generic_fromtext_tlsa(rdclass, type, lexer, origin, options,
-				      target, callbacks));
+	return (generic_fromtext_tlsa(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
 totext_smimea(ARGS_TOTEXT) {
-
+	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_smimea);
 
-	return (generic_totext_tlsa(rdata, tctx, target));
+	return (generic_totext_tlsa(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -36,8 +35,7 @@ fromwire_smimea(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_smimea);
 
-	return (generic_fromwire_tlsa(rdclass, type, source, dctx, options,
-				      target));
+	return (generic_fromwire_tlsa(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -74,30 +72,31 @@ fromstruct_smimea(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_smimea);
 
-	return (generic_fromstruct_tlsa(rdclass, type, source, target));
+	return (generic_fromstruct_tlsa(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_smimea(ARGS_TOSTRUCT) {
-	dns_rdata_smimea_t *smimea = target;
+	dns_rdata_smimea_t *smimea;
 
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_smimea);
-	REQUIRE(smimea != NULL);
+	REQUIRE(((dns_rdata_smimea_t *)target) != NULL);
+
+	smimea = target;
 
 	smimea->common.rdclass = rdata->rdclass;
 	smimea->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&smimea->common, link);
 
-	return (generic_tostruct_tlsa(rdata, target, mctx));
+	return (generic_tostruct_tlsa(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_smimea(ARGS_FREESTRUCT) {
-	dns_rdata_smimea_t *smimea = source;
-
-	REQUIRE(smimea != NULL);
-	REQUIRE(smimea->common.rdtype == dns_rdatatype_smimea);
+	REQUIRE(((dns_rdata_smimea_t *)source) != NULL);
+	REQUIRE(((dns_rdata_smimea_t *)source)->common.rdtype ==
+		dns_rdatatype_smimea);
 
 	generic_freestruct_tlsa(source);
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/smimea_53.h b/bind/bind9/lib/dns/rdata/generic/smimea_53.h
index cabec2be..e23dd3bb 100644
--- a/bind/bind9/lib/dns/rdata/generic/smimea_53.h
+++ b/bind/bind9/lib/dns/rdata/generic/smimea_53.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/soa_6.c b/bind/bind9/lib/dns/rdata/generic/soa_6.c
index 288366ea..8d7df47a 100644
--- a/bind/bind9/lib/dns/rdata/generic/soa_6.c
+++ b/bind/bind9/lib/dns/rdata/generic/soa_6.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -268,13 +268,15 @@ compare_soa(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_soa(ARGS_FROMSTRUCT) {
-	dns_rdata_soa_t *soa = source;
+	dns_rdata_soa_t *soa;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_soa);
-	REQUIRE(soa != NULL);
-	REQUIRE(soa->common.rdtype == type);
-	REQUIRE(soa->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_soa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_soa_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_soa_t *)source)->common.rdclass == rdclass);
+
+	soa = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -293,14 +295,16 @@ fromstruct_soa(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_soa(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_soa_t *soa = target;
+	dns_rdata_soa_t *soa;
 	dns_name_t name;
 	isc_result_t result;
 
+	REQUIRE(((dns_rdata_soa_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_soa);
-	REQUIRE(soa != NULL);
 	REQUIRE(rdata->length != 0);
 
+	soa = target;
+
 	soa->common.rdclass = rdata->rdclass;
 	soa->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&soa->common, link);
@@ -346,10 +350,13 @@ tostruct_soa(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_soa(ARGS_FREESTRUCT) {
-	dns_rdata_soa_t *soa = source;
+	dns_rdata_soa_t *soa;
+
+	REQUIRE(((dns_rdata_soa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_soa_t *)source)->common.rdtype ==
+		dns_rdatatype_soa);
 
-	REQUIRE(soa != NULL);
-	REQUIRE(soa->common.rdtype == dns_rdatatype_soa);
+	soa = source;
 
 	if (soa->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/soa_6.h b/bind/bind9/lib/dns/rdata/generic/soa_6.h
index c9be985d..87269d8e 100644
--- a/bind/bind9/lib/dns/rdata/generic/soa_6.h
+++ b/bind/bind9/lib/dns/rdata/generic/soa_6.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/spf_99.c b/bind/bind9/lib/dns/rdata/generic/spf_99.c
index 3668d9c7..eeb464e3 100644
--- a/bind/bind9/lib/dns/rdata/generic/spf_99.c
+++ b/bind/bind9/lib/dns/rdata/generic/spf_99.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -19,24 +19,15 @@ fromtext_spf(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_spf);
 
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	return (generic_fromtext_txt(rdclass, type, lexer, origin, options,
-				     target, callbacks));
+	return (generic_fromtext_txt(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
 totext_spf(ARGS_TOTEXT) {
-
-	UNUSED(tctx);
-
+	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_spf);
 
-	return (generic_totext_txt(rdata, tctx, target));
+	return (generic_totext_txt(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -44,13 +35,7 @@ fromwire_spf(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_spf);
 
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	return (generic_fromwire_txt(rdclass, type, source, dctx, options,
-				     target));
+	return (generic_fromwire_txt(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -82,30 +67,31 @@ fromstruct_spf(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_spf);
 
-	return (generic_fromstruct_txt(rdclass, type, source, target));
+	return (generic_fromstruct_txt(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_spf(ARGS_TOSTRUCT) {
-	dns_rdata_spf_t *spf = target;
+	dns_rdata_spf_t *spf;
 
-	REQUIRE(spf != NULL);
+	REQUIRE(((dns_rdata_spf_t *)target) != NULL);
 	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_spf);
 
+	spf = target;
+
 	spf->common.rdclass = rdata->rdclass;
 	spf->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&spf->common, link);
 
-	return (generic_tostruct_txt(rdata, target, mctx));
+	return (generic_tostruct_txt(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_spf(ARGS_FREESTRUCT) {
-	dns_rdata_spf_t *spf = source;
-
-	REQUIRE(spf != NULL);
-	REQUIRE(spf->common.rdtype == dns_rdatatype_spf);
+	REQUIRE(((dns_rdata_spf_t *)source) != NULL);
+	REQUIRE(((dns_rdata_spf_t *)source)->common.rdtype ==
+		dns_rdatatype_spf);
 
 	generic_freestruct_txt(source);
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/spf_99.h b/bind/bind9/lib/dns/rdata/generic/spf_99.h
index f10b790f..c414025c 100644
--- a/bind/bind9/lib/dns/rdata/generic/spf_99.h
+++ b/bind/bind9/lib/dns/rdata/generic/spf_99.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/sshfp_44.c b/bind/bind9/lib/dns/rdata/generic/sshfp_44.c
index 853416eb..3cba0fda 100644
--- a/bind/bind9/lib/dns/rdata/generic/sshfp_44.c
+++ b/bind/bind9/lib/dns/rdata/generic/sshfp_44.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -173,12 +173,14 @@ compare_sshfp(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_sshfp(ARGS_FROMSTRUCT) {
-	dns_rdata_sshfp_t *sshfp = source;
+	dns_rdata_sshfp_t *sshfp;
 
 	REQUIRE(type == dns_rdatatype_sshfp);
-	REQUIRE(sshfp != NULL);
-	REQUIRE(sshfp->common.rdtype == type);
-	REQUIRE(sshfp->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_sshfp_t *)source) != NULL);
+	REQUIRE(((dns_rdata_sshfp_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_sshfp_t *)source)->common.rdclass == rdclass);
+
+	sshfp = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -191,13 +193,15 @@ fromstruct_sshfp(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_sshfp(ARGS_TOSTRUCT) {
-	dns_rdata_sshfp_t *sshfp = target;
+	dns_rdata_sshfp_t *sshfp;
 	isc_region_t region;
 
+	REQUIRE(((dns_rdata_sshfp_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_sshfp);
-	REQUIRE(sshfp != NULL);
 	REQUIRE(rdata->length != 0);
 
+	sshfp = target;
+
 	sshfp->common.rdclass = rdata->rdclass;
 	sshfp->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&sshfp->common, link);
@@ -220,10 +224,13 @@ tostruct_sshfp(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_sshfp(ARGS_FREESTRUCT) {
-	dns_rdata_sshfp_t *sshfp = source;
+	dns_rdata_sshfp_t *sshfp;
+
+	REQUIRE(((dns_rdata_sshfp_t *)source) != NULL);
+	REQUIRE(((dns_rdata_sshfp_t *)source)->common.rdtype ==
+		dns_rdatatype_sshfp);
 
-	REQUIRE(sshfp != NULL);
-	REQUIRE(sshfp->common.rdtype == dns_rdatatype_sshfp);
+	sshfp = source;
 
 	if (sshfp->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/sshfp_44.h b/bind/bind9/lib/dns/rdata/generic/sshfp_44.h
index ba1129ae..f231c822 100644
--- a/bind/bind9/lib/dns/rdata/generic/sshfp_44.h
+++ b/bind/bind9/lib/dns/rdata/generic/sshfp_44.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/ta_32768.c b/bind/bind9/lib/dns/rdata/generic/ta_32768.c
index 0a38619a..729331e1 100644
--- a/bind/bind9/lib/dns/rdata/generic/ta_32768.c
+++ b/bind/bind9/lib/dns/rdata/generic/ta_32768.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -21,8 +21,7 @@ fromtext_ta(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_ta);
 
-	return (generic_fromtext_ds(rdclass, type, lexer, origin, options,
-				    target, callbacks));
+	return (generic_fromtext_ds(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
@@ -30,7 +29,7 @@ totext_ta(ARGS_TOTEXT) {
 
 	REQUIRE(rdata->type == dns_rdatatype_ta);
 
-	return (generic_totext_ds(rdata, tctx, target));
+	return (generic_totext_ds(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -38,8 +37,7 @@ fromwire_ta(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_ta);
 
-	return (generic_fromwire_ds(rdclass, type, source, dctx, options,
-				    target));
+	return (generic_fromwire_ds(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -76,15 +74,17 @@ fromstruct_ta(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_ta);
 
-	return (generic_fromstruct_ds(rdclass, type, source, target));
+	return (generic_fromstruct_ds(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_ta(ARGS_TOSTRUCT) {
-	dns_rdata_ds_t *ds = target;
+	dns_rdata_ds_t *ds;
 
 	REQUIRE(rdata->type == dns_rdatatype_ta);
-	REQUIRE(ds != NULL);
+	REQUIRE(((dns_rdata_ds_t *)target) != NULL);
+
+	ds = target;
 
 	/*
 	 * Checked by generic_tostruct_ds().
@@ -93,15 +93,17 @@ tostruct_ta(ARGS_TOSTRUCT) {
 	ds->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&ds->common, link);
 
-	return (generic_tostruct_ds(rdata, target, mctx));
+	return (generic_tostruct_ds(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_ta(ARGS_FREESTRUCT) {
-	dns_rdata_ta_t *ds = source;
+	dns_rdata_ta_t *ds;
+
+	REQUIRE(((dns_rdata_ds_t *)source) != NULL);
+	REQUIRE(((dns_rdata_ds_t *)source)->common.rdtype == dns_rdatatype_ta);
 
-	REQUIRE(ds != NULL);
-	REQUIRE(ds->common.rdtype == dns_rdatatype_ta);
+	ds = source;
 
 	if (ds->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/ta_32768.h b/bind/bind9/lib/dns/rdata/generic/ta_32768.h
index 1bd7a286..a25f652e 100644
--- a/bind/bind9/lib/dns/rdata/generic/ta_32768.h
+++ b/bind/bind9/lib/dns/rdata/generic/ta_32768.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/talink_58.c b/bind/bind9/lib/dns/rdata/generic/talink_58.c
index f286982a..af0588a5 100644
--- a/bind/bind9/lib/dns/rdata/generic/talink_58.c
+++ b/bind/bind9/lib/dns/rdata/generic/talink_58.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -140,13 +140,15 @@ compare_talink(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_talink(ARGS_FROMSTRUCT) {
-	dns_rdata_talink_t *talink = source;
+	dns_rdata_talink_t *talink;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_talink);
-	REQUIRE(talink != NULL);
-	REQUIRE(talink->common.rdtype == type);
-	REQUIRE(talink->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_talink_t *)source) != NULL);
+	REQUIRE(((dns_rdata_talink_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_talink_t *)source)->common.rdclass == rdclass);
+
+	talink = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -160,14 +162,16 @@ fromstruct_talink(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_talink(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_talink_t *talink = target;
+	dns_rdata_talink_t *talink;
 	dns_name_t name;
 	isc_result_t result;
 
+	REQUIRE(((dns_rdata_talink_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_talink);
-	REQUIRE(talink != NULL);
 	REQUIRE(rdata->length != 0);
 
+	talink = target;
+
 	talink->common.rdclass = rdata->rdclass;
 	talink->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&talink->common, link);
@@ -198,10 +202,13 @@ tostruct_talink(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_talink(ARGS_FREESTRUCT) {
-	dns_rdata_talink_t *talink = source;
+	dns_rdata_talink_t *talink;
+
+	REQUIRE(((dns_rdata_talink_t *)source) != NULL);
+	REQUIRE(((dns_rdata_talink_t *)source)->common.rdtype ==
+		dns_rdatatype_talink);
 
-	REQUIRE(talink != NULL);
-	REQUIRE(talink->common.rdtype == dns_rdatatype_talink);
+	talink = source;
 
 	if (talink->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/talink_58.h b/bind/bind9/lib/dns/rdata/generic/talink_58.h
index 03166a23..3e9833b8 100644
--- a/bind/bind9/lib/dns/rdata/generic/talink_58.h
+++ b/bind/bind9/lib/dns/rdata/generic/talink_58.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/tkey_249.c b/bind/bind9/lib/dns/rdata/generic/tkey_249.c
index 3a05f9e0..9d8e7a33 100644
--- a/bind/bind9/lib/dns/rdata/generic/tkey_249.c
+++ b/bind/bind9/lib/dns/rdata/generic/tkey_249.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -340,12 +340,14 @@ compare_tkey(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_tkey(ARGS_FROMSTRUCT) {
-	dns_rdata_tkey_t *tkey = source;
+	dns_rdata_tkey_t *tkey;
 
 	REQUIRE(type == dns_rdatatype_tkey);
-	REQUIRE(tkey != NULL);
-	REQUIRE(tkey->common.rdtype == type);
-	REQUIRE(tkey->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_tkey_t *)source) != NULL);
+	REQUIRE(((dns_rdata_tkey_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_tkey_t *)source)->common.rdclass == rdclass);
+
+	tkey = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -398,14 +400,16 @@ fromstruct_tkey(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_tkey(ARGS_TOSTRUCT) {
-	dns_rdata_tkey_t *tkey = target;
+	dns_rdata_tkey_t *tkey;
 	dns_name_t alg;
 	isc_region_t sr;
 
+	REQUIRE(((dns_rdata_tkey_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_tkey);
-	REQUIRE(tkey != NULL);
 	REQUIRE(rdata->length != 0);
 
+	tkey = target;
+
 	tkey->common.rdclass = rdata->rdclass;
 	tkey->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&tkey->common, link);
@@ -487,9 +491,11 @@ tostruct_tkey(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_tkey(ARGS_FREESTRUCT) {
-	dns_rdata_tkey_t *tkey = (dns_rdata_tkey_t *) source;
+	dns_rdata_tkey_t *tkey;
+
+	REQUIRE(((dns_rdata_tkey_t *)source) != NULL);
 
-	REQUIRE(tkey != NULL);
+	tkey = (dns_rdata_tkey_t *) source;
 
 	if (tkey->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/tkey_249.h b/bind/bind9/lib/dns/rdata/generic/tkey_249.h
index 2fab0872..896ff4f9 100644
--- a/bind/bind9/lib/dns/rdata/generic/tkey_249.h
+++ b/bind/bind9/lib/dns/rdata/generic/tkey_249.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/tlsa_52.c b/bind/bind9/lib/dns/rdata/generic/tlsa_52.c
index 1eeb8d26..065e40fe 100644
--- a/bind/bind9/lib/dns/rdata/generic/tlsa_52.c
+++ b/bind/bind9/lib/dns/rdata/generic/tlsa_52.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -122,8 +122,10 @@ generic_fromwire_tlsa(ARGS_FROMWIRE) {
 
 	isc_buffer_activeregion(source, &sr);
 
-	if (sr.length < 3)
+	/* Usage(1), Selector(1), Type(1), Data(1+) */
+	if (sr.length < 4) {
 		return (ISC_R_UNEXPECTEDEND);
+	}
 
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
@@ -134,8 +136,7 @@ fromtext_tlsa(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_tlsa);
 
-	return (generic_fromtext_tlsa(rdclass, type, lexer, origin, options,
-				      target, callbacks));
+	return (generic_fromtext_tlsa(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
@@ -143,7 +144,7 @@ totext_tlsa(ARGS_TOTEXT) {
 
 	REQUIRE(rdata->type == dns_rdatatype_tlsa);
 
-	return (generic_totext_tlsa(rdata, tctx, target));
+	return (generic_totext_tlsa(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -151,8 +152,7 @@ fromwire_tlsa(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_tlsa);
 
-	return (generic_fromwire_tlsa(rdclass, type, source, dctx, options,
-				      target));
+	return (generic_fromwire_tlsa(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -186,11 +186,13 @@ compare_tlsa(ARGS_COMPARE) {
 
 static inline isc_result_t
 generic_fromstruct_tlsa(ARGS_FROMSTRUCT) {
-	dns_rdata_tlsa_t *tlsa = source;
+	dns_rdata_tlsa_t *tlsa;
 
-	REQUIRE(tlsa != NULL);
-	REQUIRE(tlsa->common.rdtype == type);
-	REQUIRE(tlsa->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_tlsa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_tlsa_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_tlsa_t *)source)->common.rdclass == rdclass);
+
+	tlsa = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -204,16 +206,16 @@ generic_fromstruct_tlsa(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 generic_tostruct_tlsa(ARGS_TOSTRUCT) {
-	dns_rdata_tlsa_t *tlsa = target;
+	dns_rdata_tlsa_t *tlsa;
 	isc_region_t region;
 
-	REQUIRE(tlsa != NULL);
 	REQUIRE(rdata->length != 0);
+	REQUIRE(((dns_rdata_tlsa_t *)target) != NULL);
+	REQUIRE(((dns_rdata_tlsa_t *)target)->common.rdclass == rdata->rdclass);
+	REQUIRE(((dns_rdata_tlsa_t *)target)->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&((dns_rdata_tlsa_t *)target)->common, link));
 
-	REQUIRE(tlsa != NULL);
-	REQUIRE(tlsa->common.rdclass == rdata->rdclass);
-	REQUIRE(tlsa->common.rdtype == rdata->type);
-	REQUIRE(!ISC_LINK_LINKED(&tlsa->common, link));
+	tlsa = target;
 
 	dns_rdata_toregion(rdata, &region);
 
@@ -235,9 +237,11 @@ generic_tostruct_tlsa(ARGS_TOSTRUCT) {
 
 static inline void
 generic_freestruct_tlsa(ARGS_FREESTRUCT) {
-	dns_rdata_tlsa_t *tlsa = source;
+	dns_rdata_tlsa_t *tlsa;
+
+	REQUIRE(((dns_rdata_tlsa_t *)source) != NULL);
 
-	REQUIRE(tlsa != NULL);
+	tlsa = source;
 
 	if (tlsa->mctx == NULL)
 		return;
@@ -252,29 +256,30 @@ fromstruct_tlsa(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_tlsa);
 
-	return (generic_fromstruct_tlsa(rdclass, type, source, target));
+	return (generic_fromstruct_tlsa(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_tlsa(ARGS_TOSTRUCT) {
-	dns_rdata_tlsa_t *tlsa = target;
+	dns_rdata_tlsa_t *tlsa;
 
 	REQUIRE(rdata->type == dns_rdatatype_tlsa);
-	REQUIRE(tlsa != NULL);
+	REQUIRE(((dns_rdata_tlsa_t *)target) != NULL);
+
+	tlsa = target;
 
 	tlsa->common.rdclass = rdata->rdclass;
 	tlsa->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&tlsa->common, link);
 
-	return (generic_tostruct_tlsa(rdata, target, mctx));
+	return (generic_tostruct_tlsa(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_tlsa(ARGS_FREESTRUCT) {
-	dns_rdata_tlsa_t *tlsa = source;
-
-	REQUIRE(tlsa != NULL);
-	REQUIRE(tlsa->common.rdtype == dns_rdatatype_tlsa);
+	REQUIRE(((dns_rdata_tlsa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_tlsa_t *)source)->common.rdtype ==
+		dns_rdatatype_tlsa);
 
 	generic_freestruct_tlsa(source);
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/tlsa_52.h b/bind/bind9/lib/dns/rdata/generic/tlsa_52.h
index 422fd8b9..d5893142 100644
--- a/bind/bind9/lib/dns/rdata/generic/tlsa_52.h
+++ b/bind/bind9/lib/dns/rdata/generic/tlsa_52.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/txt_16.c b/bind/bind9/lib/dns/rdata/generic/txt_16.c
index 21b0e453..3500552d 100644
--- a/bind/bind9/lib/dns/rdata/generic/txt_16.c
+++ b/bind/bind9/lib/dns/rdata/generic/txt_16.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -87,16 +87,15 @@ fromtext_txt(ARGS_FROMTEXT) {
 
 	REQUIRE(type == dns_rdatatype_txt);
 
-	return (generic_fromtext_txt(rdclass, type, lexer, origin, options,
-				     target, callbacks));
+	return (generic_fromtext_txt(CALL_FROMTEXT));
 }
 
 static inline isc_result_t
 totext_txt(ARGS_TOTEXT) {
-
+	REQUIRE(rdata != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_txt);
 
-	return (generic_totext_txt(rdata, tctx, target));
+	return (generic_totext_txt(CALL_TOTEXT));
 }
 
 static inline isc_result_t
@@ -104,8 +103,7 @@ fromwire_txt(ARGS_FROMWIRE) {
 
 	REQUIRE(type == dns_rdatatype_txt);
 
-	return (generic_fromwire_txt(rdclass, type, source, dctx, options,
-				     target));
+	return (generic_fromwire_txt(CALL_FROMWIRE));
 }
 
 static inline isc_result_t
@@ -134,14 +132,17 @@ compare_txt(ARGS_COMPARE) {
 
 static inline isc_result_t
 generic_fromstruct_txt(ARGS_FROMSTRUCT) {
-	dns_rdata_txt_t *txt = source;
+	dns_rdata_txt_t *txt;
 	isc_region_t region;
 	uint8_t length;
 
-	REQUIRE(txt != NULL);
-	REQUIRE(txt->common.rdtype == type);
-	REQUIRE(txt->common.rdclass == rdclass);
-	REQUIRE(txt->txt != NULL && txt->txt_len != 0);
+	REQUIRE(((dns_rdata_txt_t *)source) != NULL);
+	REQUIRE(((dns_rdata_txt_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_txt_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_txt_t *)source)->txt != NULL);
+	REQUIRE(((dns_rdata_txt_t *)source)->txt_len != 0);
+
+	txt = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -161,13 +162,15 @@ generic_fromstruct_txt(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 generic_tostruct_txt(ARGS_TOSTRUCT) {
-	dns_rdata_txt_t *txt = target;
+	dns_rdata_txt_t *txt;
 	isc_region_t r;
 
-	REQUIRE(txt != NULL);
-	REQUIRE(txt->common.rdclass == rdata->rdclass);
-	REQUIRE(txt->common.rdtype == rdata->type);
-	REQUIRE(!ISC_LINK_LINKED(&txt->common, link));
+	REQUIRE(((dns_rdata_txt_t *)target) != NULL);
+	REQUIRE(((dns_rdata_txt_t *)target)->common.rdclass == rdata->rdclass);
+	REQUIRE(((dns_rdata_txt_t *)target)->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&((dns_rdata_txt_t *)target)->common, link));
+
+	txt = target;
 
 	dns_rdata_toregion(rdata, &r);
 	txt->txt_len = r.length;
@@ -182,9 +185,11 @@ generic_tostruct_txt(ARGS_TOSTRUCT) {
 
 static inline void
 generic_freestruct_txt(ARGS_FREESTRUCT) {
-	dns_rdata_txt_t *txt = source;
+	dns_rdata_txt_t *txt;
 
-	REQUIRE(txt != NULL);
+	REQUIRE(((dns_rdata_txt_t *)source) != NULL);
+
+	txt = source;
 
 	if (txt->mctx == NULL)
 		return;
@@ -199,29 +204,30 @@ fromstruct_txt(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_txt);
 
-	return (generic_fromstruct_txt(rdclass, type, source, target));
+	return (generic_fromstruct_txt(CALL_FROMSTRUCT));
 }
 
 static inline isc_result_t
 tostruct_txt(ARGS_TOSTRUCT) {
-	dns_rdata_txt_t *txt = target;
+	dns_rdata_txt_t *txt;
 
 	REQUIRE(rdata->type == dns_rdatatype_txt);
-	REQUIRE(txt != NULL);
+	REQUIRE(((dns_rdata_txt_t *)target) != NULL);
+
+	txt = target;
 
 	txt->common.rdclass = rdata->rdclass;
 	txt->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&txt->common, link);
 
-	return (generic_tostruct_txt(rdata, target, mctx));
+	return (generic_tostruct_txt(CALL_TOSTRUCT));
 }
 
 static inline void
 freestruct_txt(ARGS_FREESTRUCT) {
-	dns_rdata_txt_t *txt = source;
-
-	REQUIRE(txt != NULL);
-	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+	REQUIRE(((dns_rdata_txt_t *)source) != NULL);
+	REQUIRE(((dns_rdata_txt_t *)source)->common.rdtype ==
+		dns_rdatatype_txt);
 
 	generic_freestruct_txt(source);
 }
diff --git a/bind/bind9/lib/dns/rdata/generic/txt_16.h b/bind/bind9/lib/dns/rdata/generic/txt_16.h
index aaf94bf4..cdb0c218 100644
--- a/bind/bind9/lib/dns/rdata/generic/txt_16.h
+++ b/bind/bind9/lib/dns/rdata/generic/txt_16.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/uri_256.c b/bind/bind9/lib/dns/rdata/generic/uri_256.c
index 0a8801a8..36f95bd4 100644
--- a/bind/bind9/lib/dns/rdata/generic/uri_256.c
+++ b/bind/bind9/lib/dns/rdata/generic/uri_256.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -168,13 +168,16 @@ compare_uri(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_uri(ARGS_FROMSTRUCT) {
-	dns_rdata_uri_t *uri = source;
+	dns_rdata_uri_t *uri;
 
 	REQUIRE(type == dns_rdatatype_uri);
-	REQUIRE(uri != NULL);
-	REQUIRE(uri->common.rdtype == type);
-	REQUIRE(uri->common.rdclass == rdclass);
-	REQUIRE(uri->target != NULL && uri->tgt_len != 0);
+	REQUIRE(((dns_rdata_uri_t *)source) != NULL);
+	REQUIRE(((dns_rdata_uri_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_uri_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_uri_t *)source)->target != NULL);
+	REQUIRE(((dns_rdata_uri_t *)source)->tgt_len != 0);
+
+	uri = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -197,13 +200,15 @@ fromstruct_uri(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_uri(ARGS_TOSTRUCT) {
-	dns_rdata_uri_t *uri = target;
+	dns_rdata_uri_t *uri;
 	isc_region_t sr;
 
+	REQUIRE(((dns_rdata_uri_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_uri);
-	REQUIRE(uri != NULL);
 	REQUIRE(rdata->length != 0);
 
+	uri = target;
+
 	uri->common.rdclass = rdata->rdclass;
 	uri->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&uri->common, link);
@@ -240,10 +245,13 @@ tostruct_uri(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_uri(ARGS_FREESTRUCT) {
-	dns_rdata_uri_t *uri = (dns_rdata_uri_t *) source;
+	dns_rdata_uri_t *uri;
+
+	REQUIRE(((dns_rdata_uri_t *)source) != NULL);
+	REQUIRE(((dns_rdata_uri_t *)source)->common.rdtype ==
+		dns_rdatatype_uri);
 
-	REQUIRE(uri != NULL);
-	REQUIRE(uri->common.rdtype == dns_rdatatype_uri);
+	uri = (dns_rdata_uri_t *) source;
 
 	if (uri->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/uri_256.h b/bind/bind9/lib/dns/rdata/generic/uri_256.h
index cea1d226..4b8871e4 100644
--- a/bind/bind9/lib/dns/rdata/generic/uri_256.h
+++ b/bind/bind9/lib/dns/rdata/generic/uri_256.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/x25_19.c b/bind/bind9/lib/dns/rdata/generic/x25_19.c
index 5dc9e2e3..667c37f5 100644
--- a/bind/bind9/lib/dns/rdata/generic/x25_19.c
+++ b/bind/bind9/lib/dns/rdata/generic/x25_19.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -56,6 +56,7 @@ totext_x25(ARGS_TOTEXT) {
 static inline isc_result_t
 fromwire_x25(ARGS_FROMWIRE) {
 	isc_region_t sr;
+	unsigned int i;
 
 	REQUIRE(type == dns_rdatatype_x25);
 
@@ -65,8 +66,14 @@ fromwire_x25(ARGS_FROMWIRE) {
 	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 5)
+	if (sr.length < 5 || sr.base[0] != (sr.length - 1)) {
 		return (DNS_R_FORMERR);
+	}
+	for (i = 1; i < sr.length; i++) {
+		if (sr.base[i] < 0x30 || sr.base[i] > 0x39) {
+			return (DNS_R_FORMERR);
+		}
+	}
 	return (txt_fromwire(source, target));
 }
 
@@ -98,14 +105,17 @@ compare_x25(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_x25(ARGS_FROMSTRUCT) {
-	dns_rdata_x25_t *x25 = source;
+	dns_rdata_x25_t *x25;
 	uint8_t i;
 
 	REQUIRE(type == dns_rdatatype_x25);
-	REQUIRE(x25 != NULL);
-	REQUIRE(x25->common.rdtype == type);
-	REQUIRE(x25->common.rdclass == rdclass);
-	REQUIRE(x25->x25 != NULL && x25->x25_len != 0);
+	REQUIRE(((dns_rdata_x25_t *)source) != NULL);
+	REQUIRE(((dns_rdata_x25_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_x25_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_x25_t *)source)->x25 != NULL);
+	REQUIRE(((dns_rdata_x25_t *)source)->x25_len != 0);
+
+	x25 = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -123,13 +133,15 @@ fromstruct_x25(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_x25(ARGS_TOSTRUCT) {
-	dns_rdata_x25_t *x25 = target;
+	dns_rdata_x25_t *x25;
 	isc_region_t r;
 
+	REQUIRE(((dns_rdata_x25_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_x25);
-	REQUIRE(x25 != NULL);
 	REQUIRE(rdata->length != 0);
 
+	x25 = target;
+
 	x25->common.rdclass = rdata->rdclass;
 	x25->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&x25->common, link);
@@ -147,10 +159,13 @@ tostruct_x25(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_x25(ARGS_FREESTRUCT) {
-	dns_rdata_x25_t *x25 = source;
+	dns_rdata_x25_t *x25;
+
+	REQUIRE(((dns_rdata_x25_t *)source) != NULL);
+	REQUIRE(((dns_rdata_x25_t *)source)->common.rdtype ==
+		dns_rdatatype_x25);
 
-	REQUIRE(x25 != NULL);
-	REQUIRE(x25->common.rdtype == dns_rdatatype_x25);
+	x25 = source;
 
 	if (x25->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/x25_19.h b/bind/bind9/lib/dns/rdata/generic/x25_19.h
index b10063ce..b308176f 100644
--- a/bind/bind9/lib/dns/rdata/generic/x25_19.h
+++ b/bind/bind9/lib/dns/rdata/generic/x25_19.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/generic/zonemd_63.c b/bind/bind9/lib/dns/rdata/generic/zonemd_63.c
index 0c918063..2f89ad30 100644
--- a/bind/bind9/lib/dns/rdata/generic/zonemd_63.c
+++ b/bind/bind9/lib/dns/rdata/generic/zonemd_63.c
@@ -3,13 +3,13 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* draft-wessels-zone-digest-05 */
+/* RFC 8976 */
 
 #ifndef RDATA_GENERIC_ZONEMD_63_C
 #define RDATA_GENERIC_ZONEMD_63_C
@@ -20,6 +20,8 @@ static inline isc_result_t
 fromtext_zonemd(ARGS_FROMTEXT) {
 	isc_token_t token;
 	int digest_type, length;
+	isc_buffer_t save;
+	isc_result_t result;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -28,26 +30,26 @@ fromtext_zonemd(ARGS_FROMTEXT) {
 	UNUSED(callbacks);
 
 	/*
-	 * Serial.
+	 * Zone Serial.
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
 				      false));
 	RETERR(uint32_tobuffer(token.value.as_ulong, target));
 
 	/*
-	 * Digest type.
+	 * Digest Scheme.
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
 				      false));
-	digest_type = token.value.as_ulong;
-	RETERR(uint8_tobuffer(digest_type, target));
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
 
 	/*
-	 * Reserved.
+	 * Digest Type.
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
 				      false));
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+	digest_type = token.value.as_ulong;
+	RETERR(uint8_tobuffer(digest_type, target));
 
 	/*
 	 * Digest.
@@ -56,12 +58,21 @@ fromtext_zonemd(ARGS_FROMTEXT) {
 	case DNS_ZONEMD_DIGEST_SHA384:
 		length = ISC_SHA384_DIGESTLENGTH;
 		break;
+	case DNS_ZONEMD_DIGEST_SHA512:
+		length = ISC_SHA512_DIGESTLENGTH;
+		break;
 	default:
 		length = -2;
 		break;
 	}
 
-	return (isc_hex_tobuffer(lexer, target, length));
+	save = *target;
+	result = isc_hex_tobuffer(lexer, target, length);
+	/* Minimum length of digest is 12 octets. */
+	if (isc_buffer_usedlength(target) - isc_buffer_usedlength(&save) < 12) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	return (result);
 }
 
 static inline isc_result_t
@@ -77,7 +88,7 @@ totext_zonemd(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &sr);
 
 	/*
-	 * Serial.
+	 * Zone Serial.
 	 */
 	num = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
@@ -87,7 +98,7 @@ totext_zonemd(ARGS_TOTEXT) {
 	RETERR(str_totext(" ", target));
 
 	/*
-	 * Digest type.
+	 * Digest scheme.
 	 */
 	num = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
@@ -95,8 +106,9 @@ totext_zonemd(ARGS_TOTEXT) {
 	RETERR(str_totext(buf, target));
 
 	RETERR(str_totext(" ", target));
+
 	/*
-	 * Reserved.
+	 * Digest type.
 	 */
 	num = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
@@ -127,6 +139,7 @@ totext_zonemd(ARGS_TOTEXT) {
 static inline isc_result_t
 fromwire_zonemd(ARGS_FROMWIRE) {
 	isc_region_t sr;
+	size_t digestlen = 0;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -136,16 +149,28 @@ fromwire_zonemd(ARGS_FROMWIRE) {
 	isc_buffer_activeregion(source, &sr);
 
 	/*
-	 * If we do not recognize the digest type, only ensure that the digest
-	 * is present at all.
+	 * If we do not recognize the digest type, ensure that the digest
+	 * meets minimum length (12).
 	 *
 	 * If we do recognize the digest type, ensure that the digest is of the
 	 * correct length.
 	 */
-	if (sr.length < 7 ||
-	    (sr.base[4] == DNS_ZONEMD_DIGEST_SHA384 &&
-	     sr.length < 6 + ISC_SHA384_DIGESTLENGTH))
-	{
+	if (sr.length < 18) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	switch (sr.base[5]) {
+	case DNS_ZONEMD_DIGEST_SHA384:
+		digestlen = ISC_SHA384_DIGESTLENGTH;
+		break;
+	case DNS_ZONEMD_DIGEST_SHA512:
+		digestlen = ISC_SHA512_DIGESTLENGTH;
+		break;
+	default:
+		break;
+	}
+
+	if (digestlen != 0 && sr.length < 6 + digestlen) {
 		return (ISC_R_UNEXPECTEDEND);
 	}
 
@@ -155,8 +180,8 @@ fromwire_zonemd(ARGS_FROMWIRE) {
 	 *
 	 * If there is extra data, dns_rdata_fromwire() will detect that.
 	 */
-	if (sr.base[4] == DNS_ZONEMD_DIGEST_SHA384) {
-		sr.length = 6 + ISC_SHA384_DIGESTLENGTH;
+	if (digestlen != 0) {
+		sr.length = 6 + digestlen;
 	}
 
 	isc_buffer_forward(source, sr.length);
@@ -194,11 +219,13 @@ compare_zonemd(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_zonemd(ARGS_FROMSTRUCT) {
-	dns_rdata_zonemd_t *zonemd = source;
+	dns_rdata_zonemd_t *zonemd;
+
+	REQUIRE(((dns_rdata_zonemd_t *)source) != NULL);
+	REQUIRE(((dns_rdata_zonemd_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_zonemd_t *)source)->common.rdclass == rdclass);
 
-	REQUIRE(zonemd != NULL);
-	REQUIRE(zonemd->common.rdtype == type);
-	REQUIRE(zonemd->common.rdclass == rdclass);
+	zonemd = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -207,24 +234,29 @@ fromstruct_zonemd(ARGS_FROMSTRUCT) {
 	case DNS_ZONEMD_DIGEST_SHA384:
 		REQUIRE(zonemd->length == ISC_SHA384_DIGESTLENGTH);
 		break;
+	case DNS_ZONEMD_DIGEST_SHA512:
+		REQUIRE(zonemd->length == ISC_SHA512_DIGESTLENGTH);
+		break;
 	}
 
 	RETERR(uint32_tobuffer(zonemd->serial, target));
+	RETERR(uint8_tobuffer(zonemd->scheme, target));
 	RETERR(uint8_tobuffer(zonemd->digest_type, target));
-	RETERR(uint8_tobuffer(zonemd->reserved, target));
 
 	return (mem_tobuffer(target, zonemd->digest, zonemd->length));
 }
 
 static inline isc_result_t
 tostruct_zonemd(ARGS_TOSTRUCT) {
-	dns_rdata_zonemd_t *zonemd = target;
+	dns_rdata_zonemd_t *zonemd;
 	isc_region_t region;
 
+	REQUIRE(((dns_rdata_zonemd_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_zonemd);
-	REQUIRE(zonemd != NULL);
 	REQUIRE(rdata->length != 0);
 
+	zonemd = target;
+
 	zonemd->common.rdclass = rdata->rdclass;
 	zonemd->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&zonemd->common, link);
@@ -233,9 +265,9 @@ tostruct_zonemd(ARGS_TOSTRUCT) {
 
 	zonemd->serial = uint32_fromregion(&region);
 	isc_region_consume(&region, 4);
-	zonemd->digest_type = uint8_fromregion(&region);
+	zonemd->scheme = uint8_fromregion(&region);
 	isc_region_consume(&region, 1);
-	zonemd->reserved = uint8_fromregion(&region);
+	zonemd->digest_type = uint8_fromregion(&region);
 	isc_region_consume(&region, 1);
 	zonemd->length = region.length;
 
@@ -250,10 +282,13 @@ tostruct_zonemd(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_zonemd(ARGS_FREESTRUCT) {
-	dns_rdata_zonemd_t *zonemd = source;
+	dns_rdata_zonemd_t *zonemd;
+
+	REQUIRE(((dns_rdata_zonemd_t *)source) != NULL);
+	REQUIRE(((dns_rdata_zonemd_t *)source)->common.rdtype ==
+		dns_rdatatype_zonemd);
 
-	REQUIRE(zonemd != NULL);
-	REQUIRE(zonemd->common.rdtype == dns_rdatatype_zonemd);
+	zonemd = source;
 
 	if (zonemd->mctx == NULL) {
 		return;
diff --git a/bind/bind9/lib/dns/rdata/generic/zonemd_63.h b/bind/bind9/lib/dns/rdata/generic/zonemd_63.h
index 4eb6c614..592d89f4 100644
--- a/bind/bind9/lib/dns/rdata/generic/zonemd_63.h
+++ b/bind/bind9/lib/dns/rdata/generic/zonemd_63.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -12,20 +12,21 @@
 #ifndef GENERIC_ZONEMD_63_H
 #define GENERIC_ZONEMD_63_H 1
 
-/* Digest type(s). Currently only SHA-384 is defined. */
+/* Known digest type(s). */
 #define DNS_ZONEMD_DIGEST_SHA384 (1)
+#define DNS_ZONEMD_DIGEST_SHA512 (2)
 
 /*
- *  \brief per draft-wessels-zone-digest-05
+ *  \brief per RFC 8976
  */
 typedef struct dns_rdata_zonemd {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	uint32_t		serial;
-	uint8_t			digest_type;
-	uint8_t			reserved;
-	unsigned char		*digest;
-	uint16_t		length;
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint32_t serial;
+	uint8_t scheme;
+	uint8_t digest_type;
+	unsigned char *digest;
+	uint16_t length;
 } dns_rdata_zonemd_t;
 
 #endif /* GENERIC_ZONEMD_63_H */
diff --git a/bind/bind9/lib/dns/rdata/hs_4/a_1.c b/bind/bind9/lib/dns/rdata/hs_4/a_1.c
index b328e898..9a7a2a0f 100644
--- a/bind/bind9/lib/dns/rdata/hs_4/a_1.c
+++ b/bind/bind9/lib/dns/rdata/hs_4/a_1.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -54,7 +54,7 @@ totext_hs_a(ARGS_TOTEXT) {
 	UNUSED(tctx);
 
 	dns_rdata_toregion(rdata, &region);
-	return (inet_totext(AF_INET, &region, target));
+	return (inet_totext(AF_INET, tctx->flags, &region, target));
 }
 
 static inline isc_result_t
@@ -121,14 +121,16 @@ compare_hs_a(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_hs_a(ARGS_FROMSTRUCT) {
-	dns_rdata_hs_a_t *a = source;
+	dns_rdata_hs_a_t *a;
 	uint32_t n;
 
 	REQUIRE(type == dns_rdatatype_a);
 	REQUIRE(rdclass == dns_rdataclass_hs);
-	REQUIRE(a != NULL);
-	REQUIRE(a->common.rdtype == type);
-	REQUIRE(a->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_hs_a_t *)source) != NULL);
+	REQUIRE(((dns_rdata_hs_a_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_hs_a_t *)source)->common.rdclass == rdclass);
+
+	a = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -140,14 +142,16 @@ fromstruct_hs_a(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_hs_a(ARGS_TOSTRUCT) {
-	dns_rdata_hs_a_t *a = target;
+	dns_rdata_hs_a_t *a;
 	uint32_t n;
 	isc_region_t region;
 
 	REQUIRE(rdata->type == dns_rdatatype_a);
 	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
 	REQUIRE(rdata->length == 4);
-	REQUIRE(a != NULL);
+	REQUIRE(((dns_rdata_hs_a_t *)target) != NULL);
+
+	a = target;
 
 	UNUSED(mctx);
 
diff --git a/bind/bind9/lib/dns/rdata/hs_4/a_1.h b/bind/bind9/lib/dns/rdata/hs_4/a_1.h
index c5f69968..270dd165 100644
--- a/bind/bind9/lib/dns/rdata/hs_4/a_1.h
+++ b/bind/bind9/lib/dns/rdata/hs_4/a_1.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/a6_38.c b/bind/bind9/lib/dns/rdata/in_1/a6_38.c
index 20213f55..ff205e37 100644
--- a/bind/bind9/lib/dns/rdata/in_1/a6_38.c
+++ b/bind/bind9/lib/dns/rdata/in_1/a6_38.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -121,7 +121,7 @@ totext_in_a6(ARGS_TOTEXT) {
 		addr[octets] &= mask;
 		ar.base = addr;
 		ar.length = sizeof(addr);
-		RETERR(inet_totext(AF_INET6, &ar, target));
+		RETERR(inet_totext(AF_INET6, tctx->flags, &ar, target));
 		isc_region_consume(&sr, 16 - octets);
 	}
 
@@ -173,7 +173,9 @@ fromwire_in_a6(ARGS_FROMWIRE) {
 		if (sr.length < octets)
 			return (ISC_R_UNEXPECTEDEND);
 		mask = 0xff >> (prefixlen % 8);
-		sr.base[0] &= mask;	/* Ensure pad bits are zero. */
+		if ((sr.base[0] & ~mask) != 0) {
+			return (DNS_R_FORMERR);
+		}
 		RETERR(mem_tobuffer(target, sr.base, octets));
 		isc_buffer_forward(source, octets);
 	}
@@ -270,7 +272,7 @@ compare_in_a6(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_a6(ARGS_FROMSTRUCT) {
-	dns_rdata_in_a6_t *a6 = source;
+	dns_rdata_in_a6_t *a6;
 	isc_region_t region;
 	int octets;
 	uint8_t bits;
@@ -279,9 +281,11 @@ fromstruct_in_a6(ARGS_FROMSTRUCT) {
 
 	REQUIRE(type == dns_rdatatype_a6);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(a6 != NULL);
-	REQUIRE(a6->common.rdtype == type);
-	REQUIRE(a6->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_a6_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_a6_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_a6_t *)source)->common.rdclass == rdclass);
+
+	a6 = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -315,16 +319,18 @@ fromstruct_in_a6(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_a6(ARGS_TOSTRUCT) {
-	dns_rdata_in_a6_t *a6 = target;
+	dns_rdata_in_a6_t *a6;
 	unsigned char octets;
 	dns_name_t name;
 	isc_region_t r;
 
+	REQUIRE(((dns_rdata_in_a6_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_a6);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(a6 != NULL);
 	REQUIRE(rdata->length != 0);
 
+	a6 = target;
+
 	a6->common.rdclass = rdata->rdclass;
 	a6->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&a6->common, link);
@@ -360,11 +366,15 @@ tostruct_in_a6(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_a6(ARGS_FREESTRUCT) {
-	dns_rdata_in_a6_t *a6 = source;
+	dns_rdata_in_a6_t *a6;
+
+	REQUIRE(((dns_rdata_in_a6_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_a6_t *)source)->common.rdtype ==
+		dns_rdatatype_a6);
+	REQUIRE(((dns_rdata_in_a6_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(a6 != NULL);
-	REQUIRE(a6->common.rdclass == dns_rdataclass_in);
-	REQUIRE(a6->common.rdtype == dns_rdatatype_a6);
+	a6 = source;
 
 	if (a6->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/a6_38.h b/bind/bind9/lib/dns/rdata/in_1/a6_38.h
index 98116404..901936b3 100644
--- a/bind/bind9/lib/dns/rdata/in_1/a6_38.h
+++ b/bind/bind9/lib/dns/rdata/in_1/a6_38.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/a_1.c b/bind/bind9/lib/dns/rdata/in_1/a_1.c
index 04b6e9d7..f664d646 100644
--- a/bind/bind9/lib/dns/rdata/in_1/a_1.c
+++ b/bind/bind9/lib/dns/rdata/in_1/a_1.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -56,7 +56,7 @@ totext_in_a(ARGS_TOTEXT) {
 	UNUSED(tctx);
 
 	dns_rdata_toregion(rdata, &region);
-	return (inet_totext(AF_INET, &region, target));
+	return (inet_totext(AF_INET, tctx->flags, &region, target));
 }
 
 static inline isc_result_t
@@ -122,14 +122,16 @@ compare_in_a(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_a(ARGS_FROMSTRUCT) {
-	dns_rdata_in_a_t *a = source;
+	dns_rdata_in_a_t *a;
 	uint32_t n;
 
 	REQUIRE(type == dns_rdatatype_a);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(a != NULL);
-	REQUIRE(a->common.rdtype == type);
-	REQUIRE(a->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_a_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_a_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_a_t *)source)->common.rdclass == rdclass);
+
+	a = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -142,15 +144,17 @@ fromstruct_in_a(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_a(ARGS_TOSTRUCT) {
-	dns_rdata_in_a_t *a = target;
+	dns_rdata_in_a_t *a;
 	uint32_t n;
 	isc_region_t region;
 
-	REQUIRE(a != NULL);
+	REQUIRE(((dns_rdata_in_a_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_a);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
 	REQUIRE(rdata->length == 4);
 
+	a = target;
+
 	UNUSED(mctx);
 
 	a->common.rdclass = rdata->rdclass;
@@ -166,11 +170,14 @@ tostruct_in_a(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_a(ARGS_FREESTRUCT) {
-	dns_rdata_in_a_t *a = source;
+	dns_rdata_in_a_t *a;
+
+	REQUIRE(((dns_rdata_in_a_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_a_t *)source)->common.rdtype == dns_rdatatype_a);
+	REQUIRE(((dns_rdata_in_a_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(a != NULL);
-	REQUIRE(a->common.rdtype == dns_rdatatype_a);
-	REQUIRE(a->common.rdclass == dns_rdataclass_in);
+	a = source;
 
 	UNUSED(a);
 }
@@ -210,7 +217,7 @@ checkowner_in_a(ARGS_CHECKOWNER) {
 	UNUSED(rdclass);
 
 	/*
-	 * Handle Active Diretory gc._msdcs.<forest> name.
+	 * Handle Active Directory gc._msdcs.<forest> name.
 	 */
 	if (dns_name_countlabels(name) > 2U) {
 		dns_name_init(&prefix, NULL);
diff --git a/bind/bind9/lib/dns/rdata/in_1/a_1.h b/bind/bind9/lib/dns/rdata/in_1/a_1.h
index f44809d1..3b5489a6 100644
--- a/bind/bind9/lib/dns/rdata/in_1/a_1.h
+++ b/bind/bind9/lib/dns/rdata/in_1/a_1.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/aaaa_28.c b/bind/bind9/lib/dns/rdata/in_1/aaaa_28.c
index b82151ed..416c5f67 100644
--- a/bind/bind9/lib/dns/rdata/in_1/aaaa_28.c
+++ b/bind/bind9/lib/dns/rdata/in_1/aaaa_28.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -57,7 +57,7 @@ totext_in_aaaa(ARGS_TOTEXT) {
 	REQUIRE(rdata->length == 16);
 
 	dns_rdata_toregion(rdata, &region);
-	return (inet_totext(AF_INET6, &region, target));
+	return (inet_totext(AF_INET6, tctx->flags, &region, target));
 }
 
 static inline isc_result_t
@@ -123,13 +123,15 @@ compare_in_aaaa(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_aaaa(ARGS_FROMSTRUCT) {
-	dns_rdata_in_aaaa_t *aaaa = source;
+	dns_rdata_in_aaaa_t *aaaa;
 
 	REQUIRE(type == dns_rdatatype_aaaa);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(aaaa != NULL);
-	REQUIRE(aaaa->common.rdtype == type);
-	REQUIRE(aaaa->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_aaaa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_aaaa_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_aaaa_t *)source)->common.rdclass == rdclass);
+
+	aaaa = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -139,14 +141,16 @@ fromstruct_in_aaaa(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_aaaa(ARGS_TOSTRUCT) {
-	dns_rdata_in_aaaa_t *aaaa = target;
+	dns_rdata_in_aaaa_t *aaaa;
 	isc_region_t r;
 
+	REQUIRE(((dns_rdata_in_aaaa_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_aaaa);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(aaaa != NULL);
 	REQUIRE(rdata->length == 16);
 
+	aaaa = target;
+
 	UNUSED(mctx);
 
 	aaaa->common.rdclass = rdata->rdclass;
@@ -162,11 +166,15 @@ tostruct_in_aaaa(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_aaaa(ARGS_FREESTRUCT) {
-	dns_rdata_in_aaaa_t *aaaa = source;
+	dns_rdata_in_aaaa_t *aaaa;
+
+	REQUIRE(((dns_rdata_in_aaaa_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_aaaa_t *)source)->common.rdtype ==
+		dns_rdatatype_aaaa);
+	REQUIRE(((dns_rdata_in_aaaa_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(aaaa != NULL);
-	REQUIRE(aaaa->common.rdclass == dns_rdataclass_in);
-	REQUIRE(aaaa->common.rdtype == dns_rdatatype_aaaa);
+	aaaa = source;
 
 	UNUSED(aaaa);
 }
@@ -206,7 +214,7 @@ checkowner_in_aaaa(ARGS_CHECKOWNER) {
 	UNUSED(rdclass);
 
 	/*
-	 * Handle Active Diretory gc._msdcs.<forest> name.
+	 * Handle Active Directory gc._msdcs.<forest> name.
 	 */
 	if (dns_name_countlabels(name) > 2U) {
 		dns_name_init(&prefix, NULL);
diff --git a/bind/bind9/lib/dns/rdata/in_1/aaaa_28.h b/bind/bind9/lib/dns/rdata/in_1/aaaa_28.h
index caabf7e0..821a559f 100644
--- a/bind/bind9/lib/dns/rdata/in_1/aaaa_28.h
+++ b/bind/bind9/lib/dns/rdata/in_1/aaaa_28.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/apl_42.c b/bind/bind9/lib/dns/rdata/in_1/apl_42.c
index f376eba4..82b28411 100644
--- a/bind/bind9/lib/dns/rdata/in_1/apl_42.c
+++ b/bind/bind9/lib/dns/rdata/in_1/apl_42.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -142,7 +142,7 @@ totext_in_apl(ARGS_TOTEXT) {
 			INSIST(prefix <= 32);
 			memset(buf, 0, sizeof(buf));
 			memmove(buf, sr.base, len);
-			RETERR(inet_totext(AF_INET, &ir, target));
+			RETERR(inet_totext(AF_INET, tctx->flags, &ir, target));
 			break;
 
 		case 2:
@@ -150,7 +150,7 @@ totext_in_apl(ARGS_TOTEXT) {
 			INSIST(prefix <= 128);
 			memset(buf, 0, sizeof(buf));
 			memmove(buf, sr.base, len);
-			RETERR(inet_totext(AF_INET6, &ir, target));
+			RETERR(inet_totext(AF_INET6, tctx->flags, &ir, target));
 			break;
 
 		default:
@@ -243,15 +243,18 @@ compare_in_apl(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_apl(ARGS_FROMSTRUCT) {
-	dns_rdata_in_apl_t *apl = source;
+	dns_rdata_in_apl_t *apl;
 	isc_buffer_t b;
 
 	REQUIRE(type == dns_rdatatype_apl);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(apl != NULL);
-	REQUIRE(apl->common.rdtype == type);
-	REQUIRE(apl->common.rdclass == rdclass);
-	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+	REQUIRE(((dns_rdata_in_apl_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_apl_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_apl_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_apl_t *)source)->apl != NULL ||
+		((dns_rdata_in_apl_t *)source)->apl_len == 0);
+
+	apl = source;
 
 	isc_buffer_init(&b, apl->apl, apl->apl_len);
 	isc_buffer_add(&b, apl->apl_len);
@@ -261,13 +264,15 @@ fromstruct_in_apl(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_apl(ARGS_TOSTRUCT) {
-	dns_rdata_in_apl_t *apl = target;
+	dns_rdata_in_apl_t *apl;
 	isc_region_t r;
 
-	REQUIRE(apl != NULL);
+	REQUIRE(((dns_rdata_in_apl_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_apl);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
 
+	apl = target;
+
 	apl->common.rdclass = rdata->rdclass;
 	apl->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&apl->common, link);
@@ -285,11 +290,15 @@ tostruct_in_apl(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_apl(ARGS_FREESTRUCT) {
-	dns_rdata_in_apl_t *apl = source;
+	dns_rdata_in_apl_t *apl;
 
-	REQUIRE(apl != NULL);
-	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
-	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+	REQUIRE(((dns_rdata_in_apl_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_apl_t *)source)->common.rdtype ==
+		dns_rdatatype_apl);
+	REQUIRE(((dns_rdata_in_apl_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
+
+	apl = source;
 
 	if (apl->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/apl_42.h b/bind/bind9/lib/dns/rdata/in_1/apl_42.h
index 8c17a53e..a6eaeda7 100644
--- a/bind/bind9/lib/dns/rdata/in_1/apl_42.h
+++ b/bind/bind9/lib/dns/rdata/in_1/apl_42.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/atma_34.c b/bind/bind9/lib/dns/rdata/in_1/atma_34.c
index c232b3fe..28b1f637 100644
--- a/bind/bind9/lib/dns/rdata/in_1/atma_34.c
+++ b/bind/bind9/lib/dns/rdata/in_1/atma_34.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -197,14 +197,17 @@ compare_in_atma(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_atma(ARGS_FROMSTRUCT) {
-	dns_rdata_in_atma_t *atma = source;
+	dns_rdata_in_atma_t *atma;
 
 	REQUIRE(type == dns_rdatatype_atma);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(atma != NULL);
-	REQUIRE(atma->common.rdtype == type);
-	REQUIRE(atma->common.rdclass == rdclass);
-	REQUIRE(atma->atma != NULL || atma->atma_len == 0);
+	REQUIRE(((dns_rdata_in_atma_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_atma_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_atma_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_atma_t *)source)->atma != NULL ||
+		((dns_rdata_in_atma_t *)source)->atma_len == 0);
+
+	atma = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -215,14 +218,16 @@ fromstruct_in_atma(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_atma(ARGS_TOSTRUCT) {
-	dns_rdata_in_atma_t *atma = target;
+	dns_rdata_in_atma_t *atma;
 	isc_region_t r;
 
+	REQUIRE(((dns_rdata_in_atma_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_atma);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(atma != NULL);
 	REQUIRE(rdata->length != 0);
 
+	atma = target;
+
 	atma->common.rdclass = rdata->rdclass;
 	atma->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&atma->common, link);
@@ -242,11 +247,15 @@ tostruct_in_atma(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_atma(ARGS_FREESTRUCT) {
-	dns_rdata_in_atma_t *atma = source;
+	dns_rdata_in_atma_t *atma;
+
+	REQUIRE(((dns_rdata_in_atma_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_atma_t *)source)->common.rdtype ==
+		dns_rdatatype_atma);
+	REQUIRE(((dns_rdata_in_atma_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(atma != NULL);
-	REQUIRE(atma->common.rdclass == dns_rdataclass_in);
-	REQUIRE(atma->common.rdtype == dns_rdatatype_atma);
+	atma = source;
 
 	if (atma->mctx == NULL) {
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/atma_34.h b/bind/bind9/lib/dns/rdata/in_1/atma_34.h
index 80cd3be3..bb5c11d4 100644
--- a/bind/bind9/lib/dns/rdata/in_1/atma_34.h
+++ b/bind/bind9/lib/dns/rdata/in_1/atma_34.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/dhcid_49.c b/bind/bind9/lib/dns/rdata/in_1/dhcid_49.c
index 7722e466..d6856282 100644
--- a/bind/bind9/lib/dns/rdata/in_1/dhcid_49.c
+++ b/bind/bind9/lib/dns/rdata/in_1/dhcid_49.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -117,14 +117,16 @@ compare_in_dhcid(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_dhcid(ARGS_FROMSTRUCT) {
-	dns_rdata_in_dhcid_t *dhcid = source;
+	dns_rdata_in_dhcid_t *dhcid;
 
 	REQUIRE(type == dns_rdatatype_dhcid);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(dhcid != NULL);
-	REQUIRE(dhcid->common.rdtype == type);
-	REQUIRE(dhcid->common.rdclass == rdclass);
-	REQUIRE(dhcid->length != 0);
+	REQUIRE(((dns_rdata_in_dhcid_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_dhcid_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_dhcid_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_dhcid_t *)source)->length != 0);
+
+	dhcid = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -134,14 +136,16 @@ fromstruct_in_dhcid(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_dhcid(ARGS_TOSTRUCT) {
-	dns_rdata_in_dhcid_t *dhcid = target;
+	dns_rdata_in_dhcid_t *dhcid;
 	isc_region_t region;
 
+	REQUIRE(((dns_rdata_in_dhcid_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_dhcid);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(dhcid != NULL);
 	REQUIRE(rdata->length != 0);
 
+	dhcid = target;
+
 	dhcid->common.rdclass = rdata->rdclass;
 	dhcid->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&dhcid->common, link);
@@ -158,11 +162,15 @@ tostruct_in_dhcid(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_dhcid(ARGS_FREESTRUCT) {
-	dns_rdata_in_dhcid_t *dhcid = source;
+	dns_rdata_in_dhcid_t *dhcid;
+
+	REQUIRE(((dns_rdata_in_dhcid_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_dhcid_t *)source)->common.rdtype ==
+		dns_rdatatype_dhcid);
+	REQUIRE(((dns_rdata_in_dhcid_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(dhcid != NULL);
-	REQUIRE(dhcid->common.rdtype == dns_rdatatype_dhcid);
-	REQUIRE(dhcid->common.rdclass == dns_rdataclass_in);
+	dhcid = source;
 
 	if (dhcid->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/dhcid_49.h b/bind/bind9/lib/dns/rdata/in_1/dhcid_49.h
index 455eaed9..43e16e42 100644
--- a/bind/bind9/lib/dns/rdata/in_1/dhcid_49.h
+++ b/bind/bind9/lib/dns/rdata/in_1/dhcid_49.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/eid_31.c b/bind/bind9/lib/dns/rdata/in_1/eid_31.c
index 627d2f1e..6a8176a1 100644
--- a/bind/bind9/lib/dns/rdata/in_1/eid_31.c
+++ b/bind/bind9/lib/dns/rdata/in_1/eid_31.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -108,14 +108,17 @@ compare_in_eid(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_eid(ARGS_FROMSTRUCT) {
-	dns_rdata_in_eid_t *eid = source;
+	dns_rdata_in_eid_t *eid;
 
 	REQUIRE(type == dns_rdatatype_eid);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(eid != NULL);
-	REQUIRE(eid->common.rdtype == type);
-	REQUIRE(eid->common.rdclass == rdclass);
-	REQUIRE(eid->eid != NULL || eid->eid_len == 0);
+	REQUIRE(((dns_rdata_in_eid_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_eid_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_eid_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_eid_t *)source)->eid != NULL ||
+		((dns_rdata_in_eid_t *)source)->eid_len == 0);
+
+	eid = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -125,14 +128,16 @@ fromstruct_in_eid(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_eid(ARGS_TOSTRUCT) {
-	dns_rdata_in_eid_t *eid = target;
+	dns_rdata_in_eid_t *eid;
 	isc_region_t r;
 
+	REQUIRE(((dns_rdata_in_eid_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_eid);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(eid != NULL);
 	REQUIRE(rdata->length != 0);
 
+	eid = target;
+
 	eid->common.rdclass = rdata->rdclass;
 	eid->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&eid->common, link);
@@ -150,11 +155,15 @@ tostruct_in_eid(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_eid(ARGS_FREESTRUCT) {
-	dns_rdata_in_eid_t *eid = source;
+	dns_rdata_in_eid_t *eid;
+
+	REQUIRE(((dns_rdata_in_eid_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_eid_t *)source)->common.rdtype ==
+		dns_rdatatype_eid);
+	REQUIRE(((dns_rdata_in_eid_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(eid != NULL);
-	REQUIRE(eid->common.rdclass == dns_rdataclass_in);
-	REQUIRE(eid->common.rdtype == dns_rdatatype_eid);
+	eid = source;
 
 	if (eid->mctx == NULL) {
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/eid_31.h b/bind/bind9/lib/dns/rdata/in_1/eid_31.h
index 55d414b1..3d8d6252 100644
--- a/bind/bind9/lib/dns/rdata/in_1/eid_31.h
+++ b/bind/bind9/lib/dns/rdata/in_1/eid_31.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/kx_36.c b/bind/bind9/lib/dns/rdata/in_1/kx_36.c
index 7431b919..c302e652 100644
--- a/bind/bind9/lib/dns/rdata/in_1/kx_36.c
+++ b/bind/bind9/lib/dns/rdata/in_1/kx_36.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -154,14 +154,16 @@ compare_in_kx(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_kx(ARGS_FROMSTRUCT) {
-	dns_rdata_in_kx_t *kx = source;
+	dns_rdata_in_kx_t *kx;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_kx);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(kx != NULL);
-	REQUIRE(kx->common.rdtype == type);
-	REQUIRE(kx->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_kx_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_kx_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_kx_t *)source)->common.rdclass == rdclass);
+
+	kx = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -174,14 +176,16 @@ fromstruct_in_kx(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_in_kx(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_in_kx_t *kx = target;
+	dns_rdata_in_kx_t *kx;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_in_kx_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_kx);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(kx != NULL);
 	REQUIRE(rdata->length != 0);
 
+	kx = target;
+
 	kx->common.rdclass = rdata->rdclass;
 	kx->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&kx->common, link);
@@ -201,11 +205,15 @@ tostruct_in_kx(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_kx(ARGS_FREESTRUCT) {
-	dns_rdata_in_kx_t *kx = source;
+	dns_rdata_in_kx_t *kx;
+
+	REQUIRE(((dns_rdata_in_kx_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_kx_t *)source)->common.rdtype ==
+		dns_rdatatype_kx);
+	REQUIRE(((dns_rdata_in_kx_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(kx != NULL);
-	REQUIRE(kx->common.rdclass == dns_rdataclass_in);
-	REQUIRE(kx->common.rdtype == dns_rdatatype_kx);
+	kx = source;
 
 	if (kx->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/kx_36.h b/bind/bind9/lib/dns/rdata/in_1/kx_36.h
index 577a4c49..458a1376 100644
--- a/bind/bind9/lib/dns/rdata/in_1/kx_36.h
+++ b/bind/bind9/lib/dns/rdata/in_1/kx_36.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/nimloc_32.c b/bind/bind9/lib/dns/rdata/in_1/nimloc_32.c
index aba3481c..d2e7db05 100644
--- a/bind/bind9/lib/dns/rdata/in_1/nimloc_32.c
+++ b/bind/bind9/lib/dns/rdata/in_1/nimloc_32.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -108,14 +108,17 @@ compare_in_nimloc(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_nimloc(ARGS_FROMSTRUCT) {
-	dns_rdata_in_nimloc_t *nimloc = source;
+	dns_rdata_in_nimloc_t *nimloc;
 
 	REQUIRE(type == dns_rdatatype_nimloc);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(nimloc != NULL);
-	REQUIRE(nimloc->common.rdtype == type);
-	REQUIRE(nimloc->common.rdclass == rdclass);
-	REQUIRE(nimloc->nimloc != NULL || nimloc->nimloc_len == 0);
+	REQUIRE(((dns_rdata_in_nimloc_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_nimloc_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_nimloc_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_nimloc_t *)source)->nimloc != NULL ||
+		((dns_rdata_in_nimloc_t *)source)->nimloc_len == 0);
+
+	nimloc = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -125,14 +128,16 @@ fromstruct_in_nimloc(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_nimloc(ARGS_TOSTRUCT) {
-	dns_rdata_in_nimloc_t *nimloc = target;
+	dns_rdata_in_nimloc_t *nimloc;
 	isc_region_t r;
 
+	REQUIRE(((dns_rdata_in_nimloc_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_nimloc);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(nimloc != NULL);
 	REQUIRE(rdata->length != 0);
 
+	nimloc = target;
+
 	nimloc->common.rdclass = rdata->rdclass;
 	nimloc->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&nimloc->common, link);
@@ -150,11 +155,15 @@ tostruct_in_nimloc(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_nimloc(ARGS_FREESTRUCT) {
-	dns_rdata_in_nimloc_t *nimloc = source;
+	dns_rdata_in_nimloc_t *nimloc;
+
+	REQUIRE(((dns_rdata_in_nimloc_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_nimloc_t *)source)->common.rdtype ==
+		dns_rdatatype_nimloc);
+	REQUIRE(((dns_rdata_in_nimloc_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(nimloc != NULL);
-	REQUIRE(nimloc->common.rdclass == dns_rdataclass_in);
-	REQUIRE(nimloc->common.rdtype == dns_rdatatype_nimloc);
+	nimloc = source;
 
 	if (nimloc->mctx == NULL) {
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/nimloc_32.h b/bind/bind9/lib/dns/rdata/in_1/nimloc_32.h
index ea2b3c7d..ed1d5813 100644
--- a/bind/bind9/lib/dns/rdata/in_1/nimloc_32.h
+++ b/bind/bind9/lib/dns/rdata/in_1/nimloc_32.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c b/bind/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
index 98953e4b..10eafc08 100644
--- a/bind/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ b/bind/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -124,14 +124,16 @@ compare_in_nsap_ptr(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_nsap_ptr(ARGS_FROMSTRUCT) {
-	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+	dns_rdata_in_nsap_ptr_t *nsap_ptr;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_nsap_ptr);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(nsap_ptr != NULL);
-	REQUIRE(nsap_ptr->common.rdtype == type);
-	REQUIRE(nsap_ptr->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_nsap_ptr_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_nsap_ptr_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_nsap_ptr_t *)source)->common.rdclass == rdclass);
+
+	nsap_ptr = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -143,14 +145,16 @@ fromstruct_in_nsap_ptr(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_in_nsap_ptr(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_in_nsap_ptr_t *nsap_ptr = target;
+	dns_rdata_in_nsap_ptr_t *nsap_ptr;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_in_nsap_ptr_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(nsap_ptr != NULL);
 	REQUIRE(rdata->length != 0);
 
+	nsap_ptr = target;
+
 	nsap_ptr->common.rdclass = rdata->rdclass;
 	nsap_ptr->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&nsap_ptr->common, link);
@@ -166,11 +170,15 @@ tostruct_in_nsap_ptr(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_nsap_ptr(ARGS_FREESTRUCT) {
-	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+	dns_rdata_in_nsap_ptr_t *nsap_ptr;
+
+	REQUIRE(((dns_rdata_in_nsap_ptr_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_nsap_ptr_t *)source)->common.rdtype ==
+		dns_rdatatype_nsap_ptr);
+	REQUIRE(((dns_rdata_in_nsap_ptr_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(nsap_ptr != NULL);
-	REQUIRE(nsap_ptr->common.rdclass == dns_rdataclass_in);
-	REQUIRE(nsap_ptr->common.rdtype == dns_rdatatype_nsap_ptr);
+	nsap_ptr = source;
 
 	if (nsap_ptr->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h b/bind/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
index 4880a09e..da776142 100644
--- a/bind/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ b/bind/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/nsap_22.c b/bind/bind9/lib/dns/rdata/in_1/nsap_22.c
index c08473e1..9c977ecd 100644
--- a/bind/bind9/lib/dns/rdata/in_1/nsap_22.c
+++ b/bind/bind9/lib/dns/rdata/in_1/nsap_22.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -137,14 +137,17 @@ compare_in_nsap(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_nsap(ARGS_FROMSTRUCT) {
-	dns_rdata_in_nsap_t *nsap = source;
+	dns_rdata_in_nsap_t *nsap;
 
 	REQUIRE(type == dns_rdatatype_nsap);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(nsap != NULL);
-	REQUIRE(nsap->common.rdtype == type);
-	REQUIRE(nsap->common.rdclass == rdclass);
-	REQUIRE(nsap->nsap != NULL || nsap->nsap_len == 0);
+	REQUIRE(((dns_rdata_in_nsap_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_nsap_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_nsap_t *)source)->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_nsap_t *)source)->nsap != NULL ||
+		((dns_rdata_in_nsap_t *)source)->nsap_len == 0);
+
+	nsap = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -154,14 +157,16 @@ fromstruct_in_nsap(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_nsap(ARGS_TOSTRUCT) {
-	dns_rdata_in_nsap_t *nsap = target;
+	dns_rdata_in_nsap_t *nsap;
 	isc_region_t r;
 
+	REQUIRE(((dns_rdata_in_nsap_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_nsap);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(nsap != NULL);
 	REQUIRE(rdata->length != 0);
 
+	nsap = target;
+
 	nsap->common.rdclass = rdata->rdclass;
 	nsap->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&nsap->common, link);
@@ -178,11 +183,15 @@ tostruct_in_nsap(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_nsap(ARGS_FREESTRUCT) {
-	dns_rdata_in_nsap_t *nsap = source;
+	dns_rdata_in_nsap_t *nsap;
+
+	REQUIRE(((dns_rdata_in_nsap_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_nsap_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
+	REQUIRE(((dns_rdata_in_nsap_t *)source)->common.rdtype ==
+		dns_rdatatype_nsap);
 
-	REQUIRE(nsap != NULL);
-	REQUIRE(nsap->common.rdclass == dns_rdataclass_in);
-	REQUIRE(nsap->common.rdtype == dns_rdatatype_nsap);
+	nsap = source;
 
 	if (nsap->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/nsap_22.h b/bind/bind9/lib/dns/rdata/in_1/nsap_22.h
index 79599efd..1efb35c6 100644
--- a/bind/bind9/lib/dns/rdata/in_1/nsap_22.h
+++ b/bind/bind9/lib/dns/rdata/in_1/nsap_22.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/px_26.c b/bind/bind9/lib/dns/rdata/in_1/px_26.c
index bb69223f..d525f711 100644
--- a/bind/bind9/lib/dns/rdata/in_1/px_26.c
+++ b/bind/bind9/lib/dns/rdata/in_1/px_26.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -219,14 +219,16 @@ compare_in_px(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_px(ARGS_FROMSTRUCT) {
-	dns_rdata_in_px_t *px = source;
+	dns_rdata_in_px_t *px;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_px);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(px != NULL);
-	REQUIRE(px->common.rdtype == type);
-	REQUIRE(px->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_px_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_px_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_px_t *)source)->common.rdclass == rdclass);
+
+	px = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -240,16 +242,18 @@ fromstruct_in_px(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_px(ARGS_TOSTRUCT) {
-	dns_rdata_in_px_t *px = target;
+	dns_rdata_in_px_t *px;
 	dns_name_t name;
 	isc_region_t region;
 	isc_result_t result;
 
+	REQUIRE(((dns_rdata_in_px_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_px);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
-	REQUIRE(px != NULL);
 	REQUIRE(rdata->length != 0);
 
+	px = target;
+
 	px->common.rdclass = rdata->rdclass;
 	px->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&px->common, link);
@@ -281,11 +285,15 @@ tostruct_in_px(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_px(ARGS_FREESTRUCT) {
-	dns_rdata_in_px_t *px = source;
+	dns_rdata_in_px_t *px;
+
+	REQUIRE(((dns_rdata_in_px_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_px_t *)source)->common.rdtype ==
+		dns_rdatatype_px);
+	REQUIRE(((dns_rdata_in_px_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(px != NULL);
-	REQUIRE(px->common.rdclass == dns_rdataclass_in);
-	REQUIRE(px->common.rdtype == dns_rdatatype_px);
+	px = source;
 
 	if (px->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/px_26.h b/bind/bind9/lib/dns/rdata/in_1/px_26.h
index 3cab1f15..ad459242 100644
--- a/bind/bind9/lib/dns/rdata/in_1/px_26.h
+++ b/bind/bind9/lib/dns/rdata/in_1/px_26.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/srv_33.c b/bind/bind9/lib/dns/rdata/in_1/srv_33.c
index 385bdaa0..b96938d5 100644
--- a/bind/bind9/lib/dns/rdata/in_1/srv_33.c
+++ b/bind/bind9/lib/dns/rdata/in_1/srv_33.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -226,14 +226,16 @@ compare_in_srv(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_srv(ARGS_FROMSTRUCT) {
-	dns_rdata_in_srv_t *srv = source;
+	dns_rdata_in_srv_t *srv;
 	isc_region_t region;
 
 	REQUIRE(type == dns_rdatatype_srv);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(srv != NULL);
-	REQUIRE(srv->common.rdtype == type);
-	REQUIRE(srv->common.rdclass == rdclass);
+	REQUIRE(((dns_rdata_in_srv_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_srv_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_srv_t *)source)->common.rdclass == rdclass);
+
+	srv = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -248,14 +250,16 @@ fromstruct_in_srv(ARGS_FROMSTRUCT) {
 static inline isc_result_t
 tostruct_in_srv(ARGS_TOSTRUCT) {
 	isc_region_t region;
-	dns_rdata_in_srv_t *srv = target;
+	dns_rdata_in_srv_t *srv;
 	dns_name_t name;
 
+	REQUIRE(((dns_rdata_in_srv_t *)target) != NULL);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
 	REQUIRE(rdata->type == dns_rdatatype_srv);
-	REQUIRE(srv != NULL);
 	REQUIRE(rdata->length != 0);
 
+	srv = target;
+
 	srv->common.rdclass = rdata->rdclass;
 	srv->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&srv->common, link);
@@ -277,11 +281,15 @@ tostruct_in_srv(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_srv(ARGS_FREESTRUCT) {
-	dns_rdata_in_srv_t *srv = source;
+	dns_rdata_in_srv_t *srv;
+
+	REQUIRE(((dns_rdata_in_srv_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_srv_t *)source)->common.rdtype ==
+		dns_rdatatype_srv);
+	REQUIRE(((dns_rdata_in_srv_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(srv != NULL);
-	REQUIRE(srv->common.rdclass == dns_rdataclass_in);
-	REQUIRE(srv->common.rdtype == dns_rdatatype_srv);
+	srv = source;
 
 	if (srv->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/srv_33.h b/bind/bind9/lib/dns/rdata/in_1/srv_33.h
index 78d5ba9c..8da1512d 100644
--- a/bind/bind9/lib/dns/rdata/in_1/srv_33.h
+++ b/bind/bind9/lib/dns/rdata/in_1/srv_33.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/in_1/wks_11.c b/bind/bind9/lib/dns/rdata/in_1/wks_11.c
index 13030161..452b4a5f 100644
--- a/bind/bind9/lib/dns/rdata/in_1/wks_11.c
+++ b/bind/bind9/lib/dns/rdata/in_1/wks_11.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -73,7 +73,7 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 	isc_token_t token;
 	isc_region_t region;
 	struct in_addr addr;
-	char *e;
+	char *e = NULL;
 	long proto;
 	unsigned char bm[8*1024]; /* 64k bits */
 	long port;
@@ -115,10 +115,12 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 				      false));
 
 	isc_buffer_availableregion(target, &region);
-	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1) {
 		CHECKTOK(DNS_R_BADDOTTEDQUAD);
-	if (region.length < 4)
+	}
+	if (region.length < 4) {
 		return (ISC_R_NOSPACE);
+	}
 	memmove(region.base, &addr, 4);
 	isc_buffer_add(target, 4);
 
@@ -129,18 +131,19 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 				      false));
 
 	proto = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e == 0)
-		;
-	else if (!mygetprotobyname(DNS_AS_STR(token), &proto))
+	if (*e != '\0' && !mygetprotobyname(DNS_AS_STR(token), &proto)) {
 		CHECKTOK(DNS_R_UNKNOWNPROTO);
+	}
 
-	if (proto < 0 || proto > 0xff)
+	if (proto < 0 || proto > 0xff) {
 		CHECKTOK(ISC_R_RANGE);
+	}
 
-	if (proto == IPPROTO_TCP)
+	if (proto == IPPROTO_TCP) {
 		ps = "tcp";
-	else if (proto == IPPROTO_UDP)
+	} else if (proto == IPPROTO_UDP) {
 		ps = "udp";
+	}
 
 	CHECK(uint8_tobuffer(proto, target));
 
@@ -148,8 +151,9 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 	do {
 		CHECK(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_string, true));
-		if (token.type != isc_tokentype_string)
+		if (token.type != isc_tokentype_string) {
 			break;
+		}
 
 		/*
 		 * Lowercase the service string as some getservbyname() are
@@ -161,15 +165,18 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 				service[i] = tolower(service[i]&0xff);
 
 		port = strtol(DNS_AS_STR(token), &e, 10);
-		if (*e == 0)
-			;
-		else if (!mygetservbyname(service, ps, &port) &&
-			 !mygetservbyname(DNS_AS_STR(token), ps, &port))
+		if (*e != 0 && !mygetservbyname(service, ps, &port) &&
+		    !mygetservbyname(DNS_AS_STR(token), ps, &port))
+		{
 			CHECKTOK(DNS_R_UNKNOWNSERVICE);
-		if (port < 0 || port > 0xffff)
+		}
+
+		if (port < 0 || port > 0xffff) {
 			CHECKTOK(ISC_R_RANGE);
-		if (port > maxport)
+		}
+		if (port > maxport) {
 			maxport = port;
+		}
 		bm[port / 8] |= (0x80 >> (port % 8));
 	} while (1);
 
@@ -203,7 +210,7 @@ totext_in_wks(ARGS_TOTEXT) {
 	REQUIRE(rdata->length >= 5);
 
 	dns_rdata_toregion(rdata, &sr);
-	RETERR(inet_totext(AF_INET, &sr, target));
+	RETERR(inet_totext(AF_INET, tctx->flags, &sr, target));
 	isc_region_consume(&sr, 4);
 
 	proto = uint8_fromregion(&sr);
@@ -243,12 +250,18 @@ fromwire_in_wks(ARGS_FROMWIRE) {
 	isc_buffer_activeregion(source, &sr);
 	isc_buffer_availableregion(target, &tr);
 
-	if (sr.length < 5)
+	if (sr.length < 5) {
 		return (ISC_R_UNEXPECTEDEND);
-	if (sr.length > 8 * 1024 + 5)
+	}
+	if (sr.length > 8 * 1024 + 5) {
 		return (DNS_R_EXTRADATA);
-	if (tr.length < sr.length)
+	}
+	if (sr.length > 5 && sr.base[sr.length - 1] == 0) {
+		return (DNS_R_FORMERR);
+	}
+	if (tr.length < sr.length) {
 		return (ISC_R_NOSPACE);
+	}
 
 	memmove(tr.base, sr.base, sr.length);
 	isc_buffer_add(target, sr.length);
@@ -290,16 +303,19 @@ compare_in_wks(ARGS_COMPARE) {
 
 static inline isc_result_t
 fromstruct_in_wks(ARGS_FROMSTRUCT) {
-	dns_rdata_in_wks_t *wks = source;
+	dns_rdata_in_wks_t *wks;
 	uint32_t a;
 
 	REQUIRE(type == dns_rdatatype_wks);
 	REQUIRE(rdclass == dns_rdataclass_in);
-	REQUIRE(wks != NULL);
-	REQUIRE(wks->common.rdtype == type);
-	REQUIRE(wks->common.rdclass == rdclass);
-	REQUIRE((wks->map != NULL && wks->map_len <= 8*1024) ||
-		 wks->map_len == 0);
+	REQUIRE(((dns_rdata_in_wks_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_wks_t *)source)->common.rdtype == type);
+	REQUIRE(((dns_rdata_in_wks_t *)source)->common.rdclass == rdclass);
+	REQUIRE((((dns_rdata_in_wks_t *)source)->map != NULL &&
+		 ((dns_rdata_in_wks_t *)source)->map_len <= 8*1024) ||
+		((dns_rdata_in_wks_t *)source)->map_len == 0);
+
+	wks = source;
 
 	UNUSED(type);
 	UNUSED(rdclass);
@@ -312,15 +328,17 @@ fromstruct_in_wks(ARGS_FROMSTRUCT) {
 
 static inline isc_result_t
 tostruct_in_wks(ARGS_TOSTRUCT) {
-	dns_rdata_in_wks_t *wks = target;
+	dns_rdata_in_wks_t *wks;
 	uint32_t n;
 	isc_region_t region;
 
-	REQUIRE(wks != NULL);
+	REQUIRE(((dns_rdata_in_wks_t *)target) != NULL);
 	REQUIRE(rdata->type == dns_rdatatype_wks);
 	REQUIRE(rdata->rdclass == dns_rdataclass_in);
 	REQUIRE(rdata->length != 0);
 
+	wks = target;
+
 	wks->common.rdclass = rdata->rdclass;
 	wks->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&wks->common, link);
@@ -341,11 +359,15 @@ tostruct_in_wks(ARGS_TOSTRUCT) {
 
 static inline void
 freestruct_in_wks(ARGS_FREESTRUCT) {
-	dns_rdata_in_wks_t *wks = source;
+	dns_rdata_in_wks_t *wks;
+
+	REQUIRE(((dns_rdata_in_wks_t *)source) != NULL);
+	REQUIRE(((dns_rdata_in_wks_t *)source)->common.rdtype ==
+		dns_rdatatype_wks);
+	REQUIRE(((dns_rdata_in_wks_t *)source)->common.rdclass ==
+		dns_rdataclass_in);
 
-	REQUIRE(wks != NULL);
-	REQUIRE(wks->common.rdtype == dns_rdatatype_wks);
-	REQUIRE(wks->common.rdclass == dns_rdataclass_in);
+	wks = source;
 
 	if (wks->mctx == NULL)
 		return;
diff --git a/bind/bind9/lib/dns/rdata/in_1/wks_11.h b/bind/bind9/lib/dns/rdata/in_1/wks_11.h
index d7883ddb..12e4e48f 100644
--- a/bind/bind9/lib/dns/rdata/in_1/wks_11.h
+++ b/bind/bind9/lib/dns/rdata/in_1/wks_11.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/rdatastructpre.h b/bind/bind9/lib/dns/rdata/rdatastructpre.h
index d09cb27a..8d784582 100644
--- a/bind/bind9/lib/dns/rdata/rdatastructpre.h
+++ b/bind/bind9/lib/dns/rdata/rdatastructpre.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdata/rdatastructsuf.h b/bind/bind9/lib/dns/rdata/rdatastructsuf.h
index d3a8e46b..aaa23b05 100644
--- a/bind/bind9/lib/dns/rdata/rdatastructsuf.h
+++ b/bind/bind9/lib/dns/rdata/rdatastructsuf.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdatalist.c b/bind/bind9/lib/dns/rdatalist.c
index c877fbf1..cc2619cd 100644
--- a/bind/bind9/lib/dns/rdatalist.c
+++ b/bind/bind9/lib/dns/rdatalist.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdatalist_p.h b/bind/bind9/lib/dns/rdatalist_p.h
index 5a599fe3..605a2b13 100644
--- a/bind/bind9/lib/dns/rdatalist_p.h
+++ b/bind/bind9/lib/dns/rdatalist_p.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdataset.c b/bind/bind9/lib/dns/rdataset.c
index a2ac36f8..b42dea5c 100644
--- a/bind/bind9/lib/dns/rdataset.c
+++ b/bind/bind9/lib/dns/rdataset.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdatasetiter.c b/bind/bind9/lib/dns/rdatasetiter.c
index c292ef22..c9e670f6 100644
--- a/bind/bind9/lib/dns/rdatasetiter.c
+++ b/bind/bind9/lib/dns/rdatasetiter.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rdataslab.c b/bind/bind9/lib/dns/rdataslab.c
index 930a8220..b0f77b19 100644
--- a/bind/bind9/lib/dns/rdataslab.c
+++ b/bind/bind9/lib/dns/rdataslab.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -120,7 +120,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen)
 {
 	/*
-	 * Use &removed as a sentinal pointer for duplicate
+	 * Use &removed as a sentinel pointer for duplicate
 	 * rdata as rdata.data == NULL is valid.
 	 */
 	static unsigned char removed;
@@ -400,12 +400,15 @@ rdataset_next(dns_rdataset_t *rdataset) {
 
 static void
 rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	unsigned char *raw = rdataset->private5;
+	unsigned char *raw;
 	isc_region_t r;
 	unsigned int length;
 	unsigned int flags = 0;
 
-	REQUIRE(raw != NULL);
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->private5 != NULL);
+
+	raw = rdataset->private5;
 
 	length = raw[0] * 256 + raw[1];
 #if DNS_RDATASET_FIXED
diff --git a/bind/bind9/lib/dns/request.c b/bind/bind9/lib/dns/request.c
index 3f9855e3..58ca40f3 100644
--- a/bind/bind9/lib/dns/request.c
+++ b/bind/bind9/lib/dns/request.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -141,7 +141,6 @@ dns_requestmgr_create(isc_mem_t *mctx,
 		      dns_requestmgr_t **requestmgrp)
 {
 	dns_requestmgr_t *requestmgr;
-	isc_socket_t *sock;
 	isc_result_t result;
 	int i;
 	unsigned int dispattr;
@@ -153,7 +152,7 @@ dns_requestmgr_create(isc_mem_t *mctx,
 	REQUIRE(socketmgr != NULL);
 	REQUIRE(taskmgr != NULL);
 	REQUIRE(dispatchmgr != NULL);
-	UNUSED(sock);
+
 	if (dispatchv4 != NULL) {
 		dispattr = dns_dispatch_getattributes(dispatchv4);
 		REQUIRE((dispattr & DNS_DISPATCHATTR_UDP) != 0);
diff --git a/bind/bind9/lib/dns/resolver.c b/bind/bind9/lib/dns/resolver.c
index e24499e9..b34cb12b 100644
--- a/bind/bind9/lib/dns/resolver.c
+++ b/bind/bind9/lib/dns/resolver.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -169,8 +169,16 @@
 
 /* The default maximum number of iterative queries to allow before giving up. */
 #ifndef DEFAULT_MAX_QUERIES
-#define DEFAULT_MAX_QUERIES 75
-#endif
+#define DEFAULT_MAX_QUERIES 100
+#endif /* ifndef DEFAULT_MAX_QUERIES */
+
+/*
+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
+ * stop trying to fetch, in order to avoid wasting resources.
+ */
+#define NS_FAIL_LIMIT 4
+#define NS_RR_LIMIT   5
 
 /* Number of hash buckets for zone counters */
 #ifndef RES_DOMAIN_BUCKETS
@@ -199,6 +207,7 @@ typedef struct query {
 	/* Locked by task event serialization. */
 	unsigned int			magic;
 	fetchctx_t *			fctx;
+	dns_message_t *			rmessage;
 	isc_mem_t *			mctx;
 	dns_dispatchmgr_t *		dispatchmgr;
 	dns_dispatch_t *		dispatch;
@@ -282,7 +291,6 @@ struct fetchctx {
 	isc_time_t			expires;
 	isc_interval_t			interval;
 	dns_message_t *			qmessage;
-	dns_message_t *			rmessage;
 	ISC_LIST(resquery_t)		queries;
 	dns_adbfindlist_t		finds;
 	dns_adbfind_t *			find;
@@ -370,8 +378,8 @@ struct fetchctx {
 	unsigned int			valfail;
 	bool				timeout;
 	dns_adbaddrinfo_t 		*addrinfo;
-	const isc_sockaddr_t		*client;
 	unsigned int			depth;
+	char clientstr[ISC_SOCKADDR_FORMATSIZE];
 };
 
 #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
@@ -404,8 +412,14 @@ struct fetchctx {
 typedef struct {
 	dns_adbaddrinfo_t *		addrinfo;
 	fetchctx_t *			fctx;
+	dns_message_t *			rmessage;
 } dns_valarg_t;
 
+typedef struct {
+	fetchctx_t *			fctx;
+	dns_message_t *			rmessage;
+} dns_chkarg_t;
+
 struct dns_fetch {
 	unsigned int			magic;
 	isc_mem_t *			mctx;
@@ -459,7 +473,7 @@ struct dns_resolver {
 	isc_mutex_t			lock;
 	isc_mutex_t			nlock;
 	isc_mutex_t			primelock;
-	isc_mutex_t			zspill_lock;
+	isc_mutex_t			spill_lock;
 	dns_rdataclass_t		rdclass;
 	isc_socketmgr_t *		socketmgr;
 	isc_timermgr_t *		timermgr;
@@ -572,9 +586,12 @@ static isc_result_t ncache_adderesult(dns_message_t *message,
 				      isc_result_t *eresultp);
 static void validated(isc_task_t *task, isc_event_t *event);
 static bool maybe_destroy(fetchctx_t *fctx, bool locked);
-static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
-		    isc_result_t reason, badnstype_t badtype);
-static inline isc_result_t findnoqname(fetchctx_t *fctx, dns_name_t *name,
+static void add_bad(fetchctx_t *fctx, dns_message_t *rmessage,
+		    dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
+		    badnstype_t badtype);
+static inline isc_result_t findnoqname(fetchctx_t *fctx,
+				       dns_message_t *rmessage,
+				       dns_name_t *name,
 				       dns_rdatatype_t type,
 				       dns_name_t **noqname);
 static void fctx_increference(fetchctx_t *fctx);
@@ -596,7 +613,8 @@ dec_stats(dns_resolver_t *res, isc_statscounter_t counter) {
 }
 
 static isc_result_t
-valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+valcreate(fetchctx_t *fctx, dns_message_t *rmessage,
+	  dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
 	  dns_rdatatype_t type, dns_rdataset_t *rdataset,
 	  dns_rdataset_t *sigrdataset, unsigned int valoptions,
 	  isc_task_t *task)
@@ -611,6 +629,7 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
 
 	valarg->fctx = fctx;
 	valarg->addrinfo = addrinfo;
+	dns_message_attach(rmessage, &valarg->rmessage);
 
 	if (!ISC_LIST_EMPTY(fctx->validators))
 		valoptions |= DNS_VALIDATOR_DEFER;
@@ -618,7 +637,7 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
 		valoptions &= ~DNS_VALIDATOR_DEFER;
 
 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
-				      sigrdataset, fctx->rmessage,
+				      sigrdataset, rmessage,
 				      valoptions, task, validated, valarg,
 				      &validator);
 	if (result == ISC_R_SUCCESS) {
@@ -628,8 +647,10 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
 			fctx->validator = validator;
 		}
 		ISC_LIST_APPEND(fctx->validators, validator, link);
-	} else
+	} else {
+		dns_message_detach(&valarg->rmessage);
 		isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
+	}
 	return (result);
 }
 
@@ -674,7 +695,7 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
 	 * zone.  So a response to an explicit query for this type should be
 	 * excluded from delegation-only fixup.
 	 *
-	 * SOA, NS, and DNSKEY can only exist at a zone apex, so a postive
+	 * SOA, NS, and DNSKEY can only exist at a zone apex, so a positive
 	 * response to a query for these types can never violate the
 	 * delegation-only assumption: if the query name is below a
 	 * zone cut, the response should normally be a referral, which should
@@ -885,6 +906,8 @@ resquery_destroy(resquery_t **queryp) {
 	empty = fctx_decreference(query->fctx);
 	UNLOCK(&res->buckets[bucket].lock);
 
+	dns_message_detach(&query->rmessage);
+
 	query->magic = 0;
 	isc_mem_put(query->mctx, query, sizeof(*query));
 	*queryp = NULL;
@@ -982,7 +1005,8 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 			if (fctx->fwdpolicy == dns_fwdpolicy_first &&
 			    ISFORWARDER(query->addrinfo))
 			{
-				add_bad(fctx, query->addrinfo, ISC_R_TIMEDOUT,
+				add_bad(fctx, query->rmessage,
+					query->addrinfo, ISC_R_TIMEDOUT,
 					badns_forwarder);
 			}
 
@@ -1293,9 +1317,9 @@ fcount_incr(fetchctx_t *fctx, bool force) {
 	} else {
 		unsigned int spill;
 
-		LOCK(&fctx->res->zspill_lock);
+		LOCK(&fctx->res->spill_lock);
 		spill = fctx->res->zspill;
-		UNLOCK(&fctx->res->zspill_lock);
+		UNLOCK(&fctx->res->spill_lock);
 
 		if (!force && spill != 0 && counter->count >= spill) {
 			counter->dropped++;
@@ -1406,10 +1430,10 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
 		count++;
 	}
 
+	LOCK(&fctx->res->spill_lock);
 	if ((fctx->attributes & FCTX_ATTR_HAVEANSWER) != 0 &&
 	    fctx->spilled &&
 	    (count < fctx->res->spillatmax || fctx->res->spillatmax == 0)) {
-		LOCK(&fctx->res->lock);
 		if (count == fctx->res->spillat && !fctx->res->exiting) {
 			old_spillat = fctx->res->spillat;
 			fctx->res->spillat += 5;
@@ -1426,13 +1450,13 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
 						 &i, true);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		}
-		UNLOCK(&fctx->res->lock);
 		if (logit)
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
 				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
 				      "clients-per-query increased to %u",
 				      new_spillat);
 	}
+	UNLOCK(&fctx->res->spill_lock);
 }
 
 static inline void
@@ -1526,7 +1550,8 @@ process_sendevent(resquery_t *query, isc_event_t *event) {
 			/*
 			 * No route to remote.
 			 */
-			add_bad(fctx, query->addrinfo, sevent->result,
+			add_bad(fctx, query->rmessage, query->addrinfo,
+				sevent->result,
 				badns_unreachable);
 			fctx_cancelquery(&query, NULL, NULL, true,
 					 false);
@@ -1706,13 +1731,17 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 
 	INSIST(ISC_LIST_EMPTY(fctx->validators));
 
-	dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
-
 	query = isc_mem_get(fctx->mctx, sizeof(*query));
 	if (query == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto stop_idle_timer;
 	}
+	query->rmessage = NULL;
+	result = dns_message_create(fctx->mctx, DNS_MESSAGE_INTENTPARSE,
+				   &query->rmessage);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_query;
+	}
 	query->mctx = fctx->mctx;
 	query->options = options;
 	query->attributes = 0;
@@ -1780,7 +1809,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 				break;
 			}
 			if (result != ISC_R_SUCCESS)
-				goto cleanup_query;
+				goto cleanup_rmessage;
 		}
 		isc_sockaddr_setport(&addr, 0);
 		if (query->dscp == -1)
@@ -1790,7 +1819,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 					   isc_sockettype_tcp,
 					   &query->tcpsocket);
 		if (result != ISC_R_SUCCESS)
-			goto cleanup_query;
+			goto cleanup_rmessage;
 
 #ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
 		result = isc_socket_bind(query->tcpsocket, &addr, 0);
@@ -1886,7 +1915,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		query->connects++;
 		QTRACE("connecting via TCP");
 	} else {
-		if (dns_adbentry_overquota(addrinfo->entry))
+		if (dns_adbentry_overquota(fctx->adb, addrinfo->entry))
 			goto cleanup_dispatch;
 
 		/* Inform the ADB that we're starting a UDP fetch */
@@ -1921,6 +1950,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	if (query->dispatch != NULL)
 		dns_dispatch_detach(&query->dispatch);
 
+ cleanup_rmessage:
+	dns_message_detach(&query->rmessage);
+
  cleanup_query:
 	if (query->connects == 0) {
 		query->magic = 0;
@@ -2058,7 +2090,12 @@ add_serveraddr(uint8_t *buf, const size_t bufsize, const resquery_t *query)
 	return (addr2buf(buf, bufsize, &query->addrinfo->sockaddr));
 }
 
+/*
+ * Client cookie is 8 octets.
+ * Server cookie is [8..32] octets.
+ */
 #define CLIENT_COOKIE_SIZE 8U
+#define COOKIE_BUFFER_SIZE (8U + 32U)
 
 static void
 compute_cc(const resquery_t *query, uint8_t *cookie, const size_t len) {
@@ -2335,7 +2372,7 @@ resquery_send(resquery_t *query) {
 			unsigned int flags = query->addrinfo->flags;
 			bool reqnsid = res->view->requestnsid;
 			bool sendcookie = res->view->sendcookie;
-			unsigned char cookie[64];
+			unsigned char cookie[COOKIE_BUFFER_SIZE];
 
 			if ((flags & FCTX_ADDRINFO_EDNSOK) != 0 &&
 			    (query->options & DNS_FETCHOPT_EDNS512) == 0) {
@@ -2400,7 +2437,7 @@ resquery_send(resquery_t *query) {
 #if DNS_EDNS_VERSION > 0
 			/*
 			 * Some EDNS(0) servers don't ignore unknown options
-			 * as it was not a explict requirement of RFC 2671.
+			 * as it was not a explicit requirement of RFC 2671.
 			 * Only send COOKIE to EDNS(1) servers.
 			 */
 			if (version < 1)
@@ -2419,9 +2456,11 @@ resquery_send(resquery_t *query) {
 					inc_stats(fctx->res,
 						dns_resstatscounter_cookieout);
 				} else {
-					compute_cc(query, cookie, 8);
+					compute_cc(query, cookie,
+						   CLIENT_COOKIE_SIZE);
 					ednsopts[ednsopt].value = cookie;
-					ednsopts[ednsopt].length = 8;
+					ednsopts[ednsopt].length =
+						   CLIENT_COOKIE_SIZE;
 					inc_stats(fctx->res,
 						dns_resstatscounter_cookienew);
 				}
@@ -2455,7 +2494,7 @@ resquery_send(resquery_t *query) {
 		query->ednsversion = -1;
 
 	/*
-	 * Record the UDP EDNS size choosen.
+	 * Record the UDP EDNS size chosen.
 	 */
 	query->udpsize = udpsize;
 
@@ -2771,7 +2810,8 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 			 * exceeds 512 bytes from broken servers.
 			 */
 			if ((query->options & DNS_FETCHOPT_EDNS512) != 0) {
-				add_bad(fctx, query->addrinfo, sevent->result,
+				add_bad(fctx, query->rmessage,
+					query->addrinfo, sevent->result,
 					badns_unreachable);
 			}
 			fctx_cancelquery(&query, NULL, NULL, true, false);
@@ -2964,8 +3004,8 @@ mark_bad(fetchctx_t *fctx) {
 }
 
 static void
-add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
-	badnstype_t badtype)
+add_bad(fetchctx_t *fctx, dns_message_t *rmessage, dns_adbaddrinfo_t *addrinfo,
+	isc_result_t reason, badnstype_t badtype)
 {
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -3022,18 +3062,18 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
 		return;
 
 	if (reason == DNS_R_UNEXPECTEDRCODE &&
-	    fctx->rmessage->rcode == dns_rcode_servfail &&
+	    rmessage->rcode == dns_rcode_servfail &&
 	    ISFORWARDER(addrinfo))
 		return;
 
 	if (reason == DNS_R_UNEXPECTEDRCODE) {
 		isc_buffer_init(&b, code, sizeof(code) - 1);
-		dns_rcode_totext(fctx->rmessage->rcode, &b);
+		dns_rcode_totext(rmessage->rcode, &b);
 		code[isc_buffer_usedlength(&b)] = '\0';
 		spc = " ";
 	} else if (reason == DNS_R_UNEXPECTEDOPCODE) {
 		isc_buffer_init(&b, code, sizeof(code) - 1);
-		dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
+		dns_opcode_totext((dns_opcode_t)rmessage->opcode, &b);
 		code[isc_buffer_usedlength(&b)] = '\0';
 		spc = " ";
 	} else {
@@ -3130,8 +3170,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
 static void
 findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
 	 unsigned int options, unsigned int flags, isc_stdtime_t now,
-	 bool *overquota, bool *need_alternate)
-{
+	 bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
 	dns_adbaddrinfo_t *ai;
 	dns_adbfind_t *find;
 	dns_resolver_t *res;
@@ -3219,7 +3258,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
 			      find->result_v6 != DNS_R_NXDOMAIN) ||
 			     (res->dispatches6 == NULL &&
 			      find->result_v4 != DNS_R_NXDOMAIN)))
+			{
 				*need_alternate = true;
+			}
+			if (no_addresses != NULL) {
+				(*no_addresses)++;
+			}
 		} else {
 			if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
 				if (overquota != NULL)
@@ -3270,6 +3314,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 	dns_rdata_ns_t ns;
 	bool need_alternate = false;
 	bool all_spilled = true;
+	unsigned int no_addresses = 0;
 
 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
 
@@ -3437,20 +3482,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 		 * Extract the name from the NS record.
 		 */
 		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			continue;
+		}
 
-		findname(fctx, &ns.name, 0, stdoptions, 0, now,
-			 &overquota, &need_alternate);
+		if (no_addresses > NS_FAIL_LIMIT &&
+		    dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
+		{
+			stdoptions |= DNS_ADBFIND_NOFETCH;
+		}
+		findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
+			 &need_alternate, &no_addresses);
 
-		if (!overquota)
+		if (!overquota) {
 			all_spilled = false;
+		}
 
 		dns_rdata_reset(&rdata);
 		dns_rdata_freestruct(&ns);
 	}
-	if (result != ISC_R_NOMORE)
+	if (result != ISC_R_NOMORE) {
 		return (result);
+	}
 
 	/*
 	 * Do we need to use 6 to 4?
@@ -3465,7 +3518,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 			if (!a->isaddress) {
 				findname(fctx, &a->_u._n.name, a->_u._n.port,
 					 stdoptions, FCTX_ADDRINFO_FORWARDER,
-					 now, NULL, NULL);
+					 now, NULL, NULL, NULL);
 				continue;
 			}
 			if (isc_sockaddr_pf(&a->_u.addr) != family)
@@ -3788,7 +3841,7 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
 	addrinfo = fctx_nextaddress(fctx);
 
 	/* Try to find an address that isn't over quota */
-	while (addrinfo != NULL && dns_adbentry_overquota(addrinfo->entry))
+	while (addrinfo != NULL && dns_adbentry_overquota(fctx->adb, addrinfo->entry))
 		addrinfo = fctx_nextaddress(fctx);
 
 	if (addrinfo == NULL) {
@@ -3814,7 +3867,7 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
 		addrinfo = fctx_nextaddress(fctx);
 
 		while (addrinfo != NULL &&
-		       dns_adbentry_overquota(addrinfo->entry))
+		       dns_adbentry_overquota(fctx->adb, addrinfo->entry))
 			addrinfo = fctx_nextaddress(fctx);
 
 		/*
@@ -3827,16 +3880,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
 		}
 	}
 
-	if (dns_name_countlabels(&fctx->domain) > 2) {
-		result = isc_counter_increment(fctx->qc);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
-				      "exceeded max queries resolving '%s'",
-				      fctx->info);
-			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-			return;
-		}
+	result = isc_counter_increment(fctx->qc);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+			      "exceeded max queries resolving '%s'",
+			      fctx->info);
+		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+		return;
 	}
 
 	bucketnum = fctx->bucketnum;
@@ -3947,8 +3998,7 @@ fctx_destroy(fetchctx_t *fctx) {
 	isc_counter_detach(&fctx->qc);
 	fcount_decr(fctx);
 	isc_timer_detach(&fctx->timer);
-	dns_message_destroy(&fctx->rmessage);
-	dns_message_destroy(&fctx->qmessage);
+	dns_message_detach(&fctx->qmessage);
 	if (dns_name_countlabels(&fctx->domain) > 0)
 		dns_name_free(&fctx->domain, fctx->mctx);
 	if (dns_rdataset_isassociated(&fctx->nameservers))
@@ -4206,7 +4256,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
 }
 
 /*
- * Fetch Creation, Joining, and Cancelation.
+ * Fetch Creation, Joining, and Cancellation.
  */
 
 static inline isc_result_t
@@ -4390,7 +4440,12 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	fctx->rand_bits = 0;
 	fctx->timeout = false;
 	fctx->addrinfo = NULL;
-	fctx->client = client;
+	if (client != NULL) {
+		isc_sockaddr_format(client, fctx->clientstr,
+				    sizeof(fctx->clientstr));
+	} else {
+		strlcpy(fctx->clientstr, "<unknown>", sizeof(fctx->clientstr));
+	}
 	fctx->ns_ttl = 0;
 	fctx->ns_ttl_ok = false;
 
@@ -4484,13 +4539,6 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_fcount;
 
-	fctx->rmessage = NULL;
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
-				    &fctx->rmessage);
-
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_qmessage;
-
 	/*
 	 * Compute an expiration time for the entire fetch.
 	 */
@@ -4501,7 +4549,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 				 "isc_time_nowplusinterval: %s",
 				 isc_result_totext(iresult));
 		result = ISC_R_UNEXPECTED;
-		goto cleanup_rmessage;
+		goto cleanup_qmessage;
 	}
 
 	/*
@@ -4525,7 +4573,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 				 "isc_timer_create: %s",
 				 isc_result_totext(iresult));
 		result = ISC_R_UNEXPECTED;
-		goto cleanup_rmessage;
+		goto cleanup_qmessage;
 	}
 
 	/*
@@ -4553,11 +4601,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 
 	return (ISC_R_SUCCESS);
 
- cleanup_rmessage:
-	dns_message_destroy(&fctx->rmessage);
-
  cleanup_qmessage:
-	dns_message_destroy(&fctx->qmessage);
+	dns_message_detach(&fctx->qmessage);
 
  cleanup_fcount:
 	fcount_decr(fctx);
@@ -4589,8 +4634,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
  * Handle Responses
  */
 static inline bool
-is_lame(fetchctx_t *fctx) {
-	dns_message_t *message = fctx->rmessage;
+is_lame(fetchctx_t *fctx, dns_message_t *message) {
 	dns_name_t *name;
 	dns_rdataset_t *rdataset;
 	isc_result_t result;
@@ -4651,8 +4695,6 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
 static inline void
 log_formerr(fetchctx_t *fctx, const char *format, ...) {
 	char nsbuf[ISC_SOCKADDR_FORMATSIZE];
-	char clbuf[ISC_SOCKADDR_FORMATSIZE];
-	const char *clmsg = "";
 	char msgbuf[2048];
 	va_list args;
 
@@ -4662,23 +4704,15 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
 
 	isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
 
-	if (fctx->client != NULL) {
-		clmsg = " for client ";
-		isc_sockaddr_format(fctx->client, clbuf, sizeof(clbuf));
-	} else {
-		clbuf[0] = '\0';
-	}
-
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
 		      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-		      "DNS format error from %s resolving %s%s%s: %s",
-		      nsbuf, fctx->info, clmsg, clbuf, msgbuf);
+		      "DNS format error from %s resolving %s for %s: %s",
+		      nsbuf, fctx->info, fctx->clientstr, msgbuf);
 }
 
 static isc_result_t
-same_question(fetchctx_t *fctx) {
+same_question(fetchctx_t *fctx, dns_message_t *message) {
 	isc_result_t result;
-	dns_message_t *message = fctx->rmessage;
 	dns_name_t *name;
 	dns_rdataset_t *rdataset;
 
@@ -4872,6 +4906,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 	uint32_t ttl;
 	unsigned options;
 	uint32_t bucketnum;
+	dns_message_t *rmessage = NULL;
 
 	UNUSED(task); /* for now */
 
@@ -4882,6 +4917,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 	res = fctx->res;
 	addrinfo = valarg->addrinfo;
 	REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
+	dns_message_attach(valarg->rmessage, &rmessage);
 
 	vevent = (dns_validatorevent_t *)event;
 	fctx->vresult = vevent->result;
@@ -4893,16 +4929,19 @@ validated(isc_task_t *task, isc_event_t *event) {
 
 	ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
 	fctx->validator = NULL;
+	UNLOCK(&res->buckets[bucketnum].lock);
 
 	/*
 	 * Destroy the validator early so that we can
 	 * destroy the fctx if necessary.
 	 */
 	dns_validator_destroy(&vevent->validator);
+	dns_message_detach(&valarg->rmessage);
 	isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
 
 	negative = (vevent->rdataset == NULL);
 
+	LOCK(&res->buckets[bucketnum].lock);
 	sentresponse = ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
 
 	/*
@@ -5011,7 +5050,8 @@ validated(isc_task_t *task, isc_event_t *event) {
 				dns_db_detachnode(fctx->cache, &node);
 		}
 		result = fctx->vresult;
-		add_bad(fctx, addrinfo, result, badns_validation);
+		add_bad(fctx, rmessage, addrinfo, result,
+			badns_validation);
 		isc_event_free(&event);
 		UNLOCK(&res->buckets[bucketnum].lock);
 		INSIST(fctx->validator == NULL);
@@ -5035,9 +5075,10 @@ validated(isc_task_t *task, isc_event_t *event) {
 				dns_resolver_addbadcache(res, &fctx->name,
 							 fctx->type, &expire);
 			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
-		} else
+		} else {
 			fctx_try(fctx, true, true); /* Locks bucket. */
-		return;
+		}
+		goto cleanup_rmessage;
 	}
 
 
@@ -5048,9 +5089,9 @@ validated(isc_task_t *task, isc_event_t *event) {
 		inc_stats(res, dns_resstatscounter_valnegsuccess);
 
 		/*
-		 * Cache DS NXDOMAIN seperately to other types.
+		 * Cache DS NXDOMAIN separately to other types.
 		 */
-		if (fctx->rmessage->rcode == dns_rcode_nxdomain &&
+		if (rmessage->rcode == dns_rcode_nxdomain &&
 		    fctx->type != dns_rdatatype_ds)
 			covers = dns_rdatatype_any;
 		else
@@ -5071,7 +5112,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 		    covers == dns_rdatatype_any && res->zero_no_soa_ttl)
 			ttl = 0;
 
-		result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
+		result = ncache_adderesult(rmessage, fctx->cache, node,
 					   covers, now, ttl, vevent->optout,
 					   vevent->secure, ardataset, &eresult);
 		if (result != ISC_R_SUCCESS)
@@ -5098,7 +5139,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 	{
 		isc_result_t tresult;
 		dns_name_t *noqname = NULL;
-		tresult = findnoqname(fctx, vevent->name,
+		tresult = findnoqname(fctx, rmessage, vevent->name,
 				      vevent->rdataset->type, &noqname);
 		if (tresult == ISC_R_SUCCESS && noqname != NULL) {
 			tresult = dns_rdataset_addnoqname(vevent->rdataset,
@@ -5176,10 +5217,10 @@ validated(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Cache any NS/NSEC records that happened to be validated.
 	 */
-	result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
+	result = dns_message_firstname(rmessage, DNS_SECTION_AUTHORITY);
 	while (result == ISC_R_SUCCESS) {
 		name = NULL;
-		dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
+		dns_message_currentname(rmessage, DNS_SECTION_AUTHORITY,
 					&name);
 		for (rdataset = ISC_LIST_HEAD(name->list);
 		     rdataset != NULL;
@@ -5215,7 +5256,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 			if (result != ISC_R_SUCCESS)
 				continue;
 		}
-		result = dns_message_nextname(fctx->rmessage,
+		result = dns_message_nextname(rmessage,
 					      DNS_SECTION_AUTHORITY);
 	}
 
@@ -5257,6 +5298,8 @@ validated(isc_task_t *task, isc_event_t *event) {
  cleanup_event:
 	INSIST(node == NULL);
 	isc_event_free(&event);
+ cleanup_rmessage:
+	dns_message_detach(&rmessage);
 }
 
 static void
@@ -5275,7 +5318,8 @@ fctx_log(void *arg, int level, const char *fmt, ...) {
 }
 
 static inline isc_result_t
-findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
+findnoqname(fetchctx_t *fctx, dns_message_t *rmessage,
+	    dns_name_t *name, dns_rdatatype_t type,
 	    dns_name_t **noqnamep)
 {
 	dns_rdataset_t *nrdataset, *next, *sigrdataset;
@@ -5337,11 +5381,11 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
 #define NXND(x) ((x) == ISC_R_SUCCESS)
 
 	section = DNS_SECTION_AUTHORITY;
-	for (result = dns_message_firstname(fctx->rmessage, section);
+	for (result = dns_message_firstname(rmessage, section);
 	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(fctx->rmessage, section)) {
+	     result = dns_message_nextname(rmessage, section)) {
 		dns_name_t *nsec = NULL;
-		dns_message_currentname(fctx->rmessage, section, &nsec);
+		dns_message_currentname(rmessage, section, &nsec);
 		for (nrdataset = ISC_LIST_HEAD(nsec->list);
 		      nrdataset != NULL; nrdataset = next) {
 			bool data = false, exists = false;
@@ -5400,7 +5444,8 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
 }
 
 static inline isc_result_t
-cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+cache_name(fetchctx_t *fctx, dns_message_t *rmessage,
+	   dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	   isc_stdtime_t now)
 {
 	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
@@ -5635,7 +5680,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 				{
 					isc_result_t tresult;
 					dns_name_t *noqname = NULL;
-					tresult = findnoqname(fctx, name,
+					tresult = findnoqname(fctx, rmessage,
+							      name,
 							      rdataset->type,
 							      &noqname);
 					if (tresult == ISC_R_SUCCESS &&
@@ -5736,8 +5782,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 					 * having to remember which
 					 * rdatasets needed validation.
 					 */
-					result = valcreate(fctx, addrinfo,
-							   name, rdataset->type,
+					result = valcreate(fctx, rmessage,
+							   addrinfo, name,
+							   rdataset->type,
 							   rdataset,
 							   sigrdataset,
 							   valoptions, task);
@@ -5796,7 +5843,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			{
 				isc_result_t tresult;
 				dns_name_t *noqname = NULL;
-				tresult = findnoqname(fctx, name,
+				tresult = findnoqname(fctx, rmessage, name,
 						      rdataset->type, &noqname);
 				if (tresult == ISC_R_SUCCESS &&
 				    noqname != NULL)
@@ -5848,8 +5895,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 				vtype = dns_rdatatype_dname;
 			}
 		}
-		result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
-				   valsigrdataset, valoptions, task);
+		result = valcreate(fctx, rmessage, addrinfo, name, vtype,
+				   valrdataset, valsigrdataset, valoptions,
+				   task);
 	}
 
 	if (result == ISC_R_SUCCESS && have_answer) {
@@ -5885,7 +5933,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 }
 
 static inline isc_result_t
-cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
+cache_message(fetchctx_t *fctx, dns_message_t *rmessage,
+	      dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
 {
 	isc_result_t result;
 	dns_section_t section;
@@ -5900,17 +5949,18 @@ cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
 	for (section = DNS_SECTION_ANSWER;
 	     section <= DNS_SECTION_ADDITIONAL;
 	     section++) {
-		result = dns_message_firstname(fctx->rmessage, section);
+		result = dns_message_firstname(rmessage, section);
 		while (result == ISC_R_SUCCESS) {
 			name = NULL;
-			dns_message_currentname(fctx->rmessage, section,
+			dns_message_currentname(rmessage, section,
 						&name);
 			if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
-				result = cache_name(fctx, name, addrinfo, now);
+				result = cache_name(fctx, rmessage, name,
+						    addrinfo, now);
 				if (result != ISC_R_SUCCESS)
 					break;
 			}
-			result = dns_message_nextname(fctx->rmessage, section);
+			result = dns_message_nextname(rmessage, section);
 		}
 		if (result != ISC_R_NOMORE)
 			break;
@@ -5980,8 +6030,9 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 }
 
 static inline isc_result_t
-ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
-	       dns_rdatatype_t covers, isc_stdtime_t now)
+ncache_message(fetchctx_t *fctx, dns_message_t *rmessage,
+	       dns_adbaddrinfo_t *addrinfo, dns_rdatatype_t covers,
+	       isc_stdtime_t now)
 {
 	isc_result_t result, eresult;
 	dns_name_t *name;
@@ -6012,7 +6063,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	 * XXXMPA remove when we follow cnames and adjust the setting
 	 * of FCTX_ATTR_WANTNCACHE in noanswer_response().
 	 */
-	INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
+	INSIST(rmessage->counts[DNS_SECTION_ANSWER] == 0);
 
 	/*
 	 * Is DNSSEC validation required for this name?
@@ -6049,18 +6100,18 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		dns_rdataset_t *trdataset;
 		dns_name_t *tname;
 
-		result = dns_message_firstname(fctx->rmessage,
+		result = dns_message_firstname(rmessage,
 					       DNS_SECTION_AUTHORITY);
 		while (result == ISC_R_SUCCESS) {
 			tname = NULL;
-			dns_message_currentname(fctx->rmessage,
+			dns_message_currentname(rmessage,
 						DNS_SECTION_AUTHORITY,
 						&tname);
 			for (trdataset = ISC_LIST_HEAD(tname->list);
 			     trdataset != NULL;
 			     trdataset = ISC_LIST_NEXT(trdataset, link))
 				trdataset->trust = dns_trust_pending_answer;
-			result = dns_message_nextname(fctx->rmessage,
+			result = dns_message_nextname(rmessage,
 						      DNS_SECTION_AUTHORITY);
 		}
 		if (result != ISC_R_NOMORE)
@@ -6072,7 +6123,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		/*
 		 * Do negative response validation.
 		 */
-		result = valcreate(fctx, addrinfo, name, fctx->type,
+		result = valcreate(fctx, rmessage, addrinfo, name, fctx->type,
 				   NULL, NULL, valoptions,
 				   res->buckets[fctx->bucketnum].task);
 		/*
@@ -6118,7 +6169,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	    fctx->res->zero_no_soa_ttl)
 		ttl = 0;
 
-	result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
+	result = ncache_adderesult(rmessage, fctx->cache, node,
 				   covers, now, ttl, false,
 				   false, ardataset, &eresult);
 	if (result != ISC_R_SUCCESS)
@@ -6179,7 +6230,9 @@ static isc_result_t
 check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
 	      dns_section_t section)
 {
-	fetchctx_t *fctx = arg;
+	dns_chkarg_t *chkarg = arg;
+	fetchctx_t *fctx = chkarg->fctx;
+	dns_message_t *rmessage = chkarg->rmessage;
 	isc_result_t result;
 	dns_name_t *name = NULL;
 	dns_rdataset_t *rdataset = NULL;
@@ -6198,7 +6251,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
 		  (fctx->type == dns_rdatatype_ns &&
 		   dns_name_equal(&fctx->name, dns_rootname)));
 
-	result = dns_message_findname(fctx->rmessage, section, addname,
+	result = dns_message_findname(rmessage, section, addname,
 				      dns_rdatatype_any, 0, &name, NULL);
 	if (result == ISC_R_SUCCESS) {
 		external = !dns_name_issubdomain(name, &fctx->domain);
@@ -6253,7 +6306,7 @@ check_answer(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
 #endif
 
 static void
-chase_additional(fetchctx_t *fctx) {
+chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) {
 	bool rescan;
 	dns_section_t section = DNS_SECTION_ADDITIONAL;
 	isc_result_t result;
@@ -6261,12 +6314,12 @@ chase_additional(fetchctx_t *fctx) {
  again:
 	rescan = false;
 
-	for (result = dns_message_firstname(fctx->rmessage, section);
+	for (result = dns_message_firstname(rmessage, section);
 	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(fctx->rmessage, section)) {
+	     result = dns_message_nextname(rmessage, section)) {
 		dns_name_t *name = NULL;
 		dns_rdataset_t *rdataset;
-		dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
+		dns_message_currentname(rmessage, DNS_SECTION_ADDITIONAL,
 					&name);
 		if ((name->attributes & DNS_NAMEATTR_CHASE) == 0)
 			continue;
@@ -6275,10 +6328,13 @@ chase_additional(fetchctx_t *fctx) {
 		     rdataset != NULL;
 		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
 			if (CHASE(rdataset)) {
+				dns_chkarg_t chkarg;
+				chkarg.fctx = fctx;
+				chkarg.rmessage = rmessage;
 				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
 				(void)dns_rdataset_additionaldata(rdataset,
 								  check_related,
-								  fctx);
+								  &chkarg);
 				rescan = true;
 			}
 		}
@@ -6447,9 +6503,16 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 
 	/*
 	 * If the target name is a subdomain of the search domain, allow it.
+	 *
+	 * Note that if BIND is configured as a forwarding DNS server, the
+	 * search domain will always match the root domain ("."), so we
+	 * must also check whether forwarding is enabled so that filters
+	 * can be applied; see GL #1574.
 	 */
-	if (dns_name_issubdomain(tname, &fctx->domain))
+	if ((fctx->fwdpolicy == dns_fwdpolicy_none) &&
+		dns_name_issubdomain(tname, &fctx->domain)) {
 		return (true);
+	}
 
 	/*
 	 * Otherwise, apply filters.
@@ -6503,11 +6566,10 @@ trim_ns_ttl(fetchctx_t *fctx, dns_name_t *name, dns_rdataset_t *rdataset) {
 #define LOOK_FOR_GLUE_IN_ANSWER 0x2
 
 static isc_result_t
-noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
-		  unsigned int look_in_options)
+noanswer_response(fetchctx_t *fctx, dns_message_t *message,
+		  dns_name_t *oqname, unsigned int look_in_options)
 {
 	isc_result_t result;
-	dns_message_t *message;
 	dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name, *save_name;
 	dns_rdataset_t *rdataset, *ns_rdataset;
 	bool aa, negative_response;
@@ -6522,8 +6584,6 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 	} else
 		section = DNS_SECTION_AUTHORITY;
 
-	message = fctx->rmessage;
-
 	/*
 	 * Setup qname.
 	 */
@@ -6876,6 +6936,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 	 * we're not following a chain.)
 	 */
 	if (!negative_response && ns_name != NULL && oqname == NULL) {
+		dns_chkarg_t chkarg;
 		/*
 		 * We already know ns_name is a subdomain of fctx->domain.
 		 * If ns_name is equal to fctx->domain, we're not making
@@ -6905,8 +6966,10 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 		 */
 		INSIST(ns_rdataset != NULL);
 		FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
+		chkarg.fctx = fctx;
+		chkarg.rmessage = message;
 		(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
-						  fctx);
+						  &chkarg);
 #if CHECK_FOR_GLUE_IN_ANSWER
 		/*
 		 * Look in the answer section for "glue" that is incorrectly
@@ -6917,9 +6980,13 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 		 */
 		if ((look_in_options & LOOK_FOR_GLUE_IN_ANSWER) != 0 &&
 		    (fctx->type == dns_rdatatype_aaaa ||
-		     fctx->type == dns_rdatatype_a))
+		     fctx->type == dns_rdatatype_a)) {
+			dns_chkarg_t chkarg;
+			chkarg.fcx = fctx;
+			chkarg.rmessage = message;
 			(void)dns_rdataset_additionaldata(ns_rdataset,
-							  check_answer, fctx);
+							  check_answer, &chkarg);
+		}
 #endif
 		FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
 		/*
@@ -6994,9 +7061,8 @@ validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) {
 }
 
 static isc_result_t
-answer_response(fetchctx_t *fctx) {
+answer_response(fetchctx_t *fctx, dns_message_t *message) {
 	isc_result_t result;
-	dns_message_t *message = NULL;
 	dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL;
 	dns_name_t *aname = NULL, *cname = NULL, *dname = NULL;
 	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
@@ -7013,7 +7079,6 @@ answer_response(fetchctx_t *fctx) {
 
 	FCTXTRACE("answer_response");
 
-	message = fctx->rmessage;
 	qname = &fctx->name;
 	view = fctx->res->view;
 	type = fctx->type;
@@ -7122,6 +7187,7 @@ answer_response(fetchctx_t *fctx) {
 		     rdataset != NULL;
 		     rdataset = ISC_LIST_NEXT(rdataset, link))
 		{
+			dns_chkarg_t chkarg;
 			if (!validinanswer(rdataset, fctx)) {
 				return (DNS_R_FORMERR);
 			}
@@ -7149,11 +7215,15 @@ answer_response(fetchctx_t *fctx) {
 			rdataset->attributes |= DNS_RDATASETATTR_ANSWER;
 			rdataset->attributes |= DNS_RDATASETATTR_CACHE;
 			rdataset->trust = trust;
+			rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
+			chkarg.fctx = fctx;
+			chkarg.rmessage = message;
 			(void)dns_rdataset_additionaldata(rdataset,
 							  check_related,
-							  fctx);
+							  &chkarg);
 		}
 	} else if (aname != NULL) {
+		dns_chkarg_t chkarg;
 		if (!validinanswer(ardataset, fctx))
 			return (DNS_R_FORMERR);
 		if ((ardataset->type == dns_rdatatype_a ||
@@ -7175,8 +7245,10 @@ answer_response(fetchctx_t *fctx) {
 		ardataset->attributes |= DNS_RDATASETATTR_ANSWER;
 		ardataset->attributes |= DNS_RDATASETATTR_CACHE;
 		ardataset->trust = trust;
+		chkarg.fctx = fctx;
+		chkarg.rmessage = message;
 		(void)dns_rdataset_additionaldata(ardataset, check_related,
-						  fctx);
+						  &chkarg);
 		for (sigrdataset = ISC_LIST_HEAD(aname->list);
 		     sigrdataset != NULL;
 		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
@@ -7314,6 +7386,7 @@ answer_response(fetchctx_t *fctx) {
 				if (rdataset->type == dns_rdatatype_ns ||
 				    (rdataset->type == dns_rdatatype_rrsig &&
 				     rdataset->covers == dns_rdatatype_ns)) {
+					dns_chkarg_t chkarg;
 					name->attributes |=
 						DNS_NAMEATTR_CACHE;
 					rdataset->attributes |=
@@ -7335,10 +7408,12 @@ answer_response(fetchctx_t *fctx) {
 					 * Mark any additional data related
 					 * to this rdataset.
 					 */
+					chkarg.fctx = fctx;
+					chkarg.rmessage = message;
 					(void)dns_rdataset_additionaldata(
 							rdataset,
 							check_related,
-							fctx);
+							&chkarg);
 					done = true;
 				}
 			}
@@ -7650,21 +7725,20 @@ log_nsid(isc_buffer_t *opt, size_t nsid_len, resquery_t *query,
 }
 
 static bool
-iscname(fetchctx_t *fctx) {
+iscname(fetchctx_t *fctx, dns_message_t *rmessage) {
 	isc_result_t result;
 
-	result = dns_message_findname(fctx->rmessage, DNS_SECTION_ANSWER,
+	result = dns_message_findname(rmessage, DNS_SECTION_ANSWER,
 				      &fctx->name, dns_rdatatype_cname, 0,
 				      NULL, NULL);
 	return (result == ISC_R_SUCCESS ? true : false);
 }
 
 static bool
-betterreferral(fetchctx_t *fctx) {
+betterreferral(fetchctx_t *fctx, dns_message_t *message) {
 	isc_result_t result;
 	dns_name_t *name;
 	dns_rdataset_t *rdataset;
-	dns_message_t *message = fctx->rmessage;
 
 	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
 	     result == ISC_R_SUCCESS;
@@ -7691,7 +7765,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
 	uint16_t optlen;
 	unsigned char *optvalue;
 	dns_adbaddrinfo_t *addrinfo;
-	unsigned char cookie[8];
+	unsigned char cookie[CLIENT_COOKIE_SIZE];
 	bool seen_cookie = false;
 	bool seen_nsid = false;
 
@@ -7725,11 +7799,13 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
 				}
 				optvalue = isc_buffer_current(&optbuf);
 				compute_cc(query, cookie, sizeof(cookie));
-				INSIST(query->fctx->rmessage->cc_bad == 0 &&
-				       query->fctx->rmessage->cc_ok == 0);
-				if (optlen >= 8U &&
-				    memcmp(cookie, optvalue, 8) == 0) {
-					query->fctx->rmessage->cc_ok = 1;
+				INSIST(query->rmessage->cc_bad == 0 &&
+				       query->rmessage->cc_ok == 0);
+				if (optlen >= CLIENT_COOKIE_SIZE &&
+				    memcmp(cookie, optvalue,
+					   CLIENT_COOKIE_SIZE) == 0)
+				{
+					query->rmessage->cc_ok = 1;
 					inc_stats(query->fctx->res,
 						  dns_resstatscounter_cookieok);
 					addrinfo = query->addrinfo;
@@ -7737,7 +7813,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
 							  addrinfo, optvalue,
 							  optlen);
 				} else
-					query->fctx->rmessage->cc_bad = 1;
+					query->rmessage->cc_bad = 1;
 				isc_buffer_forward(&optbuf, optlen);
 				inc_stats(query->fctx->res,
 					  dns_resstatscounter_cookiein);
@@ -7759,7 +7835,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
 	bool keep_trying, get_nameservers, resend, nextitem;
 	bool truncated;
-	dns_message_t *message;
+	dns_message_t *rmessage = NULL;
 	dns_rdataset_t *opt;
 	fetchctx_t *fctx;
 	dns_name_t *fname;
@@ -7790,6 +7866,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	options = query->options;
 	REQUIRE(VALID_FCTX(fctx));
 	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
+	dns_message_attach(query->rmessage, &rmessage);
 
 	QTRACE("response");
 
@@ -7871,10 +7948,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		goto done;
 	}
 
-	message = fctx->rmessage;
-
 	if (query->tsig != NULL) {
-		result = dns_message_setquerytsig(message, query->tsig);
+		result = dns_message_setquerytsig(rmessage, query->tsig);
 		if (result != ISC_R_SUCCESS) {
 			FCTXTRACE3("unable to set query tsig", result);
 			goto done;
@@ -7882,14 +7957,14 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (query->tsigkey) {
-		result = dns_message_settsigkey(message, query->tsigkey);
+		result = dns_message_settsigkey(rmessage, query->tsigkey);
 		if (result != ISC_R_SUCCESS) {
 			FCTXTRACE3("unable to set tsig key", result);
 			goto done;
 		}
 	}
 
-	dns_message_setclass(message, res->rdclass);
+	dns_message_setclass(rmessage, res->rdclass);
 
 	if ((options & DNS_FETCHOPT_TCP) == 0) {
 		if ((options & DNS_FETCHOPT_NOEDNS0) == 0)
@@ -7898,16 +7973,16 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		else
 			dns_adb_plainresponse(fctx->adb, query->addrinfo);
 	}
-	result = dns_message_parse(message, &devent->buffer, 0);
+	result = dns_message_parse(rmessage, &devent->buffer, 0);
 	if (result != ISC_R_SUCCESS) {
 		FCTXTRACE3("message failed to parse", result);
 		switch (result) {
 		case ISC_R_UNEXPECTEDEND:
-			if (!message->question_ok ||
-			    (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
+			if (!rmessage->question_ok ||
+			    (rmessage->flags & DNS_MESSAGEFLAG_TC) == 0 ||
 			    (options & DNS_FETCHOPT_TCP) != 0) {
 				/*
-				 * Either the message ended prematurely,
+				 * Either the rmessage ended prematurely,
 				 * and/or wasn't marked as being truncated,
 				 * and/or this is a response to a query we
 				 * sent over TCP.  In all of these cases,
@@ -7936,7 +8011,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			}
 			/*
 			 * We defer retrying via TCP for a bit so we can
-			 * check out this message further.
+			 * check out this rmessage further.
 			 */
 			truncated = true;
 			break;
@@ -7967,7 +8042,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Log the incoming packet.
 	 */
-	dns_message_logfmtpacket2(message, "received packet from",
+	dns_message_logfmtpacket2(rmessage, "received packet from",
 				  &query->addrinfo->sockaddr,
 				  DNS_LOGCATEGORY_RESOLVER,
 				  DNS_LOGMODULE_PACKETS,
@@ -8013,7 +8088,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		    &zr, &query->start, NULL, &devent->buffer);
 #endif /* HAVE_DNSTAP */
 
-	if (message->rdclass != res->rdclass) {
+	if (rmessage->rdclass != res->rdclass) {
 		resend = true;
 		FCTXTRACE("bad class");
 		goto done;
@@ -8022,11 +8097,11 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Process receive opt record.
 	 */
-	opt = dns_message_getopt(message);
+	opt = dns_message_getopt(rmessage);
 	if (opt != NULL)
 		process_opt(query, opt);
 
-	if (message->cc_bad && (options & DNS_FETCHOPT_TCP) == 0) {
+	if (rmessage->cc_bad && (options & DNS_FETCHOPT_TCP) == 0) {
 		/*
 		 * If the COOKIE is bad, assume it is an attack and
 		 * keep listening for a good answer.
@@ -8049,10 +8124,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	 * the same question.
 	 * FORMERR/NOTIMP if they have a question section then it must match.
 	 */
-	switch (message->rcode) {
+	switch (rmessage->rcode) {
 	case dns_rcode_notimp:
 	case dns_rcode_formerr:
-		if (message->counts[DNS_SECTION_QUESTION] == 0)
+		if (rmessage->counts[DNS_SECTION_QUESTION] == 0)
 			break;
 		/* FALLTHROUGH */
 	case dns_rcode_nxrrset:	/* Not expected. */
@@ -8063,7 +8138,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	case dns_rcode_refused:
 	case dns_rcode_servfail:
 	default:
-		result = same_question(fctx);
+		result = same_question(fctx, rmessage);
 		if (result != ISC_R_SUCCESS) {
 			FCTXTRACE3("response did not match question", result);
 			nextitem = true;
@@ -8073,40 +8148,77 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	}
 
 	/*
-	 * If the message is signed, check the signature.  If not, this
+	 * If the rmessage is signed, check the signature.  If not, this
 	 * returns success anyway.
 	 */
-	result = dns_message_checksig(message, res->view);
+	result = dns_message_checksig(rmessage, res->view);
 	if (result != ISC_R_SUCCESS) {
 		FCTXTRACE3("signature check failed", result);
+		if (result == DNS_R_UNEXPECTEDTSIG ||
+		    result == DNS_R_EXPECTEDTSIG) {
+			nextitem = true;
+		}
 		goto done;
 	}
 
 	/*
 	 * The dispatcher should ensure we only get responses with QR set.
 	 */
-	INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
+	INSIST((rmessage->flags & DNS_MESSAGEFLAG_QR) != 0);
 	/*
-	 * INSIST() that the message comes from the place we sent it to,
+	 * INSIST() that the rmessage comes from the place we sent it to,
 	 * since the dispatch code should ensure this.
 	 *
-	 * INSIST() that the message id is correct (this should also be
+	 * INSIST() that the rmessage id is correct (this should also be
 	 * ensured by the dispatch code).
 	 */
 
 	/*
+	 * If we have had a server cookie and don't get one retry over TCP.
+	 * This may be a misconfigured anycast server or an attempt to send
+	 * a spoofed response.  Skip if we have a valid tsig.
+	 */
+	if (dns_message_gettsig(rmessage, NULL) == NULL &&
+	    !rmessage->cc_ok && !rmessage->cc_bad &&
+	    (options & DNS_FETCHOPT_TCP) == 0)
+	{
+		unsigned char cookie[COOKIE_BUFFER_SIZE];
+		if (dns_adb_getcookie(fctx->adb, query->addrinfo, cookie,
+				      sizeof(cookie)) > CLIENT_COOKIE_SIZE)
+		{
+			if (isc_log_wouldlog(dns_lctx, ISC_LOG_INFO)) {
+				char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+				isc_sockaddr_format(&query->addrinfo->sockaddr,
+						    addrbuf, sizeof(addrbuf));
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+					DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+					"missing expected cookie from %s",
+					addrbuf);
+			}
+			options |= DNS_FETCHOPT_TCP;
+			resend = true;
+			goto done;
+		}
+		/*
+		 * XXXMPA When support for DNS COOKIE becomes ubiquitous, fall
+		 * back to TCP for all non-COOKIE responses.
+		 */
+	}
+
+	/*
 	 * We have an affirmative response to the query and we have
 	 * previously got a response from this server which indicated
 	 * EDNS may not be supported so we can now cache the lack of
 	 * EDNS support.
 	 */
 	if (opt == NULL && !EDNSOK(query->addrinfo) &&
-	    (message->rcode == dns_rcode_noerror ||
-	     message->rcode == dns_rcode_nxdomain ||
-	     message->rcode == dns_rcode_refused ||
-	     message->rcode == dns_rcode_yxdomain) &&
+	    (rmessage->rcode == dns_rcode_noerror ||
+	     rmessage->rcode == dns_rcode_nxdomain ||
+	     rmessage->rcode == dns_rcode_refused ||
+	     rmessage->rcode == dns_rcode_yxdomain) &&
 	     bad_edns(fctx, &query->addrinfo->sockaddr)) {
-		dns_message_logpacket2(message,
+		dns_message_logpacket2(rmessage,
 				       "received packet (bad edns) from",
 				       &query->addrinfo->sockaddr,
 				       DNS_LOGCATEGORY_RESOLVER,
@@ -8116,10 +8228,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
 				    DNS_FETCHOPT_NOEDNS0,
 				    DNS_FETCHOPT_NOEDNS0);
-	} else if (opt == NULL && (message->flags & DNS_MESSAGEFLAG_TC) == 0 &&
+	} else if (opt == NULL && (rmessage->flags & DNS_MESSAGEFLAG_TC) == 0 &&
 		   !EDNSOK(query->addrinfo) &&
-		   (message->rcode == dns_rcode_noerror ||
-		    message->rcode == dns_rcode_nxdomain) &&
+		   (rmessage->rcode == dns_rcode_noerror ||
+		    rmessage->rcode == dns_rcode_nxdomain) &&
 		   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 		/*
 		 * We didn't get a OPT record in response to a EDNS query.
@@ -8132,7 +8244,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		 * should be safe to do for any rcode we limit it to NOERROR
 		 * and NXDOMAIN.
 		 */
-		dns_message_logpacket2(message, "received packet (no opt) from",
+		dns_message_logpacket2(rmessage, "received packet (no opt) from",
 				       &query->addrinfo->sockaddr,
 				       DNS_LOGCATEGORY_RESOLVER,
 				       DNS_LOGMODULE_RESOLVER,
@@ -8148,10 +8260,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	 */
 	if (opt != NULL && !EDNSOK(query->addrinfo) &&
 	    (query->options & DNS_FETCHOPT_NOEDNS0) == 0 &&
-	    (message->rcode == dns_rcode_noerror ||
-	     message->rcode == dns_rcode_nxdomain ||
-	     message->rcode == dns_rcode_refused ||
-	     message->rcode == dns_rcode_yxdomain)) {
+	    (rmessage->rcode == dns_rcode_noerror ||
+	     rmessage->rcode == dns_rcode_nxdomain ||
+	     rmessage->rcode == dns_rcode_refused ||
+	     rmessage->rcode == dns_rcode_yxdomain)) {
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
 				    FCTX_ADDRINFO_EDNSOK,
 				    FCTX_ADDRINFO_EDNSOK);
@@ -8160,7 +8272,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Deal with truncated responses by retrying using TCP.
 	 */
-	if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
+	if ((rmessage->flags & DNS_MESSAGEFLAG_TC) != 0)
 		truncated = true;
 
 	if (truncated) {
@@ -8179,19 +8291,19 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Is it a query response?
 	 */
-	if (message->opcode != dns_opcode_query) {
+	if (rmessage->opcode != dns_opcode_query) {
 		/* XXXRTH Log */
 		broken_server = DNS_R_UNEXPECTEDOPCODE;
 		keep_trying = true;
-		FCTXTRACE("invalid message opcode");
+		FCTXTRACE("invalid rmessage opcode");
 		goto done;
 	}
 
 	/*
 	 * Update statistics about erroneous responses.
 	 */
-	if (message->rcode != dns_rcode_noerror) {
-		switch (message->rcode) {
+	if (rmessage->rcode != dns_rcode_noerror) {
+		switch (rmessage->rcode) {
 		case dns_rcode_nxdomain:
 			inc_stats(res, dns_resstatscounter_nxdomain);
 			break;
@@ -8219,30 +8331,30 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Is the remote server broken, or does it dislike us?
 	 */
-	if (message->rcode != dns_rcode_noerror &&
-	    message->rcode != dns_rcode_yxdomain &&
-	    message->rcode != dns_rcode_nxdomain) {
+	if (rmessage->rcode != dns_rcode_noerror &&
+	    rmessage->rcode != dns_rcode_yxdomain &&
+	    rmessage->rcode != dns_rcode_nxdomain) {
 		isc_buffer_t b;
 		char code[64];
-		unsigned char cookie[64];
+		unsigned char cookie[COOKIE_BUFFER_SIZE];
 
 		/*
 		 * Some servers do not ignore unknown EDNS options.
 		 */
 		if (!NOCOOKIE(query->addrinfo) &&
-		    (message->rcode == dns_rcode_formerr ||
-		     message->rcode == dns_rcode_notimp ||
-		     message->rcode == dns_rcode_refused) &&
+		    (rmessage->rcode == dns_rcode_formerr ||
+		     rmessage->rcode == dns_rcode_notimp ||
+		     rmessage->rcode == dns_rcode_refused) &&
 		     dns_adb_getcookie(fctx->adb, query->addrinfo,
 				       cookie, sizeof(cookie)) == 0U) {
 			dns_adb_changeflags(fctx->adb, query->addrinfo,
 					    FCTX_ADDRINFO_NOCOOKIE,
 					    FCTX_ADDRINFO_NOCOOKIE);
 			resend = true;
-		} else if ((message->rcode == dns_rcode_formerr ||
-			    message->rcode == dns_rcode_notimp ||
-			    (message->rcode == dns_rcode_servfail &&
-			     dns_message_getopt(message) == NULL)) &&
+		} else if ((rmessage->rcode == dns_rcode_formerr ||
+			    rmessage->rcode == dns_rcode_notimp ||
+			    (rmessage->rcode == dns_rcode_servfail &&
+			     dns_message_getopt(rmessage) == NULL)) &&
 			   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 			/*
 			 * It's very likely they don't like EDNS0.
@@ -8262,7 +8374,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 */
 			add_bad_edns(fctx, &query->addrinfo->sockaddr);
 			inc_stats(res, dns_resstatscounter_edns0fail);
-		} else if (message->rcode == dns_rcode_formerr) {
+		} else if (rmessage->rcode == dns_rcode_formerr) {
 			if (ISFORWARDER(query->addrinfo)) {
 				/*
 				 * This forwarder doesn't understand us,
@@ -8282,7 +8394,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				log_formerr(fctx, "server sent FORMERR");
 				result = DNS_R_FORMERR;
 			}
-		} else if (message->rcode == dns_rcode_badvers) {
+		} else if (rmessage->rcode == dns_rcode_badvers) {
 			unsigned int version;
 			bool setnocookie = false;
 #if DNS_EDNS_VERSION > 0
@@ -8349,8 +8461,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				keep_trying = true;
 			}
 #endif
-		} else if (message->rcode == dns_rcode_badcookie &&
-			   message->cc_ok) {
+		} else if (rmessage->rcode == dns_rcode_badcookie &&
+			   rmessage->cc_ok) {
 			/*
 			 * We have recorded the new cookie.
 			 */
@@ -8368,7 +8480,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		}
 
 		isc_buffer_init(&b, code, sizeof(code) - 1);
-		dns_rcode_totext(fctx->rmessage->rcode, &b);
+		dns_rcode_totext(rmessage->rcode, &b);
 		code[isc_buffer_usedlength(&b)] = '\0';
 		FCTXTRACE2("remote server broken: returned ", code);
 		goto done;
@@ -8377,18 +8489,20 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Is the server lame?
 	 */
-	if (res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
-	    is_lame(fctx)) {
+	if (!ISFORWARDER(query->addrinfo) && is_lame(fctx, rmessage)) {
 		inc_stats(res, dns_resstatscounter_lame);
 		log_lame(fctx, query->addrinfo);
-		result = dns_adb_marklame(fctx->adb, query->addrinfo,
-					  &fctx->name, fctx->type,
-					  now + res->lame_ttl);
-		if (result != ISC_R_SUCCESS)
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
-				      "could not mark server as lame: %s",
-				      isc_result_totext(result));
+		if (res->lame_ttl != 0) {
+			result = dns_adb_marklame(fctx->adb, query->addrinfo,
+						  &fctx->name, fctx->type,
+						  now + res->lame_ttl);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+					      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+					      "could not mark server as lame: %s",
+					      isc_result_totext(result));
+			}
+		}
 		broken_server = DNS_R_LAME;
 		keep_trying = true;
 		FCTXTRACE("lame server");
@@ -8401,7 +8515,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	if (!ISFORWARDER(query->addrinfo) &&
 	    dns_view_isdelegationonly(res->view, &fctx->domain) &&
 	    !dns_name_equal(&fctx->domain, &fctx->name) &&
-	    fix_mustbedelegationornxdomain(message, fctx)) {
+	    fix_mustbedelegationornxdomain(rmessage, fctx)) {
 		char namebuf[DNS_NAME_FORMATSIZE];
 		char domainbuf[DNS_NAME_FORMATSIZE];
 		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -8424,7 +8538,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if ((res->options & DNS_RESOLVER_CHECKNAMES) != 0)
-		checknames(message);
+		checknames(rmessage);
 
 	/*
 	 * Clear cache bits.
@@ -8434,22 +8548,22 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Did we get any answers?
 	 */
-	if (message->counts[DNS_SECTION_ANSWER] > 0 &&
-	    (message->rcode == dns_rcode_noerror ||
-	     message->rcode == dns_rcode_yxdomain ||
-	     message->rcode == dns_rcode_nxdomain)) {
+	if (rmessage->counts[DNS_SECTION_ANSWER] > 0 &&
+	    (rmessage->rcode == dns_rcode_noerror ||
+	     rmessage->rcode == dns_rcode_yxdomain ||
+	     rmessage->rcode == dns_rcode_nxdomain)) {
 		/*
 		 * [normal case]
 		 * We've got answers.  If it has an authoritative answer or an
 		 * answer from a forwarder, we're done.
 		 */
-		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 ||
+		if ((rmessage->flags & DNS_MESSAGEFLAG_AA) != 0 ||
 		    ISFORWARDER(query->addrinfo))
 		{
-			result = answer_response(fctx);
+			result = answer_response(fctx, rmessage);
 			if (result != ISC_R_SUCCESS)
 				FCTXTRACE3("answer_response (AA/fwd)", result);
-		} else if (iscname(fctx) &&
+		} else if (iscname(fctx, rmessage) &&
 			 fctx->type != dns_rdatatype_any &&
 			 fctx->type != dns_rdatatype_cname)
 		{
@@ -8458,16 +8572,16 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 * answer when a CNAME is followed.  We should treat
 			 * it as a valid answer.
 			 */
-			result = answer_response(fctx);
+			result = answer_response(fctx, rmessage);
 			if (result != ISC_R_SUCCESS)
 				FCTXTRACE3("answer_response (!ANY/!CNAME)",
 					   result);
 		} else if (fctx->type != dns_rdatatype_ns &&
-			   !betterreferral(fctx)) {
+			   !betterreferral(fctx, rmessage)) {
 			/*
 			 * Lame response !!!.
 			 */
-			result = answer_response(fctx);
+			result = answer_response(fctx, rmessage);
 			if (result != ISC_R_SUCCESS)
 				FCTXTRACE3("answer_response (!NS)", result);
 		} else {
@@ -8480,8 +8594,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				 * validation, we must invoke the following
 				 * special kludge to treat it as a referral.
 				 */
-				result = noanswer_response(fctx, NULL,
-						   LOOK_FOR_NS_IN_ANSWER);
+				result = noanswer_response(fctx,
+							   rmessage,
+							   NULL,
+						  LOOK_FOR_NS_IN_ANSWER);
 				if (result != ISC_R_SUCCESS)
 					FCTXTRACE3("noanswer_response (NS)",
 						   result);
@@ -8498,7 +8614,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				 * record.  LOOK_FOR_GLUE_IN_ANSWER will handle
 				 * such a corner case.
 				 */
-				result = noanswer_response(fctx, NULL,
+				result = noanswer_response(fctx,
+							   rmessage,
+							   NULL,
 						   LOOK_FOR_GLUE_IN_ANSWER);
 				if (result != ISC_R_SUCCESS)
 					FCTXTRACE3("noanswer_response", result);
@@ -8522,13 +8640,13 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				keep_trying = true;
 			goto done;
 		}
-	} else if (message->counts[DNS_SECTION_AUTHORITY] > 0 ||
-		   message->rcode == dns_rcode_noerror ||
-		   message->rcode == dns_rcode_nxdomain) {
+	} else if (rmessage->counts[DNS_SECTION_AUTHORITY] > 0 ||
+		   rmessage->rcode == dns_rcode_noerror ||
+		   rmessage->rcode == dns_rcode_nxdomain) {
 		/*
 		 * NXDOMAIN, NXRDATASET, or referral.
 		 */
-		result = noanswer_response(fctx, NULL, 0);
+		result = noanswer_response(fctx, rmessage, NULL, 0);
 		switch (result) {
 		case ISC_R_SUCCESS:
 		case DNS_R_CHASEDSSERVERS:
@@ -8584,14 +8702,15 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Follow additional section data chains.
 	 */
-	chase_additional(fctx);
+	chase_additional(fctx, rmessage);
 
 	/*
-	 * Cache the cacheable parts of the message.  This may also cause
+	 * Cache the cacheable parts of the rmessage.  This may also cause
 	 * work to be queued to the DNSSEC validator.
 	 */
 	if (WANTCACHE(fctx)) {
-		result = cache_message(fctx, query->addrinfo, now);
+		result = cache_message(fctx, rmessage, query->addrinfo,
+				       now);
 		if (result != ISC_R_SUCCESS) {
 			FCTXTRACE3("cache_message complete", result);
 			goto done;
@@ -8599,25 +8718,25 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	}
 
 	/*
-	 * Ncache the negatively cacheable parts of the message.  This may
+	 * Ncache the negatively cacheable parts of the rmessage.  This may
 	 * also cause work to be queued to the DNSSEC validator.
 	 */
 	if (WANTNCACHE(fctx)) {
 		dns_rdatatype_t covers;
 
 		/*
-		 * Cache DS NXDOMAIN seperately to other types.
+		 * Cache DS NXDOMAIN separately to other types.
 		 */
-		if (message->rcode == dns_rcode_nxdomain &&
+		if (rmessage->rcode == dns_rcode_nxdomain &&
 		    fctx->type != dns_rdatatype_ds)
 			covers = dns_rdatatype_any;
 		else
 			covers = fctx->type;
 
 		/*
-		 * Cache any negative cache entries in the message.
+		 * Cache any negative cache entries in the rmessage.
 		 */
-		result = ncache_message(fctx, query->addrinfo, covers, now);
+		result = ncache_message(fctx, rmessage, query->addrinfo, covers, now);
 		if (result != ISC_R_SUCCESS)
 			FCTXTRACE3("ncache_message complete", result);
 	}
@@ -8645,7 +8764,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 #ifdef ENABLE_AFL
 	if (dns_fuzzing_resolver && (keep_trying || resend)) {
 		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-		return;
+		goto cleanup_rmessage;
 	} else
 #endif
 	if (keep_trying) {
@@ -8656,7 +8775,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 * Add this server to the list of bad servers for
 			 * this fctx.
 			 */
-			add_bad(fctx, addrinfo, broken_server, broken_type);
+			add_bad(fctx, rmessage, addrinfo,
+				broken_server, broken_type);
 		}
 
 		if (get_nameservers) {
@@ -8664,7 +8784,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			fname = dns_fixedname_initname(&foundname);
 			if (result != ISC_R_SUCCESS) {
 				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
+				goto detach_rmessage;
 			}
 			findoptions = 0;
 			if (dns_rdatatype_atparent(fctx->type))
@@ -8682,7 +8802,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			if (result != ISC_R_SUCCESS) {
 				FCTXTRACE("couldn't find a zonecut");
 				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
+				goto detach_rmessage;
 			}
 			if (!dns_name_issubdomain(fname, &fctx->domain)) {
 				/*
@@ -8691,7 +8811,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				 */
 				FCTXTRACE("nameservers now above QDOMAIN");
 				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
+				goto detach_rmessage;
 			}
 
 			fcount_decr(fctx);
@@ -8700,12 +8820,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			result = dns_name_dup(fname, fctx->mctx, &fctx->domain);
 			if (result != ISC_R_SUCCESS) {
 				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
+				goto detach_rmessage;
 			}
 			result = fcount_incr(fctx, true);
 			if (result != ISC_R_SUCCESS) {
 				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
+				goto detach_rmessage;
 			}
 			fctx->ns_ttl = fctx->nameservers.ttl;
 			fctx->ns_ttl_ok = true;
@@ -8743,7 +8863,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		FCTXTRACE("nextitem");
 		inc_stats(fctx->res, dns_resstatscounter_nextitem);
 		INSIST(query->dispentry != NULL);
-		dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
+		dns_message_reset(query->rmessage, DNS_MESSAGE_INTENTPARSE);
 		result = dns_dispatch_getnext(query->dispentry, &devent);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result, __LINE__);
@@ -8763,7 +8883,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			fctx_done(fctx, result, __LINE__);
 	} else if (result == DNS_R_CHASEDSSERVERS) {
 		unsigned int n;
-		add_bad(fctx, addrinfo, result, broken_type);
+		add_bad(fctx, rmessage, addrinfo, result, broken_type);
 		fctx_cancelqueries(fctx, true, false);
 		fctx_cleanupfinds(fctx);
 		fctx_cleanupforwaddrs(fctx);
@@ -8794,6 +8914,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		 */
 		fctx_done(fctx, result, __LINE__);
 	}
+detach_rmessage:
+	dns_message_detach(&rmessage);
 }
 
 /***
@@ -8812,7 +8934,7 @@ destroy(dns_resolver_t *res) {
 
 	INSIST(res->nfctx == 0);
 
-	DESTROYLOCK(&res->zspill_lock);
+	DESTROYLOCK(&res->spill_lock);
 	DESTROYLOCK(&res->primelock);
 	DESTROYLOCK(&res->nlock);
 	DESTROYLOCK(&res->lock);
@@ -8904,6 +9026,7 @@ spillattimer_countdown(isc_task_t *task, isc_event_t *event) {
 
 	LOCK(&res->lock);
 	INSIST(!res->exiting);
+	LOCK(&res->spill_lock);
 	if (res->spillat > res->spillatmin) {
 		res->spillat--;
 		logit = true;
@@ -8915,6 +9038,7 @@ spillattimer_countdown(isc_task_t *task, isc_event_t *event) {
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	}
 	count = res->spillat;
+	UNLOCK(&res->spill_lock);
 	UNLOCK(&res->lock);
 	if (logit)
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
@@ -9089,14 +9213,14 @@ dns_resolver_create(dns_view_t *view,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_nlock;
 
-	result = isc_mutex_init(&res->zspill_lock);
+	result = isc_mutex_init(&res->spill_lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_primelock;
 
 	task = NULL;
 	result = isc_task_create(taskmgr, 0, &task);
 	if (result != ISC_R_SUCCESS)
-		goto cleanup_zspill_lock;
+		goto cleanup_spill_lock;
 	isc_task_setname(task, "resolver_task", NULL);
 
 	result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
@@ -9104,7 +9228,7 @@ dns_resolver_create(dns_view_t *view,
 				  &res->spillattimer);
 	isc_task_detach(&task);
 	if (result != ISC_R_SUCCESS)
-		goto cleanup_zspill_lock;
+		goto cleanup_spill_lock;
 
 #if USE_ALGLOCK
 	result = isc_rwlock_init(&res->alglock, 0, 0);
@@ -9137,8 +9261,8 @@ dns_resolver_create(dns_view_t *view,
 	isc_timer_detach(&res->spillattimer);
 #endif
 
- cleanup_zspill_lock:
-	DESTROYLOCK(&res->zspill_lock);
+ cleanup_spill_lock:
+	DESTROYLOCK(&res->spill_lock);
 
  cleanup_primelock:
 	DESTROYLOCK(&res->primelock);
@@ -9554,10 +9678,10 @@ dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
 
 	bucketnum = dns_name_fullhash(name, false) % res->nbuckets;
 
-	LOCK(&res->lock);
+	LOCK(&res->spill_lock);
 	spillat = res->spillat;
 	spillatmin = res->spillatmin;
-	UNLOCK(&res->lock);
+	UNLOCK(&res->spill_lock);
 	LOCK(&res->buckets[bucketnum].lock);
 
 	if (res->buckets[bucketnum].exiting) {
@@ -10255,14 +10379,14 @@ dns_resolver_getclientsperquery(dns_resolver_t *resolver, uint32_t *cur,
 {
 	REQUIRE(VALID_RESOLVER(resolver));
 
-	LOCK(&resolver->lock);
+	LOCK(&resolver->spill_lock);
 	if (cur != NULL)
 		*cur = resolver->spillat;
 	if (min != NULL)
 		*min = resolver->spillatmin;
 	if (max != NULL)
 		*max = resolver->spillatmax;
-	UNLOCK(&resolver->lock);
+	UNLOCK(&resolver->spill_lock);
 }
 
 void
@@ -10271,10 +10395,10 @@ dns_resolver_setclientsperquery(dns_resolver_t *resolver, uint32_t min,
 {
 	REQUIRE(VALID_RESOLVER(resolver));
 
-	LOCK(&resolver->lock);
+	LOCK(&resolver->spill_lock);
 	resolver->spillatmin = resolver->spillat = min;
 	resolver->spillatmax = max;
-	UNLOCK(&resolver->lock);
+	UNLOCK(&resolver->spill_lock);
 }
 
 void
@@ -10282,9 +10406,9 @@ dns_resolver_setfetchesperzone(dns_resolver_t *resolver, uint32_t clients)
 {
 	REQUIRE(VALID_RESOLVER(resolver));
 
-	LOCK(&resolver->zspill_lock);
+	LOCK(&resolver->spill_lock);
 	resolver->zspill = clients;
-	UNLOCK(&resolver->zspill_lock);
+	UNLOCK(&resolver->spill_lock);
 }
 
 
diff --git a/bind/bind9/lib/dns/result.c b/bind/bind9/lib/dns/result.c
index 9bfc9598..24aa01eb 100644
--- a/bind/bind9/lib/dns/result.c
+++ b/bind/bind9/lib/dns/result.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -165,6 +165,17 @@ static const char *text[DNS_R_NRESULTS] = {
 	"TSIG in wrong location",	       /*%< 115 DNS_R_BADTSIG */
 	"SIG(0) in wrong location",	       /*%< 116 DNS_R_BADSIG0 */
 	"too many records",	               /*%< 117 DNS_R_TOOMANYRECORDS */
+	"verify failure",	               /*%< 118 DNS_R_VERIFYFAILURE */
+	"at top of zone",	               /*%< 119 DNS_R_ATZONETOP */
+
+	"no matching key found",	       /*%< 120 DNS_R_NOKEYMATCH */
+	"too many keys matching",	       /*%< 121 DNS_R_TOOMANYKEYS */
+	"key is not actively signing",	       /*%< 122 DNS_R_KEYNOTACTIVE */
+	"NSEC3 iterations out of range",       /*%< 123 DNS_R_NSEC3ITERRANGE */
+	"NSEC3 salt length too high",	       /*%< 124 DNS_R_NSEC3SALTRANGE */
+
+	"cannot use NSEC3 with key algorithm", /*%< 125 DNS_R_NSEC3BADALG */
+	"NSEC3 resalt",	                       /*%< 126 DNS_R_NSEC3RESALT */
 };
 
 static const char *ids[DNS_R_NRESULTS] = {
@@ -290,6 +301,15 @@ static const char *ids[DNS_R_NRESULTS] = {
 	"DNS_R_BADTSIG",
 	"DNS_R_BADSIG0",
 	"DNS_R_TOOMANYRECORDS",
+	"DNS_R_VERIFYFAILURE",
+	"DNS_R_ATZONETOP",
+	"DNS_R_NOKEYMATCH",
+	"DNS_R_TOOMANYKEYS",
+	"DNS_R_KEYNOTACTIVE",
+	"DNS_R_NSEC3ITERRANGE",
+	"DNS_R_NSEC3SALTRANGE",
+	"DNS_R_NSEC3BADALG",
+	"DNS_R_NSEC3RESALT",
 };
 
 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
diff --git a/bind/bind9/lib/dns/rootns.c b/bind/bind9/lib/dns/rootns.c
index 70b2b7df..9653f3ba 100644
--- a/bind/bind9/lib/dns/rootns.c
+++ b/bind/bind9/lib/dns/rootns.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rpz.c b/bind/bind9/lib/dns/rpz.c
index ec8dc376..8cb07815 100644
--- a/bind/bind9/lib/dns/rpz.c
+++ b/bind/bind9/lib/dns/rpz.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -696,13 +696,14 @@ ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
 			       (tgt_ip->w[3]>>8) & 0xffU,
 			       (tgt_ip->w[3]>>16) & 0xffU,
 			       (tgt_ip->w[3]>>24) & 0xffU);
-		if (len < 0 || len > (int)sizeof(str)) {
+		if (len < 0 || (size_t)len >= sizeof(str)) {
 			return (ISC_R_FAILURE);
 		}
 	} else {
 		len = snprintf(str, sizeof(str), "%d", tgt_prefix);
-		if (len == -1)
+		if (len < 0 || (size_t)len >= sizeof(str)) {
 			return (ISC_R_FAILURE);
+		}
 		for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
 			w[i*2+1] = ((tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] >> 16)
 				    & 0xffff);
@@ -732,15 +733,19 @@ ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
 		}
 
 		for (n = 0; n <= 7; ++n) {
-			INSIST(len < (int)sizeof(str));
+			INSIST(len > 0 && (size_t)len < sizeof(str));
 			if (n == best_first) {
-				len += snprintf(str + len, sizeof(str) - len,
-						".zz");
+				i = snprintf(str + len, sizeof(str) - len,
+					     ".zz");
 				n += best_len - 1;
 			} else {
-				len += snprintf(str + len, sizeof(str) - len,
-						".%x", w[n]);
+				i = snprintf(str + len, sizeof(str) - len,
+					     ".%x", w[n]);
+			}
+			if (i < 0 || (size_t)i >= (size_t)(sizeof(str) - len)) {
+				return (ISC_R_FAILURE);
 			}
+			len += i;
 		}
 	}
 
@@ -1081,7 +1086,8 @@ trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) {
 	x = zbits & found;
 	x &= (~x + 1);
 	x = (x << 1) - 1;
-	return (zbits &= x);
+	zbits &= x;
+	return (zbits);
 }
 
 /*
@@ -2320,7 +2326,40 @@ dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
 
 	case DNS_R_PARTIALMATCH:
 		i = chain.level_matches;
-		while (i >= 0 && (nmnode = chain.levels[i]) != NULL) {
+		nmnode = chain.levels[chain.level_matches];
+
+		/* Whenever an exact match is found by dns_rbt_findnode(),
+		 * the highest level node in the chain will not be put into
+		 * chain->levels[] array, but instead the chain->end
+		 * pointer will be adjusted to point to that node.
+		 *
+		 * Suppose we have the following entries in a rpz zone:
+		 *   example.com     CNAME rpz-passthru.
+		 *   *.example.com   CNAME rpz-passthru.
+		 *
+		 * A query for www.example.com would result in the
+		 * following chain object returned by dns_rbt_findnode():
+		 *   chain->level_count = 2
+		 *   chain->level_matches = 2
+		 *   chain->levels[0] = .
+		 *   chain->levels[1] = example.com
+		 *   chain->levels[2] = NULL
+		 *   chain->end = www
+		 *
+		 * Since exact matches only care for testing rpz set bits,
+		 * we need to test for rpz wild bits through iterating the
+		 * nodechain, and that includes testing the rpz wild bits in the
+		 * highest level node found. In the case of an exact match,
+		 * chain->levels[chain->level_matches] will be NULL, to address
+		 * that we must use chain->end as the start
+		 * point, then iterate over the remaining levels in the chain.
+		 */
+		if (nmnode == NULL) {
+			--i;
+			nmnode = chain.end;
+		}
+
+		while (nmnode != NULL) {
 			nm_data = nmnode->data;
 			if (nm_data != NULL) {
 				if (rpz_type == DNS_RPZ_TYPE_QNAME) {
@@ -2329,7 +2368,13 @@ dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
 					found_zbits |= nm_data->wild.ns;
 				}
 			}
-			i--;
+
+			if (i >= 0) {
+				nmnode = chain.levels[i];
+				--i;
+			} else {
+				break;
+			}
 		}
 		break;
 
diff --git a/bind/bind9/lib/dns/rriterator.c b/bind/bind9/lib/dns/rriterator.c
index 3a6b9a17..fb4eb34f 100644
--- a/bind/bind9/lib/dns/rriterator.c
+++ b/bind/bind9/lib/dns/rriterator.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/rrl.c b/bind/bind9/lib/dns/rrl.c
index d4280515..98fc83a3 100644
--- a/bind/bind9/lib/dns/rrl.c
+++ b/bind/bind9/lib/dns/rrl.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -539,7 +539,7 @@ get_entry(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
 		}
 
 		/*
-		 * Discard prevous hash table when all of its entries are old.
+		 * Discard previous hash table when all of its entries are old.
 		 */
 		age = delta_rrl_time(rrl->old_hash->check_time, now);
 		if (age > rrl->window)
@@ -1184,7 +1184,7 @@ dns_rrl(dns_view_t *view,
 	}
 
 	/*
-	 * Log occassionally in the rate-limit category.
+	 * Log occasionally in the rate-limit category.
 	 */
 	if ((!e->logged || e->log_secs >= DNS_RRL_MAX_LOG_SECS) &&
 	    isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP)) {
diff --git a/bind/bind9/lib/dns/sdb.c b/bind/bind9/lib/dns/sdb.c
index d4c8c673..477bb74c 100644
--- a/bind/bind9/lib/dns/sdb.c
+++ b/bind/bind9/lib/dns/sdb.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1141,11 +1141,13 @@ createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
 {
 	dns_sdb_t *sdb = (dns_sdb_t *)db;
 	sdb_dbiterator_t *sdbiter;
-	dns_sdbimplementation_t *imp = sdb->implementation;
+	dns_sdbimplementation_t *imp;
 	isc_result_t result;
 
 	REQUIRE(VALID_SDB(sdb));
 
+	imp = sdb->implementation;
+
 	if (imp->methods->allnodes == NULL)
 		return (ISC_R_NOTIMPLEMENTED);
 
@@ -1193,7 +1195,7 @@ findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rdatalist_t *list;
 	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node;
 
-	REQUIRE(VALID_SDBNODE(node));
+	REQUIRE(VALID_SDBNODE(sdbnode));
 
 	UNUSED(db);
 	UNUSED(version);
diff --git a/bind/bind9/lib/dns/sdlz.c b/bind/bind9/lib/dns/sdlz.c
index 0b9620c7..037d74a1 100644
--- a/bind/bind9/lib/dns/sdlz.c
+++ b/bind/bind9/lib/dns/sdlz.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/soa.c b/bind/bind9/lib/dns/soa.c
index 9be3467b..99f85a86 100644
--- a/bind/bind9/lib/dns/soa.c
+++ b/bind/bind9/lib/dns/soa.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/spnego.asn1 b/bind/bind9/lib/dns/spnego.asn1
deleted file mode 100644
index abf9b76b..00000000
--- a/bind/bind9/lib/dns/spnego.asn1
+++ /dev/null
@@ -1,50 +0,0 @@
--- Copyright (C) The Internet Society 2005.  This version of
--- this module is part of RFC 4178; see the RFC itself for
--- full legal notices.
-
--- (The above copyright notice is per RFC 3978 5.6 (a), q.v.)
-
--- This is the SPNEGO ASN.1 module from RFC 4178, tweaked
--- to get the Heimdal ASN.1 compiler to accept it.
-
-SPNEGOASNOneSpec DEFINITIONS ::= BEGIN
-
-MechType ::= OBJECT IDENTIFIER
-
-MechTypeList ::= SEQUENCE OF MechType
-
-ContextFlags ::= BIT STRING {
-    delegFlag       (0),
-    mutualFlag      (1),
-    replayFlag      (2),
-    sequenceFlag    (3),
-    anonFlag        (4),
-    confFlag        (5),
-    integFlag       (6)
-}
-
-NegTokenInit ::= SEQUENCE {
-    mechTypes       [0] MechTypeList,
-    reqFlags        [1] ContextFlags  OPTIONAL,
-    mechToken       [2] OCTET STRING  OPTIONAL,
-    mechListMIC     [3] OCTET STRING  OPTIONAL
-}
-
-NegTokenResp ::= SEQUENCE {
-    negState       [0] ENUMERATED {
-	accept-completed    (0),
-	accept-incomplete   (1),
-	reject              (2),
-	request-mic         (3)
-    }                                 OPTIONAL,
-    supportedMech   [1] MechType      OPTIONAL,
-    responseToken   [2] OCTET STRING  OPTIONAL,
-    mechListMIC     [3] OCTET STRING  OPTIONAL
-}
-
-NegotiationToken ::= CHOICE {
-    negTokenInit    [0] NegTokenInit,
-    negTokenResp    [1] NegTokenResp
-}
-
-END
diff --git a/bind/bind9/lib/dns/spnego.c b/bind/bind9/lib/dns/spnego.c
deleted file mode 100644
index ad77f242..00000000
--- a/bind/bind9/lib/dns/spnego.c
+++ /dev/null
@@ -1,1825 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file
- * \brief
- * Portable SPNEGO implementation.
- *
- * This is part of a portable implementation of the SPNEGO protocol
- * (RFCs 2478 and 4178).  This implementation uses the RFC 4178 ASN.1
- * module but is not a full implementation of the RFC 4178 protocol;
- * at the moment, we only support GSS-TSIG with Kerberos
- * authentication, so we only need enough of the SPNEGO protocol to
- * support that.
- *
- * The files that make up this portable SPNEGO implementation are:
- * \li	spnego.c	(this file)
- * \li	spnego.h	(API SPNEGO exports to the rest of lib/dns)
- * \li	spnego.asn1	(SPNEGO ASN.1 module)
- * \li	spnego_asn1.c	(routines generated from spngo.asn1)
- * \li	spnego_asn1.pl	(perl script to generate spnego_asn1.c)
- *
- * Everything but the functions exported in spnego.h is static, to
- * avoid possible conflicts with other libraries (particularly Heimdal,
- * since much of this code comes from Heimdal by way of mod_auth_kerb).
- *
- * spnego_asn1.c is shipped as part of lib/dns because generating it
- * requires both Perl and the Heimdal ASN.1 compiler.  See
- * spnego_asn1.pl for further details.  We've tried to eliminate all
- * compiler warnings from the generated code, but you may see a few
- * when using a compiler version we haven't tested yet.
- */
-
-/*
- * Portions of this code were derived from mod_auth_kerb and Heimdal.
- * These packages are available from:
- *
- *   http://modauthkerb.sourceforge.net/
- *   http://www.pdc.kth.se/heimdal/
- *
- * and were released under the following licenses:
- *
- * ----------------------------------------------------------------
- *
- * Copyright (c) 2004 Masarykova universita
- * (Masaryk University, Brno, Czech Republic)
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the University nor the names of its contributors may
- *    be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- *
- * ----------------------------------------------------------------
- *
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * XXXSRA We should omit this file entirely in Makefile.in via autoconf,
- * but this will keep it from generating errors until that's written.
- */
-
-#ifdef GSSAPI
-
-/*
- * XXXSRA Some of the following files are almost certainly unnecessary,
- * but using this list (borrowed from gssapictx.c) gets rid of some
- * whacky compilation errors when building with MSVC and should be
- * harmless in any case.
- */
-
-#include <config.h>
-
-#include <inttypes.h>
-#include <stdbool.h>
-#include <stdlib.h>
-#include <errno.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/random.h>
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/types.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-
-#include <dst/gssapi.h>
-#include <dst/result.h>
-
-#include "dst_internal.h"
-
-/*
- * The API we export
- */
-#include "spnego.h"
-
-/* asn1_err.h */
-/* Generated from ../../../lib/asn1/asn1_err.et */
-
-#ifndef ERROR_TABLE_BASE_asn1
-/* these may be brought in already via gssapi_krb5.h */
-typedef enum asn1_error_number {
-	ASN1_BAD_TIMEFORMAT = 1859794432,
-	ASN1_MISSING_FIELD = 1859794433,
-	ASN1_MISPLACED_FIELD = 1859794434,
-	ASN1_TYPE_MISMATCH = 1859794435,
-	ASN1_OVERFLOW = 1859794436,
-	ASN1_OVERRUN = 1859794437,
-	ASN1_BAD_ID = 1859794438,
-	ASN1_BAD_LENGTH = 1859794439,
-	ASN1_BAD_FORMAT = 1859794440,
-	ASN1_PARSE_ERROR = 1859794441
-} asn1_error_number;
-
-#define ERROR_TABLE_BASE_asn1 1859794432
-#endif
-
-#define __asn1_common_definitions__
-
-typedef struct octet_string {
-	size_t length;
-	void *data;
-} octet_string;
-
-typedef char *general_string;
-
-typedef char *utf8_string;
-
-typedef struct oid {
-	size_t length;
-	unsigned *components;
-} oid;
-
-/* der.h */
-
-typedef enum {
-	ASN1_C_UNIV = 0, ASN1_C_APPL = 1,
-	ASN1_C_CONTEXT = 2, ASN1_C_PRIVATE = 3
-} Der_class;
-
-typedef enum {
-	PRIM = 0, CONS = 1
-} Der_type;
-
-/* Universal tags */
-
-enum {
-	UT_Boolean = 1,
-	UT_Integer = 2,
-	UT_BitString = 3,
-	UT_OctetString = 4,
-	UT_Null = 5,
-	UT_OID = 6,
-	UT_Enumerated = 10,
-	UT_Sequence = 16,
-	UT_Set = 17,
-	UT_PrintableString = 19,
-	UT_IA5String = 22,
-	UT_UTCTime = 23,
-	UT_GeneralizedTime = 24,
-	UT_VisibleString = 26,
-	UT_GeneralString = 27
-};
-
-#define ASN1_INDEFINITE 0xdce0deed
-
-static int
-der_get_length(const unsigned char *p, size_t len,
-	       size_t * val, size_t * size);
-
-static int
-der_get_octet_string(const unsigned char *p, size_t len,
-		     octet_string * data, size_t * size);
-static int
-der_get_oid(const unsigned char *p, size_t len,
-	    oid * data, size_t * size);
-static int
-der_get_tag(const unsigned char *p, size_t len,
-	    Der_class * xclass, Der_type * type,
-	    int *tag, size_t * size);
-
-static int
-der_match_tag(const unsigned char *p, size_t len,
-	      Der_class xclass, Der_type type,
-	      int tag, size_t * size);
-static int
-der_match_tag_and_length(const unsigned char *p, size_t len,
-			 Der_class xclass, Der_type type, int tag,
-			 size_t * length_ret, size_t * size);
-
-static int
-decode_oid(const unsigned char *p, size_t len,
-	   oid * k, size_t * size);
-
-static int
-decode_enumerated(const unsigned char *p, size_t len, void *num, size_t *size);
-
-static int
-decode_octet_string(const unsigned char *, size_t, octet_string *, size_t *);
-
-static int
-der_put_int(unsigned char *p, size_t len, int val, size_t *);
-
-static int
-der_put_length(unsigned char *p, size_t len, size_t val, size_t *);
-
-static int
-der_put_octet_string(unsigned char *p, size_t len,
-		     const octet_string * data, size_t *);
-static int
-der_put_oid(unsigned char *p, size_t len,
-	    const oid * data, size_t * size);
-static int
-der_put_tag(unsigned char *p, size_t len, Der_class xclass, Der_type type,
-	    int tag, size_t *);
-static int
-der_put_length_and_tag(unsigned char *, size_t, size_t,
-		       Der_class, Der_type, int, size_t *);
-
-static int
-encode_enumerated(unsigned char *p, size_t len, const void *data, size_t *);
-
-static int
-encode_octet_string(unsigned char *p, size_t len,
-		    const octet_string * k, size_t *);
-static int
-encode_oid(unsigned char *p, size_t len,
-	   const oid * k, size_t *);
-
-static void
-free_octet_string(octet_string * k);
-
-static void
-free_oid  (oid * k);
-
-static size_t
-length_len(size_t len);
-
-static int
-fix_dce(size_t reallen, size_t * len);
-
-/*
- * Include stuff generated by the ASN.1 compiler.
- */
-
-#include "spnego_asn1.c"
-
-/*
- * Force the oid arrays to be uint64_t aligned to silence warnings
- * about the arrays not being properly aligned for (void *).
- */
-typedef union { unsigned char b[8]; uint64_t _align; } aligned8;
-typedef union { unsigned char b[16]; uint64_t _align[2]; } aligned16;
-
-static aligned16 gss_krb5_mech_oid_bytes = {
-	{ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 }
-};
-
-static gss_OID_desc gss_krb5_mech_oid_desc = {
-	9, gss_krb5_mech_oid_bytes.b
-};
-
-static gss_OID GSS_KRB5_MECH = &gss_krb5_mech_oid_desc;
-
-static aligned16 gss_mskrb5_mech_oid_bytes = {
-	{ 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02 }
-};
-
-static gss_OID_desc gss_mskrb5_mech_oid_desc = {
-	9, gss_mskrb5_mech_oid_bytes.b
-};
-
-static gss_OID GSS_MSKRB5_MECH = &gss_mskrb5_mech_oid_desc;
-
-static aligned8 gss_spnego_mech_oid_bytes = {
-	{ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 }
-};
-
-static gss_OID_desc gss_spnego_mech_oid_desc = {
-	6, gss_spnego_mech_oid_bytes.b
-};
-
-static gss_OID GSS_SPNEGO_MECH = &gss_spnego_mech_oid_desc;
-
-/* spnegokrb5_locl.h */
-
-static OM_uint32
-gssapi_spnego_encapsulate(OM_uint32 *,
-			  unsigned char *,
-			  size_t,
-			  gss_buffer_t,
-			  const gss_OID);
-
-static OM_uint32
-gssapi_spnego_decapsulate(OM_uint32 *,
-			  gss_buffer_t,
-			  unsigned char **,
-			  size_t *,
-			  const gss_OID);
-
-/* mod_auth_kerb.c */
-
-static int
-cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
-{
-	unsigned char *p;
-	size_t len;
-
-	if (token->length == 0U)
-		return (GSS_S_DEFECTIVE_TOKEN);
-
-	p = token->value;
-	if (*p++ != 0x60)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	len = *p++;
-	if (len & 0x80) {
-		if ((len & 0x7f) > 4U)
-			return (GSS_S_DEFECTIVE_TOKEN);
-		p += len & 0x7f;
-	}
-	if (*p++ != 0x06)
-		return (GSS_S_DEFECTIVE_TOKEN);
-
-	if (((OM_uint32) *p++) != gssoid->length)
-		return (GSS_S_DEFECTIVE_TOKEN);
-
-	return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
-}
-
-/* accept_sec_context.c */
-/*
- * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
- * based on Heimdal code)
- */
-
-static OM_uint32
-code_NegTokenArg(OM_uint32 * minor_status,
-		 const NegTokenResp * resp,
-		 unsigned char **outbuf,
-		 size_t * outbuf_size)
-{
-	OM_uint32 ret;
-	u_char *buf;
-	size_t buf_size, buf_len = 0;
-
-	buf_size = 1024;
-	buf = malloc(buf_size);
-	if (buf == NULL) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	do {
-		ret = encode_NegTokenResp(buf + buf_size - 1,
-					  buf_size,
-					  resp, &buf_len);
-		if (ret == 0) {
-			size_t tmp;
-
-			ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
-						     buf_size - buf_len,
-						     buf_len,
-						     ASN1_C_CONTEXT,
-						     CONS,
-						     1,
-						     &tmp);
-			if (ret == 0)
-				buf_len += tmp;
-		}
-		if (ret) {
-			if (ret == ASN1_OVERFLOW) {
-				u_char *tmp;
-
-				buf_size *= 2;
-				tmp = realloc(buf, buf_size);
-				if (tmp == NULL) {
-					*minor_status = ENOMEM;
-					free(buf);
-					return (GSS_S_FAILURE);
-				}
-				buf = tmp;
-			} else {
-				*minor_status = ret;
-				free(buf);
-				return (GSS_S_FAILURE);
-			}
-		}
-	} while (ret == ASN1_OVERFLOW);
-
-	*outbuf = malloc(buf_len);
-	if (*outbuf == NULL) {
-		*minor_status = ENOMEM;
-		free(buf);
-		return (GSS_S_FAILURE);
-	}
-	memmove(*outbuf, buf + buf_size - buf_len, buf_len);
-	*outbuf_size = buf_len;
-
-	free(buf);
-
-	return (GSS_S_COMPLETE);
-}
-
-static OM_uint32
-send_reject(OM_uint32 * minor_status,
-	    gss_buffer_t output_token)
-{
-	NegTokenResp resp;
-	OM_uint32 ret;
-
-	resp.negState = malloc(sizeof(*resp.negState));
-	if (resp.negState == NULL) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	*(resp.negState) = reject;
-
-	resp.supportedMech = NULL;
-	resp.responseToken = NULL;
-	resp.mechListMIC = NULL;
-
-	ret = code_NegTokenArg(minor_status, &resp,
-			       (unsigned char **)&output_token->value,
-			       &output_token->length);
-	free_NegTokenResp(&resp);
-	if (ret)
-		return (ret);
-
-	return (GSS_S_BAD_MECH);
-}
-
-static OM_uint32
-send_accept(OM_uint32 * minor_status,
-	    gss_buffer_t output_token,
-	    gss_buffer_t mech_token,
-	    const gss_OID pref)
-{
-	NegTokenResp resp;
-	OM_uint32 ret;
-
-	memset(&resp, 0, sizeof(resp));
-	resp.negState = malloc(sizeof(*resp.negState));
-	if (resp.negState == NULL) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	*(resp.negState) = accept_completed;
-
-	resp.supportedMech = malloc(sizeof(*resp.supportedMech));
-	if (resp.supportedMech == NULL) {
-		free_NegTokenResp(&resp);
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	ret = der_get_oid(pref->elements,
-			  pref->length,
-			  resp.supportedMech,
-			  NULL);
-	if (ret) {
-		free_NegTokenResp(&resp);
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	if (mech_token != NULL && mech_token->length != 0U) {
-		resp.responseToken = malloc(sizeof(*resp.responseToken));
-		if (resp.responseToken == NULL) {
-			free_NegTokenResp(&resp);
-			*minor_status = ENOMEM;
-			return (GSS_S_FAILURE);
-		}
-		resp.responseToken->length = mech_token->length;
-		resp.responseToken->data = mech_token->value;
-	}
-
-	ret = code_NegTokenArg(minor_status, &resp,
-			       (unsigned char **)&output_token->value,
-			       &output_token->length);
-	if (resp.responseToken != NULL) {
-		free(resp.responseToken);
-		resp.responseToken = NULL;
-	}
-	free_NegTokenResp(&resp);
-	if (ret)
-		return (ret);
-
-	return (GSS_S_COMPLETE);
-}
-
-OM_uint32
-gss_accept_sec_context_spnego(OM_uint32 *minor_status,
-			      gss_ctx_id_t *context_handle,
-			      const gss_cred_id_t acceptor_cred_handle,
-			      const gss_buffer_t input_token_buffer,
-			      const gss_channel_bindings_t input_chan_bindings,
-			      gss_name_t *src_name,
-			      gss_OID *mech_type,
-			      gss_buffer_t output_token,
-			      OM_uint32 *ret_flags,
-			      OM_uint32 *time_rec,
-			      gss_cred_id_t *delegated_cred_handle)
-{
-	NegTokenInit init_token;
-	OM_uint32 major_status = GSS_S_COMPLETE;
-	OM_uint32 minor_status2;
-	gss_buffer_desc ibuf, obuf;
-	gss_buffer_t ot = NULL;
-	gss_OID pref = GSS_KRB5_MECH;
-	unsigned char *buf;
-	size_t buf_size;
-	size_t len, taglen, ni_len;
-	int found = 0;
-	int ret;
-	unsigned i;
-
-	/*
-	 * Before doing anything else, see whether this is a SPNEGO
-	 * PDU.  If not, dispatch to the GSSAPI library and get out.
-	 */
-
-	if (cmp_gss_type(input_token_buffer, GSS_SPNEGO_MECH))
-		return (gss_accept_sec_context(minor_status,
-					       context_handle,
-					       acceptor_cred_handle,
-					       input_token_buffer,
-					       input_chan_bindings,
-					       src_name,
-					       mech_type,
-					       output_token,
-					       ret_flags,
-					       time_rec,
-					       delegated_cred_handle));
-
-	/*
-	 * If we get here, it's SPNEGO.
-	 */
-
-	memset(&init_token, 0, sizeof(init_token));
-
-	ret = gssapi_spnego_decapsulate(minor_status, input_token_buffer,
-					&buf, &buf_size, GSS_SPNEGO_MECH);
-	if (ret)
-		return (ret);
-
-	ret = der_match_tag_and_length(buf, buf_size, ASN1_C_CONTEXT, CONS,
-				       0, &len, &taglen);
-	if (ret)
-		return (ret);
-
-	ret = decode_NegTokenInit(buf + taglen, len, &init_token, &ni_len);
-	if (ret) {
-		*minor_status = EINVAL;	/* XXX */
-		return (GSS_S_DEFECTIVE_TOKEN);
-	}
-
-	for (i = 0; !found && i < init_token.mechTypes.len; ++i) {
-		unsigned char mechbuf[17];
-		size_t mech_len;
-
-		ret = der_put_oid(mechbuf + sizeof(mechbuf) - 1,
-				  sizeof(mechbuf),
-				  &init_token.mechTypes.val[i],
-				  &mech_len);
-		if (ret) {
-			free_NegTokenInit(&init_token);
-			return (GSS_S_DEFECTIVE_TOKEN);
-		}
-		if (mech_len == GSS_KRB5_MECH->length &&
-		    isc_safe_memequal(GSS_KRB5_MECH->elements,
-				      mechbuf + sizeof(mechbuf) - mech_len,
-				      mech_len))
-		{
-			found = 1;
-			break;
-		}
-		if (mech_len == GSS_MSKRB5_MECH->length &&
-		    isc_safe_memequal(GSS_MSKRB5_MECH->elements,
-				      mechbuf + sizeof(mechbuf) - mech_len,
-				      mech_len))
-		{
-			found = 1;
-			if (i == 0)
-				pref = GSS_MSKRB5_MECH;
-			break;
-		}
-	}
-
-	if (!found) {
-		free_NegTokenInit(&init_token);
-		return (send_reject(minor_status, output_token));
-	}
-
-	if (i == 0 && init_token.mechToken != NULL) {
-		ibuf.length = init_token.mechToken->length;
-		ibuf.value = init_token.mechToken->data;
-
-		major_status = gss_accept_sec_context(minor_status,
-						      context_handle,
-						      acceptor_cred_handle,
-						      &ibuf,
-						      input_chan_bindings,
-						      src_name,
-						      mech_type,
-						      &obuf,
-						      ret_flags,
-						      time_rec,
-						      delegated_cred_handle);
-		if (GSS_ERROR(major_status)) {
-			free_NegTokenInit(&init_token);
-			send_reject(&minor_status2, output_token);
-			return (major_status);
-		}
-		ot = &obuf;
-	}
-	ret = send_accept(&minor_status2, output_token, ot, pref);
-	free_NegTokenInit(&init_token);
-	if (ot != NULL && ot->length != 0U)
-		gss_release_buffer(&minor_status2, ot);
-
-	return (ret != GSS_S_COMPLETE ? (OM_uint32) ret : major_status);
-}
-
-/* decapsulate.c */
-
-static OM_uint32
-gssapi_verify_mech_header(u_char ** str,
-			  size_t total_len,
-			  const gss_OID mech)
-{
-	size_t len, len_len, mech_len, foo;
-	int e;
-	u_char *p = *str;
-
-	if (total_len < 1U)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	if (*p++ != 0x60)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	e = der_get_length(p, total_len - 1, &len, &len_len);
-	if (e || 1 + len_len + len != total_len)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	p += len_len;
-	if (*p++ != 0x06)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	e = der_get_length(p, total_len - 1 - len_len - 1,
-			   &mech_len, &foo);
-	if (e)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	p += foo;
-	if (mech_len != mech->length)
-		return (GSS_S_BAD_MECH);
-	if (!isc_safe_memequal(p, mech->elements, mech->length))
-		return (GSS_S_BAD_MECH);
-	p += mech_len;
-	*str = p;
-	return (GSS_S_COMPLETE);
-}
-
-/*
- * Remove the GSS-API wrapping from `in_token' giving `buf and buf_size' Does
- * not copy data, so just free `in_token'.
- */
-
-static OM_uint32
-gssapi_spnego_decapsulate(OM_uint32 *minor_status,
-			  gss_buffer_t input_token_buffer,
-			  unsigned char **buf,
-			  size_t *buf_len,
-			  const gss_OID mech)
-{
-	u_char *p;
-	OM_uint32 ret;
-
-	p = input_token_buffer->value;
-	ret = gssapi_verify_mech_header(&p,
-					input_token_buffer->length,
-					mech);
-	if (ret) {
-		*minor_status = ret;
-		return (GSS_S_FAILURE);
-	}
-	*buf_len = input_token_buffer->length -
-		(p - (u_char *) input_token_buffer->value);
-	*buf = p;
-	return (GSS_S_COMPLETE);
-}
-
-/* der_free.c */
-
-static void
-free_octet_string(octet_string *k)
-{
-	free(k->data);
-	k->data = NULL;
-}
-
-static void
-free_oid(oid *k)
-{
-	free(k->components);
-	k->components = NULL;
-}
-
-/* der_get.c */
-
-/*
- * All decoding functions take a pointer `p' to first position in which to
- * read, from the left, `len' which means the maximum number of characters we
- * are able to read, `ret' were the value will be returned and `size' where
- * the number of used bytes is stored. Either 0 or an error code is returned.
- */
-
-static int
-der_get_unsigned(const unsigned char *p, size_t len,
-		 unsigned *ret, size_t *size)
-{
-	unsigned val = 0;
-	size_t oldlen = len;
-
-	while (len--)
-		val = val * 256 + *p++;
-	*ret = val;
-	if (size)
-		*size = oldlen;
-	return (0);
-}
-
-static int
-der_get_int(const unsigned char *p, size_t len,
-	    int *ret, size_t *size)
-{
-	int val = 0;
-	size_t oldlen = len;
-
-	if (len > 0U) {
-		val = (signed char)*p++;
-		while (--len)
-			val = val * 256 + *p++;
-	}
-	*ret = val;
-	if (size)
-		*size = oldlen;
-	return (0);
-}
-
-static int
-der_get_length(const unsigned char *p, size_t len,
-	       size_t *val, size_t *size)
-{
-	size_t v;
-
-	if (len <= 0U)
-		return (ASN1_OVERRUN);
-	--len;
-	v = *p++;
-	if (v < 128U) {
-		*val = v;
-		if (size)
-			*size = 1;
-	} else {
-		int e;
-		size_t l;
-		unsigned tmp;
-
-		if (v == 0x80U) {
-			*val = ASN1_INDEFINITE;
-			if (size)
-				*size = 1;
-			return (0);
-		}
-		v &= 0x7F;
-		if (len < v)
-			return (ASN1_OVERRUN);
-		e = der_get_unsigned(p, v, &tmp, &l);
-		if (e)
-			return (e);
-		*val = tmp;
-		if (size)
-			*size = l + 1;
-	}
-	return (0);
-}
-
-static int
-der_get_octet_string(const unsigned char *p, size_t len,
-		     octet_string *data, size_t *size)
-{
-	data->length = len;
-	if (len != 0U) {
-		data->data = malloc(len);
-		if (data->data == NULL)
-			return (ENOMEM);
-		memmove(data->data, p, len);
-	} else
-		data->data = NULL;
-	if (size)
-		*size = len;
-	return (0);
-}
-
-static int
-der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
-	int n;
-	size_t oldlen = len;
-
-	data->components = NULL;
-	data->length = 0;
-	if (len < 1U) {
-		return (ASN1_OVERRUN);
-	}
-
-	data->components = malloc(len * sizeof(*data->components));
-	if (data->components == NULL) {
-		return (ENOMEM);
-	}
-	data->components[0] = (*p) / 40;
-	data->components[1] = (*p) % 40;
-	--len;
-	++p;
-	for (n = 2; len > 0U; ++n) {
-		unsigned u = 0;
-
-		do {
-			--len;
-			u = u * 128 + (*p++ % 128);
-		} while (len > 0U && p[-1] & 0x80);
-		data->components[n] = u;
-	}
-	if (p[-1] & 0x80) {
-		free_oid(data);
-		return (ASN1_OVERRUN);
-	}
-	data->length = n;
-	if (size) {
-		*size = oldlen;
-	}
-	return (0);
-}
-
-static int
-der_get_tag(const unsigned char *p, size_t len,
-	    Der_class *xclass, Der_type *type,
-	    int *tag, size_t *size)
-{
-	if (len < 1U)
-		return (ASN1_OVERRUN);
-	*xclass = (Der_class) (((*p) >> 6) & 0x03);
-	*type = (Der_type) (((*p) >> 5) & 0x01);
-	*tag = (*p) & 0x1F;
-	if (size)
-		*size = 1;
-	return (0);
-}
-
-static int
-der_match_tag(const unsigned char *p, size_t len,
-	      Der_class xclass, Der_type type,
-	      int tag, size_t *size)
-{
-	size_t l;
-	Der_class thisclass;
-	Der_type thistype;
-	int thistag;
-	int e;
-
-	e = der_get_tag(p, len, &thisclass, &thistype, &thistag, &l);
-	if (e)
-		return (e);
-	if (xclass != thisclass || type != thistype)
-		return (ASN1_BAD_ID);
-	if (tag > thistag)
-		return (ASN1_MISPLACED_FIELD);
-	if (tag < thistag)
-		return (ASN1_MISSING_FIELD);
-	if (size)
-		*size = l;
-	return (0);
-}
-
-static int
-der_match_tag_and_length(const unsigned char *p, size_t len,
-			 Der_class xclass, Der_type type, int tag,
-			 size_t *length_ret, size_t *size)
-{
-	size_t l, ret = 0;
-	int e;
-
-	e = der_match_tag(p, len, xclass, type, tag, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	e = der_get_length(p, len, length_ret, &l);
-	if (e)
-		return (e);
-	/* p += l; */
-	len -= l;
-	POST(len);
-	ret += l;
-	if (size)
-		*size = ret;
-	return (0);
-}
-
-static int
-decode_enumerated(const unsigned char *p, size_t len, void *num, size_t *size)
-{
-	size_t ret = 0;
-	size_t l, reallen;
-	int e;
-
-	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	e = der_get_length(p, len, &reallen, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	e = der_get_int(p, reallen, num, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	if (size)
-		*size = ret;
-	return (0);
-}
-
-static int
-decode_octet_string(const unsigned char *p, size_t len,
-		    octet_string *k, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-	size_t slen;
-
-	k->data = NULL;
-	k->length = 0;
-
-	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-
-	e = der_get_length(p, len, &slen, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	if (len < slen)
-		return (ASN1_OVERRUN);
-
-	e = der_get_octet_string(p, slen, k, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	if (size)
-		*size = ret;
-	return (0);
-}
-
-static int
-decode_oid(const unsigned char *p, size_t len,
-	   oid *k, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-	size_t slen;
-
-	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OID, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-
-	e = der_get_length(p, len, &slen, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	if (len < slen)
-		return (ASN1_OVERRUN);
-
-	e = der_get_oid(p, slen, k, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	if (size)
-		*size = ret;
-	return (0);
-}
-
-static int
-fix_dce(size_t reallen, size_t *len)
-{
-	if (reallen == ASN1_INDEFINITE)
-		return (1);
-	if (*len < reallen)
-		return (-1);
-	*len = reallen;
-	return (0);
-}
-
-/* der_length.c */
-
-static size_t
-len_unsigned(unsigned val)
-{
-	size_t ret = 0;
-
-	do {
-		++ret;
-		val /= 256;
-	} while (val);
-	return (ret);
-}
-
-static size_t
-length_len(size_t len)
-{
-	if (len < 128U)
-		return (1);
-	else
-		return (len_unsigned((unsigned int)len) + 1);
-}
-
-
-/* der_put.c */
-
-/*
- * All encoding functions take a pointer `p' to first position in which to
- * write, from the right, `len' which means the maximum number of characters
- * we are able to write.  The function returns the number of characters
- * written in `size' (if non-NULL). The return value is 0 or an error.
- */
-
-static int
-der_put_unsigned(unsigned char *p, size_t len, unsigned val, size_t *size)
-{
-	unsigned char *base = p;
-
-	if (val) {
-		while (len > 0U && val) {
-			*p-- = val % 256;
-			val /= 256;
-			--len;
-		}
-		if (val != 0)
-			return (ASN1_OVERFLOW);
-		else {
-			*size = base - p;
-			return (0);
-		}
-	} else if (len < 1U)
-		return (ASN1_OVERFLOW);
-	else {
-		*p = 0;
-		*size = 1;
-		return (0);
-	}
-}
-
-static int
-der_put_int(unsigned char *p, size_t len, int val, size_t *size)
-{
-	unsigned char *base = p;
-
-	if (val >= 0) {
-		do {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = val % 256;
-			len--;
-			val /= 256;
-		} while (val);
-		if (p[1] >= 128) {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = 0;
-			len--;
-			POST(len);
-		}
-	} else {
-		val = ~val;
-		do {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = ~(val % 256);
-			len--;
-			val /= 256;
-		} while (val);
-		if (p[1] < 128) {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = 0xff;
-			len--;
-			POST(len);
-		}
-	}
-	*size = base - p;
-	return (0);
-}
-
-static int
-der_put_length(unsigned char *p, size_t len, size_t val, size_t *size)
-{
-	if (len < 1U)
-		return (ASN1_OVERFLOW);
-	if (val < 128U) {
-		*p = (unsigned char)val;
-		*size = 1;
-		return (0);
-	} else {
-		size_t l;
-		int e;
-
-		e = der_put_unsigned(p, len - 1, (unsigned int)val, &l);
-		if (e)
-			return (e);
-		p -= l;
-		*p = 0x80 | (unsigned char)l;
-		*size = l + 1;
-		return (0);
-	}
-}
-
-static int
-der_put_octet_string(unsigned char *p, size_t len,
-		     const octet_string *data, size_t *size)
-{
-	if (len < data->length)
-		return (ASN1_OVERFLOW);
-	p -= data->length;
-	len -= data->length;
-	POST(len);
-	memmove(p + 1, data->data, data->length);
-	*size = data->length;
-	return (0);
-}
-
-static int
-der_put_oid(unsigned char *p, size_t len,
-	    const oid *data, size_t *size)
-{
-	unsigned char *base = p;
-	size_t n;
-
-	for (n = data->length; n >= 3u; --n) {
-		unsigned	u = data->components[n - 1];
-
-		if (len < 1U)
-			return (ASN1_OVERFLOW);
-		*p-- = u % 128;
-		u /= 128;
-		--len;
-		while (u > 0) {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = 128 + u % 128;
-			u /= 128;
-			--len;
-		}
-	}
-	if (len < 1U)
-		return (ASN1_OVERFLOW);
-	*p-- = 40 * data->components[0] + data->components[1];
-	*size = base - p;
-	return (0);
-}
-
-static int
-der_put_tag(unsigned char *p, size_t len, Der_class xclass, Der_type type,
-	    int tag, size_t *size)
-{
-	if (len < 1U)
-		return (ASN1_OVERFLOW);
-	*p = (xclass << 6) | (type << 5) | tag;	/* XXX */
-	*size = 1;
-	return (0);
-}
-
-static int
-der_put_length_and_tag(unsigned char *p, size_t len, size_t len_val,
-		       Der_class xclass, Der_type type, int tag, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = der_put_length(p, len, len_val, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	ret += l;
-	e = der_put_tag(p, len, xclass, type, tag, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	*size = ret;
-	return (0);
-}
-
-static int
-encode_enumerated(unsigned char *p, size_t len, const void *data, size_t *size)
-{
-	unsigned num = *(const unsigned *)data;
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = der_put_int(p, len, num, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	ret += l;
-	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	*size = ret;
-	return (0);
-}
-
-static int
-encode_octet_string(unsigned char *p, size_t len,
-		    const octet_string *k, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = der_put_octet_string(p, len, k, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	ret += l;
-	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	*size = ret;
-	return (0);
-}
-
-static int
-encode_oid(unsigned char *p, size_t len,
-	   const oid *k, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = der_put_oid(p, len, k, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	ret += l;
-	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	*size = ret;
-	return (0);
-}
-
-
-/* encapsulate.c */
-
-static void
-gssapi_encap_length(size_t data_len,
-		    size_t *len,
-		    size_t *total_len,
-		    const gss_OID mech)
-{
-	size_t len_len;
-
-	*len = 1 + 1 + mech->length + data_len;
-
-	len_len = length_len(*len);
-
-	*total_len = 1 + len_len + *len;
-}
-
-static u_char *
-gssapi_mech_make_header(u_char *p,
-			size_t len,
-			const gss_OID mech)
-{
-	int e;
-	size_t len_len, foo;
-
-	*p++ = 0x60;
-	len_len = length_len(len);
-	e = der_put_length(p + len_len - 1, len_len, len, &foo);
-	if (e || foo != len_len)
-		return (NULL);
-	p += len_len;
-	*p++ = 0x06;
-	*p++ = mech->length;
-	memmove(p, mech->elements, mech->length);
-	p += mech->length;
-	return (p);
-}
-
-/*
- * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
- */
-
-static OM_uint32
-gssapi_spnego_encapsulate(OM_uint32 * minor_status,
-			  unsigned char *buf,
-			  size_t buf_size,
-			  gss_buffer_t output_token,
-			  const gss_OID mech)
-{
-	size_t len, outer_len;
-	u_char *p;
-
-	gssapi_encap_length(buf_size, &len, &outer_len, mech);
-
-	output_token->length = outer_len;
-	output_token->value = malloc(outer_len);
-	if (output_token->value == NULL) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	p = gssapi_mech_make_header(output_token->value, len, mech);
-	if (p == NULL) {
-		if (output_token->length != 0U)
-			gss_release_buffer(minor_status, output_token);
-		return (GSS_S_FAILURE);
-	}
-	memmove(p, buf, buf_size);
-	return (GSS_S_COMPLETE);
-}
-
-/* init_sec_context.c */
-/*
- * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
- * based on Heimdal code)
- */
-
-static int
-add_mech(MechTypeList * mech_list, gss_OID mech)
-{
-	MechType *tmp;
-	int ret;
-
-	tmp = realloc(mech_list->val, (mech_list->len + 1) * sizeof(*tmp));
-	if (tmp == NULL)
-		return (ENOMEM);
-	mech_list->val = tmp;
-
-	ret = der_get_oid(mech->elements, mech->length,
-			  &mech_list->val[mech_list->len], NULL);
-	if (ret)
-		return (ret);
-
-	mech_list->len++;
-	return (0);
-}
-
-/*
- * return the length of the mechanism in token or -1
- * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN
- */
-
-static ssize_t
-gssapi_krb5_get_mech(const u_char *ptr,
-		     size_t total_len,
-		     const u_char **mech_ret)
-{
-	size_t len, len_len, mech_len, foo;
-	const u_char *p = ptr;
-	int e;
-
-	if (total_len < 1U)
-		return (-1);
-	if (*p++ != 0x60)
-		return (-1);
-	e = der_get_length (p, total_len - 1, &len, &len_len);
-	if (e || 1 + len_len + len != total_len)
-		return (-1);
-	p += len_len;
-	if (*p++ != 0x06)
-		return (-1);
-	e = der_get_length (p, total_len - 1 - len_len - 1,
-			    &mech_len, &foo);
-	if (e)
-		return (-1);
-	p += foo;
-	*mech_ret = p;
-	return (mech_len);
-}
-
-static OM_uint32
-spnego_initial(OM_uint32 *minor_status,
-	       const gss_cred_id_t initiator_cred_handle,
-	       gss_ctx_id_t *context_handle,
-	       const gss_name_t target_name,
-	       const gss_OID mech_type,
-	       OM_uint32 req_flags,
-	       OM_uint32 time_req,
-	       const gss_channel_bindings_t input_chan_bindings,
-	       const gss_buffer_t input_token,
-	       gss_OID *actual_mech_type,
-	       gss_buffer_t output_token,
-	       OM_uint32 *ret_flags,
-	       OM_uint32 *time_rec)
-{
-	NegTokenInit token_init;
-	OM_uint32 major_status, minor_status2;
-	gss_buffer_desc	krb5_output_token = GSS_C_EMPTY_BUFFER;
-	unsigned char *buf = NULL;
-	size_t buf_size;
-	size_t len;
-	int ret;
-
-	(void)mech_type;
-
-	memset(&token_init, 0, sizeof(token_init));
-
-	ret = add_mech(&token_init.mechTypes, GSS_KRB5_MECH);
-	if (ret) {
-		*minor_status = ret;
-		ret = GSS_S_FAILURE;
-		goto end;
-	}
-
-	major_status = gss_init_sec_context(minor_status,
-					    initiator_cred_handle,
-					    context_handle,
-					    target_name,
-					    GSS_KRB5_MECH,
-					    req_flags,
-					    time_req,
-					    input_chan_bindings,
-					    input_token,
-					    actual_mech_type,
-					    &krb5_output_token,
-					    ret_flags,
-					    time_rec);
-	if (GSS_ERROR(major_status)) {
-		ret = major_status;
-		goto end;
-	}
-	if (krb5_output_token.length > 0U) {
-		token_init.mechToken = malloc(sizeof(*token_init.mechToken));
-		if (token_init.mechToken == NULL) {
-			*minor_status = ENOMEM;
-			ret = GSS_S_FAILURE;
-			goto end;
-		}
-		token_init.mechToken->data = krb5_output_token.value;
-		token_init.mechToken->length = krb5_output_token.length;
-	}
-	/*
-	 * The MS implementation of SPNEGO seems to not like the mechListMIC
-	 * field, so we omit it (it's optional anyway)
-	 */
-
-	buf_size = 1024;
-	buf = malloc(buf_size);
-	if (buf == NULL) {
-		*minor_status = ENOMEM;
-		ret = GSS_S_FAILURE;
-		goto end;
-	}
-
-	do {
-		ret = encode_NegTokenInit(buf + buf_size - 1,
-					  buf_size,
-					  &token_init, &len);
-		if (ret == 0) {
-			size_t tmp;
-
-			ret = der_put_length_and_tag(buf + buf_size - len - 1,
-						     buf_size - len,
-						     len,
-						     ASN1_C_CONTEXT,
-						     CONS,
-						     0,
-						     &tmp);
-			if (ret == 0)
-				len += tmp;
-		}
-		if (ret) {
-			if (ret == ASN1_OVERFLOW) {
-				u_char *tmp;
-
-				buf_size *= 2;
-				tmp = realloc(buf, buf_size);
-				if (tmp == NULL) {
-					*minor_status = ENOMEM;
-					ret = GSS_S_FAILURE;
-					goto end;
-				}
-				buf = tmp;
-			} else {
-				*minor_status = ret;
-				ret = GSS_S_FAILURE;
-				goto end;
-			}
-		}
-	} while (ret == ASN1_OVERFLOW);
-
-	ret = gssapi_spnego_encapsulate(minor_status,
-					buf + buf_size - len, len,
-					output_token, GSS_SPNEGO_MECH);
-	if (ret == GSS_S_COMPLETE)
-		ret = major_status;
-
-end:
-	if (token_init.mechToken != NULL) {
-		free(token_init.mechToken);
-		token_init.mechToken = NULL;
-	}
-	free_NegTokenInit(&token_init);
-	if (krb5_output_token.length != 0U)
-		gss_release_buffer(&minor_status2, &krb5_output_token);
-	if (buf)
-		free(buf);
-
-	return (ret);
-}
-
-static OM_uint32
-spnego_reply(OM_uint32 *minor_status,
-	     const gss_cred_id_t initiator_cred_handle,
-	     gss_ctx_id_t *context_handle,
-	     const gss_name_t target_name,
-	     const gss_OID mech_type,
-	     OM_uint32 req_flags,
-	     OM_uint32 time_req,
-	     const gss_channel_bindings_t input_chan_bindings,
-	     const gss_buffer_t input_token,
-	     gss_OID *actual_mech_type,
-	     gss_buffer_t output_token,
-	     OM_uint32 *ret_flags,
-	     OM_uint32 *time_rec)
-{
-	OM_uint32 ret;
-	NegTokenResp resp;
-	unsigned char *buf;
-	size_t buf_size;
-	u_char oidbuf[17];
-	size_t oidlen;
-	gss_buffer_desc sub_token;
-	ssize_t mech_len;
-	const u_char *p;
-	size_t len, taglen;
-
-	(void)mech_type;
-
-	output_token->length = 0;
-	output_token->value  = NULL;
-
-	/*
-	 * SPNEGO doesn't include gss wrapping on SubsequentContextToken
-	 * like the Kerberos 5 mech does. But lets check for it anyway.
-	 */
-
-	mech_len = gssapi_krb5_get_mech(input_token->value,
-					input_token->length,
-					&p);
-
-	if (mech_len < 0) {
-		buf = input_token->value;
-		buf_size = input_token->length;
-	} else if ((size_t)mech_len == GSS_KRB5_MECH->length &&
-		   isc_safe_memequal(GSS_KRB5_MECH->elements, p, mech_len))
-		return (gss_init_sec_context(minor_status,
-					     initiator_cred_handle,
-					     context_handle,
-					     target_name,
-					     GSS_KRB5_MECH,
-					     req_flags,
-					     time_req,
-					     input_chan_bindings,
-					     input_token,
-					     actual_mech_type,
-					     output_token,
-					     ret_flags,
-					     time_rec));
-	else if ((size_t)mech_len == GSS_SPNEGO_MECH->length &&
-		 isc_safe_memequal(GSS_SPNEGO_MECH->elements, p, mech_len)) {
-		ret = gssapi_spnego_decapsulate(minor_status,
-						input_token,
-						&buf,
-						&buf_size,
-						GSS_SPNEGO_MECH);
-		if (ret)
-			return (ret);
-	} else
-		return (GSS_S_BAD_MECH);
-
-	ret = der_match_tag_and_length(buf, buf_size,
-				       ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
-	if (ret)
-		return (ret);
-
-	if(len > buf_size - taglen)
-		return (ASN1_OVERRUN);
-
-	ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
-	if (ret) {
-		free_NegTokenResp(&resp);
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-
-	if (resp.negState == NULL ||
-	    *(resp.negState) == reject ||
-	    resp.supportedMech == NULL) {
-		free_NegTokenResp(&resp);
-		return (GSS_S_BAD_MECH);
-	}
-
-	ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1,
-			  sizeof(oidbuf),
-			  resp.supportedMech,
-			  &oidlen);
-	if (ret || oidlen != GSS_KRB5_MECH->length ||
-	    !isc_safe_memequal(oidbuf + sizeof(oidbuf) - oidlen,
-			      GSS_KRB5_MECH->elements, oidlen))
-	{
-		free_NegTokenResp(&resp);
-		return GSS_S_BAD_MECH;
-	}
-
-	if (resp.responseToken != NULL) {
-		sub_token.length = resp.responseToken->length;
-		sub_token.value  = resp.responseToken->data;
-	} else {
-		sub_token.length = 0;
-		sub_token.value  = NULL;
-	}
-
-	ret = gss_init_sec_context(minor_status,
-				   initiator_cred_handle,
-				   context_handle,
-				   target_name,
-				   GSS_KRB5_MECH,
-				   req_flags,
-				   time_req,
-				   input_chan_bindings,
-				   &sub_token,
-				   actual_mech_type,
-				   output_token,
-				   ret_flags,
-				   time_rec);
-	if (ret) {
-		free_NegTokenResp(&resp);
-		return (ret);
-	}
-
-	/*
-	 * XXXSRA I don't think this limited implementation ever needs
-	 * to check the MIC -- our preferred mechanism (Kerberos)
-	 * authenticates its own messages and is the only mechanism
-	 * we'll accept, so if the mechanism negotiation completes
-	 * successfully, we don't need the MIC.  See RFC 4178.
-	 */
-
-	free_NegTokenResp(&resp);
-	return (ret);
-}
-
-
-
-OM_uint32
-gss_init_sec_context_spnego(OM_uint32 *minor_status,
-			    const gss_cred_id_t initiator_cred_handle,
-			    gss_ctx_id_t *context_handle,
-			    const gss_name_t target_name,
-			    const gss_OID mech_type,
-			    OM_uint32 req_flags,
-			    OM_uint32 time_req,
-			    const gss_channel_bindings_t input_chan_bindings,
-			    const gss_buffer_t input_token,
-			    gss_OID *actual_mech_type,
-			    gss_buffer_t output_token,
-			    OM_uint32 *ret_flags,
-			    OM_uint32 *time_rec)
-{
-	/* Dirty trick to suppress compiler warnings */
-
-	/* Figure out whether we're starting over or processing a reply */
-
-	if (input_token == GSS_C_NO_BUFFER || input_token->length == 0U)
-		return (spnego_initial(minor_status,
-				       initiator_cred_handle,
-				       context_handle,
-				       target_name,
-				       mech_type,
-				       req_flags,
-				       time_req,
-				       input_chan_bindings,
-				       input_token,
-				       actual_mech_type,
-				       output_token,
-				       ret_flags,
-				       time_rec));
-	else
-		return (spnego_reply(minor_status,
-				     initiator_cred_handle,
-				     context_handle,
-				     target_name,
-				     mech_type,
-				     req_flags,
-				     time_req,
-				     input_chan_bindings,
-				     input_token,
-				     actual_mech_type,
-				     output_token,
-				     ret_flags,
-				     time_rec));
-}
-
-#endif /* GSSAPI */
diff --git a/bind/bind9/lib/dns/spnego.h b/bind/bind9/lib/dns/spnego.h
deleted file mode 100644
index 31187209..00000000
--- a/bind/bind9/lib/dns/spnego.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-
-/*! \file
- * \brief
- * Entry points into portable SPNEGO implementation.
- * See spnego.c for information on the SPNEGO implementation itself.
- */
-
-#ifndef _SPNEGO_H_
-#define _SPNEGO_H_
-
-/*%
- * Wrapper for GSSAPI gss_init_sec_context(), using portable SPNEGO
- * implementation instead of the one that's part of the GSSAPI
- * library.  Takes arguments identical to the standard GSSAPI
- * function, uses standard gss_init_sec_context() to handle
- * everything inside the SPNEGO wrapper.
- */
-OM_uint32
-gss_init_sec_context_spnego(OM_uint32 *,
-			    const gss_cred_id_t,
-			    gss_ctx_id_t *,
-			    const gss_name_t,
-			    const gss_OID,
-			    OM_uint32,
-			    OM_uint32,
-			    const gss_channel_bindings_t,
-			    const gss_buffer_t,
-			    gss_OID *,
-			    gss_buffer_t,
-			    OM_uint32 *,
-			    OM_uint32 *);
-
-/*%
- * Wrapper for GSSAPI gss_accept_sec_context(), using portable SPNEGO
- * implementation instead of the one that's part of the GSSAPI
- * library.  Takes arguments identical to the standard GSSAPI
- * function.  Checks the OID of the input token to see if it's SPNEGO;
- * if so, processes it, otherwise hands the call off to the standard
- * gss_accept_sec_context() function.
- */
-OM_uint32 gss_accept_sec_context_spnego(OM_uint32 *,
-					gss_ctx_id_t *,
-					const gss_cred_id_t,
-					const gss_buffer_t,
-					const gss_channel_bindings_t,
-					gss_name_t *,
-					gss_OID *,
-					gss_buffer_t,
-					OM_uint32 *,
-					OM_uint32 *,
-					gss_cred_id_t *);
-
-
-#endif
diff --git a/bind/bind9/lib/dns/spnego_asn1.c b/bind/bind9/lib/dns/spnego_asn1.c
deleted file mode 100644
index ec6447b5..00000000
--- a/bind/bind9/lib/dns/spnego_asn1.c
+++ /dev/null
@@ -1,874 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-
-/*! \file
- * \brief Method routines generated from SPNEGO ASN.1 module.
- * See spnego_asn1.pl for details.  Do not edit.
- */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-#ifndef __asn1_h__
-#define __asn1_h__
-
-
-#ifndef __asn1_common_definitions__
-#define __asn1_common_definitions__
-
-typedef struct octet_string {
-	size_t length;
-	void *data;
-} octet_string;
-
-typedef char *general_string;
-
-typedef char *utf8_string;
-
-typedef struct oid {
-	size_t length;
-	unsigned *components;
-} oid;
-
-#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \
-  do {                                                         \
-    (BL) = length_##T((S));                                    \
-    (B) = malloc((BL));                                        \
-    if((B) == NULL) {                                          \
-      (R) = ENOMEM;                                            \
-    } else {                                                   \
-      (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \
-		       (S), (L));                              \
-      if((R) != 0) {                                           \
-	free((B));                                             \
-	(B) = NULL;                                            \
-      }                                                        \
-    }                                                          \
-  } while (0)
-
-#endif
-
-/*
- * MechType ::= OBJECT IDENTIFIER
- */
-
-typedef oid MechType;
-
-static int encode_MechType(unsigned char *, size_t, const MechType *, size_t *);
-static int decode_MechType(const unsigned char *, size_t, MechType *, size_t *);
-static void free_MechType(MechType *);
-/* unused declaration: length_MechType */
-/* unused declaration: copy_MechType */
-
-
-/*
- * MechTypeList ::= SEQUENCE OF MechType
- */
-
-typedef struct MechTypeList {
-	unsigned int len;
-	MechType *val;
-} MechTypeList;
-
-static int encode_MechTypeList(unsigned char *, size_t, const MechTypeList *, size_t *);
-static int decode_MechTypeList(const unsigned char *, size_t, MechTypeList *, size_t *);
-static void free_MechTypeList(MechTypeList *);
-/* unused declaration: length_MechTypeList */
-/* unused declaration: copy_MechTypeList */
-
-
-/*
- * ContextFlags ::= BIT STRING { delegFlag(0), mutualFlag(1), replayFlag(2),
- * sequenceFlag(3), anonFlag(4), confFlag(5), integFlag(6) }
- */
-
-typedef struct ContextFlags {
-	unsigned int delegFlag:1;
-	unsigned int mutualFlag:1;
-	unsigned int replayFlag:1;
-	unsigned int sequenceFlag:1;
-	unsigned int anonFlag:1;
-	unsigned int confFlag:1;
-	unsigned int integFlag:1;
-} ContextFlags;
-
-
-static int encode_ContextFlags(unsigned char *, size_t, const ContextFlags *, size_t *);
-static int decode_ContextFlags(const unsigned char *, size_t, ContextFlags *, size_t *);
-static void free_ContextFlags(ContextFlags *);
-/* unused declaration: length_ContextFlags */
-/* unused declaration: copy_ContextFlags */
-/* unused declaration: ContextFlags2int */
-/* unused declaration: int2ContextFlags */
-/* unused declaration: asn1_ContextFlags_units */
-
-/*
- * NegTokenInit ::= SEQUENCE { mechTypes[0]    MechTypeList, reqFlags[1]
- * ContextFlags OPTIONAL, mechToken[2]    OCTET STRING OPTIONAL,
- * mechListMIC[3]  OCTET STRING OPTIONAL }
- */
-
-typedef struct NegTokenInit {
-	MechTypeList mechTypes;
-	ContextFlags *reqFlags;
-	octet_string *mechToken;
-	octet_string *mechListMIC;
-} NegTokenInit;
-
-static int encode_NegTokenInit(unsigned char *, size_t, const NegTokenInit *, size_t *);
-static int decode_NegTokenInit(const unsigned char *, size_t, NegTokenInit *, size_t *);
-static void free_NegTokenInit(NegTokenInit *);
-/* unused declaration: length_NegTokenInit */
-/* unused declaration: copy_NegTokenInit */
-
-
-/*
- * NegTokenResp ::= SEQUENCE { negState[0]       ENUMERATED {
- * accept-completed(0), accept-incomplete(1), reject(2), request-mic(3) }
- * OPTIONAL, supportedMech[1]  MechType OPTIONAL, responseToken[2]  OCTET
- * STRING OPTIONAL, mechListMIC[3]    OCTET STRING OPTIONAL }
- */
-
-typedef struct NegTokenResp {
-	enum {
-		accept_completed = 0,
-		accept_incomplete = 1,
-		reject = 2,
-		request_mic = 3
-	} *negState;
-
-	MechType *supportedMech;
-	octet_string *responseToken;
-	octet_string *mechListMIC;
-} NegTokenResp;
-
-static int encode_NegTokenResp(unsigned char *, size_t, const NegTokenResp *, size_t *);
-static int decode_NegTokenResp(const unsigned char *, size_t, NegTokenResp *, size_t *);
-static void free_NegTokenResp(NegTokenResp *);
-/* unused declaration: length_NegTokenResp */
-/* unused declaration: copy_NegTokenResp */
-
-
-
-
-#endif				/* __asn1_h__ */
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-#define BACK if (e) return e; p -= l; len -= l; ret += l; POST(p); POST(len); POST(ret)
-
-static int
-encode_MechType(unsigned char *p, size_t len, const MechType * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = encode_oid(p, len, data, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-#define FORW if(e) goto fail; p += l; len -= l; ret += l; POST(p); POST(len); POST(ret)
-
-static int
-decode_MechType(const unsigned char *p, size_t len, MechType * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	e = decode_oid(p, len, data, &l);
-	FORW;
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_MechType(data);
-	return e;
-}
-
-static void
-free_MechType(MechType * data)
-{
-	free_oid(data);
-}
-
-/* unused function: length_MechType */
-
-
-/* unused function: copy_MechType */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-static int
-encode_MechTypeList(unsigned char *p, size_t len, const MechTypeList * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int i, e;
-
-	for (i = (data)->len - 1; i >= 0; --i) {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_MechType(p, len, &(data)->val[i], &l);
-		BACK;
-		ret += oldret;
-	}
-	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-static int
-decode_MechTypeList(const unsigned char *p, size_t len, MechTypeList * data, size_t * size)
-{
-	size_t ret = 0, reallen;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	reallen = 0;
-	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
-	FORW;
-	if (len < reallen)
-		return ASN1_OVERRUN;
-	len = reallen;
-	{
-		size_t origlen = len;
-		size_t oldret = ret;
-		ret = 0;
-		(data)->len = 0;
-		(data)->val = NULL;
-		while (ret < origlen) {
-			void *old = (data)->val;
-			(data)->len++;
-			(data)->val = realloc((data)->val, sizeof(*((data)->val)) * (data)->len);
-			if ((data)->val == NULL) {
-				(data)->val = old;
-				(data)->len--;
-				return ENOMEM;
-			}
-			e = decode_MechType(p, len, &(data)->val[(data)->len - 1], &l);
-			FORW;
-			len = origlen - ret;
-		}
-		ret += oldret;
-	}
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_MechTypeList(data);
-	return e;
-}
-
-static void
-free_MechTypeList(MechTypeList * data)
-{
-	while ((data)->len) {
-		free_MechType(&(data)->val[(data)->len - 1]);
-		(data)->len--;
-	}
-	free((data)->val);
-	(data)->val = NULL;
-}
-
-/* unused function: length_MechTypeList */
-
-
-/* unused function: copy_MechTypeList */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-static int
-encode_ContextFlags(unsigned char *p, size_t len, const ContextFlags * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	{
-		unsigned char c = 0;
-		*p-- = c;
-		len--;
-		ret++;
-		c = 0;
-		*p-- = c;
-		len--;
-		ret++;
-		c = 0;
-		*p-- = c;
-		len--;
-		ret++;
-		c = 0;
-		if (data->integFlag)
-			c |= 1 << 1;
-		if (data->confFlag)
-			c |= 1 << 2;
-		if (data->anonFlag)
-			c |= 1 << 3;
-		if (data->sequenceFlag)
-			c |= 1 << 4;
-		if (data->replayFlag)
-			c |= 1 << 5;
-		if (data->mutualFlag)
-			c |= 1 << 6;
-		if (data->delegFlag)
-			c |= 1 << 7;
-		*p-- = c;
-		*p-- = 0;
-		len -= 2;
-		ret += 2;
-	}
-
-	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, PRIM, UT_BitString, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-static int
-decode_ContextFlags(const unsigned char *p, size_t len, ContextFlags * data, size_t * size)
-{
-	size_t ret = 0, reallen;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	reallen = 0;
-	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, PRIM, UT_BitString, &reallen, &l);
-	FORW;
-	if (len < reallen)
-		return ASN1_OVERRUN;
-	p++;
-	len--;
-	POST(len);
-	reallen--;
-	ret++;
-	data->delegFlag = (*p >> 7) & 1;
-	data->mutualFlag = (*p >> 6) & 1;
-	data->replayFlag = (*p >> 5) & 1;
-	data->sequenceFlag = (*p >> 4) & 1;
-	data->anonFlag = (*p >> 3) & 1;
-	data->confFlag = (*p >> 2) & 1;
-	data->integFlag = (*p >> 1) & 1;
-	ret += reallen;
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_ContextFlags(data);
-	return e;
-}
-
-static void
-free_ContextFlags(ContextFlags * data)
-{
-	(void)data;
-}
-
-/* unused function: length_ContextFlags */
-
-
-/* unused function: copy_ContextFlags */
-
-
-/* unused function: ContextFlags2int */
-
-
-/* unused function: int2ContextFlags */
-
-
-/* unused variable: ContextFlags_units */
-
-/* unused function: asn1_ContextFlags_units */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-static int
-encode_NegTokenInit(unsigned char *p, size_t len, const NegTokenInit * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	if ((data)->mechListMIC) {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_octet_string(p, len, (data)->mechListMIC, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->mechToken) {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_octet_string(p, len, (data)->mechToken, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->reqFlags) {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_ContextFlags(p, len, (data)->reqFlags, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
-		BACK;
-		ret += oldret;
-	} {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_MechTypeList(p, len, &(data)->mechTypes, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
-		BACK;
-		ret += oldret;
-	}
-	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-static int
-decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, size_t * size)
-{
-	size_t ret = 0, reallen;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	reallen = 0;
-	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
-	FORW;
-	{
-		int dce_fix;
-		if ((dce_fix = fix_dce(reallen, &len)) < 0) {
-			e = ASN1_BAD_FORMAT;
-			goto fail;
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
-			FORW;
-			{
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int mydce_fix;
-					oldlen = len;
-					if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
-						e = ASN1_BAD_FORMAT;
-						goto fail;
-					}
-					e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
-					FORW;
-					if (mydce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
-			if (e)
-				(data)->reqFlags = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int mydce_fix;
-					oldlen = len;
-					if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
-						e = ASN1_BAD_FORMAT;
-						goto fail;
-					}
-					(data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
-					if ((data)->reqFlags == NULL) {
-						e = ENOMEM;
-						goto fail;
-					}
-					e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
-					FORW;
-					if (mydce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
-			if (e)
-				(data)->mechToken = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int mydce_fix;
-					oldlen = len;
-					if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
-						e = ASN1_BAD_FORMAT;
-						goto fail;
-					}
-					(data)->mechToken = malloc(sizeof(*(data)->mechToken));
-					if ((data)->mechToken == NULL) {
-						e = ENOMEM;
-						goto fail;
-					}
-					e = decode_octet_string(p, len, (data)->mechToken, &l);
-					FORW;
-					if (mydce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
-			if (e)
-				(data)->mechListMIC = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int mydce_fix;
-					oldlen = len;
-					if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
-						e = ASN1_BAD_FORMAT;
-						goto fail;
-					}
-					(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
-					if ((data)->mechListMIC == NULL) {
-						e = ENOMEM;
-						goto fail;
-					}
-					e = decode_octet_string(p, len, (data)->mechListMIC, &l);
-					FORW;
-					if (mydce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		if (dce_fix) {
-			e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-			FORW;
-		}
-	}
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_NegTokenInit(data);
-	return e;
-}
-
-static void
-free_NegTokenInit(NegTokenInit * data)
-{
-	free_MechTypeList(&(data)->mechTypes);
-	if ((data)->reqFlags) {
-		free_ContextFlags((data)->reqFlags);
-		free((data)->reqFlags);
-		(data)->reqFlags = NULL;
-	}
-	if ((data)->mechToken) {
-		free_octet_string((data)->mechToken);
-		free((data)->mechToken);
-		(data)->mechToken = NULL;
-	}
-	if ((data)->mechListMIC) {
-		free_octet_string((data)->mechListMIC);
-		free((data)->mechListMIC);
-		(data)->mechListMIC = NULL;
-	}
-}
-
-/* unused function: length_NegTokenInit */
-
-
-/* unused function: copy_NegTokenInit */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-static int
-encode_NegTokenResp(unsigned char *p, size_t len, const NegTokenResp * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	if ((data)->mechListMIC) {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_octet_string(p, len, (data)->mechListMIC, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->responseToken) {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_octet_string(p, len, (data)->responseToken, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->supportedMech) {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_MechType(p, len, (data)->supportedMech, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->negState) {
-		size_t oldret = ret;
-		ret = 0;
-		e = encode_enumerated(p, len, (data)->negState, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
-		BACK;
-		ret += oldret;
-	}
-	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-static int
-decode_NegTokenResp(const unsigned char *p, size_t len, NegTokenResp * data, size_t * size)
-{
-	size_t ret = 0, reallen;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	reallen = 0;
-	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
-	FORW;
-	{
-		int dce_fix;
-		if ((dce_fix = fix_dce(reallen, &len)) < 0)
-			return ASN1_BAD_FORMAT;
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
-			if (e)
-				(data)->negState = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int mydce_fix;
-					oldlen = len;
-					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->negState = malloc(sizeof(*(data)->negState));
-					if ((data)->negState == NULL)
-						return ENOMEM;
-					e = decode_enumerated(p, len, (data)->negState, &l);
-					FORW;
-					if (mydce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
-			if (e)
-				(data)->supportedMech = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int mydce_fix;
-					oldlen = len;
-					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->supportedMech = malloc(sizeof(*(data)->supportedMech));
-					if ((data)->supportedMech == NULL)
-						return ENOMEM;
-					e = decode_MechType(p, len, (data)->supportedMech, &l);
-					FORW;
-					if (mydce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
-			if (e)
-				(data)->responseToken = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int mydce_fix;
-					oldlen = len;
-					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->responseToken = malloc(sizeof(*(data)->responseToken));
-					if ((data)->responseToken == NULL)
-						return ENOMEM;
-					e = decode_octet_string(p, len, (data)->responseToken, &l);
-					FORW;
-					if (mydce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
-			if (e)
-				(data)->mechListMIC = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int mydce_fix;
-					oldlen = len;
-					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
-					if ((data)->mechListMIC == NULL)
-						return ENOMEM;
-					e = decode_octet_string(p, len, (data)->mechListMIC, &l);
-					FORW;
-					if (mydce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		if (dce_fix) {
-			e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-			FORW;
-		}
-	}
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_NegTokenResp(data);
-	return e;
-}
-
-static void
-free_NegTokenResp(NegTokenResp * data)
-{
-	if ((data)->negState) {
-		free((data)->negState);
-		(data)->negState = NULL;
-	}
-	if ((data)->supportedMech) {
-		free_MechType((data)->supportedMech);
-		free((data)->supportedMech);
-		(data)->supportedMech = NULL;
-	}
-	if ((data)->responseToken) {
-		free_octet_string((data)->responseToken);
-		free((data)->responseToken);
-		(data)->responseToken = NULL;
-	}
-	if ((data)->mechListMIC) {
-		free_octet_string((data)->mechListMIC);
-		free((data)->mechListMIC);
-		(data)->mechListMIC = NULL;
-	}
-}
-
-/* unused function: length_NegTokenResp */
-
-
-/* unused function: copy_NegTokenResp */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-/* CHOICE */
-/* unused variable: asn1_NegotiationToken_dummy_holder */
diff --git a/bind/bind9/lib/dns/spnego_asn1.pl b/bind/bind9/lib/dns/spnego_asn1.pl
deleted file mode 100644
index 66f7b731..00000000
--- a/bind/bind9/lib/dns/spnego_asn1.pl
+++ /dev/null
@@ -1,193 +0,0 @@
-#!/bin/bin/perl -w
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# Our SPNEGO implementation uses some functions generated by the
-# Heimdal ASN.1 compiler, which this script then whacks a bit to make
-# them work properly in this stripped down implementation.  We don't
-# want to require our users to have a copy of the compiler, so we ship
-# the output of this script, but we need to keep the script around in
-# any case to cope with future changes to the SPNEGO ASN.1 code, so we
-# might as well supply the script for users who want it.
-
-# Overall plan: run the ASN.1 compiler, run each of its output files
-# through indent, fix up symbols and whack everything to be static.
-# We use indent for two reasons: (1) to whack the Heimdal compiler's
-# output into something closer to ISC's coding standard, and (2) to
-# make it easier for this script to parse the result.
-
-# Output from this script is C code which we expect to be #included
-# into another C file, which is why everything generated by this
-# script is marked "static".  The intent is to minimize the number of
-# extern symbols exported by the SPNEGO implementation, to avoid
-# potential conflicts with the GSSAPI libraries.
-
-###
-
-# Filename of the ASN.1 specification.  Hardcoded for the moment
-# since this script is intended for compiling exactly one module.
-
-my $asn1_source = $ENV{ASN1_SOURCE} || "spnego.asn1";
-
-# Heimdal ASN.1 compiler.  This script was written using the version
-# from Heimdal 0.7.1.  To build this, download a copy of
-# heimdal-0.7.1.tar.gz, configure and build with the default options,
-# then look for the compiler in heimdal-0.7.1/lib/asn1/asn1_compile.
-
-my $asn1_compile = $ENV{ASN1_COMPILE} || "asn1_compile";
-
-# BSD indent program.  This script was written using the version of
-# indent that comes with FreeBSD 4.11-STABLE.  The GNU project, as
-# usual, couldn't resist the temptation to monkey with indent's
-# command line syntax, so this probably won't work with GNU indent.
-
-my $indent = $ENV{INDENT} || "indent";
-
-###
-
-# Step 1: run the compiler.  Input is the ASN.1 file.  Outputs are a
-# header file (name specified on command line without the .h suffix),
-# a file called "asn1_files" listing the names of the other output
-# files, and a set of files containing C code generated by the
-# compiler for each data type that the compiler found.
-
-if (! -r $asn1_source || system($asn1_compile, $asn1_source, "asn1")) {
-    die("Couldn't compile ASN.1 source file $asn1_source\n");
-}
-
-my @files = ("asn1.h");
-
-open(F, "asn1_files")
-    or die("Couldn't open asn1_files: $!\n");
-push(@files, split)
-    while (<F>);
-close(F);
-
-unlink("asn1_files");
-
-###
-
-# Step 2: generate header block.
-
-print(q~/*
- * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: spnego_asn1.pl,v 1.4 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file
- * \brief Method routines generated from SPNEGO ASN.1 module.
- * See spnego_asn1.pl for details.  Do not edit.
- */
-
-~);
-
-###
-
-# Step 3: read and process each generated file, then delete it.
-
-my $output;
-
-for my $file (@files) {
-
-    my $is_static = 0;
-
-    system($indent, "-di1", "-ldi1", $file) == 0
-	or die("Couldn't indent $file");
-
-    unlink("$file.BAK");
-
-    open(F, $file)
-	or die("Couldn't open $file: $!");
-
-    while (<F>) {
-
-	# Symbol name fixups
-
-	s/heim_general_string/general_string/g;
-	s/heim_octet_string/octet_string/g;
-	s/heim_oid/oid/g;
-	s/heim_utf8_string/utf8_string/g;
-
-	# Convert all externs to statics
-
-	if (/^static/) {
-	    $is_static = 1;
-	}
-
-	if (!/^typedef/ &&
-	    !$is_static &&
-	    /^[A-Za-z_][0-9A-Za-z_]*[ \t]*($|[^:0-9A-Za-z_])/) {
-	    $_ = "static " . $_;
-	    $is_static = 1;
-	}
-
-	if (/[{};]/) {
-	    $is_static = 0;
-	}
-
-	# Suppress file inclusion, pass anything else through
-
-	if (!/#include/) {
-	    $output .= $_;
-	}
-    }
-
-    close(F);
-    unlink($file);
-}
-
-# Step 4: Delete unused stuff to avoid code bloat and compiler warnings.
-
-my @unused_functions = qw(ContextFlags2int
-			  int2ContextFlags
-			  asn1_ContextFlags_units
-			  length_NegTokenInit
-			  copy_NegTokenInit
-			  length_NegTokenResp
-			  copy_NegTokenResp
-			  length_MechTypeList
-			  length_MechType
-			  copy_MechTypeList
-			  length_ContextFlags
-			  copy_ContextFlags
-			  copy_MechType);
-
-$output =~ s<^static [^\n]+\n$_\(.+?^}></* unused function: $_ */\n>ms
-    foreach (@unused_functions);
-
-$output =~ s<^static .+$_\(.*\);$></* unused declaration: $_ */>m
-    foreach (@unused_functions);
-
-$output =~ s<^static struct units ContextFlags_units\[\].+?^};>
-            </* unused variable: ContextFlags_units */>ms;
-
-$output =~ s<^static int asn1_NegotiationToken_dummy_holder = 1;>
-            </* unused variable: asn1_NegotiationToken_dummy_holder */>ms;
-
-$output =~ s<^static void\nfree_ContextFlags\(ContextFlags \* data\)\n{\n>
-            <$&\t(void)data;\n>ms;
-
-# Step 5: Write the result.
-
-print($output);
-
diff --git a/bind/bind9/lib/dns/ssu.c b/bind/bind9/lib/dns/ssu.c
index 4f9c0bf0..700bb652 100644
--- a/bind/bind9/lib/dns/ssu.c
+++ b/bind/bind9/lib/dns/ssu.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/ssu_external.c b/bind/bind9/lib/dns/ssu_external.c
index a1b638ee..10d679d3 100644
--- a/bind/bind9/lib/dns/ssu_external.c
+++ b/bind/bind9/lib/dns/ssu_external.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/stats.c b/bind/bind9/lib/dns/stats.c
index 617ed3bf..a0184ecf 100644
--- a/bind/bind9/lib/dns/stats.c
+++ b/bind/bind9/lib/dns/stats.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -104,6 +104,7 @@ dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp) {
 
 void
 dns_stats_detach(dns_stats_t **statsp) {
+	unsigned int references;
 	dns_stats_t *stats;
 
 	REQUIRE(statsp != NULL && DNS_STATS_VALID(*statsp));
@@ -112,10 +113,10 @@ dns_stats_detach(dns_stats_t **statsp) {
 	*statsp = NULL;
 
 	LOCK(&stats->lock);
-	stats->references--;
+	references = --stats->references;
 	UNLOCK(&stats->lock);
 
-	if (stats->references == 0) {
+	if (references == 0) {
 		isc_stats_detach(&stats->counters);
 		DESTROYLOCK(&stats->lock);
 		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
diff --git a/bind/bind9/lib/dns/tcpmsg.c b/bind/bind9/lib/dns/tcpmsg.c
index bb2a5d91..ac20ff2d 100644
--- a/bind/bind9/lib/dns/tcpmsg.c
+++ b/bind/bind9/lib/dns/tcpmsg.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -50,7 +50,9 @@ recv_length(isc_task_t *task, isc_event_t *ev_in) {
 	INSIST(VALID_TCPMSG(tcpmsg));
 
 	dev = &tcpmsg->event;
+	/* cppcheck-suppress nullPointerRedundantCheck */
 	tcpmsg->address = ev->address;
+	/* cppcheck-suppress nullPointerRedundantCheck */
 
 	if (ev->result != ISC_R_SUCCESS) {
 		tcpmsg->result = ev->result;
@@ -98,13 +100,16 @@ recv_length(isc_task_t *task, isc_event_t *ev_in) {
 
 static void
 recv_message(isc_task_t *task, isc_event_t *ev_in) {
-	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_socketevent_t *ev;;
 	isc_event_t *dev;
-	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
+	dns_tcpmsg_t *tcpmsg;
 
-	(void)task;
+	REQUIRE(VALID_TCPMSG(ev_in->ev_arg));
 
-	INSIST(VALID_TCPMSG(tcpmsg));
+	ev = (isc_socketevent_t *)ev_in;
+	tcpmsg = ev_in->ev_arg;
+
+	(void)task;
 
 	dev = &tcpmsg->event;
 	tcpmsg->address = ev->address;
diff --git a/bind/bind9/lib/dns/tests/Makefile.in b/bind/bind9/lib/dns/tests/Makefile.in
index 90dc3a69..4126372e 100644
--- a/bind/bind9/lib/dns/tests/Makefile.in
+++ b/bind/bind9/lib/dns/tests/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -16,7 +16,7 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		@DST_OPENSSL_INC@
+		@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
 CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
 
 ISCLIBS =	../../isc/libisc.@A@
diff --git a/bind/bind9/lib/dns/tests/acl_test.c b/bind/bind9/lib/dns/tests/acl_test.c
index d0759ee7..b898ca16 100644
--- a/bind/bind9/lib/dns/tests/acl_test.c
+++ b/bind/bind9/lib/dns/tests/acl_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/db_test.c b/bind/bind9/lib/dns/tests/db_test.c
index 35cf21d0..bc1cc3f3 100644
--- a/bind/bind9/lib/dns/tests/db_test.c
+++ b/bind/bind9/lib/dns/tests/db_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -184,7 +184,7 @@ version_test(void **state) {
 	result = dns_db_newversion(db, &new);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	/* Delete the rdataset from the new verison */
+	/* Delete the rdataset from the new version */
 	result = dns_db_deleterdataset(db, node, new, dns_rdatatype_a, 0);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
diff --git a/bind/bind9/lib/dns/tests/dbdiff_test.c b/bind/bind9/lib/dns/tests/dbdiff_test.c
index e2759a39..90456d5a 100644
--- a/bind/bind9/lib/dns/tests/dbdiff_test.c
+++ b/bind/bind9/lib/dns/tests/dbdiff_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/dbiterator_test.c b/bind/bind9/lib/dns/tests/dbiterator_test.c
index a3e9a503..a7dbbc41 100644
--- a/bind/bind9/lib/dns/tests/dbiterator_test.c
+++ b/bind/bind9/lib/dns/tests/dbiterator_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/dbversion_test.c b/bind/bind9/lib/dns/tests/dbversion_test.c
index 6cdfd93f..e3b07b30 100644
--- a/bind/bind9/lib/dns/tests/dbversion_test.c
+++ b/bind/bind9/lib/dns/tests/dbversion_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -51,7 +51,7 @@ static dns_dbversion_t *v1 = NULL, *v2 = NULL;
  * The code below enables us to trap assertion failures for testing
  * purposes. local_callback() is set as the callback function for
  * isc_assertion_failed(). It calls mock_assert() so that CMOCKA
- * will be able to see it, then returns to the calling functon via
+ * will be able to see it, then returns to the calling function via
  * longjmp() so that the abort() call in isc_assertion_failed() will
  * never be reached. Use check_assertion() to check for assertions
  * instead of expect_assert_failure().
diff --git a/bind/bind9/lib/dns/tests/dh_test.c b/bind/bind9/lib/dns/tests/dh_test.c
index a5bf46c9..17491e73 100644
--- a/bind/bind9/lib/dns/tests/dh_test.c
+++ b/bind/bind9/lib/dns/tests/dh_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/dispatch_test.c b/bind/bind9/lib/dns/tests/dispatch_test.c
index ddc8bf16..5bca3fdb 100644
--- a/bind/bind9/lib/dns/tests/dispatch_test.c
+++ b/bind/bind9/lib/dns/tests/dispatch_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -134,10 +134,10 @@ dispatchset_get(void **state) {
 	d4 = dns_dispatchset_get(dset);
 	d5 = dns_dispatchset_get(dset);
 
-	assert_int_equal(d1, d2);
-	assert_int_equal(d2, d3);
-	assert_int_equal(d3, d4);
-	assert_int_equal(d4, d5);
+	assert_ptr_equal(d1, d2);
+	assert_ptr_equal(d2, d3);
+	assert_ptr_equal(d3, d4);
+	assert_ptr_equal(d4, d5);
 
 	reset();
 
@@ -150,11 +150,11 @@ dispatchset_get(void **state) {
 	d4 = dns_dispatchset_get(dset);
 	d5 = dns_dispatchset_get(dset);
 
-	assert_int_equal(d1, d5);
-	assert_true(d1 != d2);
-	assert_true(d2 != d3);
-	assert_true(d3 != d4);
-	assert_true(d4 != d5);
+	assert_ptr_equal(d1, d5);
+	assert_ptr_not_equal(d1, d2);
+	assert_ptr_not_equal(d2, d3);
+	assert_ptr_not_equal(d3, d4);
+	assert_ptr_not_equal(d4, d5);
 
 	reset();
 }
@@ -324,7 +324,9 @@ dispatch_getnext(void **state) {
 	result = isc_app_run();
 	assert_int_equal(result, ISC_R_SUCCESS);
 
+	LOCK(&lock);
 	assert_int_equal(responses, 2);
+	UNLOCK(&lock);
 
 	/*
 	 * Shutdown nameserver.
@@ -338,6 +340,12 @@ dispatch_getnext(void **state) {
 	 */
 	dns_dispatch_detach(&dispatch);
 	dns_dispatchmgr_destroy(&dispatchmgr);
+
+	/*
+	 * Destroy the mutex.
+	 */
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 int
diff --git a/bind/bind9/lib/dns/tests/dnstap_test.c b/bind/bind9/lib/dns/tests/dnstap_test.c
index b2eee80d..3604ff44 100644
--- a/bind/bind9/lib/dns/tests/dnstap_test.c
+++ b/bind/bind9/lib/dns/tests/dnstap_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/dnstest.c b/bind/bind9/lib/dns/tests/dnstest.c
index 01ce15d1..e239b0af 100644
--- a/bind/bind9/lib/dns/tests/dnstest.c
+++ b/bind/bind9/lib/dns/tests/dnstest.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/dnstest.h b/bind/bind9/lib/dns/tests/dnstest.h
index 56d1a86c..a5dbd9cd 100644
--- a/bind/bind9/lib/dns/tests/dnstest.h
+++ b/bind/bind9/lib/dns/tests/dnstest.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/dst_test.c b/bind/bind9/lib/dns/tests/dst_test.c
index 7d563a60..5e23664e 100644
--- a/bind/bind9/lib/dns/tests/dst_test.c
+++ b/bind/bind9/lib/dns/tests/dst_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -26,6 +26,7 @@
 #include <cmocka.h>
 
 #include <isc/file.h>
+#include <isc/hex.h>
 #include <isc/print.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
@@ -208,14 +209,50 @@ check_sig(const char *datapath, const char *sigpath, const char *keyname,
 	assert_int_equal(result, ISC_R_SUCCESS);
 	result = dst_context_verify(ctx, &sigreg);
 
-	assert_true((expect && (result == ISC_R_SUCCESS)) ||
-		    (!expect && (result != ISC_R_SUCCESS)));
+	/*
+	 * Compute the expected signature and emit it
+	 * so the precomputed signature can be updated.
+	 * This should only be done if the covered data
+	 * is updated.
+	 */
+	if (expect && result != ISC_R_SUCCESS) {
+		isc_result_t result2;
+
+		dst_context_destroy(&ctx);
+		result2 = dst_context_create3(key, mctx,
+					      DNS_LOGCATEGORY_GENERAL, false,
+					      &ctx);
+		assert_int_equal(result2, ISC_R_SUCCESS);
+
+		result2 = dst_context_adddata(ctx, &datareg);
+		assert_int_equal(result2, ISC_R_SUCCESS);
+
+		char sigbuf2[4096];
+		isc_buffer_t sigb;
+		isc_buffer_init(&sigb, sigbuf2, sizeof(sigbuf2));
+
+		result2 = dst_context_sign(ctx, &sigb);
+		assert_int_equal(result2, ISC_R_SUCCESS);
 
+		isc_region_t r;
+		isc_buffer_usedregion(&sigb, &r);
+
+		char hexbuf[4096] = { 0 };
+		isc_buffer_t hb;
+		isc_buffer_init(&hb, hexbuf, sizeof(hexbuf));
+
+		isc_hex_totext(&r, 0, "", &hb);
+
+		fprintf(stderr, "# %s:\n# %s\n", sigpath, hexbuf);
+	}
 
 	isc_mem_put(mctx, data, size + 1);
 	dst_context_destroy(&ctx);
 	dst_key_free(&key);
 
+	assert_true((expect && (result == ISC_R_SUCCESS)) ||
+		    (!expect && (result != ISC_R_SUCCESS)));
+
 	return;
 }
 
diff --git a/bind/bind9/lib/dns/tests/geoip_test.c b/bind/bind9/lib/dns/tests/geoip_test.c
index 9db70527..dcf0ec5d 100644
--- a/bind/bind9/lib/dns/tests/geoip_test.c
+++ b/bind/bind9/lib/dns/tests/geoip_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -305,8 +305,10 @@ do_lookup_string(const char *addr, uint8_t *scope,
 	dns_geoip_elem_t elt;
 	struct in_addr in4;
 	isc_netaddr_t na;
+	int n;
 
-	inet_pton(AF_INET, addr, &in4);
+	n = inet_pton(AF_INET, addr, &in4);
+	assert_int_equal(n, 1);
 	isc_netaddr_fromin(&na, &in4);
 
 	elt.subtype = subtype;
@@ -322,8 +324,10 @@ do_lookup_string_v6(const char *addr, uint8_t *scope,
 	dns_geoip_elem_t elt;
 	struct in6_addr in6;
 	isc_netaddr_t na;
+	int n;
 
-	inet_pton(AF_INET6, addr, &in6);
+	n = inet_pton(AF_INET6, addr, &in6);
+	assert_int_equal(n, 1);
 	isc_netaddr_fromin6(&na, &in6);
 
 	elt.subtype = subtype;
@@ -629,7 +633,7 @@ netspeed(void **state) {
 
 /*
  * GeoIP best-database matching
- * (With no specified databse and a city database available, answers
+ * (With no specified database and a city database available, answers
  * should come from city database.  With city database unavailable, region
  * database.  Region database unavailable, country database.)
  */
diff --git a/bind/bind9/lib/dns/tests/gost_test.c b/bind/bind9/lib/dns/tests/gost_test.c
index 6c378145..93824f1b 100644
--- a/bind/bind9/lib/dns/tests/gost_test.c
+++ b/bind/bind9/lib/dns/tests/gost_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -88,7 +88,7 @@ int i = 0;
  *
  * 'out' MUST point to an array of at least len * 2 + 1
  *
- * Return values: ISC_R_SUCCESS if the operation is sucessful
+ * Return values: ISC_R_SUCCESS if the operation is successful
  */
 static isc_result_t
 tohexstr(unsigned char *d, unsigned int len, char *out, size_t out_size) {
diff --git a/bind/bind9/lib/dns/tests/keytable_test.c b/bind/bind9/lib/dns/tests/keytable_test.c
index 18a7a560..56f87495 100644
--- a/bind/bind9/lib/dns/tests/keytable_test.c
+++ b/bind/bind9/lib/dns/tests/keytable_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -248,7 +248,7 @@ add_test(void **state) {
 	assert_int_equal(dns_keytable_find(keytable, str2name("null.example"),
 					   &keynode),
 			 ISC_R_SUCCESS);
-	assert_int_equal(keynode, null_keynode); /* should be the same node */
+	assert_ptr_equal(keynode, null_keynode); /* should be the same node */
 	assert_non_null(dns_keynode_key(keynode)); /* now have a key */
 	dns_keytable_detachkeynode(keytable, &null_keynode);
 
@@ -265,7 +265,7 @@ add_test(void **state) {
 	assert_int_equal(dns_keytable_find(keytable, str2name("null.example"),
 					   &null_keynode),
 			 ISC_R_SUCCESS);
-	assert_int_equal(keynode, null_keynode);
+	assert_ptr_equal(keynode, null_keynode);
 	assert_non_null(dns_keynode_key(keynode));
 	assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
 						  &next_keynode),
@@ -394,7 +394,7 @@ find_test(void **state) {
 					   str2name("null.example"),
 					   &keynode),
 			 ISC_R_SUCCESS);
-	assert_int_equal(dns_keynode_key(keynode), NULL);
+	assert_null(dns_keynode_key(keynode));
 	dns_keytable_detachkeynode(keytable, &keynode);
 
 	/*
diff --git a/bind/bind9/lib/dns/tests/master_test.c b/bind/bind9/lib/dns/tests/master_test.c
index 40b1f8e0..4f91e465 100644
--- a/bind/bind9/lib/dns/tests/master_test.c
+++ b/bind/bind9/lib/dns/tests/master_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/mkraw.pl b/bind/bind9/lib/dns/tests/mkraw.pl
index 9791adc1..b05d7983 100644
--- a/bind/bind9/lib/dns/tests/mkraw.pl
+++ b/bind/bind9/lib/dns/tests/mkraw.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/name_test.c b/bind/bind9/lib/dns/tests/name_test.c
index f04744d3..04e7be0d 100644
--- a/bind/bind9/lib/dns/tests/name_test.c
+++ b/bind/bind9/lib/dns/tests/name_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -358,7 +358,7 @@ init_test(void **state) {
 	assert_int_equal(name.length, 0);
 	assert_int_equal(name.labels, 0);
 	assert_int_equal(name.attributes, 0);
-	assert_int_equal(name.offsets, offsets);
+	assert_ptr_equal(name.offsets, offsets);
 	assert_null(name.buffer);
 }
 
@@ -393,7 +393,7 @@ buffer_test(void **state) {
 	isc_buffer_init(&b, buf, BUFSIZ);
 	dns_name_init(&name, NULL);
 	dns_name_setbuffer(&name, &b);
-	assert_int_equal(name.buffer, &b);
+	assert_ptr_equal(name.buffer, &b);
 	assert_true(dns_name_hasbuffer(&name));
 }
 
diff --git a/bind/bind9/lib/dns/tests/nsec3_test.c b/bind/bind9/lib/dns/tests/nsec3_test.c
index 289b65f2..9bed0e5d 100644
--- a/bind/bind9/lib/dns/tests/nsec3_test.c
+++ b/bind/bind9/lib/dns/tests/nsec3_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -65,8 +65,7 @@ iteration_test(const char *file, unsigned int expected) {
 	result = dns_test_loaddb(&db, dns_dbtype_zone, "test", file);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = dns_nsec3_maxiterations(db, NULL, mctx, &iterations);
-	assert_int_equal(result, ISC_R_SUCCESS);
+	iterations = dns_nsec3_maxiterations();
 
 	assert_int_equal(iterations, expected);
 
@@ -144,10 +143,10 @@ max_iterations(void **state) {
 	UNUSED(state);
 
 	iteration_test("testdata/nsec3/1024.db", 150);
-	iteration_test("testdata/nsec3/2048.db", 500);
-	iteration_test("testdata/nsec3/4096.db", 2500);
+	iteration_test("testdata/nsec3/2048.db", 150);
+	iteration_test("testdata/nsec3/4096.db", 150);
 	iteration_test("testdata/nsec3/min-1024.db", 150);
-	iteration_test("testdata/nsec3/min-2048.db", 500);
+	iteration_test("testdata/nsec3/min-2048.db", 150);
 }
 
 /* check dns_nsec3param_salttotext() */
diff --git a/bind/bind9/lib/dns/tests/peer_test.c b/bind/bind9/lib/dns/tests/peer_test.c
index 3e8f765f..36a0edfc 100644
--- a/bind/bind9/lib/dns/tests/peer_test.c
+++ b/bind/bind9/lib/dns/tests/peer_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/private_test.c b/bind/bind9/lib/dns/tests/private_test.c
index 0405511c..fde132c9 100644
--- a/bind/bind9/lib/dns/tests/private_test.c
+++ b/bind/bind9/lib/dns/tests/private_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/rbt_serialize_test.c b/bind/bind9/lib/dns/tests/rbt_serialize_test.c
index ffb44e20..089a2448 100644
--- a/bind/bind9/lib/dns/tests/rbt_serialize_test.c
+++ b/bind/bind9/lib/dns/tests/rbt_serialize_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -134,7 +134,7 @@ static isc_result_t
 write_data(FILE *file, unsigned char *datap, void *arg, uint64_t *crc) {
 	isc_result_t result;
 	size_t ret = 0;
-	data_holder_t *data = (data_holder_t *)datap;
+	data_holder_t *data;
 	data_holder_t temp;
 	off_t where;
 
@@ -142,7 +142,8 @@ write_data(FILE *file, unsigned char *datap, void *arg, uint64_t *crc) {
 
 	REQUIRE(file != NULL);
 	REQUIRE(crc != NULL);
-	REQUIRE(data != NULL);
+	REQUIRE(datap != NULL);
+	data = (data_holder_t *)datap;
 	REQUIRE((data->len == 0 && data->data == NULL) ||
 		(data->len != 0 && data->data != NULL));
 
@@ -408,7 +409,9 @@ deserialize_corrupt_test(void **state) {
 
 		/* Randomly fuzz a portion of the memory */
 		isc_random_get(&r);
+		/* cppcheck-suppress nullPointerArithmeticRedundantCheck */
 		p = base + (r % filesize);
+		/* cppcheck-suppress nullPointerArithmeticRedundantCheck */
 		q = base + filesize;
 		isc_random_get(&r);
 		q -= (r % (q - p));
diff --git a/bind/bind9/lib/dns/tests/rbt_test.c b/bind/bind9/lib/dns/tests/rbt_test.c
index 208a6ae5..f318aae8 100644
--- a/bind/bind9/lib/dns/tests/rbt_test.c
+++ b/bind/bind9/lib/dns/tests/rbt_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -921,9 +921,11 @@ remove_nodes(dns_rbt_t *mytree, char **names,
 
 		isc_mem_free(mctx, names[node]);
 
-		names[node] = names[*names_count - 1];
-		names[*names_count - 1] = NULL;
-		*names_count -= 1;
+		if (*names_count > 0) {
+			names[node] = names[*names_count - 1];
+			names[*names_count - 1] = NULL;
+			*names_count -= 1;
+		}
 	}
 }
 
@@ -971,6 +973,7 @@ rbt_insert_and_remove(void **state) {
 	char *names[1024];
 	size_t names_count;
 	int i;
+	isc_time_t start, now;
 
 	UNUSED(state);
 
@@ -987,8 +990,11 @@ rbt_insert_and_remove(void **state) {
 	memset(names, 0, sizeof(names));
 	names_count = 0;
 
-	/* Repeat the insert/remove test some 4096 times */
-	for (i = 0; i < 4096; i++) {
+	/* Repeat the insert/remove test for some 4096 times or 180 seconds. */
+	result = isc_time_now(&start);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	now = start;
+	for (i = 0; i < 4096 && isc_time_microdiff(&now, &start) < 180000000; i++) {
 		uint32_t num_names;
 		isc_random_get(&num_names);
 
@@ -1012,6 +1018,8 @@ rbt_insert_and_remove(void **state) {
 
 		remove_nodes(mytree, names, &names_count, num_names);
 		check_tree(mytree, names, names_count);
+		result = isc_time_now(&now);
+		assert_int_equal(result, ISC_R_SUCCESS);
 	}
 
 	/* Remove the rest of the nodes */
diff --git a/bind/bind9/lib/dns/tests/rdata_test.c b/bind/bind9/lib/dns/tests/rdata_test.c
index 94fc73b2..fe01e48f 100644
--- a/bind/bind9/lib/dns/tests/rdata_test.c
+++ b/bind/bind9/lib/dns/tests/rdata_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -24,8 +24,9 @@
 #include <unistd.h>
 
 #define UNIT_TESTING
-#include <cmocka.h>
 
+#include <isc/cmocka.h>
+#include <isc/commandline.h>
 #include <isc/hex.h>
 #include <isc/lex.h>
 #include <isc/print.h>
@@ -77,18 +78,20 @@ _teardown(void **state) {
  * An array of these structures is passed to check_text_ok().
  */
 typedef struct text_ok {
-	const char *text_in;		/* text passed to fromtext_*() */
-	const char *text_out;		/* text expected from totext_*();
-					   NULL indicates text_in is invalid */
+	const char *text_in;  /* text passed to fromtext_*() */
+	const char *text_out; /* text expected from totext_*();
+			       * NULL indicates text_in is invalid */
+	unsigned int loop;
 } text_ok_t;
 
 /*
  * An array of these structures is passed to check_wire_ok().
  */
 typedef struct wire_ok {
-	unsigned char data[512];	/* RDATA in wire format */
-	size_t len;			/* octets of data to parse */
-	bool ok;			/* is this RDATA valid? */
+	unsigned char data[512]; /* RDATA in wire format */
+	size_t len;		 /* octets of data to parse */
+	bool ok;		 /* is this RDATA valid? */
+	unsigned int loop;
 } wire_ok_t;
 
 #define COMPARE(r1, r2, answer) \
@@ -97,26 +100,42 @@ typedef struct wire_ok {
 	{ NULL, NULL, 0, __LINE__ }
 
 #define TEXT_VALID_CHANGED(data_in, data_out) \
-				{ data_in, data_out }
-#define TEXT_VALID(data)	{ data, data }
-#define TEXT_INVALID(data)	{ data, NULL }
-#define TEXT_SENTINEL()		TEXT_INVALID(NULL)
-
-#define VARGC(...)		(sizeof((unsigned char[]){ __VA_ARGS__ }))
-#define WIRE_TEST(ok, ...)	{					      \
-					{ __VA_ARGS__ }, VARGC(__VA_ARGS__),  \
-					ok				      \
-				}
-#define WIRE_VALID(...)		WIRE_TEST(true, __VA_ARGS__)
+	{                                     \
+		data_in, data_out, 0          \
+	}
+#define TEXT_VALID(data)      \
+	{                     \
+		data, data, 0 \
+	}
+#define TEXT_VALID_LOOP(loop, data) \
+	{                           \
+		data, data, loop    \
+	}
+#define TEXT_VALID_LOOPCHG(loop, data_in, data_out) \
+	{                                           \
+		data_in, data_out, loop             \
+	}
+#define TEXT_INVALID(data)    \
+	{                     \
+		data, NULL, 0 \
+	}
+#define TEXT_SENTINEL() TEXT_INVALID(NULL)
+
+#define VARGC(...) (sizeof((unsigned char[]){ __VA_ARGS__ }))
+#define WIRE_TEST(ok, loop, ...)                              \
+	{                                                     \
+		{ __VA_ARGS__ }, VARGC(__VA_ARGS__), ok, loop \
+	}
+#define WIRE_VALID(...)		   WIRE_TEST(true, 0, __VA_ARGS__)
+#define WIRE_VALID_LOOP(loop, ...) WIRE_TEST(true, loop, __VA_ARGS__)
 /*
  * WIRE_INVALID() test cases must always have at least one octet specified to
  * distinguish them from WIRE_SENTINEL().  Use the 'empty_ok' parameter passed
  * to check_wire_ok() for indicating whether empty RDATA is allowed for a given
  * RR type or not.
  */
-#define WIRE_INVALID(FIRST, ...) \
-				WIRE_TEST(false, FIRST, __VA_ARGS__)
-#define WIRE_SENTINEL()		WIRE_TEST(false)
+#define WIRE_INVALID(FIRST, ...) WIRE_TEST(false, 0, FIRST, __VA_ARGS__)
+#define WIRE_SENTINEL()		 WIRE_TEST(false, 0)
 
 /*
  * Call dns_rdata_fromwire() for data in 'src', which is 'srclen' octets in
@@ -207,7 +226,7 @@ rdata_additionadata(dns_rdata_t *rdata) {
  * We are currently only checking that the calls do not trigger
  * assertion failures.
  *
- * XXXMPA A future extention could be to record the expected
+ * XXXMPA A future extension could be to record the expected
  * result and the expected value of 'bad'.
  */
 static void
@@ -248,13 +267,15 @@ rdata_checknames(dns_rdata_t *rdata) {
  * check_text_ok_single() and check_wire_ok_single().
  */
 static void
-check_struct_conversions(dns_rdata_t *rdata, size_t structsize) {
+check_struct_conversions(dns_rdata_t *rdata, size_t structsize,
+			 unsigned int loop) {
 	dns_rdataclass_t rdclass = rdata->rdclass;
 	dns_rdatatype_t type = rdata->type;
 	isc_result_t result;
 	isc_buffer_t target;
 	void *rdata_struct;
 	char buf[1024];
+	unsigned int count = 0;
 
 	rdata_struct = isc_mem_allocate(mctx, structsize);
 	assert_non_null(rdata_struct);
@@ -280,6 +301,29 @@ check_struct_conversions(dns_rdata_t *rdata, size_t structsize) {
 
 	assert_memory_equal(buf, rdata->data, rdata->length);
 
+	/*
+	 * Check that one can walk hip rendezvous servers.
+	 */
+	switch (type) {
+	case dns_rdatatype_hip: {
+		dns_rdata_hip_t *hip = rdata_struct;
+
+		for (result = dns_rdata_hip_first(hip); result == ISC_R_SUCCESS;
+		     result = dns_rdata_hip_next(hip))
+		{
+			dns_name_t name;
+			dns_name_init(&name, NULL);
+			dns_rdata_hip_current(hip, &name);
+			assert_int_not_equal(dns_name_countlabels(&name), 0);
+			assert_true(dns_name_isabsolute(&name));
+			count++;
+		}
+		assert_int_equal(result, ISC_R_NOMORE);
+		assert_int_equal(count, loop);
+		break;
+	}
+	}
+
 	isc_mem_free(mctx, rdata_struct);
 }
 
@@ -379,7 +423,7 @@ check_text_ok_single(const text_ok_t *text_ok, dns_rdataclass_t rdclass,
 	 * Perform two-way conversion checks between uncompressed wire form and
 	 * type-specific struct.
 	 */
-	check_struct_conversions(&rdata, structsize);
+	check_struct_conversions(&rdata, structsize, text_ok->loop);
 }
 
 /*
@@ -519,7 +563,7 @@ check_wire_ok_single(const wire_ok_t *wire_ok, dns_rdataclass_t rdclass,
 	 *   - uncompressed wire form and text form,
 	 *   - uncompressed wire form and multi-line text form.
 	 */
-	check_struct_conversions(&rdata, structsize);
+	check_struct_conversions(&rdata, structsize, wire_ok->loop);
 	if (!dns_rdatatype_ismeta(rdata.type)) {
 		check_text_conversions(&rdata);
 		check_multiline_text_conversions(&rdata);
@@ -573,17 +617,19 @@ check_text_ok(const text_ok_t *text_ok, dns_rdataclass_t rdclass,
  * for given RR class and type behaves as expected.
  */
 static void
-check_wire_ok(const wire_ok_t *wire_ok, bool empty_ok,
-	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
-	      size_t structsize)
-{
-	wire_ok_t empty_wire = WIRE_TEST(empty_ok);
+check_wire_ok(const wire_ok_t *wire_ok, bool empty_ok, dns_rdataclass_t rdclass,
+	      dns_rdatatype_t type, size_t structsize) {
+	wire_ok_t empty_wire = WIRE_TEST(empty_ok, 0);
 	size_t i;
 
 	/*
 	 * Check all entries in the supplied array.
 	 */
 	for (i = 0; wire_ok[i].len != 0; i++) {
+		if (debug) {
+			fprintf(stderr, "calling check_wire_ok_single on %zu\n",
+				i);
+		}
 		check_wire_ok_single(&wire_ok[i], rdclass, type, structsize);
 	}
 
@@ -899,27 +945,27 @@ amtrelay(void **state) {
 		TEXT_INVALID(""),
 		TEXT_INVALID("0"),
 		TEXT_INVALID("0 0"),
-		/* gatway type 0 */
+		/* gateway type 0 */
 		TEXT_VALID("0 0 0"),
 		TEXT_VALID("0 1 0"),
 		TEXT_INVALID("0 2 0"),		/* discovery out of range */
-		TEXT_VALID("255 1 0"),		/* max precendence */
+		TEXT_VALID("255 1 0"),		/* max precedence */
 		TEXT_INVALID("256 1 0"),	/* precedence out of range */
 
 		/* IPv4 gateway */
-		TEXT_INVALID("0 0 1"),		/* no addresss */
+		TEXT_INVALID("0 0 1"),		/* no address */
 		TEXT_VALID("0 0 1 0.0.0.0"),
 		TEXT_INVALID("0 0 1 0.0.0.0 x"), /* extra */
-		TEXT_INVALID("0 0 1 0.0.0.0.0"), /* bad addresss */
-		TEXT_INVALID("0 0 1 ::"),	/* bad addresss */
-		TEXT_INVALID("0 0 1 ."),	/* bad addresss */
+		TEXT_INVALID("0 0 1 0.0.0.0.0"), /* bad address */
+		TEXT_INVALID("0 0 1 ::"),	/* bad address */
+		TEXT_INVALID("0 0 1 ."),	/* bad address */
 
 		/* IPv6 gateway */
-		TEXT_INVALID("0 0 2"),		/* no addresss */
+		TEXT_INVALID("0 0 2"),		/* no address */
 		TEXT_VALID("0 0 2 ::"),
 		TEXT_INVALID("0 0 2 :: xx"),	/* extra */
-		TEXT_INVALID("0 0 2 0.0.0.0"),	/* bad addresss */
-		TEXT_INVALID("0 0 2 ."),	/* bad addresss */
+		TEXT_INVALID("0 0 2 0.0.0.0"),	/* bad address */
+		TEXT_INVALID("0 0 2 ."),	/* bad address */
 
 		/* hostname gateway */
 		TEXT_INVALID("0 0 3"),		/* no name */
@@ -1852,10 +1898,37 @@ eid(void **state) {
  */
 static void
 hip(void **state) {
-	unsigned char hipwire[DNS_RDATA_MAXLENGTH] = {
-				    0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
-				    0x04, 0x41, 0x42, 0x43, 0x44, 0x00 };
-	unsigned char buf[1024*1024];
+	text_ok_t text_ok[] = {
+		/* RFC 8005 examples. */
+		TEXT_VALID_LOOP(0, "2 200100107B1A74DF365639CC39F1D578 "
+				   "AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cI"
+				   "vM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbW"
+				   "Iy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+b"
+				   "SRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWx"
+				   "Z48AWkskmdHaVDP4BcelrTI3rMXdXF5D"),
+		TEXT_VALID_LOOP(1, "2 200100107B1A74DF365639CC39F1D578 "
+				   "AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cI"
+				   "vM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbW"
+				   "Iy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+b"
+				   "SRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWx"
+				   "Z48AWkskmdHaVDP4BcelrTI3rMXdXF5D "
+				   "rvs1.example.com."),
+		TEXT_VALID_LOOP(2, "2 200100107B1A74DF365639CC39F1D578 "
+				   "AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cI"
+				   "vM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbW"
+				   "Iy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+b"
+				   "SRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWx"
+				   "Z48AWkskmdHaVDP4BcelrTI3rMXdXF5D "
+				   "rvs1.example.com. rvs2.example.com."),
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+	unsigned char hipwire[DNS_RDATA_MAXLENGTH] = { 0x01, 0x00, 0x00, 0x01,
+						       0x00, 0x00, 0x04, 0x41,
+						       0x42, 0x43, 0x44, 0x00 };
+	unsigned char buf[1024 * 1024];
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
 	size_t i;
@@ -1873,6 +1946,8 @@ hip(void **state) {
 	result = wire_to_rdata(hipwire, sizeof(hipwire), dns_rdataclass_in,
 			       dns_rdatatype_hip, buf, sizeof(buf), &rdata);
 	assert_int_equal(result, DNS_R_FORMERR);
+	check_text_ok(text_ok, dns_rdataclass_in, dns_rdatatype_hip,
+		      sizeof(dns_rdata_hip_t));
 }
 
 /*
@@ -2003,6 +2078,71 @@ key(void **state) {
 }
 
 /*
+ * LOC tests.
+ */
+static void
+loc(void **state) {
+	text_ok_t text_ok[] = {
+		TEXT_VALID_CHANGED("0 N 0 E 0", "0 0 0.000 N 0 0 0.000 E 0.00m "
+						"1m 10000m 10m"),
+		TEXT_VALID_CHANGED("0 S 0 W 0", "0 0 0.000 N 0 0 0.000 E 0.00m "
+						"1m 10000m 10m"),
+		TEXT_VALID_CHANGED("0 0 N 0 0 E 0", "0 0 0.000 N 0 0 0.000 E "
+						    "0.00m 1m 10000m 10m"),
+		TEXT_VALID_CHANGED("0 0 0 N 0 0 0 E 0",
+				   "0 0 0.000 N 0 0 0.000 E 0.00m 1m 10000m "
+				   "10m"),
+		TEXT_VALID_CHANGED("0 0 0 N 0 0 0 E 0",
+				   "0 0 0.000 N 0 0 0.000 E 0.00m 1m 10000m "
+				   "10m"),
+		TEXT_VALID_CHANGED("0 0 0. N 0 0 0. E 0",
+				   "0 0 0.000 N 0 0 0.000 E 0.00m 1m 10000m "
+				   "10m"),
+		TEXT_VALID_CHANGED("0 0 .0 N 0 0 .0 E 0",
+				   "0 0 0.000 N 0 0 0.000 E 0.00m 1m 10000m "
+				   "10m"),
+		TEXT_INVALID("0 North 0 East 0"),
+		TEXT_INVALID("0 South 0 West 0"),
+		TEXT_INVALID("0 0 . N 0 0 0. E 0"),
+		TEXT_INVALID("0 0 0. N 0 0 . E 0"),
+		TEXT_INVALID("0 0 0. N 0 0 0. E m"),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 ."),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 m"),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 0 ."),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 0 m"),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 0 0 ."),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 0 0 m"),
+		TEXT_VALID_CHANGED("90 N 180 E 0", "90 0 0.000 N 180 0 0.000 E "
+						   "0.00m 1m 10000m 10m"),
+		TEXT_INVALID("90 1 N 180 E 0"),
+		TEXT_INVALID("90 0 1 N 180 E 0"),
+		TEXT_INVALID("90 N 180 1 E 0"),
+		TEXT_INVALID("90 N 180 0 1 E 0"),
+		TEXT_VALID_CHANGED("90 S 180 W 0", "90 0 0.000 S 180 0 0.000 W "
+						   "0.00m 1m 10000m 10m"),
+		TEXT_INVALID("90 1 S 180 W 0"),
+		TEXT_INVALID("90 0 1 S 180 W 0"),
+		TEXT_INVALID("90 S 180 1 W 0"),
+		TEXT_INVALID("90 S 180 0 1 W 0"),
+		TEXT_INVALID("0 0 0.000 E 0 0 0.000 E -0.95m 1m 10000m 10m"),
+		TEXT_VALID("0 0 0.000 N 0 0 0.000 E -0.95m 1m 10000m 10m"),
+		TEXT_VALID("0 0 0.000 N 0 0 0.000 E -0.05m 1m 10000m 10m"),
+		TEXT_VALID("0 0 0.000 N 0 0 0.000 E -100000.00m 1m 10000m 10m"),
+		TEXT_VALID("0 0 0.000 N 0 0 0.000 E 42849672.95m 1m 10000m "
+			   "10m"),
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, 0, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_loc, sizeof(dns_rdata_loc_t));
+}
+
+/*
  * http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt
  *
  * The RDATA portion of both the NIMLOC and EID records contains
@@ -2365,7 +2505,7 @@ wks(void **state) {
 /*
  * ZONEMD tests.
  *
- * Excerpted from draft-wessels-dns-zone-digest:
+ * Excerpted from RFC 8976:
  *
  * The ZONEMD RDATA wire format is encoded as follows:
  *
@@ -2374,55 +2514,129 @@ wks(void **state) {
  *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *    |                             Serial                            |
  *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *    |  Digest Type  |   Reserved    |                               |
+ *    |    Scheme     |Hash Algorithm |                               |
  *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
  *    |                             Digest                            |
  *    /                                                               /
  *    /                                                               /
  *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *
- * 2.1.1.  The Serial Field
+ * 2.2.1.  The Serial Field
+ *
+ *    The Serial field is a 32-bit unsigned integer in network byte order.
+ *    It is the serial number from the zone's SOA record ([RFC1035],
+ *    Section 3.3.13) for which the zone digest was generated.
+ *
+ *    It is included here to clearly bind the ZONEMD RR to a particular
+ *    version of the zone's content.  Without the serial number, a stand-
+ *    alone ZONEMD digest has no obvious association to any particular
+ *    instance of a zone.
  *
- *    The Serial field is a 32-bit unsigned integer in network order.  It
- *    is equal to the serial number from the zone's SOA record
+ * 2.2.2.  The Scheme Field
  *
- * 2.1.2.  The Digest Type Field
+ *    The Scheme field is an 8-bit unsigned integer that identifies the
+ *    methods by which data is collated and presented as input to the
+ *    hashing function.
  *
- *    The Digest Type field is an 8-bit unsigned integer that identifies
- *    the algorithm used to construct the digest.
+ *    Herein, SIMPLE, with Scheme value 1, is the only standardized Scheme
+ *    defined for ZONEMD records and it MUST be supported by
+ *    implementations.  The "ZONEMD Schemes" registry is further described
+ *    in Section 5.
  *
- *    At the time of this writing, SHA384, with value 1, is the only Digest
- *    Type defined for ZONEMD records.
+ *    Scheme values 240-254 are allocated for Private Use.
  *
- * 2.1.3.  The Reserved Field
+ * 2.2.3.  The Hash Algorithm Field
  *
- *    The Reserved field is an 8-bit unsigned integer, which is always set
- *    to zero.
+ *    The Hash Algorithm field is an 8-bit unsigned integer that identifies
+ *    the cryptographic hash algorithm used to construct the digest.
  *
- * 2.1.4.  The Digest Field
+ *    Herein, SHA384 ([RFC6234]), with Hash Algorithm value 1, is the only
+ *    standardized Hash Algorithm defined for ZONEMD records that MUST be
+ *    supported by implementations.  When SHA384 is used, the size of the
+ *    Digest field is 48 octets.  The result of the SHA384 digest algorithm
+ *    MUST NOT be truncated, and the entire 48-octet digest is published in
+ *    the ZONEMD record.
+ *
+ *    SHA512 ([RFC6234]), with Hash Algorithm value 2, is also defined for
+ *    ZONEMD records and SHOULD be supported by implementations.  When
+ *    SHA512 is used, the size of the Digest field is 64 octets.  The
+ *    result of the SHA512 digest algorithm MUST NOT be truncated, and the
+ *    entire 64-octet digest is published in the ZONEMD record.
+ *
+ *    Hash Algorithm values 240-254 are allocated for Private Use.
+ *
+ *    The "ZONEMD Hash Algorithms" registry is further described in
+ *    Section 5.
+ *
+ * 2.2.4.  The Digest Field
  *
  *    The Digest field is a variable-length sequence of octets containing
- *    the message digest.
+ *    the output of the hash algorithm.  The length of the Digest field is
+ *    determined by deducting the fixed size of the Serial, Scheme, and
+ *    Hash Algorithm fields from the RDATA size in the ZONEMD RR header.
+ *
+ *    The Digest field MUST NOT be shorter than 12 octets.  Digests for the
+ *    SHA384 and SHA512 hash algorithms specified herein are never
+ *    truncated.  Digests for future hash algorithms MAY be truncated but
+ *    MUST NOT be truncated to a length that results in less than 96 bits
+ *    (12 octets) of equivalent strength.
+ *
+ *    Section 3 describes how to calculate the digest for a zone.
+ *    Section 4 describes how to use the digest to verify the contents of a
+ *    zone.
+ *
  */
 
 static void
 zonemd(void **state) {
 	text_ok_t text_ok[] = {
 		TEXT_INVALID(""),
+		/* No digest scheme or digest type*/
 		TEXT_INVALID("0"),
+		/* No digest type */
 		TEXT_INVALID("0 0"),
+		/* No digest */
 		TEXT_INVALID("0 0 0"),
+		/* No digest */
 		TEXT_INVALID("99999999 0 0"),
+		/* No digest */
 		TEXT_INVALID("2019020700 0 0"),
-		TEXT_INVALID("2019020700 1 0 DEADBEEF"),
-		TEXT_VALID("2019020700 2 0 DEADBEEF"),
-		TEXT_VALID("2019020700 255 0 DEADBEEF"),
-		TEXT_INVALID("2019020700 256 0 DEADBEEF"),
-		TEXT_VALID("2019020700 2 255 DEADBEEF"),
-		TEXT_INVALID("2019020700 2 256 DEADBEEF"),
-		TEXT_VALID("2019020700 1 0 7162D2BB75C047A53DE98767C9192BEB"
-					  "14DB01E7E2267135DAF0230A 19BA4A31"
-					  "6AF6BF64AA5C7BAE24B2992850300509"),
+		/* Digest too short */
+		TEXT_INVALID("2019020700 1 1 DEADBEEF"),
+		/* Digest too short */
+		TEXT_INVALID("2019020700 1 2 DEADBEEF"),
+		/* Digest too short */
+		TEXT_INVALID("2019020700 1 3 DEADBEEFDEADBEEFDEADBE"),
+		/* Digest type unknown */
+		TEXT_VALID("2019020700 1 3 DEADBEEFDEADBEEFDEADBEEF"),
+		/* Digest type max */
+		TEXT_VALID("2019020700 1 255 DEADBEEFDEADBEEFDEADBEEF"),
+		/* Digest type too big */
+		TEXT_INVALID("2019020700 0 256 DEADBEEFDEADBEEFDEADBEEF"),
+		/* Scheme max */
+		TEXT_VALID("2019020700 255 3 DEADBEEFDEADBEEFDEADBEEF"),
+		/* Scheme too big */
+		TEXT_INVALID("2019020700 256 3 DEADBEEFDEADBEEFDEADBEEF"),
+		/* SHA384 */
+		TEXT_VALID("2019020700 1 1 "
+			   "7162D2BB75C047A53DE98767C9192BEB"
+			   "14DB01E7E2267135DAF0230A 19BA4A31"
+			   "6AF6BF64AA5C7BAE24B2992850300509"),
+		/* SHA512 */
+		TEXT_VALID("2019020700 1 2 "
+			   "08CFA1115C7B948C4163A901270395EA"
+			   "226A930CD2CBCF2FA9A5E6EB 85F37C8A"
+			   "4E114D884E66F176EAB121CB02DB7D65"
+			   "2E0CC4827E7A3204 F166B47E5613FD27"),
+		/* SHA384 too short and with private scheme */
+		TEXT_INVALID("2021042801 0 1 "
+			     "7162D2BB75C047A53DE98767C9192BEB"
+			     "6AF6BF64AA5C7BAE24B2992850300509"),
+		/* SHA512 too short and with private scheme */
+		TEXT_INVALID("2021042802 5 2 "
+			     "A897B40072ECAE9E4CA3F1F227DE8F5E"
+			     "480CDEBB16DFC64C1C349A7B5F6C71AB"
+			     "E8A88B76EF0BA1604EC25752E946BF98"),
 		TEXT_SENTINEL()
 	};
 	wire_ok_t wire_ok[] = {
@@ -2451,51 +2665,89 @@ zonemd(void **state) {
 		 */
 		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
 		/*
-		 * Minimal, one-octet hash for an undefined digest type.
+		 * Short 11-octet digest.
 		 */
-		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00),
+		/*
+		 * Minimal, 12-octet hash for an undefined digest type.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			   0x00),
 		/*
 		 * SHA-384 is defined, so we insist there be a digest of
 		 * the expected length.
 		 */
-		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00),
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00),
 		/*
 		 * 48-octet digest, valid for SHA-384.
 		 */
-		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce),
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa,
+			   0xce),
 		/*
 		 * 56-octet digest, too long for SHA-384.
 		 */
-		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
-			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce),
+		/*
+		 * 56-octet digest, too short for SHA-512
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad),
+		/*
+		 * 64-octet digest, just right for SHA-512
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef),
+		/*
+		 * 72-octet digest, too long for SHA-512
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
 			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce),
 		/*
 		 * 56-octet digest, valid for an undefined digest type.
 		 */
-		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
-			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
 			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce),
 		/*
 		 * Sentinel.
@@ -2610,6 +2862,7 @@ main(int argc, char **argv) {
 		cmocka_unit_test_setup_teardown(hip, _setup, _teardown),
 		cmocka_unit_test_setup_teardown(isdn, _setup, _teardown),
 		cmocka_unit_test_setup_teardown(key, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(loc, _setup, _teardown),
 		cmocka_unit_test_setup_teardown(nimloc, _setup, _teardown),
 		cmocka_unit_test_setup_teardown(nsec, _setup, _teardown),
 		cmocka_unit_test_setup_teardown(nsec3, _setup, _teardown),
@@ -2622,14 +2875,46 @@ main(int argc, char **argv) {
 		cmocka_unit_test_setup_teardown(atparent, NULL, NULL),
 		cmocka_unit_test_setup_teardown(iszonecutauth, NULL, NULL),
 	};
+	struct CMUnitTest selected[sizeof(tests) / sizeof(tests[0])];
+	size_t i;
+	int c;
 
-	UNUSED(argv);
+	memset(selected, 0, sizeof(selected));
 
-	if (argc > 1) {
-		debug = true;
+	while ((c = isc_commandline_parse(argc, argv, "dlt:")) != -1) {
+		switch (c) {
+		case 'd':
+			debug = true;
+			break;
+		case 'l':
+			for (i = 0; i < (sizeof(tests) / sizeof(tests[0])); i++)
+			{
+				if (tests[i].name != NULL) {
+					fprintf(stdout, "%s\n", tests[i].name);
+				}
+			}
+			return (0);
+		case 't':
+			if (!cmocka_add_test_byname(
+				    tests, isc_commandline_argument, selected))
+			{
+				fprintf(stderr, "unknown test '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		default:
+			break;
+		}
 	}
 
-	return (cmocka_run_group_tests(tests, dns_test_init, dns_test_final));
+	if (selected[0].name != NULL) {
+		return (cmocka_run_group_tests(tests, dns_test_init,
+					       dns_test_final));
+	} else {
+		return (cmocka_run_group_tests(tests, dns_test_init,
+					       dns_test_final));
+	}
 }
 
 #else /* HAVE_CMOCKA */
diff --git a/bind/bind9/lib/dns/tests/rdataset_test.c b/bind/bind9/lib/dns/tests/rdataset_test.c
index 7c810d15..1134ffc3 100644
--- a/bind/bind9/lib/dns/tests/rdataset_test.c
+++ b/bind/bind9/lib/dns/tests/rdataset_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/rdatasetstats_test.c b/bind/bind9/lib/dns/tests/rdatasetstats_test.c
index c9696087..08c93561 100644
--- a/bind/bind9/lib/dns/tests/rdatasetstats_test.c
+++ b/bind/bind9/lib/dns/tests/rdatasetstats_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/resolver_test.c b/bind/bind9/lib/dns/tests/resolver_test.c
index a3cefa4f..44d1b169 100644
--- a/bind/bind9/lib/dns/tests/resolver_test.c
+++ b/bind/bind9/lib/dns/tests/resolver_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/result_test.c b/bind/bind9/lib/dns/tests/result_test.c
index 1df2e632..61fdcb6d 100644
--- a/bind/bind9/lib/dns/tests/result_test.c
+++ b/bind/bind9/lib/dns/tests/result_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/rsa_test.c b/bind/bind9/lib/dns/tests/rsa_test.c
index f9ac6d04..ce172586 100644
--- a/bind/bind9/lib/dns/tests/rsa_test.c
+++ b/bind/bind9/lib/dns/tests/rsa_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/sigs_test.c b/bind/bind9/lib/dns/tests/sigs_test.c
index 7b92b1a0..e093bbdd 100644
--- a/bind/bind9/lib/dns/tests/sigs_test.c
+++ b/bind/bind9/lib/dns/tests/sigs_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/db/data.db b/bind/bind9/lib/dns/tests/testdata/db/data.db
index 9ac043eb..dddc3d44 100644
--- a/bind/bind9/lib/dns/tests/testdata/db/data.db
+++ b/bind/bind9/lib/dns/tests/testdata/db/data.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/dbiterator/zone1.data b/bind/bind9/lib/dns/tests/testdata/dbiterator/zone1.data
index 81c0abec..c380d39c 100644
--- a/bind/bind9/lib/dns/tests/testdata/dbiterator/zone1.data
+++ b/bind/bind9/lib/dns/tests/testdata/dbiterator/zone1.data
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/diff/zone1.data b/bind/bind9/lib/dns/tests/testdata/diff/zone1.data
index 6eb87abc..8ddf6697 100644
--- a/bind/bind9/lib/dns/tests/testdata/diff/zone1.data
+++ b/bind/bind9/lib/dns/tests/testdata/diff/zone1.data
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/diff/zone2.data b/bind/bind9/lib/dns/tests/testdata/diff/zone2.data
index d57d5867..363af421 100644
--- a/bind/bind9/lib/dns/tests/testdata/diff/zone2.data
+++ b/bind/bind9/lib/dns/tests/testdata/diff/zone2.data
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/diff/zone3.data b/bind/bind9/lib/dns/tests/testdata/diff/zone3.data
index 65f12dd3..ae3a60e4 100644
--- a/bind/bind9/lib/dns/tests/testdata/diff/zone3.data
+++ b/bind/bind9/lib/dns/tests/testdata/diff/zone3.data
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/dst/test1.data b/bind/bind9/lib/dns/tests/testdata/dst/test1.data
index b1a9bf5a..cf84e9f8 100644
--- a/bind/bind9/lib/dns/tests/testdata/dst/test1.data
+++ b/bind/bind9/lib/dns/tests/testdata/dst/test1.data
@@ -1120,7 +1120,7 @@ RFC 1035        Domain Implementation and Specification    November 1987
 
 A records cause no additional section processing.  The RDATA section of
 an A line in a master file is an Internet address expressed as four
-decimal numbers separated by dots without any imbedded spaces (e.g.,
+decimal numbers separated by dots without any embedded spaces (e.g.,
 "10.2.0.52" or "192.0.5.6").
 
 3.4.2. WKS RDATA format
@@ -1636,7 +1636,7 @@ RDATA           a variable length string of octets that describes the
 In order to reduce the size of messages, the domain system utilizes a
 compression scheme which eliminates the repetition of domain names in a
 message.  In this scheme, an entire domain name or a list of labels at
-the end of a domain name is replaced with a pointer to a prior occurance
+the end of a domain name is replaced with a pointer to a prior occurrence
 of the same name.
 
 The pointer takes the form of a two octet sequence:
@@ -1662,7 +1662,7 @@ represented as either:
 
    - a sequence of labels ending with a pointer
 
-Pointers can only be used for occurances of a domain name where the
+Pointers can only be used for occurrences of a domain name where the
 format is not class specific.  If this were not the case, a name server
 or resolver would be required to know the format of all RRs it handled.
 As yet, there are no such cases, but they may occur in future RDATA
@@ -2825,13 +2825,13 @@ RFC 1035        Domain Implementation and Specification    November 1987
                 Facilities," RFC-882, USC/Information Sciences
                 Institute, November 1983.
 
-                Superceeded by this memo.
+                Superseded by this memo.
 
 [RFC-883]       P. Mockapetris, "Domain names - Implementation and
                 Specification," RFC-883, USC/Information Sciences
                 Institute, November 1983.
 
-                Superceeded by this memo.
+                Superseded by this memo.
 
 [RFC-920]       J. Postel and J. Reynolds, "Domain Requirements",
                 RFC-920, USC/Information Sciences Institute,
diff --git a/bind/bind9/lib/dns/tests/testdata/dst/test1.dsasig b/bind/bind9/lib/dns/tests/testdata/dst/test1.dsasig
index 5dd12e13..8696498a 100644
--- a/bind/bind9/lib/dns/tests/testdata/dst/test1.dsasig
+++ b/bind/bind9/lib/dns/tests/testdata/dst/test1.dsasig
@@ -1,3 +1,3 @@
-0009B55FDB62034326278C9371F32D92
-3D0E1161A32D491BEC38546FC452D903
-A91D806345B2F7F22E
+001BA6238EE0DEE7569819CAD3C0D68D
+634DDBFDB7D3BF1CB37E1E4CCF474593
+D22AEBEE633E0938BF
diff --git a/bind/bind9/lib/dns/tests/testdata/dst/test1.rsasig b/bind/bind9/lib/dns/tests/testdata/dst/test1.rsasig
index 5ba62b4a..cf344131 100644
--- a/bind/bind9/lib/dns/tests/testdata/dst/test1.rsasig
+++ b/bind/bind9/lib/dns/tests/testdata/dst/test1.rsasig
@@ -1,5 +1,5 @@
-A8A20D2F26F792B3CE76DD0E12A85DFE
-FF66AB866EF0BDB0F515001E234E699B
-F5CD6FB41FB15D4213705ABE9B563896
-2196228648E0F8AA7F2F4EED3C19165C
-1B4C70C9D69B93A1F2BE5B2F948CE023
+7287CAF8866F575E8FD4CF544E5101A2
+C9594E1BBD9FF104D147EB298335ED5D
+0D2A64FD9E65D13FB90AB1DCA97ED506
+F1DA5F1FC6159857DDC0A8EFB1EE53FC
+CB390015E5873FF6F3BCF64758485FC2
diff --git a/bind/bind9/lib/dns/tests/testdata/dst/test2.data b/bind/bind9/lib/dns/tests/testdata/dst/test2.data
index 7b0e35d1..a323bb3b 100644
--- a/bind/bind9/lib/dns/tests/testdata/dst/test2.data
+++ b/bind/bind9/lib/dns/tests/testdata/dst/test2.data
@@ -1120,7 +1120,7 @@ RFC 1035        Domain Implementation and Specification    November 1987
 
 A records cause no additional section processing.  The RDATA section of
 an A line in a master file is an Internet address expressed as four
-decimal numbers separated by dots without any imbedded spaces (e.g.,
+decimal numbers separated by dots without any embedded spaces (e.g.,
 "10.2.0.52" or "192.0.5.6").
 
 3.4.2. WKS RDATA format
@@ -1636,7 +1636,7 @@ RDATA           a variable length string of octets that describes the
 In order to reduce the size of messages, the domain system utilizes a
 compression scheme which eliminates the repetition of domain names in a
 message.  In this scheme, an entire domain name or a list of labels at
-the end of a domain name is replaced with a pointer to a prior occurance
+the end of a domain name is replaced with a pointer to a prior occurrence
 of the same name.
 
 The pointer takes the form of a two octet sequence:
@@ -1662,7 +1662,7 @@ represented as either:
 
    - a sequence of labels ending with a pointer
 
-Pointers can only be used for occurances of a domain name where the
+Pointers can only be used for occurrences of a domain name where the
 format is not class specific.  If this were not the case, a name server
 or resolver would be required to know the format of all RRs it handled.
 As yet, there are no such cases, but they may occur in future RDATA
@@ -2825,13 +2825,13 @@ RFC 1035        Domain Implementation and Specification    November 1987
                 Facilities," RFC-882, USC/Information Sciences
                 Institute, November 1983.
 
-                Superceeded by this memo.
+                Superseded by this memo.
 
 [RFC-883]       P. Mockapetris, "Domain names - Implementation and
                 Specification," RFC-883, USC/Information Sciences
                 Institute, November 1983.
 
-                Superceeded by this memo.
+                Superseded by this memo.
 
 [RFC-920]       J. Postel and J. Reynolds, "Domain Requirements",
                 RFC-920, USC/Information Sciences Institute,
diff --git a/bind/bind9/lib/dns/tests/testdata/nsec3/1024.db b/bind/bind9/lib/dns/tests/testdata/nsec3/1024.db
index 2e7f1821..963132a9 100644
--- a/bind/bind9/lib/dns/tests/testdata/nsec3/1024.db
+++ b/bind/bind9/lib/dns/tests/testdata/nsec3/1024.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/nsec3/2048.db b/bind/bind9/lib/dns/tests/testdata/nsec3/2048.db
index eed399af..84641660 100644
--- a/bind/bind9/lib/dns/tests/testdata/nsec3/2048.db
+++ b/bind/bind9/lib/dns/tests/testdata/nsec3/2048.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/nsec3/4096.db b/bind/bind9/lib/dns/tests/testdata/nsec3/4096.db
index b5c8b7e4..75b482de 100644
--- a/bind/bind9/lib/dns/tests/testdata/nsec3/4096.db
+++ b/bind/bind9/lib/dns/tests/testdata/nsec3/4096.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/nsec3/min-1024.db b/bind/bind9/lib/dns/tests/testdata/nsec3/min-1024.db
index 7d0f95c5..b66fb28c 100644
--- a/bind/bind9/lib/dns/tests/testdata/nsec3/min-1024.db
+++ b/bind/bind9/lib/dns/tests/testdata/nsec3/min-1024.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/nsec3/min-2048.db b/bind/bind9/lib/dns/tests/testdata/nsec3/min-2048.db
index 027c0b9b..03c6215e 100644
--- a/bind/bind9/lib/dns/tests/testdata/nsec3/min-2048.db
+++ b/bind/bind9/lib/dns/tests/testdata/nsec3/min-2048.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/testdata/zt/zone1.db b/bind/bind9/lib/dns/tests/testdata/zt/zone1.db
index 8286d883..42791dc2 100644
--- a/bind/bind9/lib/dns/tests/testdata/zt/zone1.db
+++ b/bind/bind9/lib/dns/tests/testdata/zt/zone1.db
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/time_test.c b/bind/bind9/lib/dns/tests/time_test.c
index e0293eca..015a17fc 100644
--- a/bind/bind9/lib/dns/tests/time_test.c
+++ b/bind/bind9/lib/dns/tests/time_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/tsig_test.c b/bind/bind9/lib/dns/tests/tsig_test.c
index 11d011aa..ff0c99f7 100644
--- a/bind/bind9/lib/dns/tests/tsig_test.c
+++ b/bind/bind9/lib/dns/tests/tsig_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -261,7 +261,7 @@ render(isc_buffer_t *buf, unsigned flags, dns_tsigkey_t *key,
 	}
 
 	dns_compress_invalidate(&cctx);
-	dns_message_destroy(&msg);
+	dns_message_detach(&msg);
 }
 
 /*
@@ -318,6 +318,7 @@ tsig_tcp_test(void **state) {
 	result = isc_buffer_allocate(mctx, &buf, 65535);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL);
+	assert_non_null(tsigout);
 
 	/*
 	 * Process response message 1.
@@ -353,7 +354,7 @@ tsig_tcp_test(void **state) {
 	tsigctx = msg->tsigctx;
 	msg->tsigctx = NULL;
 	isc_buffer_free(&buf);
-	dns_message_destroy(&msg);
+	dns_message_detach(&msg);
 
 	result = dst_context_create3(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
 				     false, &outctx);
@@ -411,7 +412,7 @@ tsig_tcp_test(void **state) {
 	tsigctx = msg->tsigctx;
 	msg->tsigctx = NULL;
 	isc_buffer_free(&buf);
-	dns_message_destroy(&msg);
+	dns_message_detach(&msg);
 
 	/*
 	 * Create response message 3.
@@ -463,7 +464,7 @@ tsig_tcp_test(void **state) {
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	isc_buffer_free(&buf);
-	dns_message_destroy(&msg);
+	dns_message_detach(&msg);
 
 	if (outctx != NULL) {
 		dst_context_destroy(&outctx);
diff --git a/bind/bind9/lib/dns/tests/update_test.c b/bind/bind9/lib/dns/tests/update_test.c
index 4cf6f8f6..bb351a73 100644
--- a/bind/bind9/lib/dns/tests/update_test.c
+++ b/bind/bind9/lib/dns/tests/update_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/zonemgr_test.c b/bind/bind9/lib/dns/tests/zonemgr_test.c
index 4cc5aa2d..5ef69944 100644
--- a/bind/bind9/lib/dns/tests/zonemgr_test.c
+++ b/bind/bind9/lib/dns/tests/zonemgr_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tests/zt_test.c b/bind/bind9/lib/dns/tests/zt_test.c
index f183c0f0..3f1e812d 100644
--- a/bind/bind9/lib/dns/tests/zt_test.c
+++ b/bind/bind9/lib/dns/tests/zt_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -28,6 +28,7 @@
 
 #include <isc/app.h>
 #include <isc/buffer.h>
+#include <isc/mutex.h>
 #include <isc/print.h>
 #include <isc/task.h>
 #include <isc/timer.h>
@@ -41,6 +42,8 @@
 
 #include "dnstest.h"
 
+static isc_mutex_t done_lock;
+
 struct args {
 	void *arg1;
 	void *arg2;
@@ -86,7 +89,9 @@ load_done(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
 	UNUSED(zone);
 	UNUSED(task);
 
+	LOCK(&done_lock);
 	*done = true;
+	UNLOCK(&done_lock);
 	isc_app_shutdown();
 	return (ISC_R_SUCCESS);
 }
@@ -95,7 +100,9 @@ static isc_result_t
 all_done(void *arg) {
 	bool *done = (bool *) arg;
 
+	LOCK(&done_lock);
 	*done = true;
+	UNLOCK(&done_lock);
 	isc_app_shutdown();
 	return (ISC_R_SUCCESS);
 }
@@ -171,6 +178,9 @@ asyncload_zone(void **state) {
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&done_lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
 	result = dns_test_makezone("foo", &zone, NULL, true);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
@@ -183,7 +193,9 @@ asyncload_zone(void **state) {
 	assert_non_null(view->zonetable);
 
 	assert_false(dns__zone_loadpending(zone));
+	LOCK(&done_lock);
 	assert_false(done);
+	UNLOCK(&done_lock);
 	zonefile = fopen("./zone.data", "wb");
 	assert_non_null(zonefile);
 	origfile = fopen("./testdata/zt/zone1.db", "r+b");
@@ -203,7 +215,9 @@ asyncload_zone(void **state) {
 	isc_app_run();
 	while (dns__zone_loadpending(zone) && i++ < 5000)
 		dns_test_nap(1000);
+	LOCK(&done_lock);
 	assert_true(done);
+	UNLOCK(&done_lock);
 	/* The zone should now be loaded; test it */
 	result = dns_zone_getdb(zone, &db);
 	assert_int_equal(result, ISC_R_SUCCESS);
@@ -225,7 +239,9 @@ asyncload_zone(void **state) {
 
 	while (dns__zone_loadpending(zone) && i++ < 5000)
 		dns_test_nap(1000);
+	LOCK(&done_lock);
 	assert_true(done);
+	UNLOCK(&done_lock);
 	/* The zone should now be loaded; test it */
 	result = dns_zone_getdb(zone, &db);
 	assert_int_equal(result, ISC_R_SUCCESS);
@@ -241,7 +257,9 @@ asyncload_zone(void **state) {
 
 	while (dns__zone_loadpending(zone) && i++ < 5000)
 		dns_test_nap(1000);
+	LOCK(&done_lock);
 	assert_true(done);
+	UNLOCK(&done_lock);
 	/* The zone should now be loaded; test it */
 	result = dns_zone_getdb(zone, &db);
 	assert_int_equal(result, ISC_R_SUCCESS);
@@ -255,6 +273,9 @@ asyncload_zone(void **state) {
 
 	dns_zone_detach(&zone);
 	dns_view_detach(&view);
+
+	result = isc_mutex_destroy(&done_lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 /* asynchronous zone table load */
@@ -271,6 +292,9 @@ asyncload_zt(void **state) {
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&done_lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
 	result = dns_test_makezone("foo", &zone1, NULL, true);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	dns_zone_setfile(zone1, "testdata/zt/zone1.db");
@@ -299,16 +323,23 @@ asyncload_zt(void **state) {
 
 	assert_false(dns__zone_loadpending(zone1));
 	assert_false(dns__zone_loadpending(zone2));
+	LOCK(&done_lock);
 	assert_false(done);
+	UNLOCK(&done_lock);
 
 	args.arg1 = zt;
 	args.arg2 = &done;
 	isc_app_onrun(mctx, maintask, start_zt_asyncload, &args);
 
 	isc_app_run();
-	while (!done && i++ < 5000)
+	LOCK(&done_lock);
+	while (!done && i++ < 5000) {
+		UNLOCK(&done_lock);
 		dns_test_nap(1000);
+		LOCK(&done_lock);
+	}
 	assert_true(done);
+	UNLOCK(&done_lock);
 
 	/* Both zones should now be loaded; test them */
 	result = dns_zone_getdb(zone1, &db);
@@ -332,6 +363,9 @@ asyncload_zt(void **state) {
 	dns_zone_detach(&zone2);
 	dns_zone_detach(&zone3);
 	dns_view_detach(&view);
+
+	result = isc_mutex_destroy(&done_lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 int
diff --git a/bind/bind9/lib/dns/time.c b/bind/bind9/lib/dns/time.c
index dedd5184..eb72ab03 100644
--- a/bind/bind9/lib/dns/time.c
+++ b/bind/bind9/lib/dns/time.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/timer.c b/bind/bind9/lib/dns/timer.c
index 8c5a328e..86436f4c 100644
--- a/bind/bind9/lib/dns/timer.c
+++ b/bind/bind9/lib/dns/timer.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tkey.c b/bind/bind9/lib/dns/tkey.c
index 3fa794fd..fdd54efb 100644
--- a/bind/bind9/lib/dns/tkey.c
+++ b/bind/bind9/lib/dns/tkey.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tsec.c b/bind/bind9/lib/dns/tsec.c
index 9d8ead44..1830c478 100644
--- a/bind/bind9/lib/dns/tsec.c
+++ b/bind/bind9/lib/dns/tsec.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/tsig.c b/bind/bind9/lib/dns/tsig.c
index 2a9f5111..540b03f8 100644
--- a/bind/bind9/lib/dns/tsig.c
+++ b/bind/bind9/lib/dns/tsig.c
@@ -3,15 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/*
- * $Id$
- */
 /*! \file */
 #include <config.h>
 
@@ -22,11 +19,12 @@
 #include <isc/buffer.h>
 #include <isc/mem.h>
 #include <isc/print.h>
+#include <isc/print.h>
 #include <isc/refcount.h>
 #include <isc/serial.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
 #include <isc/time.h>
+#include <isc/util.h>
 
 #include <pk11/site.h>
 
@@ -193,7 +191,7 @@ adjust_lru(dns_tsigkey_t *tkey) {
 		RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
 		/*
 		 * We may have been removed from the LRU list between
-		 * removing the read lock and aquiring the write lock.
+		 * removing the read lock and acquiring the write lock.
 		 */
 		if (ISC_LINK_LINKED(tkey, link) &&
 		    tkey->ring->lru.tail != tkey)
@@ -370,8 +368,9 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	if (ring != NULL)
 		refs++;
 	ret = isc_refcount_init(&tkey->refs, refs);
-	if (ret != ISC_R_SUCCESS)
+	if (ret != ISC_R_SUCCESS) {
 		goto cleanup_creator;
+	}
 
 	tkey->generated = generated;
 	tkey->inception = inception;
@@ -409,8 +408,9 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 
  cleanup_refs:
 	tkey->magic = 0;
-	while (refs-- > 0)
+	while (refs-- > 0) {
 		isc_refcount_decrement(&tkey->refs, NULL);
+	}
 	isc_refcount_destroy(&tkey->refs);
  cleanup_creator:
 	if (tkey->key != NULL)
@@ -627,14 +627,10 @@ dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp) {
 	ring = *ringp;
 	*ringp = NULL;
 
-	RWLOCK(&ring->lock, isc_rwlocktype_write);
-	INSIST(ring->references > 0);
-	ring->references--;
-	references = ring->references;
-	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-
-	if (references != 0)
+	isc_refcount_decrement(&ring->references, &references);
+	if (references > 0) {
 		return (DNS_R_CONTINUE);
+	}
 
 	isc_stdtime_get(&now);
 	dns_name_init(&foundname, NULL);
@@ -832,12 +828,11 @@ dns_tsigkey_detach(dns_tsigkey_t **keyp) {
 	REQUIRE(VALID_TSIG_KEY(*keyp));
 
 	key = *keyp;
-	isc_refcount_decrement(&key->refs, &refs);
+	*keyp = NULL;
 
+	isc_refcount_decrement(&key->refs, &refs);
 	if (refs == 0)
 		tsigkey_free(key);
-
-	*keyp = NULL;
 }
 
 void
@@ -1427,8 +1422,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 			goto cleanup_context;
 		}
 		msg->verified_sig = 1;
-	} else if (tsig.error != dns_tsigerror_badsig &&
-		   tsig.error != dns_tsigerror_badkey) {
+	} else if (!response || (tsig.error != dns_tsigerror_badsig &&
+				 tsig.error != dns_tsigerror_badkey))
+	{
 		tsig_log(msg->tsigkey, 2, "signature was empty");
 		return (DNS_R_TSIGVERIFYFAILURE);
 	}
@@ -1484,7 +1480,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		}
 	}
 
-	if (tsig.error != dns_rcode_noerror) {
+	if (response && tsig.error != dns_rcode_noerror) {
 		msg->tsigstatus = tsig.error;
 		if (tsig.error == dns_tsigerror_badtime)
 			ret = DNS_R_CLOCKSKEW;
@@ -1934,7 +1930,7 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
 	ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
 	ISC_LIST_INIT(ring->lru);
 	isc_mem_attach(mctx, &ring->mctx);
-	ring->references = 1;
+	isc_refcount_init(&ring->references, 1);
 
 	*ringp = ring;
 	return (ISC_R_SUCCESS);
@@ -1947,8 +1943,9 @@ dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
 	isc_result_t result;
 
 	result = keyring_add(ring, name, tkey);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		isc_refcount_increment(&tkey->refs, NULL);
+	}
 
 	return (result);
 }
@@ -1959,12 +1956,9 @@ dns_tsigkeyring_attach(dns_tsig_keyring_t *source, dns_tsig_keyring_t **target)
 	REQUIRE(source != NULL);
 	REQUIRE(target != NULL && *target == NULL);
 
-	RWLOCK(&source->lock, isc_rwlocktype_write);
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references > 0);
+	isc_refcount_increment(&source->references, NULL);
+
 	*target = source;
-	RWUNLOCK(&source->lock, isc_rwlocktype_write);
 }
 
 void
@@ -1978,14 +1972,10 @@ dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp) {
 	ring = *ringp;
 	*ringp = NULL;
 
-	RWLOCK(&ring->lock, isc_rwlocktype_write);
-	INSIST(ring->references > 0);
-	ring->references--;
-	references = ring->references;
-	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-
-	if (references == 0)
+	isc_refcount_decrement(&ring->references, &references);
+	if (references == 0) {
 		destroyring(ring);
+	}
 }
 
 void
diff --git a/bind/bind9/lib/dns/ttl.c b/bind/bind9/lib/dns/ttl.c
index de2f9dc4..3bb0a878 100644
--- a/bind/bind9/lib/dns/ttl.c
+++ b/bind/bind9/lib/dns/ttl.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/update.c b/bind/bind9/lib/dns/update.c
index c48c0fd8..6f001a20 100644
--- a/bind/bind9/lib/dns/update.c
+++ b/bind/bind9/lib/dns/update.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1374,7 +1374,7 @@ struct dns_update_state {
 	dns_diff_t work;
 	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
 	unsigned int nkeys;
-	isc_stdtime_t inception, expire;
+	isc_stdtime_t inception, expire, soaexpire;
 	dns_ttl_t nsecttl;
 	bool check_ksk, keyset_kskonly, build_nsec3;
 	enum { sign_updates, remove_orphaned, build_chain, process_nsec,
@@ -1455,7 +1455,9 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 
 		isc_stdtime_get(&now);
 		state->inception = now - 3600; /* Allow for some clock skew. */
-		state->expire = now + dns__jitter_expire(zone, sigvalidityinterval);
+		state->expire = now +
+				dns__jitter_expire(zone, sigvalidityinterval);
+		state->soaexpire = now + sigvalidityinterval;
 
 		/*
 		 * Do we look at the KSK flag on the DNSKEY to determining which
@@ -1553,13 +1555,19 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 				CHECK(rrset_visible(db, newver, name, type,
 						   &flag));
 				if (flag) {
+					isc_stdtime_t exp;
+
+					if (type == dns_rdatatype_soa) {
+						exp = state->soaexpire;
+					} else {
+						exp = state->expire;
+					}
 					CHECK(add_sigs(log, zone, db, newver,
 						       name, type,
 						       &state->sig_diff,
 						       state->zone_keys,
 						       state->nkeys,
-						       state->inception,
-						       state->expire,
+						       state->inception, exp,
 						       state->check_ksk,
 						       state->keyset_kskonly));
 					sigs++;
@@ -2063,7 +2071,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 	for (i = 0; i < state->nkeys; i++)
 		dst_key_free(&state->zone_keys[i]);
 
-	if (state != &mystate && state != NULL) {
+	if (state != &mystate) {
 		*statep = NULL;
 		state->magic = 0;
 		isc_mem_put(diff->mctx, state, sizeof(*state));
@@ -2074,16 +2082,12 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 
 static isc_stdtime_t
 epoch_to_yyyymmdd(time_t when) {
-	struct tm *tm;
-
-#if defined(ISC_PLATFORM_USETHREADS) && !defined(WIN32)
-	struct tm tm0;
-	tm = localtime_r(&when, &tm0);
-#else
-	tm = localtime(&when);
-#endif
-	return (((tm->tm_year + 1900) * 10000) +
-		((tm->tm_mon + 1) * 100) + tm->tm_mday);
+	struct tm t, *tm = localtime_r(&when, &t);
+	if (tm == NULL) {
+		return (0);
+	}
+	return (((tm->tm_year + 1900) * 10000) + ((tm->tm_mon + 1) * 100) +
+		tm->tm_mday);
 }
 
 uint32_t
diff --git a/bind/bind9/lib/dns/validator.c b/bind/bind9/lib/dns/validator.c
index 31ec897b..2a5c3caa 100644
--- a/bind/bind9/lib/dns/validator.c
+++ b/bind/bind9/lib/dns/validator.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -418,17 +418,24 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 	val->fetch = NULL;
 	if (CANCELED(val)) {
 		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %s",
+	} else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
+		/*
+		 * We have an answer to our DNSKEY query.  Either the DNSKEY
+		 * RRset or a NODATA response.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+			      eresult == ISC_R_SUCCESS ? "keyset"
+						       : "NCACHENXRRSET",
 			      dns_trust_totext(rdataset->trust));
 		/*
-		 * Only extract the dst key if the keyset is secure.
+		 * Only extract the dst key if the keyset exists and is secure.
 		 */
-		if (rdataset->trust >= dns_trust_secure) {
+		if (eresult == ISC_R_SUCCESS &&
+		    rdataset->trust >= dns_trust_secure) {
 			result = get_dst_key(val, val->siginfo, rdataset);
-			if (result == ISC_R_SUCCESS)
+			if (result == ISC_R_SUCCESS) {
 				val->keyset = &val->frdataset;
+			}
 		}
 		result = validate(val, true);
 		if (result == DNS_R_NOVALIDSIG &&
@@ -743,7 +750,7 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "%s with trust %s",
 			      val->frdataset.type == dns_rdatatype_ds ?
-			      "dsset" : "ds non-existance",
+			      "dsset" : "ds non-existence",
 			      dns_trust_totext(val->frdataset.trust));
 		have_dsset = (val->frdataset.type == dns_rdatatype_ds);
 		name = dns_fixedname_name(&val->fname);
@@ -916,7 +923,7 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 				/*
 				 * If we are validating a wildcard response
 				 * clabels will not be zero.  We then need
-				 * to check if the generated wilcard from
+				 * to check if the generated wildcard from
 				 * dns_nsec_noexistnodata is consistent with
 				 * the wildcard used to generate the response.
 				 */
@@ -1229,26 +1236,25 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
 		INSIST(val->key == NULL);
 		result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
 					 val->view->mctx, &val->key);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		if (siginfo->algorithm ==
-		    (dns_secalg_t)dst_key_alg(val->key) &&
-		    siginfo->keyid ==
-		    (dns_keytag_t)dst_key_id(val->key) &&
-		    dst_key_iszonekey(val->key))
-		{
-			if (foundold)
-				/*
-				 * This is the key we're looking for.
-				 */
-				return (ISC_R_SUCCESS);
-			else if (dst_key_compare(oldkey, val->key) == true)
+		if (result == ISC_R_SUCCESS) {
+			if (siginfo->algorithm ==
+				    (dns_secalg_t)dst_key_alg(val->key) &&
+			    siginfo->keyid ==
+				    (dns_keytag_t)dst_key_id(val->key) &&
+			    dst_key_iszonekey(val->key))
 			{
-				foundold = true;
-				dst_key_free(&oldkey);
+				if (foundold) {
+					/*
+					 * This is the key we're looking for.
+					 */
+					return (ISC_R_SUCCESS);
+				} else if (dst_key_compare(oldkey, val->key)) {
+					foundold = true;
+					dst_key_free(&oldkey);
+				}
 			}
+			dst_key_free(&val->key);
 		}
-		dst_key_free(&val->key);
 		dns_rdata_reset(&rdata);
 		result = dns_rdataset_next(rdataset);
 	} while (result == ISC_R_SUCCESS);
@@ -2575,6 +2581,28 @@ findnsec3proofs(dns_validator_t *val) {
 						 nearest, validator_log, val);
 		if (unknown)
 			val->attributes |= VALATTR_FOUNDUNKNOWN;
+
+		if (result == DNS_R_NSEC3ITERRANGE) {
+			/*
+			 * We don't really know which NSEC3 record provides
+			 * which proof.  Just populate them.
+			 */
+			if (NEEDNOQNAME(val) &&
+			    proofs[DNS_VALIDATOR_NOQNAMEPROOF] == NULL) {
+				proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
+			} else if (setclosest) {
+				proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
+			} else if (NEEDNODATA(val) &&
+				   proofs[DNS_VALIDATOR_NODATAPROOF] == NULL) {
+				proofs[DNS_VALIDATOR_NODATAPROOF] = name;
+			} else if (NEEDNOWILDCARD(val) &&
+				   proofs[DNS_VALIDATOR_NOWILDCARDPROOF] ==
+					   NULL) {
+				proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name;
+			}
+			return (result);
+		}
+
 		if (result != ISC_R_SUCCESS)
 			continue;
 		if (setclosest)
@@ -2819,8 +2847,16 @@ nsecvalidate(dns_validator_t *val, bool resume) {
 	 * had a secure wildcard answer.
 	 */
 	if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
-		if (!FOUNDNOQNAME(val))
-			findnsec3proofs(val);
+		if (!FOUNDNOQNAME(val)) {
+			result = findnsec3proofs(val);
+			if (result == DNS_R_NSEC3ITERRANGE) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "too many iterations");
+				markanswer(val, "validate_nx (3)");
+				return (ISC_R_SUCCESS);
+			}
+		}
+
 		if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
 		    !FOUNDOPTOUT(val)) {
 			validator_log(val, ISC_LOG_DEBUG(3),
@@ -2846,8 +2882,15 @@ nsecvalidate(dns_validator_t *val, bool resume) {
 		return (DNS_R_NOVALIDNSEC);
 	}
 
-	if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val))
-		findnsec3proofs(val);
+	if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val)) {
+		result = findnsec3proofs(val);
+		if (result == DNS_R_NSEC3ITERRANGE) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "too many iterations");
+			markanswer(val, "validate_nx (4)");
+			return (ISC_R_SUCCESS);
+		}
+	}
 
 	/*
 	 * Do we need to check for the wildcard?
@@ -3908,6 +3951,7 @@ dns_validator_destroy(dns_validator_t **validatorp) {
 
 	REQUIRE(validatorp != NULL);
 	val = *validatorp;
+	*validatorp = NULL;
 	REQUIRE(VALID_VALIDATOR(val));
 
 	LOCK(&val->lock);
@@ -3921,8 +3965,6 @@ dns_validator_destroy(dns_validator_t **validatorp) {
 
 	if (want_destroy)
 		destroy(val);
-
-	*validatorp = NULL;
 }
 
 static void
diff --git a/bind/bind9/lib/dns/version.c b/bind/bind9/lib/dns/version.c
index 68ae7fe2..2abed70f 100644
--- a/bind/bind9/lib/dns/version.c
+++ b/bind/bind9/lib/dns/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/view.c b/bind/bind9/lib/dns/view.c
index a1a4301b..f01b4dea 100644
--- a/bind/bind9/lib/dns/view.c
+++ b/bind/bind9/lib/dns/view.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -201,6 +201,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->transfer_format = dns_one_answer;
 	view->cacheacl = NULL;
 	view->cacheonacl = NULL;
+	view->checknames = false;
 	view->queryacl = NULL;
 	view->queryonacl = NULL;
 	view->recursionacl = NULL;
@@ -362,9 +363,11 @@ destroy(dns_view_t *view) {
 	dns_dlzdb_t *dlzdb;
 
 	REQUIRE(!ISC_LINK_LINKED(view, link));
+	LOCK(&view->lock);
 	REQUIRE(RESSHUTDOWN(view));
 	REQUIRE(ADBSHUTDOWN(view));
 	REQUIRE(REQSHUTDOWN(view));
+	UNLOCK(&view->lock);
 
 	isc_refcount_destroy(&view->references);
 	isc_refcount_destroy(&view->weakrefs);
@@ -597,12 +600,21 @@ view_flushanddetach(dns_view_t **viewp, bool flush) {
 		dns_zone_t *mkzone = NULL, *rdzone = NULL;
 
 		LOCK(&view->lock);
-		if (!RESSHUTDOWN(view))
+		if (!RESSHUTDOWN(view)) {
+			UNLOCK(&view->lock);
 			dns_resolver_shutdown(view->resolver);
-		if (!ADBSHUTDOWN(view))
+			LOCK(&view->lock);
+		}
+		if (!ADBSHUTDOWN(view)) {
+			UNLOCK(&view->lock);
 			dns_adb_shutdown(view->adb);
-		if (!REQSHUTDOWN(view))
+			LOCK(&view->lock);
+		}
+		if (!REQSHUTDOWN(view)) {
+			UNLOCK(&view->lock);
 			dns_requestmgr_shutdown(view->requestmgr);
+			LOCK(&view->lock);
+		}
 		if (view->acache != NULL)
 			dns_acache_shutdown(view->acache);
 		if (view->zonetable != NULL) {
@@ -626,6 +638,9 @@ view_flushanddetach(dns_view_t **viewp, bool flush) {
 		if (view->catzs != NULL) {
 			dns_catz_catzs_detach(&view->catzs);
 		}
+		if (view->ntatable_priv != NULL) {
+			dns_ntatable_shutdown(view->ntatable_priv);
+		}
 		UNLOCK(&view->lock);
 
 		/* Need to detach zones outside view lock */
@@ -1298,8 +1313,9 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 			ztoptions |= DNS_ZTFIND_NOEXACT;
 		result = dns_zt_find(view->zonetable, name, ztoptions,
 				     NULL, &zone);
-	} else
+	} else {
 		result = ISC_R_NOTFOUND;
+	}
 	UNLOCK(&view->lock);
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 		result = dns_zone_getdb(zone, &db);
@@ -1314,12 +1330,15 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 			 * We have a cache; try it.
 			 */
 			dns_db_attach(view->cachedb, &db);
-		} else {
+		} else if (use_hints && view->hints != NULL) {
 			/*
 			 * Maybe we have hints...
 			 */
 			try_hints = true;
 			goto finish;
+		} else {
+			result = DNS_R_NXDOMAIN;
+			goto cleanup;
 		}
 	} else if (result != ISC_R_SUCCESS) {
 		/*
@@ -1340,6 +1359,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 			result = ISC_R_SUCCESS;
 		else if (result != ISC_R_SUCCESS)
 			goto cleanup;
+
 		if (use_cache && view->cachedb != NULL && db != view->hints) {
 			/*
 			 * We found an answer, but the cache may be better.
@@ -1381,11 +1401,15 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 				 * have a zone delegation, so use it.
 				 */
 				use_zone = true;
-			} else {
+				result = ISC_R_SUCCESS;
+			} else if (use_hints && view->hints != NULL) {
 				/*
 				 * Maybe we have hints...
 				 */
 				try_hints = true;
+				result = ISC_R_SUCCESS;
+			} else {
+				result = DNS_R_NXDOMAIN;
 			}
 		} else {
 			/*
@@ -1410,7 +1434,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 		if (sigrdataset != NULL &&
 		    dns_rdataset_isassociated(&zrdataset))
 			dns_rdataset_clone(&zsigrdataset, sigrdataset);
-	} else if (try_hints && use_hints && view->hints != NULL) {
+	} else if (try_hints) {
 		/*
 		 * We've found nothing so far, but we have hints.
 		 */
@@ -2363,25 +2387,37 @@ dns_view_loadnta(dns_view_t *view) {
 
 void
 dns_view_setviewcommit(dns_view_t *view) {
+	dns_zone_t *redirect = NULL, *managed_keys = NULL;
+
 	REQUIRE(DNS_VIEW_VALID(view));
 
 	LOCK(&view->lock);
 
 	if (view->redirect != NULL) {
-		dns_zone_setviewcommit(view->redirect);
+		dns_zone_attach(view->redirect, &redirect);
 	}
 	if (view->managed_keys != NULL) {
-		dns_zone_setviewcommit(view->managed_keys);
+		dns_zone_attach(view->managed_keys, &managed_keys);
 	}
 	if (view->zonetable != NULL) {
 		dns_zt_setviewcommit(view->zonetable);
 	}
 
 	UNLOCK(&view->lock);
+
+	if (redirect != NULL) {
+		dns_zone_setviewcommit(redirect);
+		dns_zone_detach(&redirect);
+	}
+	if (managed_keys != NULL) {
+		dns_zone_setviewcommit(managed_keys);
+		dns_zone_detach(&managed_keys);
+	}
 }
 
 void
 dns_view_setviewrevert(dns_view_t *view) {
+	dns_zone_t *redirect = NULL, *managed_keys = NULL;
 	dns_zt_t *zonetable;
 
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -2392,14 +2428,22 @@ dns_view_setviewrevert(dns_view_t *view) {
 	 */
 	LOCK(&view->lock);
 	if (view->redirect != NULL) {
-		dns_zone_setviewrevert(view->redirect);
+		dns_zone_attach(view->redirect, &redirect);
 	}
 	if (view->managed_keys != NULL) {
-		dns_zone_setviewrevert(view->managed_keys);
+		dns_zone_attach(view->managed_keys, &managed_keys);
 	}
 	zonetable = view->zonetable;
 	UNLOCK(&view->lock);
 
+	if (redirect != NULL) {
+		dns_zone_setviewrevert(redirect);
+		dns_zone_detach(&redirect);
+	}
+	if (managed_keys != NULL) {
+		dns_zone_setviewrevert(managed_keys);
+		dns_zone_detach(&managed_keys);
+	}
 	if (zonetable != NULL) {
 		dns_zt_setviewrevert(zonetable);
 	}
diff --git a/bind/bind9/lib/dns/win32/DLLMain.c b/bind/bind9/lib/dns/win32/DLLMain.c
index 8ff10175..f442c2f8 100644
--- a/bind/bind9/lib/dns/win32/DLLMain.c
+++ b/bind/bind9/lib/dns/win32/DLLMain.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/win32/gen.vcxproj.in b/bind/bind9/lib/dns/win32/gen.vcxproj.in
index 67c06d0e..ea3adc30 100644
--- a/bind/bind9/lib/dns/win32/gen.vcxproj.in
+++ b/bind/bind9/lib/dns/win32/gen.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>.\;..\..\..\;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -83,7 +86,8 @@ gen -s . &gt; code.h
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/dns/win32/libdns.def.in b/bind/bind9/lib/dns/win32/libdns.def.in
index 63be9734..9c2ef794 100644
--- a/bind/bind9/lib/dns/win32/libdns.def.in
+++ b/bind/bind9/lib/dns/win32/libdns.def.in
@@ -514,11 +514,12 @@ dns_master_stylecreate2
 dns_master_styledestroy
 dns_master_styleflags
 dns_message_addname
+dns_message_attach
 dns_message_buildopt
 dns_message_checksig
 dns_message_create
 dns_message_currentname
-dns_message_destroy
+dns_message_detach
 dns_message_find
 dns_message_findname
 dns_message_findtype
@@ -668,6 +669,7 @@ dns_ntatable_delete
 dns_ntatable_detach
 dns_ntatable_dump
 dns_ntatable_save
+dns_ntatable_shutdown
 dns_ntatable_totext
 dns_opcode_totext
 dns_opcodestats_create
diff --git a/bind/bind9/lib/dns/win32/libdns.dsp.in b/bind/bind9/lib/dns/win32/libdns.dsp.in
index cc960fe8..46ddf852 100644
--- a/bind/bind9/lib/dns/win32/libdns.dsp.in
+++ b/bind/bind9/lib/dns/win32/libdns.dsp.in
@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@  /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@  /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
diff --git a/bind/bind9/lib/dns/win32/libdns.mak.in b/bind/bind9/lib/dns/win32/libdns.mak.in
index df8666a4..aaf53ad6 100644
--- a/bind/bind9/lib/dns/win32/libdns.mak.in
+++ b/bind/bind9/lib/dns/win32/libdns.mak.in
@@ -239,7 +239,7 @@ CLEAN :
 
 LIBXML=@LIBXML2_LIB@
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@  /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -653,7 +653,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@  /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -1217,7 +1217,7 @@ SOURCE=..\dispatch.c
 
 !IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
 
-CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@  /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 "$(INTDIR)\dispatch.obj" : $(SOURCE) "$(INTDIR)"
 	$(CPP) @<<
@@ -1227,7 +1227,7 @@ CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "incl
 
 !ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
 
-CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@  /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 "$(INTDIR)\dispatch.obj"	"$(INTDIR)\dispatch.sbr" : $(SOURCE) "$(INTDIR)"
 	$(CPP) @<<
diff --git a/bind/bind9/lib/dns/win32/libdns.vcxproj.filters.in b/bind/bind9/lib/dns/win32/libdns.vcxproj.filters.in
index 6124247e..c20c281e 100644
--- a/bind/bind9/lib/dns/win32/libdns.vcxproj.filters.in
+++ b/bind/bind9/lib/dns/win32/libdns.vcxproj.filters.in
@@ -350,9 +350,6 @@
       <Filter>Dst Source Files</Filter>
     </ClCompile>
 @END PKCS11
-    <ClCompile Include="..\spnego.c">
-      <Filter>Dst Source Files</Filter>
-    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\code.h">
@@ -693,8 +690,5 @@
       <Filter>Dst Header Files</Filter>
     </ClInclude>
 @END PKCS11
-    <ClInclude Include="..\spnego.h">
-      <Filter>Dst Header Files</Filter>
-    </ClInclude>
   </ItemGroup>
 </Project>
diff --git a/bind/bind9/lib/dns/win32/libdns.vcxproj.in b/bind/bind9/lib/dns/win32/libdns.vcxproj.in
index 2aec65c2..c6dce7ea 100644
--- a/bind/bind9/lib/dns/win32/libdns.vcxproj.in
+++ b/bind/bind9/lib/dns/win32/libdns.vcxproj.in
@@ -44,19 +44,22 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@@USE_ISC_SPNEGO@_DEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@_DEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
@@ -78,13 +81,14 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@@USE_ISC_SPNEGO@NDEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@NDEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <StringPooling>true</StringPooling>
@@ -207,7 +211,6 @@
     <ClCompile Include="..\sdb.c" />
     <ClCompile Include="..\sdlz.c" />
     <ClCompile Include="..\soa.c" />
-    <ClCompile Include="..\spnego.c" />
     <ClCompile Include="..\ssu.c" />
     <ClCompile Include="..\ssu_external.c" />
     <ClCompile Include="..\stats.c" />
@@ -347,7 +350,6 @@
     <ClInclude Include="..\rbtdb.h" />
     <ClInclude Include="..\rbtdb64.h" />
     <ClInclude Include="..\rdatalist_p.h" />
-    <ClInclude Include="..\spnego.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
diff --git a/bind/bind9/lib/dns/win32/version.c b/bind/bind9/lib/dns/win32/version.c
index 852f70e8..8a207435 100644
--- a/bind/bind9/lib/dns/win32/version.c
+++ b/bind/bind9/lib/dns/win32/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/xfrin.c b/bind/bind9/lib/dns/xfrin.c
index ccc9aed1..0ba82e49 100644
--- a/bind/bind9/lib/dns/xfrin.c
+++ b/bind/bind9/lib/dns/xfrin.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -110,7 +110,7 @@ struct dns_xfrin_ctx {
 	dns_name_t 		name; 		/*%< Name of zone to transfer */
 	dns_rdataclass_t 	rdclass;
 
-	bool		checkid;
+	bool			checkid, logit;
 	dns_messageid_t		id;
 
 	/*%
@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
 	    dns_rdatatype_ismeta(rdata->type))
 		FAIL(DNS_R_FORMERR);
 
+	/*
+	 * Immediately reject the entire transfer if the RR that is currently
+	 * being processed is an SOA record that is not placed at the zone
+	 * apex.
+	 */
+	if (rdata->type == dns_rdatatype_soa &&
+	    !dns_name_equal(&xfr->name, name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+			  namebuf);
+		FAIL(DNS_R_NOTZONETOP);
+	}
+
  redo:
 	switch (xfr->state) {
 	case XFRST_SOAQUERY:
@@ -852,6 +866,7 @@ xfrin_create(isc_mem_t *mctx,
 	isc_random_get(&tmp);
 	xfr->checkid = true;
 	xfr->id	= (uint16_t)(tmp & 0xffff);
+	xfr->logit = true;
 	xfr->reqtype = reqtype;
 	xfr->dscp = dscp;
 
@@ -912,7 +927,7 @@ xfrin_create(isc_mem_t *mctx,
 	isc_sockaddr_setport(&xfr->sourceaddr, 0);
 
 	/*
-	 * Reserve 2 bytes for TCP length at the begining of the buffer.
+	 * Reserve 2 bytes for TCP length at the beginning of the buffer.
 	 */
 	isc_buffer_init(&xfr->qbuffer, &xfr->qbuffer_data[2],
 			sizeof(xfr->qbuffer_data) - 2);
@@ -1153,6 +1168,7 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) {
 					  &xfr->ixfr.request_serial));
 
 	xfr->checkid = true;
+	xfr->logit = true;
 	xfr->id++;
 	xfr->nmsg = 0;
 	xfr->nrecs = 0;
@@ -1196,7 +1212,7 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) {
 	if (qrdataset != NULL)
 		dns_message_puttemprdataset(msg, &qrdataset);
 	if (msg != NULL)
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 	if (soatuple != NULL)
 		dns_difftuple_free(&soatuple);
 	if (ver != NULL)
@@ -1305,12 +1321,18 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 		xfrin_log(xfr, ISC_LOG_DEBUG(3), "got %s, retrying with AXFR",
 		       isc_result_totext(result));
  try_axfr:
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 		xfrin_reset(xfr);
 		xfr->reqtype = dns_rdatatype_soa;
 		xfr->state = XFRST_SOAQUERY;
 		(void)xfrin_start(xfr);
 		return;
+	} else if (!xfr->checkid && msg->id != xfr->id && xfr->logit) {
+		xfrin_log(xfr, ISC_LOG_WARNING,
+			  "detected message ID mismatch on incoming AXFR "
+			  "stream, transfer will fail in BIND 9.17.2 and "
+			  "later if AXFR source is not fixed");
+		xfr->logit = false;
 	}
 
 	/*
@@ -1411,7 +1433,7 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 	xfr->tsigctx = msg->tsigctx;
 	msg->tsigctx = NULL;
 
-	dns_message_destroy(&msg);
+	dns_message_detach(&msg);
 
 	switch (xfr->state) {
 	case XFRST_GOTSOA:
@@ -1456,7 +1478,7 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 
  failure:
 	if (msg != NULL)
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 	if (result != ISC_R_SUCCESS)
 		xfrin_fail(xfr, result, "failed while receiving responses");
 }
diff --git a/bind/bind9/lib/dns/zone.c b/bind/bind9/lib/dns/zone.c
index 918b8130..c711f2e2 100644
--- a/bind/bind9/lib/dns/zone.c
+++ b/bind/bind9/lib/dns/zone.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -12,6 +12,7 @@
 /*! \file */
 
 #include <config.h>
+
 #include <errno.h>
 #include <stdbool.h>
 
@@ -55,6 +56,7 @@
 #include <dns/name.h>
 #include <dns/nsec.h>
 #include <dns/nsec3.h>
+#include <dns/opcode.h>
 #include <dns/peer.h>
 #include <dns/private.h>
 #include <dns/rcode.h>
@@ -470,7 +472,7 @@ struct dns_zone {
 #define DNS_ZONEFLG_EXPIRED	0x00000080U	/*%< zone has expired */
 #define DNS_ZONEFLG_NEEDREFRESH	0x00000100U	/*%< refresh check needed */
 #define DNS_ZONEFLG_UPTODATE	0x00000200U	/*%< zone contents are
-						 * uptodate */
+						 * up-to-date */
 #define DNS_ZONEFLG_NEEDNOTIFY	0x00000400U	/*%< need to send out notify
 						 * messages */
 #define DNS_ZONEFLG_DIFFONRELOAD 0x00000800U	/*%< generate a journal diff on
@@ -488,7 +490,7 @@ struct dns_zone {
 #define DNS_ZONEFLG_DIALNOTIFY	0x00020000U
 #define DNS_ZONEFLG_DIALREFRESH	0x00040000U
 #define DNS_ZONEFLG_SHUTDOWN	0x00080000U
-#define DNS_ZONEFLAG_NOIXFR	0x00100000U	/*%< IXFR failed, force AXFR */
+#define DNS_ZONEFLG_NOIXFR	0x00100000U	/*%< IXFR failed, force AXFR */
 #define DNS_ZONEFLG_FLUSH	0x00200000U
 #define DNS_ZONEFLG_NOEDNS	0x00400000U
 #define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
@@ -600,11 +602,12 @@ struct dns_notify {
  */
 
 struct dns_stub {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	dns_zone_t		*zone;
-	dns_db_t		*db;
-	dns_dbversion_t		*version;
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+	dns_db_t *db;
+	dns_dbversion_t *version;
+	isc_refcount_t pending_requests;
 };
 
 /*%
@@ -886,6 +889,22 @@ struct ssevent {
 	uint32_t serial;
 };
 
+struct stub_cb_args {
+	dns_stub_t *stub;
+	dns_tsigkey_t *tsig_key;
+	isc_dscp_t dscp;
+	uint16_t udpsize;
+	int timeout;
+	bool reqnsid;
+};
+
+struct stub_glue_request {
+	dns_request_t *request;
+	dns_name_t name;
+	struct stub_cb_args *args;
+	bool ipv4;
+};
+
 /*%
  * Increment resolver-related statistics counters.  Zone must be locked.
  */
@@ -2303,9 +2322,14 @@ dns_zone_asyncload2(dns_zone_t *zone, dns_zt_zoneloaded_t done, void * arg,
 
 bool
 dns__zone_loadpending(dns_zone_t *zone) {
+	bool result;
+
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING));
+	LOCK_ZONE(zone);
+	result = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING) != 0;
+	UNLOCK_ZONE(zone);
+	return (result);
 }
 
 isc_result_t
@@ -2463,6 +2487,7 @@ zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result = ISC_R_SUCCESS;
 	dns_dbversion_t *version = NULL;
 	dns_masterrawheader_t rawdata;
+	dns_db_t *db = NULL;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	INSIST(task == zone->task);
@@ -2478,9 +2503,12 @@ zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
 	INSIST(zone != zone->raw);
 	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
 	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db != NULL) {
 		const dns_master_style_t *output_style;
-
-		dns_db_currentversion(zone->db, &version);
+		dns_db_currentversion(db, &version);
 		dns_master_initrawheader(&rawdata);
 		if (inline_secure(zone))
 			get_raw_serial(zone->raw, &rawdata);
@@ -2490,14 +2518,18 @@ zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
 			output_style = zone->masterstyle;
 		else
 			output_style = &dns_master_style_default;
-		result = dns_master_dumpinc3(zone->mctx, zone->db, version,
+		result = dns_master_dumpinc3(zone->mctx, db, version,
 					     output_style, zone->masterfile,
-					     zone->task, dump_done, zone,						     &zone->dctx, zone->masterformat,
+					     zone->task, dump_done, zone,
+					     &zone->dctx, zone->masterformat,
 					     &rawdata);
-		dns_db_closeversion(zone->db, &version, false);
-	} else
+		dns_db_closeversion(db, &version, false);
+	} else {
 		result = ISC_R_CANCELED;
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
 	UNLOCK_ZONE(zone);
 	if (result != DNS_R_CONTINUE)
 		goto fail;
@@ -3642,6 +3674,8 @@ set_resigntime(dns_zone_t *zone) {
 	uint32_t nanosecs;
 	dns_db_t *db = NULL;
 
+	INSIST(LOCKED_ZONE(zone));
+
 	/* We only re-sign zones that can be dynamically updated */
 	if (zone->update_disabled)
 		return;
@@ -3682,13 +3716,12 @@ set_resigntime(dns_zone_t *zone) {
 
 static isc_result_t
 check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
+	bool ok = false;
 	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
 	dns_dbversion_t *version = NULL;
 	dns_rdata_nsec3param_t nsec3param;
-	bool ok = false;
+	dns_rdataset_t rdataset;
 	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
 	bool dynamic = (zone->type == dns_zone_master) ?
 				dns_zone_isdynamic(zone, false) : false;
 
@@ -3718,19 +3751,22 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
 		goto cleanup;
 	}
 
-	/*
-	 * For dynamic zones we must support every algorithm so we can
-	 * regenerate all the NSEC3 chains.
-	 * For non-dynamic zones we only need to find a supported algorithm.
-	 */
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset))
 	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
 		dns_rdataset_current(&rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
-		dns_rdata_reset(&rdata);
-		INSIST(result == ISC_R_SUCCESS);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/*
+		 * For dynamic zones we must support every algorithm so we
+		 * can regenerate all the NSEC3 chains.
+		 * For non-dynamic zones we only need to find a supported
+		 * algorithm.
+		 */
 		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
 		    nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic)
 		{
@@ -3752,8 +3788,19 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
 				dns_zone_log(zone, ISC_LOG_WARNING,
 				     "unsupported nsec3 hash algorithm: %u",
 					     nsec3param.hash);
-		} else
+		} else {
 			ok = true;
+		}
+
+		/*
+		 * Warn if the zone has excessive NSEC3 iterations.
+		 */
+		if (nsec3param.iterations > dns_nsec3_maxiterations()) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				   "excessive NSEC3PARAM iterations %u > %u",
+				   nsec3param.iterations,
+				   dns_nsec3_maxiterations());
+		}
 	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
@@ -4336,9 +4383,14 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 			goto failure;
 		}
 
-		if (rdataset->type != dns_rdatatype_keydata)
+		if (rdataset->type != dns_rdatatype_keydata) {
 			continue;
-
+		}
+		/*
+		 * Release db wrlock to prevent LOR reports against
+		 * dns_keytable_forall() call below.
+		 */
+		dns_rriterator_pause(&rrit);
 		result = dns_keytable_find(sr, rrname, &keynode);
 		if ((result != ISC_R_SUCCESS &&
 		     result != DNS_R_PARTIALMATCH) ||
@@ -4999,6 +5051,14 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	    DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
 	{
 		DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
+		/*
+		 * Re-start zone maintenance if it had been stalled
+		 * due to DNS_ZONEFLG_LOADPENDING being set when
+		 * zone_maintenance was called.
+		 */
+		if (zone->secure->task != NULL) {
+			zone_settimer(zone->secure, &now);
+		}
 	}
 
 	return (result);
@@ -6067,7 +6127,7 @@ dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) {
 }
 
 /*
- * Co-ordinates the starting of routine jobs.
+ * Coordinates the starting of routine jobs.
  */
 void
 dns_zone_maintenance(dns_zone_t *zone) {
@@ -6749,14 +6809,15 @@ zone_resigninc(dns_zone_t *zone) {
 	if (version != NULL) {
 		dns_db_closeversion(db, &version, false);
 		dns_db_detach(&db);
-	} else if (db != NULL)
+	} else if (db != NULL) {
 		dns_db_detach(&db);
+	}
+
+	LOCK_ZONE(zone);
 	if (result == ISC_R_SUCCESS) {
 		set_resigntime(zone);
-		LOCK_ZONE(zone);
 		zone_needdump(zone, DNS_DUMP_DELAY);
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-		UNLOCK_ZONE(zone);
 	} else {
 		/*
 		 * Something failed.  Retry in 5 minutes.
@@ -6765,6 +6826,7 @@ zone_resigninc(dns_zone_t *zone) {
 		isc_interval_set(&ival, 300, 0);
 		isc_time_nowplusinterval(&zone->resigntime, &ival);
 	}
+	UNLOCK_ZONE(zone);
 
 	INSIST(version == NULL);
 }
@@ -7699,6 +7761,8 @@ zone_nsec3chain(dns_zone_t *zone) {
 	 * generated by dns__zone_updatesigs() calls later in this function.
 	 */
 	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+
 		LOCK_ZONE(zone);
 		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
 
@@ -7745,7 +7809,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 					     DNS_DBFIND_NOWILD, 0, NULL, found,
 					     NULL, NULL);
 			if ((result == DNS_R_DELEGATION ||
-			    result == DNS_R_DNAME) &&
+			     result == DNS_R_DNAME) &&
 			    !dns_name_equal(name, found)) {
 				/*
 				 * Remember the obscuring name so that
@@ -7914,6 +7978,8 @@ zone_nsec3chain(dns_zone_t *zone) {
 	first = true;
 	buildnsecchain = false;
 	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+
 		LOCK_ZONE(zone);
 		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
 		UNLOCK_ZONE(zone);
@@ -7948,6 +8014,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 				     "buildnsecchain = %u\n", buildnsecchain);
 
 		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
+		dns_dbiterator_pause(nsec3chain->dbiterator);
 		delegation = false;
 
 		if (!buildnsecchain) {
@@ -8065,12 +8132,12 @@ zone_nsec3chain(dns_zone_t *zone) {
 				goto same_removechain;
 			}
 			if (result == ISC_R_NOMORE) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
 				LOCK_ZONE(zone);
 				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
 						link);
 				UNLOCK_ZONE(zone);
 				ISC_LIST_APPEND(cleanup, nsec3chain, link);
-				dns_dbiterator_pause(nsec3chain->dbiterator);
 				result = fixup_nsec3param(db, version,
 							  nsec3chain, false,
 							  privatetype,
@@ -8300,7 +8367,9 @@ zone_nsec3chain(dns_zone_t *zone) {
 		nsec3chain = ISC_LIST_HEAD(cleanup);
 	}
 
+	LOCK_ZONE(zone);
 	set_resigntime(zone);
+	UNLOCK_ZONE(zone);
 
  failure:
 	if (result != ISC_R_SUCCESS)
@@ -8618,6 +8687,8 @@ zone_sign(dns_zone_t *zone) {
 
 	while (signing != NULL && nodes-- > 0 && signatures > 0) {
 		bool has_alg = false;
+
+		dns_dbiterator_pause(signing->dbiterator);
 		nextsigning = ISC_LIST_NEXT(signing, link);
 
 		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
@@ -8971,14 +9042,13 @@ zone_sign(dns_zone_t *zone) {
 		signing = ISC_LIST_HEAD(cleanup);
 	}
 
+	LOCK_ZONE(zone);
 	set_resigntime(zone);
-
 	if (commit) {
-		LOCK_ZONE(zone);
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
 		zone_needdump(zone, DNS_DUMP_DELAY);
-		UNLOCK_ZONE(zone);
 	}
+	UNLOCK_ZONE(zone);
 
  failure:
 	if (result != ISC_R_SUCCESS) {
@@ -9021,6 +9091,7 @@ zone_sign(dns_zone_t *zone) {
 	} else if (db != NULL)
 		dns_db_detach(&db);
 
+	LOCK_ZONE(zone);
 	if (ISC_LIST_HEAD(zone->signing) != NULL) {
 		isc_interval_t interval;
 		if (zone->update_disabled || result != ISC_R_SUCCESS)
@@ -9028,8 +9099,10 @@ zone_sign(dns_zone_t *zone) {
 		else
 			isc_interval_set(&interval, 0, 10000000); /* 10 ms */
 		isc_time_nowplusinterval(&zone->signingtime, &interval);
-	} else
+	} else {
 		isc_time_settoepoch(&zone->signingtime);
+	}
+	UNLOCK_ZONE(zone);
 
 	INSIST(version == NULL);
 }
@@ -9972,6 +10045,7 @@ zone_refreshkeys(dns_zone_t *zone) {
 
 			/* Removal timer expired? */
 			if (kd.removehd != 0 && kd.removehd < now) {
+				dns_rriterator_pause(&rrit);
 				CHECK(update_one_rr(db, ver, &diff,
 						    DNS_DIFFOP_DEL, name, ttl,
 						    &rdata));
@@ -9986,6 +10060,7 @@ zone_refreshkeys(dns_zone_t *zone) {
 			if (timer > kd.refresh)
 				timer = kd.refresh;
 
+			dns_rriterator_pause(&rrit);
 			set_refreshkeytimer(zone, &kd, now, false);
 			timerset = true;
 		}
@@ -9993,18 +10068,27 @@ zone_refreshkeys(dns_zone_t *zone) {
 		if (timer > now)
 			continue;
 
+		dns_rriterator_pause(&rrit);
+
 		kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t));
 		if (kfetch == NULL) {
 			fetch_err = true;
 			goto failure;
 		}
 
+		kname = dns_fixedname_initname(&kfetch->name);
+		result = dns_name_dup(name, zone->mctx, kname);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
+			fetch_err = true;
+			goto failure;
+		}
+
 		zone->refreshkeycount++;
 		kfetch->zone = zone;
 		zone->irefs++;
 		INSIST(zone->irefs != 0);
-		kname = dns_fixedname_initname(&kfetch->name);
-		dns_name_dup(name, zone->mctx, kname);
+
 		dns_rdataset_init(&kfetch->dnskeyset);
 		dns_rdataset_init(&kfetch->dnskeysigset);
 		dns_rdataset_init(&kfetch->keydataset);
@@ -10116,7 +10200,8 @@ zone_maintenance(dns_zone_t *zone) {
 	const char me[] = "zone_maintenance";
 	isc_time_t now;
 	isc_result_t result;
-	bool dumping, load_pending;
+	bool dumping, load_pending, viewok, start_refresh;
+	bool need_notify;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	ENTER;
@@ -10139,8 +10224,12 @@ zone_maintenance(dns_zone_t *zone) {
 	 * adb or resolver will be NULL, and we had better not try
 	 * to do further maintenance on it.
 	 */
-	if (zone->view == NULL || zone->view->adb == NULL)
+	LOCK_ZONE(zone);
+	viewok = (zone->view != NULL && zone->view->adb != NULL);
+	UNLOCK_ZONE(zone);
+	if (!viewok) {
 		return;
+	}
 
 	TIME_NOW(&now);
 
@@ -10176,9 +10265,16 @@ zone_maintenance(dns_zone_t *zone) {
 		/* FALLTHROUGH */
 	case dns_zone_slave:
 	case dns_zone_stub:
+		start_refresh = false;
+		LOCK_ZONE(zone);
 		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
-		    isc_time_compare(&now, &zone->refreshtime) >= 0)
+		    isc_time_compare(&now, &zone->refreshtime) >= 0) {
+			start_refresh = true;
+		}
+		UNLOCK_ZONE(zone);
+		if (start_refresh) {
 			dns_zone_refresh(zone);
+		}
 		break;
 	default:
 		break;
@@ -10187,11 +10283,16 @@ zone_maintenance(dns_zone_t *zone) {
 	/*
 	 * Slaves send notifies before backing up to disk, masters after.
 	 */
-	if (zone->type == dns_zone_slave &&
-	    (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
-	     DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
-	    isc_time_compare(&now, &zone->notifytime) >= 0)
+	LOCK_ZONE(zone);
+	need_notify = zone->type == dns_zone_slave &&
+		      (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+		       DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
+		      (isc_time_compare(&now, &zone->notifytime) >= 0);
+	UNLOCK_ZONE(zone);
+
+	if (need_notify) {
 		zone_notify(zone, &now);
+	}
 
 	/*
 	 * Do we need to consolidate the backing store?
@@ -10338,8 +10439,14 @@ dns_zone_markdirty(dns_zone_t *zone) {
 		}
 
 		/* XXXMPA make separate call back */
-		if (result == ISC_R_SUCCESS)
+		if (result == ISC_R_SUCCESS) {
 			set_resigntime(zone);
+			if (zone->task != NULL) {
+				isc_time_t now;
+				TIME_NOW(&now);
+				zone_settimer(zone, &now);
+			}
+		}
 	}
 	if (secure != NULL)
 		UNLOCK_ZONE(secure);
@@ -10382,15 +10489,17 @@ dns_zone_refresh(dns_zone_t *zone) {
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		UNLOCK_ZONE(zone);
 		return;
+	}
 
 	/*
 	 * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
 	 * in progress at a time.
 	 */
 
-	LOCK_ZONE(zone);
 	oldflags = zone->flags;
 	if (zone->masterscnt == 0) {
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOMASTERS);
@@ -11276,7 +11385,7 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
 	if (key != NULL)
 		dns_tsigkey_detach(&key);
  cleanup_message:
-	dns_message_destroy(&message);
+	dns_message_detach(&message);
  cleanup:
 	UNLOCK_ZONE(notify->zone);
 	isc_event_free(&event);
@@ -11569,17 +11678,458 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 /***
  *** Private
  ***/
+static inline isc_result_t
+create_query(dns_zone_t *zone, dns_rdatatype_t rdtype, dns_name_t *name,
+	     dns_message_t **messagep) {
+	dns_message_t *message = NULL;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER, &message);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	message->opcode = dns_opcode_query;
+	message->rdclass = zone->rdclass;
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Make question.
+	 */
+	dns_name_init(qname, NULL);
+	dns_name_clone(name, qname);
+	dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	*messagep = message;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (qname != NULL) {
+		dns_message_puttempname(message, &qname);
+	}
+	if (qrdataset != NULL) {
+		dns_message_puttemprdataset(message, &qrdataset);
+	}
+	dns_message_detach(&message);
+	return (result);
+}
+
+static isc_result_t
+add_opt(dns_message_t *message, uint16_t udpsize, bool reqnsid,
+	bool reqexpire) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset = NULL;
+	dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
+	int count = 0;
+
+	/* Set EDNS options if applicable. */
+	if (reqnsid) {
+		INSIST(count < DNS_EDNSOPTIONS);
+		ednsopts[count].code = DNS_OPT_NSID;
+		ednsopts[count].length = 0;
+		ednsopts[count].value = NULL;
+		count++;
+	}
+	if (reqexpire) {
+		INSIST(count < DNS_EDNSOPTIONS);
+		ednsopts[count].code = DNS_OPT_EXPIRE;
+		ednsopts[count].length = 0;
+		ednsopts[count].value = NULL;
+		count++;
+	}
+	result = dns_message_buildopt(message, &rdataset, 0, udpsize, 0,
+				      ednsopts, count);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	return (dns_message_setopt(message, rdataset));
+}
+
+/*
+ * Called when stub zone update is finished.
+ * Update zone refresh, retry, expire values accordingly with
+ * SOA received from master, sync database to file, restart
+ * zone management timer.
+ */
+static void
+stub_finish_zone_update(dns_stub_t *stub, isc_time_t now) {
+	uint32_t refresh, retry, expire;
+	isc_result_t result;
+	isc_interval_t i;
+	unsigned int soacount;
+	dns_zone_t *zone = stub->zone;
+
+	/*
+	 * Tidy up.
+	 */
+	dns_db_closeversion(stub->db, &stub->version, true);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	if (zone->db == NULL) {
+		zone_attachdb(zone, stub->db);
+	}
+	result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
+				  &refresh, &retry, &expire, NULL, NULL);
+	if (result == ISC_R_SUCCESS && soacount > 0U) {
+		zone->refresh = RANGE(refresh, zone->minrefresh,
+				      zone->maxrefresh);
+		zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
+		zone->expire = RANGE(expire, zone->refresh + zone->retry,
+				     DNS_MAX_EXPIRE);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+	dns_db_detach(&stub->db);
+
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+	DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+	isc_interval_set(&i, zone->expire, 0);
+	DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
+
+	if (zone->masterfile != NULL) {
+		zone_needdump(zone, 0);
+	}
+
+	zone_settimer(zone, &now);
+}
+
+/*
+ * Process answers for A and AAAA queries when
+ * resolving nameserver addresses for which glue
+ * was missing in a previous answer for a NS query.
+ */
+static void
+stub_glue_response_cb(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "stub_glue_response_cb";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_stub_t *stub = NULL;
+	dns_message_t *msg = NULL;
+	dns_zone_t *zone = NULL;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	uint32_t addr_count, cnamecnt;
+	isc_result_t result;
+	isc_time_t now;
+	struct stub_glue_request *request;
+	struct stub_cb_args *cb_args;
+	dns_rdataset_t *addr_rdataset = NULL;
+	dns_dbnode_t *node = NULL;
+	unsigned int pending_requests = 0;
+
+	UNUSED(task);
+
+	request = revent->ev_arg;
+	cb_args = request->args;
+	stub = cb_args->stub;
+	INSIST(DNS_STUB_VALID(stub));
+
+	zone = stub->zone;
+
+	ENTER;
+
+	TIME_NOW(&now);
+
+	LOCK_ZONE(zone);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		zone_debuglog(zone, me, 1, "exiting");
+		goto cleanup;
+	}
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+
+	if (revent->result != ISC_R_SUCCESS) {
+		dns_zonemgr_unreachableadd(zone->zmgr, &zone->masteraddr,
+					   &zone->sourceaddr, &now);
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "could not refresh stub from master %s"
+			     " (source %s): %s",
+			     master, source, dns_result_totext(revent->result));
+		goto cleanup;
+	}
+
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unable to create message: (%s)",
+			     isc_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_request_getresponse(revent->request, msg, 0);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unable to parse response (%s)",
+			     isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * Unexpected opcode.
+	 */
+	if (msg->opcode != dns_opcode_query) {
+		char opcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, opcode, sizeof(opcode));
+		(void)dns_opcode_totext(msg->rcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "unexpected opcode (%.*s) from %s (source %s)",
+			     (int)rb.used, opcode, master, source);
+		goto cleanup;
+	}
+
+	/*
+	 * Unexpected rcode.
+	 */
+	if (msg->rcode != dns_rcode_noerror) {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "unexpected rcode (%.*s) from %s (source %s)",
+			     (int)rb.used, rcode, master, source);
+		goto cleanup;
+	}
+
+	/*
+	 * We need complete messages.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		if (dns_request_usedtcp(revent->request)) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refreshing stub: truncated TCP "
+				     "response from master %s (source %s)",
+				     master, source);
+		}
+		goto cleanup;
+	}
+
+	/*
+	 * If non-auth log.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "non-authoritative answer from "
+			     "master %s (source %s)",
+			     master, source);
+		goto cleanup;
+	}
+
+	/*
+	 * Sanity checks.
+	 */
+	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
+	addr_count = message_count(msg, DNS_SECTION_ANSWER,
+				   request->ipv4 ? dns_rdatatype_a
+						 : dns_rdatatype_aaaa);
+
+	if (cnamecnt != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unexpected CNAME response "
+			     "from master %s (source %s)",
+			     master, source);
+		goto cleanup;
+	}
+
+	if (addr_count == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: no %s records in response "
+			     "from master %s (source %s)",
+			     request->ipv4 ? "A" : "AAAA", master, source);
+		goto cleanup;
+	}
+	/*
+	 * Extract A or AAAA RRset from message.
+	 */
+	result = dns_message_findname(msg, DNS_SECTION_ANSWER, &request->name,
+				      request->ipv4 ? dns_rdatatype_a
+						    : dns_rdatatype_aaaa,
+				      dns_rdatatype_none, NULL, &addr_rdataset);
+	if (result != ISC_R_SUCCESS) {
+		if (result != DNS_R_NXDOMAIN && result != DNS_R_NXRRSET) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(&request->name, namebuf,
+					sizeof(namebuf));
+			dns_zone_log(
+				zone, ISC_LOG_INFO,
+				"refreshing stub: dns_message_findname(%s/%s) "
+				"failed (%s)",
+				namebuf, request->ipv4 ? "A" : "AAAA",
+				isc_result_totext(result));
+		}
+		goto cleanup;
+	}
+
+	result = dns_db_findnode(stub->db, &request->name, true, &node);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "dns_db_findnode() failed: %s",
+			     dns_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_db_addrdataset(stub->db, node, stub->version, 0,
+				    addr_rdataset, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "dns_db_addrdataset() failed: %s",
+			     dns_result_totext(result));
+	}
+	dns_db_detachnode(stub->db, &node);
+
+cleanup:
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	isc_event_free(&event);
+	dns_name_free(&request->name, zone->mctx);
+	dns_request_destroy(&request->request);
+	isc_mem_put(zone->mctx, request, sizeof(*request));
+
+	/* If last request, release all related resources. */
+	isc_refcount_decrement(&stub->pending_requests, &pending_requests);
+	if (pending_requests == 0) {
+		isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
+		stub_finish_zone_update(stub, now);
+		UNLOCK_ZONE(zone);
+		stub->magic = 0;
+		dns_zone_idetach(&stub->zone);
+		INSIST(stub->db == NULL);
+		INSIST(stub->version == NULL);
+		isc_refcount_destroy(&stub->pending_requests);
+		isc_mem_put(stub->mctx, stub, sizeof(*stub));
+	} else {
+		UNLOCK_ZONE(zone);
+	}
+}
+
+/*
+ * Create and send an A or AAAA query to the master
+ * server of the stub zone given.
+ */
+static isc_result_t
+stub_request_nameserver_address(struct stub_cb_args *args, bool ipv4,
+				const dns_name_t *name) {
+	dns_message_t *message = NULL;
+	dns_zone_t *zone;
+	isc_result_t result;
+	struct stub_glue_request *request;
+	unsigned int pending_requests = 0;
+
+	zone = args->stub->zone;
+	request = isc_mem_get(zone->mctx, sizeof(*request));
+	if (request == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	request->request = NULL;
+	request->args = args;
+	request->name = (dns_name_t)DNS_NAME_INITEMPTY;
+	request->ipv4 = ipv4;
+
+	result = dns_name_dup(name, zone->mctx, &request->name);
+	if (result != ISC_R_SUCCESS) {
+		zone_debuglog(zone, "stub_send_query", 1,
+			      "dns_name_dup() failed: %s",
+			      dns_result_totext(result));
+			goto fail;
+	}
+	result = create_query(zone, ipv4 ? dns_rdatatype_a : dns_rdatatype_aaaa,
+			      &request->name, &message);
+	if (result != ISC_R_SUCCESS) {
+		zone_debuglog(zone, "stub_send_query", 1,
+			      "create_query() failed: %s",
+			      dns_result_totext(result));
+			goto fail;
+	}
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+		result = add_opt(message, args->udpsize, args->reqnsid, false);
+		if (result != ISC_R_SUCCESS) {
+			zone_debuglog(zone, "stub_send_query", 1,
+				      "unable to add opt record: %s",
+				      dns_result_totext(result));
+			goto fail;
+		}
+	}
+
+	isc_refcount_increment(&args->stub->pending_requests, NULL);
+
+	result = dns_request_createvia4(
+		zone->view->requestmgr, message, &zone->sourceaddr,
+		&zone->masteraddr, args->dscp, DNS_REQUESTOPT_TCP,
+		args->tsig_key, args->timeout * 3, args->timeout, 0, zone->task,
+		stub_glue_response_cb, request, &request->request);
+
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_decrement(&args->stub->pending_requests,
+				       &pending_requests);
+		INSIST(pending_requests > 0);
+		zone_debuglog(zone, "stub_send_query", 1,
+			      "dns_request_createvia() failed: %s",
+			      dns_result_totext(result));
+		goto fail;
+	}
+
+	dns_message_detach(&message);
+
+	return (ISC_R_SUCCESS);
+
+fail:
+	if (dns_name_dynamic(&request->name)) {
+		dns_name_free(&request->name, zone->mctx);
+	}
+	isc_mem_put(zone->mctx, request, sizeof(*request));
+
+	if (message != NULL) {
+		dns_message_detach(&message);
+	}
+
+	return (result);
+}
 
 static inline isc_result_t
 save_nsrrset(dns_message_t *message, dns_name_t *name,
-	     dns_db_t *db, dns_dbversion_t *version)
-{
+	     struct stub_cb_args *cb_args, dns_db_t *db,
+	     dns_dbversion_t *version) {
 	dns_rdataset_t *nsrdataset = NULL;
 	dns_rdataset_t *rdataset = NULL;
 	dns_dbnode_t *node = NULL;
 	dns_rdata_ns_t ns;
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
+	bool has_glue = false;
+	dns_name_t *ns_name;
+	/*
+	 * List of NS entries in answer, keep names that will be used
+	 * to resolve missing A/AAAA glue for each entry.
+	 */
+	dns_namelist_t ns_list;
+	ISC_LIST_INIT(ns_list);
 
 	/*
 	 * Extract NS RRset from message.
@@ -11588,19 +12138,19 @@ save_nsrrset(dns_message_t *message, dns_name_t *name,
 				      dns_rdatatype_ns, dns_rdatatype_none,
 				      NULL, &nsrdataset);
 	if (result != ISC_R_SUCCESS)
-		goto fail;
+		goto done;
 
 	/*
 	 * Add NS rdataset.
 	 */
 	result = dns_db_findnode(db, name, true, &node);
 	if (result != ISC_R_SUCCESS)
-		goto fail;
+		goto done;
 	result = dns_db_addrdataset(db, node, version, 0,
 				    nsrdataset, 0, NULL);
 	dns_db_detachnode(db, &node);
 	if (result != ISC_R_SUCCESS)
-		goto fail;
+		goto done;
 	/*
 	 * Add glue rdatasets.
 	 */
@@ -11619,39 +12169,97 @@ save_nsrrset(dns_message_t *message, dns_name_t *name,
 					      dns_rdatatype_none, NULL,
 					      &rdataset);
 		if (result == ISC_R_SUCCESS) {
+			has_glue = true;
 			result = dns_db_findnode(db, &ns.name,
 						 true, &node);
 			if (result != ISC_R_SUCCESS)
-				goto fail;
+				goto done;
 			result = dns_db_addrdataset(db, node, version, 0,
 						    rdataset, 0, NULL);
 			dns_db_detachnode(db, &node);
 			if (result != ISC_R_SUCCESS)
-				goto fail;
+				goto done;
 		}
+
 		rdataset = NULL;
 		result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
 					      &ns.name, dns_rdatatype_a,
 					      dns_rdatatype_none, NULL,
 					      &rdataset);
 		if (result == ISC_R_SUCCESS) {
+			has_glue = true;
 			result = dns_db_findnode(db, &ns.name,
 						 true, &node);
 			if (result != ISC_R_SUCCESS)
-				goto fail;
+				goto done;
 			result = dns_db_addrdataset(db, node, version, 0,
 						    rdataset, 0, NULL);
 			dns_db_detachnode(db, &node);
 			if (result != ISC_R_SUCCESS)
-				goto fail;
+				goto done;
+		}
+
+		/*
+		 * If no glue is found so far, we add the name to the list to
+		 * resolve the A/AAAA glue later. If any glue is found in any
+		 * iteration step, this list will be discarded and only the glue
+		 * provided in this message will be used.
+		 */
+		if (!has_glue && dns_name_issubdomain(&ns.name, name)) {
+			dns_name_t *tmp_name;
+			tmp_name = isc_mem_get(cb_args->stub->mctx,
+					       sizeof(*tmp_name));
+			if (tmp_name == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto done;
+			}
+			dns_name_init(tmp_name, NULL);
+			result = dns_name_dup(&ns.name, cb_args->stub->mctx,
+					      tmp_name);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+			ISC_LIST_APPEND(ns_list, tmp_name, link);
 		}
 	}
 	if (result != ISC_R_NOMORE)
-		goto fail;
+		goto done;
 
-	return (ISC_R_SUCCESS);
+	/*
+	 * If no glue records were found, we attempt to resolve A/AAAA
+	 * for each NS entry found in the answer.
+	 */
+	if (!has_glue) {
+		for (ns_name = ISC_LIST_HEAD(ns_list); ns_name != NULL;
+		     ns_name = ISC_LIST_NEXT(ns_name, link))
+		{
+			/*
+			 * Resolve NS IPv4 address/A.
+			 */
+			result = stub_request_nameserver_address(cb_args, true,
+								 ns_name);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+			/*
+			 * Resolve NS IPv6 address/AAAA.
+			 */
+			result = stub_request_nameserver_address(cb_args, false,
+								 ns_name);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+		}
+	}
 
-fail:
+	result = ISC_R_SUCCESS;
+
+done:
+	while ((ns_name = ISC_LIST_HEAD(ns_list)) != NULL) {
+		ISC_LIST_UNLINK(ns_list, ns_name, link);
+		dns_name_free(ns_name, cb_args->stub->mctx);
+		isc_mem_put(cb_args->stub->mctx, ns_name, sizeof(*ns_name));
+	}
 	return (result);
 }
 
@@ -11664,14 +12272,16 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	dns_zone_t *zone = NULL;
 	char master[ISC_SOCKADDR_FORMATSIZE];
 	char source[ISC_SOCKADDR_FORMATSIZE];
-	uint32_t nscnt, cnamecnt, refresh, retry, expire;
+	uint32_t nscnt, cnamecnt;
 	isc_result_t result;
 	isc_time_t now;
 	bool exiting = false;
-	isc_interval_t i;
-	unsigned int j, soacount;
+	unsigned int j;
+	struct stub_cb_args *cb_args;
+	unsigned int pending_requests = 0;
 
-	stub = revent->ev_arg;
+	cb_args = revent->ev_arg;
+	stub = cb_args->stub;
 	INSIST(DNS_STUB_VALID(stub));
 
 	UNUSED(task);
@@ -11721,6 +12331,23 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 		goto next_master;
 
 	/*
+	 * Unexpected opcode.
+	 */
+	if (msg->opcode != dns_opcode_query) {
+		char opcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, opcode, sizeof(opcode));
+		(void)dns_opcode_totext(msg->rcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "unexpected opcode (%.*s) from %s (source %s)",
+			     (int)rb.used, opcode, master, source);
+		goto next_master;
+	}
+
+	/*
 	 * Unexpected rcode.
 	 */
 	if (msg->rcode != dns_rcode_noerror) {
@@ -11794,10 +12421,13 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 		goto next_master;
 	}
 
+	isc_refcount_increment0(&stub->pending_requests, NULL);
+
 	/*
 	 * Save answer.
 	 */
-	result = save_nsrrset(msg, &zone->origin, stub->db, stub->version);
+	result = save_nsrrset(msg, &zone->origin, cb_args, stub->db,
+			      stub->version);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refreshing stub: unable to save NS records "
@@ -11805,49 +12435,32 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 		goto next_master;
 	}
 
-	/*
-	 * Tidy up.
-	 */
-	dns_db_closeversion(stub->db, &stub->version, true);
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
-	if (zone->db == NULL)
-		zone_attachdb(zone, stub->db);
-	result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
-				  &refresh, &retry, &expire, NULL, NULL);
-	if (result == ISC_R_SUCCESS && soacount > 0U) {
-		zone->refresh = RANGE(refresh, zone->minrefresh,
-				      zone->maxrefresh);
-		zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
-		zone->expire = RANGE(expire, zone->refresh + zone->retry,
-				     DNS_MAX_EXPIRE);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
-	}
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
-	dns_db_detach(&stub->db);
-
-	dns_message_destroy(&msg);
+	dns_message_detach(&msg);
 	isc_event_free(&event);
 	dns_request_destroy(&zone->request);
 
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
-	DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
-	isc_interval_set(&i, zone->expire, 0);
-	DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
-
-	if (zone->masterfile != NULL)
-		zone_needdump(zone, 0);
+	/*
+	 * Check to see if there are no outstanding requests and
+	 * finish off if that is so.
+	 */
+	isc_refcount_decrement(&stub->pending_requests, &pending_requests);
+	if (pending_requests == 0) {
+		isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
+		stub_finish_zone_update(stub, now);
+		goto free_stub;
+	}
 
-	zone_settimer(zone, &now);
-	goto free_stub;
+	UNLOCK_ZONE(zone);
+	return;
 
- next_master:
+next_master:
+	isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
 	if (stub->version != NULL)
 		dns_db_closeversion(stub->db, &stub->version, false);
 	if (stub->db != NULL)
 		dns_db_detach(&stub->db);
 	if (msg != NULL)
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 	isc_event_free(&event);
 	dns_request_destroy(&zone->request);
 	/*
@@ -11892,9 +12505,10 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	queue_soa_query(zone);
 	goto free_stub;
 
- same_master:
+same_master:
+	isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
 	if (msg != NULL)
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 	isc_event_free(&event);
 	dns_request_destroy(&zone->request);
 	ns_query(zone, NULL, stub);
@@ -11907,6 +12521,7 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	dns_zone_idetach(&stub->zone);
 	INSIST(stub->db == NULL);
 	INSIST(stub->version == NULL);
+	isc_refcount_destroy(&stub->pending_requests);
 	isc_mem_put(stub->mctx, stub, sizeof(*stub));
 
  done:
@@ -12098,6 +12713,23 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	}
 
 	/*
+	 * Unexpected opcode.
+	 */
+	if (msg->opcode != dns_opcode_query) {
+		char opcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, opcode, sizeof(opcode));
+		(void)dns_opcode_totext(msg->rcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: "
+			     "unexpected opcode (%.*s) from %s (source %s)",
+			     (int)rb.used, opcode, master, source);
+		goto next_master;
+	}
+
+	/*
 	 * Unexpected rcode.
 	 */
 	if (msg->rcode != dns_rcode_noerror) {
@@ -12290,7 +12922,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 			ns_query(zone, rdataset, NULL);
 		}
 		if (msg != NULL)
-			dns_message_destroy(&msg);
+			dns_message_detach(&msg);
 	} else if (isc_serial_eq(soa.serial, oldserial)) {
 		isc_time_t expiretime;
 		uint32_t expire;
@@ -12325,12 +12957,12 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 		goto next_master;
 	}
 	if (msg != NULL)
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 	goto detach;
 
  next_master:
 	if (msg != NULL)
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 	isc_event_free(&event);
 	dns_request_destroy(&zone->request);
 	/*
@@ -12382,7 +13014,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 
  same_master:
 	if (msg != NULL)
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 	isc_event_free(&event);
 	dns_request_destroy(&zone->request);
 	queue_soa_query(zone);
@@ -12436,85 +13068,6 @@ queue_soa_query(dns_zone_t *zone) {
 	}
 }
 
-static inline isc_result_t
-create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
-	     dns_message_t **messagep)
-{
-	dns_message_t *message = NULL;
-	dns_name_t *qname = NULL;
-	dns_rdataset_t *qrdataset = NULL;
-	isc_result_t result;
-
-	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
-				    &message);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	message->opcode = dns_opcode_query;
-	message->rdclass = zone->rdclass;
-
-	result = dns_message_gettempname(message, &qname);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_message_gettemprdataset(message, &qrdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/*
-	 * Make question.
-	 */
-	dns_name_init(qname, NULL);
-	dns_name_clone(&zone->origin, qname);
-	dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
-	ISC_LIST_APPEND(qname->list, qrdataset, link);
-	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
-
-	*messagep = message;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (qname != NULL)
-		dns_message_puttempname(message, &qname);
-	if (qrdataset != NULL)
-		dns_message_puttemprdataset(message, &qrdataset);
-	if (message != NULL)
-		dns_message_destroy(&message);
-	return (result);
-}
-
-static isc_result_t
-add_opt(dns_message_t *message, uint16_t udpsize, bool reqnsid,
-	bool reqexpire)
-{
-	isc_result_t result;
-	dns_rdataset_t *rdataset = NULL;
-	dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
-	int count = 0;
-
-	/* Set EDNS options if applicable */
-	if (reqnsid) {
-		INSIST(count < DNS_EDNSOPTIONS);
-		ednsopts[count].code = DNS_OPT_NSID;
-		ednsopts[count].length = 0;
-		ednsopts[count].value = NULL;
-		count++;
-	}
-	if (reqexpire) {
-		INSIST(count < DNS_EDNSOPTIONS);
-		ednsopts[count].code = DNS_OPT_EXPIRE;
-		ednsopts[count].length = 0;
-		ednsopts[count].value = NULL;
-		count++;
-	}
-	result = dns_message_buildopt(message, &rdataset, 0, udpsize, 0,
-				      ednsopts, count);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	return (dns_message_setopt(message, rdataset));
-}
-
 static void
 soa_query(isc_task_t *task, isc_event_t *event) {
 	const char me[] = "soa_query";
@@ -12546,8 +13099,8 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 		goto cleanup;
 	}
 
- again:
-	result = create_query(zone, dns_rdatatype_soa, &message);
+again:
+	result = create_query(zone, dns_rdatatype_soa, &zone->origin, &message);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -12689,7 +13242,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_SUCCESS)
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
 	if (message != NULL)
-		dns_message_destroy(&message);
+		dns_message_detach(&message);
 	if (cancel)
 		cancel_refresh(zone);
 	isc_event_free(&event);
@@ -12700,7 +13253,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
  skip_master:
 	if (key != NULL)
 		dns_tsigkey_detach(&key);
-	dns_message_destroy(&message);
+	dns_message_detach(&message);
 	/*
 	 * Skip to next failed / untried master.
 	 */
@@ -12727,6 +13280,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	bool reqnsid;
 	uint16_t udpsize = SEND_BUFFER_SIZE;
 	isc_dscp_t dscp = -1;
+	struct stub_cb_args *cb_args;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(LOCKED_ZONE(zone));
@@ -12745,6 +13299,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 		stub->zone = NULL;
 		stub->db = NULL;
 		stub->version = NULL;
+		isc_refcount_init(&stub->pending_requests, 0);
 
 		/*
 		 * Attach so that the zone won't disappear from under us.
@@ -12816,7 +13371,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	/*
 	 * XXX Optimisation: Create message when zone is setup and reuse.
 	 */
-	result = create_query(zone, dns_rdatatype_ns, &message);
+	result = create_query(zone, dns_rdatatype_ns, &zone->origin, &message);
 	INSIST(result == ISC_R_SUCCESS);
 
 	INSIST(zone->masterscnt > 0);
@@ -12910,18 +13465,28 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	timeout = 15;
 	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
 		timeout = 30;
-	result = dns_request_createvia4(zone->view->requestmgr, message,
-					&zone->sourceaddr, &zone->masteraddr,
-					dscp, DNS_REQUESTOPT_TCP, key,
-					timeout * 3, timeout, 0, zone->task,
-					stub_callback, stub, &zone->request);
+
+	/* Save request parameters so we can reuse them later on
+	   for resolving missing glue A/AAAA records. */
+	cb_args = isc_mem_get(zone->mctx, sizeof(*cb_args));
+	cb_args->stub = stub;
+	cb_args->tsig_key = key;
+	cb_args->dscp = dscp;
+	cb_args->udpsize = udpsize;
+	cb_args->timeout = timeout;
+	cb_args->reqnsid = reqnsid;
+
+	result = dns_request_createvia4(
+		zone->view->requestmgr, message, &zone->sourceaddr,
+		&zone->masteraddr, dscp, DNS_REQUESTOPT_TCP, key, timeout * 3,
+		timeout, 0, zone->task, stub_callback, cb_args, &zone->request);
 	if (result != ISC_R_SUCCESS) {
 		zone_debuglog(zone, me, 1,
 			      "dns_request_createvia() failed: %s",
 			      dns_result_totext(result));
 		goto cleanup;
 	}
-	dns_message_destroy(&message);
+	dns_message_detach(&message);
 	goto unlock;
 
  cleanup:
@@ -12935,10 +13500,11 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 			dns_db_detach(&stub->db);
 		if (stub->zone != NULL)
 			zone_idetach(&stub->zone);
+		isc_refcount_destroy(&stub->pending_requests);
 		isc_mem_put(stub->mctx, stub, sizeof(*stub));
 	}
 	if (message != NULL)
-		dns_message_destroy(&message);
+		dns_message_detach(&message);
  unlock:
 	if (key != NULL)
 		dns_tsigkey_detach(&key);
@@ -13374,7 +13940,7 @@ notify_createmessage(dns_zone_t *zone, unsigned int flags,
 		dns_message_puttempname(message, &tempname);
 	if (temprdataset != NULL)
 		dns_message_puttemprdataset(message, &temprdataset);
-	dns_message_destroy(&message);
+	dns_message_detach(&message);
 	return (result);
 }
 
@@ -13933,7 +14499,10 @@ void
 dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(buf != NULL);
+
+	LOCK_ZONE(zone);
 	zone_namerd_tostr(zone, buf, length);
+	UNLOCK_ZONE(zone);
 }
 
 void
@@ -14189,7 +14758,7 @@ notify_done(isc_task_t *task, isc_event_t *event) {
 		notify_destroy(notify, false);
 	}
 	if (message != NULL)
-		dns_message_destroy(&message);
+		dns_message_detach(&message);
 }
 
 struct secure_event {
@@ -14571,6 +15140,11 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 	zone->sourceserialset = true;
 	zone_needdump(zone, DNS_DUMP_DELAY);
 
+	/*
+	 * Set resign time to make sure it is set to the earliest
+	 * signature expiration.
+	 */
+	set_resigntime(zone);
 	TIME_NOW(&timenow);
 	zone_settimer(zone, &timenow);
 	UNLOCK_ZONE(zone);
@@ -14591,6 +15165,11 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 		dns_zone_detach(&zone->rss_raw);
 	}
 	if (result != ISC_R_SUCCESS) {
+		LOCK_ZONE(zone);
+		set_resigntime(zone);
+		TIME_NOW(&timenow);
+		zone_settimer(zone, &timenow);
+		UNLOCK_ZONE(zone);
 		dns_zone_log(zone, level, "receive_secure_serial: %s",
 			     dns_result_totext(result));
 	}
@@ -14751,7 +15330,7 @@ save_nsec3param(dns_zone_t *zone, nsec3paramlist_t *nsec3list) {
 	/*
 	 * walk nsec3param rdataset making a list of parameters (note that
 	 * multiple simultaneous nsec3 chains are annoyingly legal -- this
-	 * is why we use an nsec3list, even tho we will usually only have
+	 * is why we use an nsec3list, even though we will usually only have
 	 * one)
 	 */
 	for (result = dns_rdataset_first(&rdataset);
@@ -14932,6 +15511,8 @@ copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,
 		return (ISC_R_SUCCESS);
 	}
 
+	dns_dbiterator_pause(dbiterator);
+
 	result = dns_db_findnode(db, name, true, &node);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
@@ -15471,11 +16052,20 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 					  &retry, &expire, &minimum, NULL);
 		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 		if (result == ISC_R_SUCCESS) {
-			if (soacount != 1)
+			if (soacount != 1) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "transferred zone "
-					     "has %d SOA record%s", soacount,
-					     (soacount != 0) ? "s" : "");
+					     "has %d SOA records",
+					     soacount);
+				if (DNS_ZONE_FLAG(zone,
+						  DNS_ZONEFLG_HAVETIMERS)) {
+					zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+					zone->retry = DNS_ZONE_DEFAULTRETRY;
+				}
+				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+				zone_unload(zone);
+				goto next_master;
+			}
 			if (nscount == 0) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "transferred zone "
@@ -15568,7 +16158,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 
 	case DNS_R_BADIXFR:
 		/* Force retry with AXFR. */
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOIXFR);
 		goto same_master;
 
 	case DNS_R_TOOMANYRECORDS:
@@ -15896,13 +16486,13 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 			     "forced reload, requesting AXFR of "
 			     "initial version from %s", master);
 		xfrtype = dns_rdatatype_axfr;
-	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
+	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOIXFR)) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "retrying with AXFR from %s due to "
 			     "previous IXFR failure", master);
 		xfrtype = dns_rdatatype_axfr;
 		LOCK_ZONE(zone);
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLAG_NOIXFR);
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOIXFR);
 		UNLOCK_ZONE(zone);
 	} else {
 		bool use_ixfr = true;
@@ -16117,6 +16707,23 @@ forward_callback(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_SUCCESS)
 		goto next_master;
 
+	/*
+	 * Unexpected opcode.
+	 */
+	if (msg->opcode != dns_opcode_update) {
+		char opcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, opcode, sizeof(opcode));
+		(void)dns_opcode_totext(msg->rcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "forwarding dynamic update: "
+			     "unexpected opcode (%.*s) from %s",
+			     (int)rb.used, opcode, master);
+		goto next_master;
+	}
+
 	switch (msg->rcode) {
 	/*
 	 * Pass these rcodes back to client.
@@ -16173,7 +16780,7 @@ forward_callback(isc_task_t *task, isc_event_t *event) {
 
  next_master:
 	if (msg != NULL)
-		dns_message_destroy(&msg);
+		dns_message_detach(&msg);
 	isc_event_free(&event);
 	forward->which++;
 	dns_request_destroy(&forward->request);
@@ -17124,7 +17731,7 @@ dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
 	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
 
 	setrl(zmgr->refreshrl, &zmgr->serialqueryrate, value);
-	/* XXXMPA seperate out once we have the code to support this. */
+	/* XXXMPA separate out once we have the code to support this. */
 	setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, value);
 }
 
@@ -17486,9 +18093,13 @@ dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
 	case DNS_ZONESTATE_SOAQUERY:
 		for (zone = ISC_LIST_HEAD(zmgr->zones);
 		     zone != NULL;
-		     zone = ISC_LIST_NEXT(zone, link))
-			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH))
+		     zone = ISC_LIST_NEXT(zone, link)) {
+			LOCK_ZONE(zone);
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
 				count++;
+			}
+			UNLOCK_ZONE(zone);
+		}
 		break;
 	case DNS_ZONESTATE_ANY:
 		for (zone = ISC_LIST_HEAD(zmgr->zones);
@@ -18317,10 +18928,11 @@ zone_rekey(dns_zone_t *zone) {
 
 	dns_db_closeversion(db, &ver, true);
 
+	LOCK_ZONE(zone);
+
 	if (commit) {
 		dns_difftuple_t *tuple;
 
-		LOCK_ZONE(zone);
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
 
 		zone_needdump(zone, DNS_DUMP_DELAY);
@@ -18438,10 +19050,8 @@ zone_rekey(dns_zone_t *zone) {
 		 * Schedule the next resigning event
 		 */
 		set_resigntime(zone);
-		UNLOCK_ZONE(zone);
 	}
 
-	LOCK_ZONE(zone);
 	isc_time_settoepoch(&zone->refreshkeytime);
 
 	/*
@@ -18512,8 +19122,10 @@ zone_rekey(dns_zone_t *zone) {
 	 * Something went wrong; try again in ten minutes or
 	 * after a key refresh interval, whichever is shorter.
 	 */
+	LOCK_ZONE(zone);
 	isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0);
 	isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
+	UNLOCK_ZONE(zone);
 	goto done;
 }
 
@@ -18563,11 +19175,14 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 	unsigned char algorithms[256];
 	unsigned int i;
 
+	enum { notexpected = 0, expected = 1, found = 2 };
+
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		return (result);
+	}
 
 	dns_rdataset_init(&cds);
 	dns_rdataset_init(&dnskey);
@@ -18575,16 +19190,19 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_cds,
 				     dns_rdatatype_none, 0, &cds, NULL);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
 		goto failure;
+	}
 
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_cdnskey,
 				     dns_rdatatype_none, 0, &cdnskey, NULL);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
 		goto failure;
+	}
 
 	if (!dns_rdataset_isassociated(&cds) &&
-	    !dns_rdataset_isassociated(&cdnskey)) {
+	    !dns_rdataset_isassociated(&cdnskey))
+	{
 		result = ISC_R_SUCCESS;
 		goto failure;
 	}
@@ -18592,21 +19210,25 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
 				     dns_rdatatype_none, 0, &dnskey, NULL);
 	if (result == ISC_R_NOTFOUND) {
-		if (dns_rdataset_isassociated(&cds))
+		if (dns_rdataset_isassociated(&cds)) {
 			result = DNS_R_BADCDS;
-		else
+		} else {
 			result = DNS_R_BADCDNSKEY;
+		}
 		goto failure;
 	}
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto failure;
+	}
 
 	/*
 	 * For each DNSSEC algorithm in the CDS RRset there must be
-	 * a matching DNSKEY record.
+	 * a matching DNSKEY record with the exception of a CDS deletion
+	 * record which must be by itself.
 	 */
 	if (dns_rdataset_isassociated(&cds)) {
-		memset(algorithms, 0, sizeof(algorithms));
+		bool delete = false;
+		memset(algorithms, notexpected, sizeof(algorithms));
 		for (result = dns_rdataset_first(&cds);
 		     result == ISC_R_SUCCESS;
 		     result = dns_rdataset_next(&cds)) {
@@ -18614,9 +19236,21 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 			dns_rdata_cds_t structcds;
 
 			dns_rdataset_current(&cds, &crdata);
+			/*
+			 * CDS deletion record has this form "0 0 0 00" which
+			 * is 5 zero octets.
+			 */
+			if (crdata.length == 5U &&
+			    memcmp(crdata.data,
+				   (unsigned char[5]){ 0, 0, 0, 0, 0 }, 5) == 0)
+			{
+				delete = true;
+				continue;
+			}
 			CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
-			if (algorithms[structcds.algorithm] == 0)
-				algorithms[structcds.algorithm] = 1;
+			if (algorithms[structcds.algorithm] == 0) {
+				algorithms[structcds.algorithm] = expected;
+			}
 			for (result = dns_rdataset_first(&dnskey);
 			     result == ISC_R_SUCCESS;
 			     result = dns_rdataset_next(&dnskey)) {
@@ -18629,16 +19263,23 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 							buffer, &dsrdata));
 				if (crdata.length == dsrdata.length &&
 				    memcmp(crdata.data, dsrdata.data,
-					   dsrdata.length) == 0) {
-					algorithms[structcds.algorithm] = 2;
+					   dsrdata.length) == 0)
+				{
+					algorithms[structcds.algorithm] = found;
 				}
 			}
-			if (result != ISC_R_NOMORE)
+			if (result != ISC_R_NOMORE) {
 				goto failure;
+			}
 		}
 		for (i = 0; i < sizeof(algorithms); i++) {
-			if (algorithms[i] == 1) {
-				result = DNS_R_BADCDNSKEY;
+			if (delete) {
+				if (algorithms[i] != notexpected) {
+					result = DNS_R_BADCDS;
+					goto failure;
+				}
+			} else if (algorithms[i] == expected) {
+				result = DNS_R_BADCDS;
 				goto failure;
 			}
 		}
@@ -18646,10 +19287,12 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 
 	/*
 	 * For each DNSSEC algorithm in the CDNSKEY RRset there must be
-	 * a matching DNSKEY record.
+	 * a matching DNSKEY record with the exception of a CDNSKEY deletion
+	 * record which must be by itself.
 	 */
 	if (dns_rdataset_isassociated(&cdnskey)) {
-		memset(algorithms, 0, sizeof(algorithms));
+		bool delete = false;
+		memset(algorithms, notexpected, sizeof(algorithms));
 		for (result = dns_rdataset_first(&cdnskey);
 		     result == ISC_R_SUCCESS;
 		     result = dns_rdataset_next(&cdnskey)) {
@@ -18657,10 +19300,23 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 			dns_rdata_cdnskey_t structcdnskey;
 
 			dns_rdataset_current(&cdnskey, &crdata);
+			/*
+			 * CDNSKEY deletion record has this form
+			 * "0 3 0 AA==" which is 2 zero octets, a 3,
+			 * and 2 zero octets.
+			 */
+			if (crdata.length == 5U &&
+			    memcmp(crdata.data,
+				   (unsigned char[5]){ 0, 0, 3, 0, 0 }, 5) == 0)
+			{
+				delete = true;
+				continue;
+			}
 			CHECK(dns_rdata_tostruct(&crdata, &structcdnskey,
 						 NULL));
-			if (algorithms[structcdnskey.algorithm] == 0)
-				algorithms[structcdnskey.algorithm] = 1;
+			if (algorithms[structcdnskey.algorithm] == 0) {
+				algorithms[structcdnskey.algorithm] = expected;
+			}
 			for (result = dns_rdataset_first(&dnskey);
 			     result == ISC_R_SUCCESS;
 			     result = dns_rdataset_next(&dnskey)) {
@@ -18669,16 +19325,24 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 				dns_rdataset_current(&dnskey, &rdata);
 				if (crdata.length == rdata.length &&
 				    memcmp(crdata.data, rdata.data,
-					   rdata.length) == 0) {
-					algorithms[structcdnskey.algorithm] = 2;
+					   rdata.length) == 0)
+				{
+					algorithms[structcdnskey.algorithm] =
+							 found;
 				}
 			}
-			if (result != ISC_R_NOMORE)
+			if (result != ISC_R_NOMORE) {
 				goto failure;
+			}
 		}
 		for (i = 0; i < sizeof(algorithms); i++) {
-			if (algorithms[i] == 1) {
-				result = DNS_R_BADCDS;
+			if (delete) {
+				if (algorithms[i] != notexpected) {
+					result = DNS_R_BADCDNSKEY;
+					goto failure;
+				}
+			} else if (algorithms[i] == expected) {
+				result = DNS_R_BADCDNSKEY;
 				goto failure;
 			}
 		}
@@ -18686,12 +19350,15 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 	result = ISC_R_SUCCESS;
 
  failure:
-	if (dns_rdataset_isassociated(&cds))
+	if (dns_rdataset_isassociated(&cds)) {
 		dns_rdataset_disassociate(&cds);
-	if (dns_rdataset_isassociated(&dnskey))
+	}
+	if (dns_rdataset_isassociated(&dnskey)) {
 		dns_rdataset_disassociate(&dnskey);
-	if (dns_rdataset_isassociated(&cdnskey))
+	}
+	if (dns_rdataset_isassociated(&cdnskey)) {
 		dns_rdataset_disassociate(&cdnskey);
+	}
 	dns_db_detachnode(db, &node);
 	return (result);
 }
@@ -18996,7 +19663,8 @@ keydone(isc_task_t *task, isc_event_t *event) {
 		commit = true;
 
 		LOCK_ZONE(zone);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED|
+				 DNS_ZONEFLG_NEEDNOTIFY);
 		zone_needdump(zone, 30);
 		UNLOCK_ZONE(zone);
 	}
@@ -19161,7 +19829,6 @@ rss_post(dns_zone_t *zone, isc_event_t *event) {
 	dns_db_currentversion(db, &oldver);
 	result = dns_db_newversion(db, &newver);
 	if (result != ISC_R_SUCCESS) {
-		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			     "setnsec3param:dns_db_newversion -> %s",
 			     dns_result_totext(result));
diff --git a/bind/bind9/lib/dns/zone_p.h b/bind/bind9/lib/dns/zone_p.h
index 1f4432a2..0ccbfb44 100644
--- a/bind/bind9/lib/dns/zone_p.h
+++ b/bind/bind9/lib/dns/zone_p.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/zonekey.c b/bind/bind9/lib/dns/zonekey.c
index ca555203..fb1b35c9 100644
--- a/bind/bind9/lib/dns/zonekey.c
+++ b/bind/bind9/lib/dns/zonekey.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/dns/zt.c b/bind/bind9/lib/dns/zt.c
index 04d7823d..3f12e247 100644
--- a/bind/bind9/lib/dns/zt.c
+++ b/bind/bind9/lib/dns/zt.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -41,9 +41,10 @@ struct dns_zt {
 	isc_rwlock_t		rwlock;
 	dns_zt_allloaded_t	loaddone;
 	void *			loaddone_arg;
+	isc_refcount_t		references;
+
 	/* Locked by lock. */
-	bool		flush;
-	uint32_t		references;
+	bool			flush;
 	unsigned int		loads_pending;
 	dns_rbt_t		*table;
 };
@@ -97,7 +98,7 @@ dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
 
 	zt->mctx = NULL;
 	isc_mem_attach(mctx, &zt->mctx);
-	zt->references = 1;
+	isc_refcount_init(&zt->references, 1);
 	zt->flush = false;
 	zt->rdclass = rdclass;
 	zt->magic = ZTMAGIC;
@@ -187,13 +188,7 @@ dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp) {
 	REQUIRE(VALID_ZT(zt));
 	REQUIRE(ztp != NULL && *ztp == NULL);
 
-	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	INSIST(zt->references > 0);
-	zt->references++;
-	INSIST(zt->references != 0);
-
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+	isc_refcount_increment(&zt->references, NULL);
 
 	*ztp = zt;
 }
@@ -206,8 +201,10 @@ flush(dns_zone_t *zone, void *uap) {
 
 static void
 zt_destroy(dns_zt_t *zt) {
-	if (zt->flush)
+	if (zt->flush) {
 		(void)dns_zt_apply(zt, false, flush, NULL);
+	}
+	isc_refcount_destroy(&zt->references);
 	dns_rbt_destroy(&zt->table);
 	isc_rwlock_destroy(&zt->rwlock);
 	zt->magic = 0;
@@ -216,28 +213,24 @@ zt_destroy(dns_zt_t *zt) {
 
 static void
 zt_flushanddetach(dns_zt_t **ztp, bool need_flush) {
-	bool destroy = false;
+	unsigned int refs;
 	dns_zt_t *zt;
 
 	REQUIRE(ztp != NULL && VALID_ZT(*ztp));
 
 	zt = *ztp;
+	*ztp = NULL;
 
-	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	INSIST(zt->references > 0);
-	zt->references--;
-	if (zt->references == 0)
-		destroy = true;
-	if (need_flush)
+	if (need_flush) {
+		RWLOCK(&zt->rwlock, isc_rwlocktype_write);
 		zt->flush = true;
+		RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+	}
 
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	if (destroy)
+	isc_refcount_decrement(&zt->references, &refs);
+	if (refs == 0) {
 		zt_destroy(zt);
-
-	*ztp = NULL;
+	}
 }
 
 void
@@ -296,14 +289,16 @@ dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
 	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
 
 	INSIST(zt->loads_pending == 0);
+	/*
+	 * Prevent loads_pending going to zero while kicking off the loads.
+	 */
+	zt->loads_pending++;
 	result = dns_zt_apply2(zt, false, NULL, asyncload, &params);
-
-	pending = zt->loads_pending;
+	pending = --zt->loads_pending;
 	if (pending != 0) {
 		zt->loaddone = alldone;
 		zt->loaddone_arg = arg;
 	}
-
 	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
 
 	if (pending == 0)
@@ -325,18 +320,18 @@ asyncload(dns_zone_t *zone, void *paramsv) {
 	dns_zt_t *zt;
 
 	REQUIRE(zone != NULL);
-	zt = dns_zone_getview(zone)->zonetable;
+	zt = params->zt;
 	INSIST(VALID_ZT(zt));
 
-	INSIST(zt->references > 0);
-	zt->references++;
+	isc_refcount_increment(&zt->references, NULL);
 	zt->loads_pending++;
 
 	result = dns_zone_asyncload2(zone, *params->dl, zt, params->newonly);
 	if (result != ISC_R_SUCCESS) {
-		zt->references--;
+		unsigned int refs;
 		zt->loads_pending--;
-		INSIST(zt->references > 0);
+		isc_refcount_decrement(&zt->references, &refs);
+		INSIST(refs > 0);
 	}
 	return (ISC_R_SUCCESS);
 }
@@ -556,7 +551,7 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
  */
 static isc_result_t
 doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
-	bool destroy = false;
+	unsigned int refs;
 	dns_zt_allloaded_t alldone = NULL;
 	void *arg = NULL;
 
@@ -567,10 +562,6 @@ doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
 
 	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
 	INSIST(zt->loads_pending != 0);
-	INSIST(zt->references != 0);
-	zt->references--;
-	if (zt->references == 0)
-		destroy = true;
 	zt->loads_pending--;
 	if (zt->loads_pending == 0) {
 		alldone = zt->loaddone;
@@ -583,8 +574,10 @@ doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
 	if (alldone != NULL)
 		alldone(arg);
 
-	if (destroy)
+	isc_refcount_decrement(&zt->references, &refs);
+	if (refs == 0) {
 		zt_destroy(zt);
+	}
 
 	return (ISC_R_SUCCESS);
 }
diff --git a/bind/bind9/lib/irs/Makefile.in b/bind/bind9/lib/irs/Makefile.in
index fc114472..c062b689 100644
--- a/bind/bind9/lib/irs/Makefile.in
+++ b/bind/bind9/lib/irs/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/api b/bind/bind9/lib/irs/api
index 79bb9ebf..060936fe 100644
--- a/bind/bind9/lib/irs/api
+++ b/bind/bind9/lib/irs/api
@@ -9,5 +9,5 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 LIBINTERFACE = 161
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/bind/bind9/lib/irs/context.c b/bind/bind9/lib/irs/context.c
index b6446938..70327797 100644
--- a/bind/bind9/lib/irs/context.c
+++ b/bind/bind9/lib/irs/context.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/dnsconf.c b/bind/bind9/lib/irs/dnsconf.c
index ee89af01..f911c3be 100644
--- a/bind/bind9/lib/irs/dnsconf.c
+++ b/bind/bind9/lib/irs/dnsconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -238,8 +238,9 @@ irs_dnsconf_destroy(irs_dnsconf_t **confp) {
 	irs_dnsconf_dnskey_t *keyent;
 
 	REQUIRE(confp != NULL);
+	REQUIRE(IRS_DNSCONF_VALID((*confp)));
+
 	conf = *confp;
-	REQUIRE(IRS_DNSCONF_VALID(conf));
 
 	while ((keyent = ISC_LIST_HEAD(conf->trusted_keylist)) != NULL) {
 		ISC_LIST_UNLINK(conf->trusted_keylist, keyent, link);
diff --git a/bind/bind9/lib/irs/gai_strerror.c b/bind/bind9/lib/irs/gai_strerror.c
index 76a561ee..6cb7306b 100644
--- a/bind/bind9/lib/irs/gai_strerror.c
+++ b/bind/bind9/lib/irs/gai_strerror.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/getaddrinfo.c b/bind/bind9/lib/irs/getaddrinfo.c
index 63d93cf9..31911a6a 100644
--- a/bind/bind9/lib/irs/getaddrinfo.c
+++ b/bind/bind9/lib/irs/getaddrinfo.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: getaddrinfo.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
 /*! \file */
 
 /**
@@ -1246,7 +1244,7 @@ get_local(const char *name, int socktype, struct addrinfo **res) {
 
 /*!
  * Allocate an addrinfo structure, and a sockaddr structure
- * of the specificed length.  We initialize:
+ * of the specified length.  We initialize:
  *	ai_addrlen
  *	ai_family
  *	ai_addr
diff --git a/bind/bind9/lib/irs/getnameinfo.c b/bind/bind9/lib/irs/getnameinfo.c
index 343a65e8..e05502f0 100644
--- a/bind/bind9/lib/irs/getnameinfo.c
+++ b/bind/bind9/lib/irs/getnameinfo.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/Makefile.in b/bind/bind9/lib/irs/include/Makefile.in
index 36013315..17373910 100644
--- a/bind/bind9/lib/irs/include/Makefile.in
+++ b/bind/bind9/lib/irs/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/irs/Makefile.in b/bind/bind9/lib/irs/include/irs/Makefile.in
index b0c5e141..7eea12e1 100644
--- a/bind/bind9/lib/irs/include/irs/Makefile.in
+++ b/bind/bind9/lib/irs/include/irs/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/irs/context.h b/bind/bind9/lib/irs/include/irs/context.h
index 94e55c61..9c52f764 100644
--- a/bind/bind9/lib/irs/include/irs/context.h
+++ b/bind/bind9/lib/irs/include/irs/context.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/irs/dnsconf.h b/bind/bind9/lib/irs/include/irs/dnsconf.h
index 89898baf..fb6123af 100644
--- a/bind/bind9/lib/irs/include/irs/dnsconf.h
+++ b/bind/bind9/lib/irs/include/irs/dnsconf.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/irs/netdb.h.in b/bind/bind9/lib/irs/include/irs/netdb.h.in
index 93fe47df..427fef82 100644
--- a/bind/bind9/lib/irs/include/irs/netdb.h.in
+++ b/bind/bind9/lib/irs/include/irs/netdb.h.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/irs/platform.h.in b/bind/bind9/lib/irs/include/irs/platform.h.in
index 78c91ce1..1954a0e2 100644
--- a/bind/bind9/lib/irs/include/irs/platform.h.in
+++ b/bind/bind9/lib/irs/include/irs/platform.h.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/irs/resconf.h b/bind/bind9/lib/irs/include/irs/resconf.h
index 6c0a8cce..923da940 100644
--- a/bind/bind9/lib/irs/include/irs/resconf.h
+++ b/bind/bind9/lib/irs/include/irs/resconf.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/irs/types.h b/bind/bind9/lib/irs/include/irs/types.h
index 1251e68b..5ea10a5f 100644
--- a/bind/bind9/lib/irs/include/irs/types.h
+++ b/bind/bind9/lib/irs/include/irs/types.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/include/irs/version.h b/bind/bind9/lib/irs/include/irs/version.h
index a0493746..f53bd010 100644
--- a/bind/bind9/lib/irs/include/irs/version.h
+++ b/bind/bind9/lib/irs/include/irs/version.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/resconf.c b/bind/bind9/lib/irs/resconf.c
index 7288c727..ea445b6b 100644
--- a/bind/bind9/lib/irs/resconf.c
+++ b/bind/bind9/lib/irs/resconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -606,8 +606,9 @@ irs_resconf_destroy(irs_resconf_t **confp) {
 	unsigned int i;
 
 	REQUIRE(confp != NULL);
+	REQUIRE(IRS_RESCONF_VALID((*confp)));
+
 	conf = *confp;
-	REQUIRE(IRS_RESCONF_VALID(conf));
 
 	while ((searchentry = ISC_LIST_HEAD(conf->searchlist)) != NULL) {
 		ISC_LIST_UNLINK(conf->searchlist, searchentry, link);
diff --git a/bind/bind9/lib/irs/tests/Makefile.in b/bind/bind9/lib/irs/tests/Makefile.in
index 536fa592..222b45ec 100644
--- a/bind/bind9/lib/irs/tests/Makefile.in
+++ b/bind/bind9/lib/irs/tests/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/resconf_test.c b/bind/bind9/lib/irs/tests/resconf_test.c
index 8342a923..ad790451 100644
--- a/bind/bind9/lib/irs/tests/resconf_test.c
+++ b/bind/bind9/lib/irs/tests/resconf_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/domain.conf b/bind/bind9/lib/irs/tests/testdata/domain.conf
index 6aef4738..d24e1825 100644
--- a/bind/bind9/lib/irs/tests/testdata/domain.conf
+++ b/bind/bind9/lib/irs/tests/testdata/domain.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/nameserver-v4.conf b/bind/bind9/lib/irs/tests/testdata/nameserver-v4.conf
index 871d0114..dd6aa907 100644
--- a/bind/bind9/lib/irs/tests/testdata/nameserver-v4.conf
+++ b/bind/bind9/lib/irs/tests/testdata/nameserver-v4.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/nameserver-v6.conf b/bind/bind9/lib/irs/tests/testdata/nameserver-v6.conf
index 91474627..68c8da38 100644
--- a/bind/bind9/lib/irs/tests/testdata/nameserver-v6.conf
+++ b/bind/bind9/lib/irs/tests/testdata/nameserver-v6.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/options-bad-ndots.conf b/bind/bind9/lib/irs/tests/testdata/options-bad-ndots.conf
index 5c104c74..f827c2eb 100644
--- a/bind/bind9/lib/irs/tests/testdata/options-bad-ndots.conf
+++ b/bind/bind9/lib/irs/tests/testdata/options-bad-ndots.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/options-debug.conf b/bind/bind9/lib/irs/tests/testdata/options-debug.conf
index b6e14c70..f3f0f24a 100644
--- a/bind/bind9/lib/irs/tests/testdata/options-debug.conf
+++ b/bind/bind9/lib/irs/tests/testdata/options-debug.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/options-empty.conf b/bind/bind9/lib/irs/tests/testdata/options-empty.conf
index e8b902ea..84bcb2b8 100644
--- a/bind/bind9/lib/irs/tests/testdata/options-empty.conf
+++ b/bind/bind9/lib/irs/tests/testdata/options-empty.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/options-ndots.conf b/bind/bind9/lib/irs/tests/testdata/options-ndots.conf
index 2f143e11..ff4c7e99 100644
--- a/bind/bind9/lib/irs/tests/testdata/options-ndots.conf
+++ b/bind/bind9/lib/irs/tests/testdata/options-ndots.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/options-timeout.conf b/bind/bind9/lib/irs/tests/testdata/options-timeout.conf
index e211bba1..7fd6550c 100644
--- a/bind/bind9/lib/irs/tests/testdata/options-timeout.conf
+++ b/bind/bind9/lib/irs/tests/testdata/options-timeout.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/options-unknown.conf b/bind/bind9/lib/irs/tests/testdata/options-unknown.conf
index f5df6bf3..d6748808 100644
--- a/bind/bind9/lib/irs/tests/testdata/options-unknown.conf
+++ b/bind/bind9/lib/irs/tests/testdata/options-unknown.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/options.conf b/bind/bind9/lib/irs/tests/testdata/options.conf
index 0d4dfa00..fc9e7ae8 100644
--- a/bind/bind9/lib/irs/tests/testdata/options.conf
+++ b/bind/bind9/lib/irs/tests/testdata/options.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/port.conf b/bind/bind9/lib/irs/tests/testdata/port.conf
index 04ed3e7d..6282f9e9 100644
--- a/bind/bind9/lib/irs/tests/testdata/port.conf
+++ b/bind/bind9/lib/irs/tests/testdata/port.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/resolv.conf b/bind/bind9/lib/irs/tests/testdata/resolv.conf
index ddf93ff4..5b60b3b5 100644
--- a/bind/bind9/lib/irs/tests/testdata/resolv.conf
+++ b/bind/bind9/lib/irs/tests/testdata/resolv.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/search.conf b/bind/bind9/lib/irs/tests/testdata/search.conf
index 5717006b..a07d2960 100644
--- a/bind/bind9/lib/irs/tests/testdata/search.conf
+++ b/bind/bind9/lib/irs/tests/testdata/search.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/sortlist-v4.conf b/bind/bind9/lib/irs/tests/testdata/sortlist-v4.conf
index e903e374..cba44781 100644
--- a/bind/bind9/lib/irs/tests/testdata/sortlist-v4.conf
+++ b/bind/bind9/lib/irs/tests/testdata/sortlist-v4.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/timeout.conf b/bind/bind9/lib/irs/tests/testdata/timeout.conf
index 2b87b252..9b13aa5e 100644
--- a/bind/bind9/lib/irs/tests/testdata/timeout.conf
+++ b/bind/bind9/lib/irs/tests/testdata/timeout.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/tests/testdata/unknown.conf b/bind/bind9/lib/irs/tests/testdata/unknown.conf
index bfb9d7fe..4f868e17 100644
--- a/bind/bind9/lib/irs/tests/testdata/unknown.conf
+++ b/bind/bind9/lib/irs/tests/testdata/unknown.conf
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/version.c b/bind/bind9/lib/irs/version.c
index 4e33c771..91edd477 100644
--- a/bind/bind9/lib/irs/version.c
+++ b/bind/bind9/lib/irs/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/win32/DLLMain.c b/bind/bind9/lib/irs/win32/DLLMain.c
index 8ff10175..f442c2f8 100644
--- a/bind/bind9/lib/irs/win32/DLLMain.c
+++ b/bind/bind9/lib/irs/win32/DLLMain.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/win32/Makefile.in b/bind/bind9/lib/irs/win32/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/irs/win32/Makefile.in
+++ b/bind/bind9/lib/irs/win32/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/win32/include/Makefile.in b/bind/bind9/lib/irs/win32/include/Makefile.in
index 36013315..17373910 100644
--- a/bind/bind9/lib/irs/win32/include/Makefile.in
+++ b/bind/bind9/lib/irs/win32/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/win32/include/irs/Makefile.in b/bind/bind9/lib/irs/win32/include/irs/Makefile.in
index f73058fb..cb6e6469 100644
--- a/bind/bind9/lib/irs/win32/include/irs/Makefile.in
+++ b/bind/bind9/lib/irs/win32/include/irs/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/win32/include/irs/netdb.h b/bind/bind9/lib/irs/win32/include/irs/netdb.h
index 9e0fc72a..4abab6f4 100644
--- a/bind/bind9/lib/irs/win32/include/irs/netdb.h
+++ b/bind/bind9/lib/irs/win32/include/irs/netdb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/win32/include/irs/platform.h b/bind/bind9/lib/irs/win32/include/irs/platform.h
index 78c91ce1..1954a0e2 100644
--- a/bind/bind9/lib/irs/win32/include/irs/platform.h
+++ b/bind/bind9/lib/irs/win32/include/irs/platform.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/irs/win32/libirs.vcxproj.in b/bind/bind9/lib/irs/win32/libirs.vcxproj.in
index 88051eb2..5e89bd07 100644
--- a/bind/bind9/lib/irs/win32/libirs.vcxproj.in
+++ b/bind/bind9/lib/irs/win32/libirs.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBIRS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\isccfg\include;..\..\dns\include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/irs/win32/version.c b/bind/bind9/lib/irs/win32/version.c
index 198e12d5..55e6ffa4 100644
--- a/bind/bind9/lib/irs/win32/version.c
+++ b/bind/bind9/lib/irs/win32/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/Makefile.in b/bind/bind9/lib/isc/Makefile.in
index 0fd08379..7e3e9ce2 100644
--- a/bind/bind9/lib/isc/Makefile.in
+++ b/bind/bind9/lib/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -62,7 +62,7 @@ OBJS =		@ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
 		rwlock.@O@ \
 		safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
 		string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
-		tm.@O@ timer.@O@ version.@O@ \
+		tm.@O@ timer.@O@ utf8.@O@ version.@O@ \
 		${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
 SYMTBLOBJS =	backtrace-emptytbl.@O@
 
@@ -81,7 +81,7 @@ SRCS =		@ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
 		ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
 		safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
 		strtoul.c symtab.c task.c taskpool.c timer.c \
-		tm.c version.c
+		tm.c utf8.c version.c
 
 LIBS =		@ISC_OPENSSL_LIBS@ @LIBS@
 
diff --git a/bind/bind9/lib/isc/aes.c b/bind/bind9/lib/isc/aes.c
index 2ca07f6a..54dc245d 100644
--- a/bind/bind9/lib/isc/aes.c
+++ b/bind/bind9/lib/isc/aes.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/alpha/Makefile.in b/bind/bind9/lib/isc/alpha/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/isc/alpha/Makefile.in
+++ b/bind/bind9/lib/isc/alpha/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/alpha/include/Makefile.in b/bind/bind9/lib/isc/alpha/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/alpha/include/Makefile.in
+++ b/bind/bind9/lib/isc/alpha/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/alpha/include/isc/Makefile.in b/bind/bind9/lib/isc/alpha/include/isc/Makefile.in
index 97b6b417..452877db 100644
--- a/bind/bind9/lib/isc/alpha/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/alpha/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/alpha/include/isc/atomic.h b/bind/bind9/lib/isc/alpha/include/isc/atomic.h
index e704fef0..1fea8c23 100644
--- a/bind/bind9/lib/isc/alpha/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/alpha/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/api b/bind/bind9/lib/isc/api
index d94b0e60..4237de11 100644
--- a/bind/bind9/lib/isc/api
+++ b/bind/bind9/lib/isc/api
@@ -8,6 +8,6 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-LIBINTERFACE = 1104
-LIBREVISION = 2
+LIBINTERFACE = 1107
+LIBREVISION = 7
 LIBAGE = 0
diff --git a/bind/bind9/lib/isc/app_api.c b/bind/bind9/lib/isc/app_api.c
index 4fcd2ec9..f3e62504 100644
--- a/bind/bind9/lib/isc/app_api.c
+++ b/bind/bind9/lib/isc/app_api.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/assertions.c b/bind/bind9/lib/isc/assertions.c
index b52342eb..ece5a587 100644
--- a/bind/bind9/lib/isc/assertions.c
+++ b/bind/bind9/lib/isc/assertions.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -86,7 +86,7 @@ isc_assertion_typetotext(isc_assertiontype_t type) {
 		result = "INVARIANT";
 		break;
 	default:
-		result = NULL;
+		result = "UNKNOWN";
 	}
 	return (result);
 }
diff --git a/bind/bind9/lib/isc/backtrace-emptytbl.c b/bind/bind9/lib/isc/backtrace-emptytbl.c
index 5822cfb1..6e648d33 100644
--- a/bind/bind9/lib/isc/backtrace-emptytbl.c
+++ b/bind/bind9/lib/isc/backtrace-emptytbl.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/backtrace.c b/bind/bind9/lib/isc/backtrace.c
index 0ea14551..08c0689b 100644
--- a/bind/bind9/lib/isc/backtrace.c
+++ b/bind/bind9/lib/isc/backtrace.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -43,7 +43,7 @@
  */
 #ifdef HAVE_LIBCTRACE
 #define BACKTRACE_LIBC
-#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__ia64__))
+#elif defined(HAVE_UNWIND_BACKTRACE)
 #define BACKTRACE_GCC
 #elif defined(WIN32)
 #define BACKTRACE_WIN32
@@ -135,7 +135,9 @@ isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
 #ifdef __x86_64__
 static unsigned long
 getrbp(void) {
-	__asm("movq %rbp, %rax\n");
+	unsigned long rbp;
+	__asm("movq %%rbp, %0\n" : "=r"(rbp));
+	return rbp;
 }
 #endif
 
diff --git a/bind/bind9/lib/isc/base32.c b/bind/bind9/lib/isc/base32.c
index 557b543e..2e639371 100644
--- a/bind/bind9/lib/isc/base32.c
+++ b/bind/bind9/lib/isc/base32.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -169,65 +169,75 @@ base32_decode_char(base32_decode_ctx_t *ctx, int c) {
 	const char *s;
 	unsigned int last;
 
-	if (ctx->seen_end)
+	if (ctx->seen_end) {
 		return (ISC_R_BADBASE32);
-	if ((s = strchr(ctx->base, c)) == NULL)
+	}
+	if ((s = strchr(ctx->base, c)) == NULL) {
 		return (ISC_R_BADBASE32);
+	}
 	last = (unsigned int)(s - ctx->base);
 
 	/*
 	 * Handle lower case.
 	 */
-	if (last > 32)
+	if (last > 32) {
 		last -= 33;
+	}
 
 	/*
 	 * Check that padding is contiguous.
 	 */
-	if (last != 32 && ctx->seen_32 != 0)
+	if (last != 32 && ctx->seen_32 != 0) {
 		return (ISC_R_BADBASE32);
+	}
 
 	/*
 	 * If padding is not permitted flag padding as a error.
 	 */
-	if (last == 32 && !ctx->pad)
+	if (last == 32 && !ctx->pad) {
 		return (ISC_R_BADBASE32);
+	}
 
 	/*
 	 * Check that padding starts at the right place and that
 	 * bits that should be zero are.
 	 * Record how many significant bytes in answer (seen_32).
 	 */
-	if (last == 32 && ctx->seen_32 == 0)
+	if (last == 32 && ctx->seen_32 == 0) {
 		switch (ctx->digits) {
 		case 0:
 		case 1:
 			return (ISC_R_BADBASE32);
 		case 2:
-			if ((ctx->val[1]&0x03) != 0)
+			if ((ctx->val[1]&0x03) != 0) {
 				return (ISC_R_BADBASE32);
+			}
 			ctx->seen_32 = 1;
 			break;
 		case 3:
 			return (ISC_R_BADBASE32);
 		case 4:
-			if ((ctx->val[3]&0x0f) != 0)
+			if ((ctx->val[3]&0x0f) != 0) {
 				return (ISC_R_BADBASE32);
-			ctx->seen_32 = 3;
+			}
+			ctx->seen_32 = 2;
 			break;
 		case 5:
-			if ((ctx->val[4]&0x01) != 0)
+			if ((ctx->val[4]&0x01) != 0) {
 				return (ISC_R_BADBASE32);
+			}
 			ctx->seen_32 = 3;
 			break;
 		case 6:
 			return (ISC_R_BADBASE32);
 		case 7:
-			if ((ctx->val[6]&0x07) != 0)
+			if ((ctx->val[6]&0x07) != 0) {
 				return (ISC_R_BADBASE32);
+			}
 			ctx->seen_32 = 4;
 			break;
 		}
+	}
 
 	/*
 	 * Zero fill pad values.
@@ -249,10 +259,11 @@ base32_decode_char(base32_decode_ctx_t *ctx, int c) {
 		buf[4] = (ctx->val[6]<<5)|(ctx->val[7]);
 		RETERR(mem_tobuffer(ctx->target, buf, n));
 		if (ctx->length >= 0) {
-			if (n > ctx->length)
+			if (n > ctx->length) {
 				return (ISC_R_BADBASE32);
-			else
+			} else {
 				ctx->length -= n;
+			}
 		}
 		ctx->digits = 0;
 	}
diff --git a/bind/bind9/lib/isc/base64.c b/bind/bind9/lib/isc/base64.c
index 1eaf0141..9fb20b2c 100644
--- a/bind/bind9/lib/isc/base64.c
+++ b/bind/bind9/lib/isc/base64.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/bind9.c b/bind/bind9/lib/isc/bind9.c
index e5b2fefc..a9bfdfd8 100644
--- a/bind/bind9/lib/isc/bind9.c
+++ b/bind/bind9/lib/isc/bind9.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/buffer.c b/bind/bind9/lib/isc/buffer.c
index 337f50c0..fe809b23 100644
--- a/bind/bind9/lib/isc/buffer.c
+++ b/bind/bind9/lib/isc/buffer.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/bufferlist.c b/bind/bind9/lib/isc/bufferlist.c
index f6ebdea6..e373685b 100644
--- a/bind/bind9/lib/isc/bufferlist.c
+++ b/bind/bind9/lib/isc/bufferlist.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/commandline.c b/bind/bind9/lib/isc/commandline.c
index efee967a..e79fb2ef 100644
--- a/bind/bind9/lib/isc/commandline.c
+++ b/bind/bind9/lib/isc/commandline.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/counter.c b/bind/bind9/lib/isc/counter.c
index 8c700518..317c96e1 100644
--- a/bind/bind9/lib/isc/counter.c
+++ b/bind/bind9/lib/isc/counter.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -77,9 +77,15 @@ isc_counter_increment(isc_counter_t *counter) {
 
 unsigned int
 isc_counter_used(isc_counter_t *counter) {
+	unsigned int used;
+
 	REQUIRE(VALID_COUNTER(counter));
 
-	return (counter->used);
+	LOCK(&counter->lock);
+	used = counter->used;
+	UNLOCK(&counter->lock);
+
+	return (used);
 }
 
 void
diff --git a/bind/bind9/lib/isc/crc64.c b/bind/bind9/lib/isc/crc64.c
index 1db2d5d5..9e85df75 100644
--- a/bind/bind9/lib/isc/crc64.c
+++ b/bind/bind9/lib/isc/crc64.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/entropy.c b/bind/bind9/lib/isc/entropy.c
index ab2f6170..0c1f3edf 100644
--- a/bind/bind9/lib/isc/entropy.c
+++ b/bind/bind9/lib/isc/entropy.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -527,7 +527,7 @@ get_from_callback(isc_entropysource_t *source, unsigned int desired,
  * Extract some number of bytes from the random pool, decreasing the
  * estimate of randomness as each byte is extracted.
  *
- * Do this by stiring the pool and returning a part of hash as randomness.
+ * Do this by stirring the pool and returning a part of hash as randomness.
  * Note that no secrets are given away here since parts of the hash are
  * xored together before returned.
  *
diff --git a/bind/bind9/lib/isc/error.c b/bind/bind9/lib/isc/error.c
index b0fe500a..34a36678 100644
--- a/bind/bind9/lib/isc/error.c
+++ b/bind/bind9/lib/isc/error.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/event.c b/bind/bind9/lib/isc/event.c
index 500b6fdc..abe923b8 100644
--- a/bind/bind9/lib/isc/event.c
+++ b/bind/bind9/lib/isc/event.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -89,8 +89,9 @@ isc_event_free(isc_event_t **eventp) {
 	isc_event_t *event;
 
 	REQUIRE(eventp != NULL);
+	REQUIRE((*eventp) != NULL);
+
 	event = *eventp;
-	REQUIRE(event != NULL);
 
 	REQUIRE(!ISC_LINK_LINKED(event, ev_link));
 	REQUIRE(!ISC_LINK_LINKED(event, ev_ratelink));
diff --git a/bind/bind9/lib/isc/fsaccess.c b/bind/bind9/lib/isc/fsaccess.c
index deaffd8b..178c819b 100644
--- a/bind/bind9/lib/isc/fsaccess.c
+++ b/bind/bind9/lib/isc/fsaccess.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/hash.c b/bind/bind9/lib/isc/hash.c
index 54be2fa8..e137f9be 100644
--- a/bind/bind9/lib/isc/hash.c
+++ b/bind/bind9/lib/isc/hash.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/heap.c b/bind/bind9/lib/isc/heap.c
index 22fa81ca..fa4a4ed7 100644
--- a/bind/bind9/lib/isc/heap.c
+++ b/bind/bind9/lib/isc/heap.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -115,8 +115,9 @@ isc_heap_destroy(isc_heap_t **heapp) {
 	isc_heap_t *heap;
 
 	REQUIRE(heapp != NULL);
+	REQUIRE(VALID_HEAP((*heapp)));
+
 	heap = *heapp;
-	REQUIRE(VALID_HEAP(heap));
 
 	if (heap->array != NULL)
 		isc_mem_put(heap->mctx, heap->array,
diff --git a/bind/bind9/lib/isc/hex.c b/bind/bind9/lib/isc/hex.c
index d19dc154..358ef293 100644
--- a/bind/bind9/lib/isc/hex.c
+++ b/bind/bind9/lib/isc/hex.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/hmacmd5.c b/bind/bind9/lib/isc/hmacmd5.c
index 2e72c4db..f7319675 100644
--- a/bind/bind9/lib/isc/hmacmd5.c
+++ b/bind/bind9/lib/isc/hmacmd5.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/hmacsha.c b/bind/bind9/lib/isc/hmacsha.c
index 2839f4f1..0b95249a 100644
--- a/bind/bind9/lib/isc/hmacsha.c
+++ b/bind/bind9/lib/isc/hmacsha.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 /*
  * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
  * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and
diff --git a/bind/bind9/lib/isc/ht.c b/bind/bind9/lib/isc/ht.c
index 0b85c819..3234ea80 100644
--- a/bind/bind9/lib/isc/ht.c
+++ b/bind/bind9/lib/isc/ht.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -93,10 +93,9 @@ isc_ht_destroy(isc_ht_t **htp) {
 	size_t i;
 
 	REQUIRE(htp != NULL);
+	REQUIRE(ISC_HT_VALID((*htp)));
 
 	ht = *htp;
-	REQUIRE(ISC_HT_VALID(ht));
-
 	ht->magic = 0;
 
 	for (i = 0; i < ht->size; i++) {
diff --git a/bind/bind9/lib/isc/httpd.c b/bind/bind9/lib/isc/httpd.c
index ecd322a6..1a5520b2 100644
--- a/bind/bind9/lib/isc/httpd.c
+++ b/bind/bind9/lib/isc/httpd.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -22,6 +22,7 @@
 #include <isc/httpd.h>
 #include <isc/mem.h>
 #include <isc/print.h>
+#include <isc/refcount.h>
 #include <isc/socket.h>
 #include <isc/string.h>
 #include <isc/task.h>
@@ -35,9 +36,6 @@
 /*%
  * TODO:
  *
- *  o  Put in better checks to make certain things are passed in correctly.
- *     This includes a magic number for externally-visible structures,
- *     checking for NULL-ness before dereferencing, etc.
  *  o  Make the URL processing external functions which will fill-in a buffer
  *     structure we provide, or return an error and we will render a generic
  *     page and close the client.
@@ -46,16 +44,6 @@
 #define MSHUTTINGDOWN(cm) ((cm->flags & ISC_HTTPDMGR_FLAGSHUTTINGDOWN) != 0)
 #define MSETSHUTTINGDOWN(cm) (cm->flags |= ISC_HTTPDMGR_FLAGSHUTTINGDOWN)
 
-#ifdef DEBUG_HTTPD
-#define ENTER(x) do { fprintf(stderr, "ENTER %s\n", (x)); } while (0)
-#define EXIT(x) do { fprintf(stderr, "EXIT %s\n", (x)); } while (0)
-#define NOTICE(x) do { fprintf(stderr, "NOTICE %s\n", (x)); } while (0)
-#else
-#define ENTER(x) do { } while(0)
-#define EXIT(x) do { } while(0)
-#define NOTICE(x) do { } while(0)
-#endif
-
 #define HTTP_RECVLEN			1024
 #define HTTP_SENDGROW			1024
 #define HTTP_SEND_MAXLEN		10240
@@ -63,10 +51,19 @@
 #define HTTPD_CLOSE		0x0001 /* Got a Connection: close header */
 #define HTTPD_FOUNDHOST		0x0002 /* Got a Host: header */
 #define HTTPD_KEEPALIVE		0x0004 /* Got a Connection: Keep-Alive */
-#define HTTPD_ACCEPT_DEFLATE   0x0008
+#define HTTPD_ACCEPT_DEFLATE	0x0008
+
+#define HTTPD_MAGIC		ISC_MAGIC('H', 't', 'p', 'd')
+#define VALID_HTTPD(m)		ISC_MAGIC_VALID(m, HTTPD_MAGIC)
+
+#define HTTPDMGR_MAGIC		ISC_MAGIC('H', 'p', 'd', 'm')
+#define VALID_HTTPDMGR(m)	ISC_MAGIC_VALID(m, HTTPDMGR_MAGIC)
+
 
 /*% http client */
 struct isc_httpd {
+	unsigned int		magic;		/* HTTPD_MAGIC */
+	isc_refcount_t		references;
 	isc_httpdmgr_t	       *mgr;		/*%< our parent */
 	ISC_LINK(isc_httpd_t)	link;
 	unsigned int		state;
@@ -98,8 +95,8 @@ struct isc_httpd {
 	 * to the client.
 	 *
 	 * The bufflist is the list of buffers we are currently transmitting.
-	 * The headerbuffer is where we render our headers to.  If we run out of
-	 * space when rendering a header, we will change the size of our
+	 * The headerbuffer is where we render our headers to.  If we run out
+	 * of space when rendering a header, we will change the size of our
 	 * buffer.  We will not free it until we are finished, and will
 	 * allocate an additional HTTP_SENDGROW bytes per header space grow.
 	 *
@@ -128,6 +125,8 @@ struct isc_httpd {
 
 /*% lightweight socket manager for httpd output */
 struct isc_httpdmgr {
+	unsigned int		magic;		/* HTTPDMGR_MAGIC */
+	isc_refcount_t		references;
 	isc_mem_t	       *mctx;
 	isc_socket_t	       *sock;		/*%< listening socket */
 	isc_task_t	       *task;		/*%< owning task */
@@ -205,48 +204,132 @@ struct isc_httpdmgr {
 static void isc_httpd_accept(isc_task_t *, isc_event_t *);
 static void isc_httpd_recvdone(isc_task_t *, isc_event_t *);
 static void isc_httpd_senddone(isc_task_t *, isc_event_t *);
-static void destroy_client(isc_httpd_t **);
 static isc_result_t process_request(isc_httpd_t *, int);
-static void httpdmgr_destroy(isc_httpdmgr_t *);
 static isc_result_t grow_headerspace(isc_httpd_t *);
 static void reset_client(isc_httpd_t *httpd);
 
 static isc_httpdaction_t render_404;
 static isc_httpdaction_t render_500;
 
+#if ENABLE_AFL
 static void (*finishhook)(void) = NULL;
+#endif /* ENABLE_AFL */
+
+static void maybe_destroy_httpd(isc_httpd_t *);
+static void destroy_httpd(isc_httpd_t *);
+static void maybe_destroy_httpdmgr(isc_httpdmgr_t *);
+static void destroy_httpdmgr(isc_httpdmgr_t *);
 
 static void
-destroy_client(isc_httpd_t **httpdp) {
-	isc_httpd_t *httpd = *httpdp;
-	isc_httpdmgr_t *httpdmgr = httpd->mgr;
+isc_httpdmgr_attach(isc_httpdmgr_t *, isc_httpdmgr_t **);
+static void
+isc_httpdmgr_detach(isc_httpdmgr_t **);
+
+static void
+maybe_destroy_httpd(isc_httpd_t *httpd) {
+	unsigned int refs;
+
+	isc_refcount_decrement(&httpd->references, &refs);
+	if (refs == 0) {
+		destroy_httpd(httpd);
+	}
+}
+
+static inline void
+free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
 	isc_region_t r;
 
-	*httpdp = NULL;
+	isc_buffer_region(buffer, &r);
+	if (r.length > 0) {
+		isc_mem_put(mctx, r.base, r.length);
+	}
+}
+
+static void
+destroy_httpd(isc_httpd_t *httpd) {
+	isc_httpdmgr_t *httpdmgr;
+
+	REQUIRE(VALID_HTTPD(httpd));
+
+	httpdmgr = httpd->mgr;
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
 
+	/*
+	 * Unlink before calling isc_socket_detach so
+	 * isc_httpdmgr_shutdown does not dereference a NULL pointer
+	 * when calling isc_socket_cancel().
+	 */
 	LOCK(&httpdmgr->lock);
+	ISC_LIST_UNLINK(httpdmgr->running, httpd, link);
+	UNLOCK(&httpdmgr->lock);
 
+	httpd->magic = 0;
+	isc_refcount_destroy(&httpd->references);
 	isc_socket_detach(&httpd->sock);
-	ISC_LIST_UNLINK(httpdmgr->running, httpd, link);
 
-	isc_buffer_region(&httpd->headerbuffer, &r);
-	if (r.length > 0) {
-		isc_mem_put(httpdmgr->mctx, r.base, r.length);
+
+	free_buffer(httpdmgr->mctx, &httpd->headerbuffer);
+	free_buffer(httpdmgr->mctx, &httpd->compbuffer);
+
+	isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+
+#if ENABLE_AFL
+	if (finishhook != NULL) {
+		finishhook();
 	}
+#endif /* ENABLE_AFL */
 
-	isc_buffer_region(&httpd->compbuffer, &r);
-	if (r.length > 0) {
-		isc_mem_put(httpdmgr->mctx, r.base, r.length);
+	isc_httpdmgr_detach(&httpdmgr);
+}
+
+static inline isc_result_t
+httpdmgr_socket_accept(isc_task_t *task, isc_httpdmgr_t* httpdmgr)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+
+	/* decremented in isc_httpd_accept */
+	isc_refcount_increment(&httpdmgr->references, NULL);
+	result = isc_socket_accept(httpdmgr->sock, task, isc_httpd_accept,
+				   httpdmgr);
+	if (result != ISC_R_SUCCESS) {
+		unsigned int refs;
+		isc_refcount_decrement(&httpdmgr->references, &refs);
+		INSIST(refs > 0);
 	}
+	return (result);
+}
 
-	isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+static inline void
+httpd_socket_recv(isc_httpd_t *httpd, isc_region_t *region, isc_task_t *task)
+{
+	isc_result_t result = ISC_R_SUCCESS;
 
-	UNLOCK(&httpdmgr->lock);
+	/* decremented in isc_httpd_recvdone */
+	isc_refcount_increment(&httpd->references, NULL);
+	result = isc_socket_recv(httpd->sock, region, 1, task,
+				 isc_httpd_recvdone, httpd);
+	if (result != ISC_R_SUCCESS) {
+		unsigned int refs;
+		isc_refcount_decrement(&httpd->references, &refs);
+		INSIST(refs > 0);
+	}
+}
 
-	if (finishhook != NULL)
-		finishhook();
+static inline isc_result_t
+httpd_socket_send(isc_httpd_t *httpd, isc_task_t *task)
+{
+	isc_result_t result = ISC_R_SUCCESS;
 
-	httpdmgr_destroy(httpdmgr);
+	/* decremented in isc_httpd_senddone */
+	isc_refcount_increment(&httpd->references, NULL);
+	result = isc_socket_sendv(httpd->sock, &httpd->bufflist, task,
+				 isc_httpd_senddone, httpd);
+	if (result != ISC_R_SUCCESS) {
+		unsigned int refs;
+		isc_refcount_decrement(&httpd->references, &refs);
+		INSIST(refs > 0);
+	}
+	return (result);
 }
 
 isc_result_t
@@ -257,6 +340,7 @@ isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
 {
 	isc_result_t result;
 	isc_httpdmgr_t *httpdmgr;
+	unsigned int refs;
 
 	REQUIRE(mctx != NULL);
 	REQUIRE(sock != NULL);
@@ -268,26 +352,29 @@ isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
 	if (httpdmgr == NULL)
 		return (ISC_R_NOMEMORY);
 
+	*httpdmgr = (isc_httpdmgr_t){
+		.timermgr = tmgr, /* XXXMLG no attach function? */
+		.client_ok = client_ok,
+		.ondestroy = ondestroy,
+		.cb_arg = cb_arg,
+		.render_404 = render_404,
+		.render_500 = render_500
+	};
+
 	result = isc_mutex_init(&httpdmgr->lock);
 	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mctx, httpdmgr, sizeof(isc_httpdmgr_t));
 		return (result);
 	}
-	httpdmgr->mctx = NULL;
 	isc_mem_attach(mctx, &httpdmgr->mctx);
-	httpdmgr->sock = NULL;
 	isc_socket_attach(sock, &httpdmgr->sock);
-	httpdmgr->task = NULL;
 	isc_task_attach(task, &httpdmgr->task);
-	httpdmgr->timermgr = tmgr; /* XXXMLG no attach function? */
-	httpdmgr->client_ok = client_ok;
-	httpdmgr->ondestroy = ondestroy;
-	httpdmgr->cb_arg = cb_arg;
-	httpdmgr->flags = 0;
 
 	ISC_LIST_INIT(httpdmgr->running);
 	ISC_LIST_INIT(httpdmgr->urls);
 
+	isc_refcount_init(&httpdmgr->references, 1);
+
 	/* XXXMLG ignore errors on isc_socket_listen() */
 	result = isc_socket_listen(sock, SOMAXCONN);
 	if (result != ISC_R_SUCCESS) {
@@ -299,17 +386,21 @@ isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
 
 	(void)isc_socket_filter(sock, "httpready");
 
-	result = isc_socket_accept(sock, task, isc_httpd_accept, httpdmgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
+	httpdmgr->magic = HTTPDMGR_MAGIC;
 
-	httpdmgr->render_404 = render_404;
-	httpdmgr->render_500 = render_500;
+	result = httpdmgr_socket_accept(task, httpdmgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
 
 	*httpdmgrp = httpdmgr;
 	return (ISC_R_SUCCESS);
 
   cleanup:
+	httpdmgr->magic = 0;
+	isc_refcount_decrement(&httpdmgr->references, &refs);
+	INSIST(refs == 0);
+	isc_refcount_destroy(&httpdmgr->references);
 	isc_task_detach(&httpdmgr->task);
 	isc_socket_detach(&httpdmgr->sock);
 	isc_mem_detach(&httpdmgr->mctx);
@@ -319,30 +410,47 @@ isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
 }
 
 static void
-httpdmgr_destroy(isc_httpdmgr_t *httpdmgr) {
-	isc_mem_t *mctx;
-	isc_httpdurl_t *url;
+isc_httpdmgr_attach(isc_httpdmgr_t *source, isc_httpdmgr_t **targetp) {
+	REQUIRE(VALID_HTTPDMGR(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
 
-	ENTER("httpdmgr_destroy");
+	isc_refcount_increment(&source->references, NULL);
 
-	LOCK(&httpdmgr->lock);
+	*targetp = source;
+}
 
-	if (!MSHUTTINGDOWN(httpdmgr)) {
-		NOTICE("httpdmgr_destroy not shutting down yet");
-		UNLOCK(&httpdmgr->lock);
-		return;
-	}
+static void
+isc_httpdmgr_detach(isc_httpdmgr_t **httpdmgrp) {
+	isc_httpdmgr_t *httpdmgr;
+	REQUIRE(httpdmgrp != NULL && VALID_HTTPDMGR(*httpdmgrp));
+	httpdmgr = *httpdmgrp;
+	*httpdmgrp = NULL;
 
-	/*
-	 * If all clients are not shut down, don't do anything yet.
-	 */
-	if (!ISC_LIST_EMPTY(httpdmgr->running)) {
-		NOTICE("httpdmgr_destroy clients still active");
-		UNLOCK(&httpdmgr->lock);
-		return;
+	maybe_destroy_httpdmgr(httpdmgr);
+}
+
+static void
+maybe_destroy_httpdmgr(isc_httpdmgr_t *httpdmgr) {
+	unsigned int refs;
+
+	isc_refcount_decrement(&httpdmgr->references, &refs);
+	if (refs == 0) {
+		destroy_httpdmgr(httpdmgr);
 	}
+}
+
+static void
+destroy_httpdmgr(isc_httpdmgr_t *httpdmgr) {
+	isc_httpdurl_t *url;
 
-	NOTICE("httpdmgr_destroy detaching socket, task, and timermgr");
+	isc_refcount_destroy(&httpdmgr->references);
+
+	LOCK(&httpdmgr->lock);
+
+	httpdmgr->magic = 0;
+
+	INSIST(MSHUTTINGDOWN(httpdmgr));
+	INSIST(ISC_LIST_EMPTY(httpdmgr->running));
 
 	isc_socket_detach(&httpdmgr->sock);
 	isc_task_detach(&httpdmgr->task);
@@ -363,13 +471,10 @@ httpdmgr_destroy(isc_httpdmgr_t *httpdmgr) {
 	UNLOCK(&httpdmgr->lock);
 	(void)isc_mutex_destroy(&httpdmgr->lock);
 
-	if (httpdmgr->ondestroy != NULL)
+	if (httpdmgr->ondestroy != NULL) {
 		(httpdmgr->ondestroy)(httpdmgr->cb_arg);
-
-	mctx = httpdmgr->mctx;
-	isc_mem_putanddetach(&mctx, httpdmgr, sizeof(isc_httpdmgr_t));
-
-	EXIT("httpdmgr_destroy");
+	}
+	isc_mem_putanddetach(&httpdmgr->mctx, httpdmgr, sizeof(isc_httpdmgr_t));
 }
 
 #define LENGTHOK(s) (httpd->recvbuf - (s) < (int)httpd->recvlen)
@@ -448,8 +553,6 @@ process_request(isc_httpd_t *httpd, int length) {
 	char *p;
 	int delim;
 
-	ENTER("request");
-
 	httpd->recvlen += length;
 
 	httpd->recvbuf[httpd->recvlen] = 0;
@@ -599,37 +702,80 @@ process_request(isc_httpd_t *httpd, int length) {
 	    && ((httpd->flags & HTTPD_FOUNDHOST) == 0))
 		return (ISC_R_RANGE);
 
-	EXIT("request");
-
 	return (ISC_R_SUCCESS);
 }
 
 static void
+isc_httpd_create(isc_httpdmgr_t *httpdmgr, isc_socket_t *sock,
+		 isc_httpd_t **httpdp)
+{
+	isc_httpd_t *httpd;
+	char *headerdata;
+
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
+	REQUIRE(httpdp != NULL && *httpdp == NULL);
+
+	httpd = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpd_t));
+	if (httpd == NULL) {
+		return;
+	}
+
+	*httpd = (isc_httpd_t){
+		.sock = sock
+	};
+
+	isc_httpdmgr_attach(httpdmgr, &httpd->mgr);
+
+	isc_refcount_init(&httpd->references, 1);
+	ISC_HTTPD_SETRECV(httpd);
+	isc_socket_setname(httpd->sock, "httpd", NULL);
+
+	/*
+	 * Initialize the buffer for our headers.
+	 */
+	headerdata = isc_mem_get(httpdmgr->mctx, HTTP_SENDGROW);
+	if (headerdata == NULL) {
+		maybe_destroy_httpdmgr(httpd->mgr);
+		isc_refcount_decrement(&httpd->references, NULL);
+		isc_refcount_destroy(&httpd->references);
+		isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+		return;
+	}
+	isc_buffer_init(&httpd->headerbuffer, headerdata, HTTP_SENDGROW);
+
+	isc_buffer_initnull(&httpd->compbuffer);
+	isc_buffer_initnull(&httpd->bodybuffer);
+	reset_client(httpd);
+
+	ISC_LINK_INIT(httpd, link);
+	ISC_LIST_APPEND(httpdmgr->running, httpd, link);
+
+	httpd->magic = HTTPD_MAGIC;
+
+	*httpdp = httpd;
+}
+
+static void
 isc_httpd_accept(isc_task_t *task, isc_event_t *ev) {
-	isc_result_t result;
 	isc_httpdmgr_t *httpdmgr = ev->ev_arg;
-	isc_httpd_t *httpd;
+	isc_httpd_t *httpd = NULL;
 	isc_region_t r;
 	isc_socket_newconnev_t *nev = (isc_socket_newconnev_t *)ev;
 	isc_sockaddr_t peeraddr;
-	char *headerdata;
 
-	ENTER("accept");
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
 
 	LOCK(&httpdmgr->lock);
 	if (MSHUTTINGDOWN(httpdmgr)) {
-		NOTICE("accept shutting down, goto out");
 		goto out;
 	}
 
 	if (nev->result == ISC_R_CANCELED) {
-		NOTICE("accept canceled, goto out");
 		goto out;
 	}
 
 	if (nev->result != ISC_R_SUCCESS) {
 		/* XXXMLG log failure */
-		NOTICE("accept returned failure, goto requeue");
 		goto requeue;
 	}
 
@@ -640,63 +786,29 @@ isc_httpd_accept(isc_task_t *task, isc_event_t *ev) {
 		goto requeue;
 	}
 
-	httpd = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpd_t));
+	isc_httpd_create(httpdmgr, nev->newsocket, &httpd);
 	if (httpd == NULL) {
-		/* XXXMLG log failure */
-		NOTICE("accept failed to allocate memory, goto requeue");
-		isc_socket_detach(&nev->newsocket);
-		goto requeue;
-	}
-
-	httpd->mgr = httpdmgr;
-	ISC_LINK_INIT(httpd, link);
-	ISC_LIST_APPEND(httpdmgr->running, httpd, link);
-	ISC_HTTPD_SETRECV(httpd);
-	httpd->sock = nev->newsocket;
-	isc_socket_setname(httpd->sock, "httpd", NULL);
-	httpd->flags = 0;
-
-	/*
-	 * Initialize the buffer for our headers.
-	 */
-	headerdata = isc_mem_get(httpdmgr->mctx, HTTP_SENDGROW);
-	if (headerdata == NULL) {
-		isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
 		isc_socket_detach(&nev->newsocket);
 		goto requeue;
 	}
-	isc_buffer_init(&httpd->headerbuffer, headerdata, HTTP_SENDGROW);
-
-	ISC_LIST_INIT(httpd->bufflist);
-
-	isc_buffer_initnull(&httpd->compbuffer);
-	isc_buffer_initnull(&httpd->bodybuffer);
-	reset_client(httpd);
 
 	r.base = (unsigned char *)httpd->recvbuf;
 	r.length = HTTP_RECVLEN - 1;
-	result = isc_socket_recv(httpd->sock, &r, 1, task, isc_httpd_recvdone,
-				 httpd);
-	/* FIXME!!! */
-	POST(result);
-	NOTICE("accept queued recv on socket");
+
+	httpd_socket_recv(httpd, &r, task);
 
  requeue:
-	result = isc_socket_accept(httpdmgr->sock, task, isc_httpd_accept,
-				   httpdmgr);
-	if (result != ISC_R_SUCCESS) {
-		/* XXXMLG what to do?  Log failure... */
-		NOTICE("accept could not reaccept due to failure");
-	}
+	(void)httpdmgr_socket_accept(task, httpdmgr);
 
  out:
 	UNLOCK(&httpdmgr->lock);
 
-	httpdmgr_destroy(httpdmgr);
+	if (httpd != NULL) {
+		maybe_destroy_httpd(httpd);
+	}
+	maybe_destroy_httpdmgr(httpdmgr);
 
 	isc_event_free(&ev);
-
-	EXIT("accept");
 }
 
 static isc_result_t
@@ -849,30 +961,25 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
 	bool is_compressed = false;
 	char datebuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
 
-	ENTER("recv");
+	REQUIRE(VALID_HTTPD(httpd));
 
 	INSIST(ISC_HTTPD_ISRECV(httpd));
 
 	if (sev->result != ISC_R_SUCCESS) {
-		NOTICE("recv destroying client");
-		destroy_client(&httpd);
 		goto out;
 	}
 
 	result = process_request(httpd, sev->n);
 	if (result == ISC_R_NOTFOUND) {
 		if (httpd->recvlen >= HTTP_RECVLEN - 1) {
-			destroy_client(&httpd);
 			goto out;
 		}
 		r.base = (unsigned char *)httpd->recvbuf + httpd->recvlen;
 		r.length = HTTP_RECVLEN - httpd->recvlen - 1;
-		/* check return code? */
-		(void)isc_socket_recv(httpd->sock, &r, 1, task,
-				      isc_httpd_recvdone, httpd);
+
+		httpd_socket_recv(httpd, &r, task);
 		goto out;
 	} else if (result != ISC_R_SUCCESS) {
-		destroy_client(&httpd);
 		goto out;
 	}
 
@@ -885,13 +992,16 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
 	isc_buffer_initnull(&httpd->bodybuffer);
 	isc_time_now(&now);
 	isc_time_formathttptimestamp(&now, datebuf, sizeof(datebuf));
+	LOCK(&httpd->mgr->lock);
 	url = ISC_LIST_HEAD(httpd->mgr->urls);
 	while (url != NULL) {
 		if (strcmp(httpd->url, url->url) == 0)
 			break;
 		url = ISC_LIST_NEXT(url, link);
 	}
-	if (url == NULL)
+	UNLOCK(&httpd->mgr->lock);
+
+	if (url == NULL) {
 		result = httpd->mgr->render_404(httpd->url, NULL,
 						httpd->querystring,
 						NULL, NULL,
@@ -901,7 +1011,7 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
 						&httpd->bodybuffer,
 						&httpd->freecb,
 						&httpd->freecb_arg);
-	else
+	} else {
 		result = url->action(httpd->url, url,
 				     httpd->querystring,
 				     httpd->headers,
@@ -909,6 +1019,7 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
 				     &httpd->retcode, &httpd->retmsg,
 				     &httpd->mimetype, &httpd->bodybuffer,
 				     &httpd->freecb, &httpd->freecb_arg);
+	}
 	if (result != ISC_R_SUCCESS) {
 		result = httpd->mgr->render_500(httpd->url, url,
 						httpd->querystring,
@@ -932,8 +1043,9 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
 #endif
 
 	isc_httpd_response(httpd);
-	if ((httpd->flags & HTTPD_KEEPALIVE) != 0)
+	if ((httpd->flags & HTTPD_KEEPALIVE) != 0) {
 		isc_httpd_addheader(httpd, "Connection", "Keep-Alive");
+	}
 	isc_httpd_addheader(httpd, "Content-Type", httpd->mimetype);
 	isc_httpd_addheader(httpd, "Date", datebuf);
 	isc_httpd_addheader(httpd, "Expires", datebuf);
@@ -955,7 +1067,7 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
 	if (is_compressed == true) {
 		isc_httpd_addheader(httpd, "Content-Encoding", "deflate");
 		isc_httpd_addheaderuint(httpd, "Content-Length",
-					isc_buffer_usedlength(&httpd->compbuffer));
+				    isc_buffer_usedlength(&httpd->compbuffer));
 	} else {
 		isc_httpd_addheaderuint(httpd, "Content-Length",
 		isc_buffer_usedlength(&httpd->bodybuffer));
@@ -973,27 +1085,27 @@ isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
 		ISC_LIST_APPEND(httpd->bufflist, &httpd->compbuffer, link);
 	} else {
 		if (isc_buffer_length(&httpd->bodybuffer) > 0) {
-				ISC_LIST_APPEND(httpd->bufflist, &httpd->bodybuffer, link);
+			ISC_LIST_APPEND(httpd->bufflist, &httpd->bodybuffer,
+					link);
 		}
 	}
 
-	/* check return code? */
-	(void)isc_socket_sendv(httpd->sock, &httpd->bufflist, task,
-			       isc_httpd_senddone, httpd);
+	httpd_socket_send(httpd, task);
 
  out:
+	maybe_destroy_httpd(httpd);
 	isc_event_free(&ev);
-	EXIT("recv");
 }
 
 void
 isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdmgrp) {
 	isc_httpdmgr_t *httpdmgr;
 	isc_httpd_t *httpd;
+
+	REQUIRE(httpdmgrp != NULL);
 	httpdmgr = *httpdmgrp;
 	*httpdmgrp = NULL;
-
-	ENTER("isc_httpdmgr_shutdown");
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
 
 	LOCK(&httpdmgr->lock);
 
@@ -1010,7 +1122,8 @@ isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdmgrp) {
 
 	UNLOCK(&httpdmgr->lock);
 
-	EXIT("isc_httpdmgr_shutdown");
+	maybe_destroy_httpdmgr(httpdmgr);
+
 }
 
 static isc_result_t
@@ -1040,6 +1153,8 @@ isc_httpd_response(isc_httpd_t *httpd) {
 	isc_result_t result;
 	unsigned int needlen;
 
+	REQUIRE(VALID_HTTPD(httpd));
+
 	needlen = strlen(httpd->protocol) + 1; /* protocol + space */
 	needlen += 3 + 1;  /* room for response code, always 3 bytes */
 	needlen += strlen(httpd->retmsg) + 2;  /* return msg + CRLF */
@@ -1060,15 +1175,16 @@ isc_httpd_response(isc_httpd_t *httpd) {
 }
 
 isc_result_t
-isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
-		    const char *val)
-{
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name, const char *val) {
 	isc_result_t result;
 	unsigned int needlen;
 
+	REQUIRE(VALID_HTTPD(httpd));
+
 	needlen = strlen(name); /* name itself */
-	if (val != NULL)
+	if (val != NULL) {
 		needlen += 2 + strlen(val); /* :<space> and val */
+	}
 	needlen += 2; /* CRLF */
 
 	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
@@ -1095,6 +1211,8 @@ isc_result_t
 isc_httpd_endheaders(isc_httpd_t *httpd) {
 	isc_result_t result;
 
+	REQUIRE(VALID_HTTPD(httpd));
+
 	while (isc_buffer_availablelength(&httpd->headerbuffer) < 2) {
 		result = grow_headerspace(httpd);
 		if (result != ISC_R_SUCCESS)
@@ -1114,6 +1232,8 @@ isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val) {
 	unsigned int needlen;
 	char buf[sizeof "18446744073709551616"];
 
+	REQUIRE(VALID_HTTPD(httpd));
+
 	snprintf(buf, sizeof(buf), "%d", val);
 
 	needlen = strlen(name); /* name itself */
@@ -1141,7 +1261,8 @@ isc_httpd_senddone(isc_task_t *task, isc_event_t *ev) {
 	isc_region_t r;
 	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
 
-	ENTER("senddone");
+	REQUIRE(VALID_HTTPD(httpd));
+
 	INSIST(ISC_HTTPD_ISSEND(httpd));
 
 	/*
@@ -1149,7 +1270,6 @@ isc_httpd_senddone(isc_task_t *task, isc_event_t *ev) {
 	 * is sort of an evil hack, since we know our buffer will be there,
 	 * and we know it's address, so we can just remove it directly.
 	 */
-	NOTICE("senddone unlinked header");
 	ISC_LIST_UNLINK(sev->bufferlist, &httpd->headerbuffer, link);
 
 	/*
@@ -1165,41 +1285,33 @@ isc_httpd_senddone(isc_task_t *task, isc_event_t *ev) {
 			b = &httpd->bodybuffer;
 			httpd->freecb(b, httpd->freecb_arg);
 		}
-		NOTICE("senddone free callback performed");
 	}
 	if (ISC_LINK_LINKED(&httpd->bodybuffer, link)) {
 		ISC_LIST_UNLINK(sev->bufferlist, &httpd->bodybuffer, link);
-		NOTICE("senddone body buffer unlinked");
 	} else if (ISC_LINK_LINKED(&httpd->compbuffer, link)) {
 		ISC_LIST_UNLINK(sev->bufferlist, &httpd->compbuffer, link);
-		NOTICE("senddone compressed data unlinked and freed");
 	}
 
 	if (sev->result != ISC_R_SUCCESS) {
-		destroy_client(&httpd);
 		goto out;
 	}
 
 	if ((httpd->flags & HTTPD_CLOSE) != 0) {
-		destroy_client(&httpd);
 		goto out;
 	}
 
 	ISC_HTTPD_SETRECV(httpd);
 
-	NOTICE("senddone restarting recv on socket");
-
 	reset_client(httpd);
 
 	r.base = (unsigned char *)httpd->recvbuf;
 	r.length = HTTP_RECVLEN - 1;
-	/* check return code? */
-	(void)isc_socket_recv(httpd->sock, &r, 1, task,
-			      isc_httpd_recvdone, httpd);
+
+	httpd_socket_recv(httpd, &r, task);
 
 out:
+	maybe_destroy_httpd(httpd);
 	isc_event_free(&ev);
-	EXIT("senddone");
 }
 
 static void
@@ -1230,6 +1342,8 @@ isc_result_t
 isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
 		    isc_httpdaction_t *func, void *arg)
 {
+	/* REQUIRE(VALID_HTTPDMGR(httpdmgr)); Dummy function */
+
 	return (isc_httpdmgr_addurl2(httpdmgr, url, false, func, arg));
 }
 
@@ -1240,6 +1354,8 @@ isc_httpdmgr_addurl2(isc_httpdmgr_t *httpdmgr, const char *url,
 {
 	isc_httpdurl_t *item;
 
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
+
 	if (url == NULL) {
 		httpdmgr->render_404 = func;
 		return (ISC_R_SUCCESS);
@@ -1261,7 +1377,10 @@ isc_httpdmgr_addurl2(isc_httpdmgr_t *httpdmgr, const char *url,
 	isc_time_now(&item->loadtime);
 
 	ISC_LINK_INIT(item, link);
+
+	LOCK(&httpdmgr->lock);
 	ISC_LIST_APPEND(httpdmgr->urls, item, link);
+	UNLOCK(&httpdmgr->lock);
 
 	return (ISC_R_SUCCESS);
 }
@@ -1269,5 +1388,9 @@ isc_httpdmgr_addurl2(isc_httpdmgr_t *httpdmgr, const char *url,
 void
 isc_httpd_setfinishhook(void (*fn)(void))
 {
+#if ENABLE_AFL
 	finishhook = fn;
+#else /* ENABLE_AFL */
+	UNUSED(fn);
+#endif /* ENABLE_AFL */
 }
diff --git a/bind/bind9/lib/isc/ia64/Makefile.in b/bind/bind9/lib/isc/ia64/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/isc/ia64/Makefile.in
+++ b/bind/bind9/lib/isc/ia64/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/ia64/include/Makefile.in b/bind/bind9/lib/isc/ia64/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/ia64/include/Makefile.in
+++ b/bind/bind9/lib/isc/ia64/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/ia64/include/isc/Makefile.in b/bind/bind9/lib/isc/ia64/include/isc/Makefile.in
index 97b6b417..452877db 100644
--- a/bind/bind9/lib/isc/ia64/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/ia64/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/ia64/include/isc/atomic.h b/bind/bind9/lib/isc/ia64/include/isc/atomic.h
index e2f4331d..f3572b28 100644
--- a/bind/bind9/lib/isc/ia64/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/ia64/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/Makefile.in b/bind/bind9/lib/isc/include/Makefile.in
index 3b21e6e0..1e62514e 100644
--- a/bind/bind9/lib/isc/include/Makefile.in
+++ b/bind/bind9/lib/isc/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/Makefile.in b/bind/bind9/lib/isc/include/isc/Makefile.in
index 46dfd39d..3f4d39c3 100644
--- a/bind/bind9/lib/isc/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
 # install target below.
 #
 HEADERS =	aes.h app.h assertions.h boolean.h backtrace.h base32.h base64.h \
-		bind9.h buffer.h bufferlist.h commandline.h \
+		bind9.h buffer.h bufferlist.h cmocka.h commandline.h \
 		counter.h crc64.h deprecated.h entropy.h errno.h \
 		endian.h error.h event.h eventclass.h file.h formatcheck.h \
 		fsaccess.h hash.h heap.h hex.h hmacmd5.h hmacsha.h \
@@ -31,8 +31,8 @@ HEADERS =	aes.h app.h assertions.h boolean.h backtrace.h base32.h base64.h \
 		radix.h random.h ratelimiter.h refcount.h regex.h \
 		region.h resource.h result.h resultclass.h rwlock.h \
 		safe.h serial.h siphash.h sha1.h sha2.h sockaddr.h socket.h \
-		stats.h stdio.h stdlib.h string.h symtab.h task.h \
-		taskpool.h timer.h tm.h types.h util.h version.h \
+		stats.h stdatomic.h stdio.h stdlib.h string.h symtab.h task.h \
+		taskpool.h timer.h tm.h types.h utf8.h util.h version.h \
 		xml.h
 
 SUBDIRS =
diff --git a/bind/bind9/lib/isc/include/isc/aes.h b/bind/bind9/lib/isc/include/isc/aes.h
index 75f2a2b5..f864c75a 100644
--- a/bind/bind9/lib/isc/include/isc/aes.h
+++ b/bind/bind9/lib/isc/include/isc/aes.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/app.h b/bind/bind9/lib/isc/include/isc/app.h
index 5ed27502..cde37d48 100644
--- a/bind/bind9/lib/isc/include/isc/app.h
+++ b/bind/bind9/lib/isc/include/isc/app.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/assertions.h b/bind/bind9/lib/isc/include/isc/assertions.h
index 62e883d1..e9fa2e68 100644
--- a/bind/bind9/lib/isc/include/isc/assertions.h
+++ b/bind/bind9/lib/isc/include/isc/assertions.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/backtrace.h b/bind/bind9/lib/isc/include/isc/backtrace.h
index 27ab9da6..088680d0 100644
--- a/bind/bind9/lib/isc/include/isc/backtrace.h
+++ b/bind/bind9/lib/isc/include/isc/backtrace.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/base32.h b/bind/bind9/lib/isc/include/isc/base32.h
index 6ac9fcf2..a12d911f 100644
--- a/bind/bind9/lib/isc/include/isc/base32.h
+++ b/bind/bind9/lib/isc/include/isc/base32.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/base64.h b/bind/bind9/lib/isc/include/isc/base64.h
index 108bdae0..d6f0eb39 100644
--- a/bind/bind9/lib/isc/include/isc/base64.h
+++ b/bind/bind9/lib/isc/include/isc/base64.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/bind9.h b/bind/bind9/lib/isc/include/isc/bind9.h
index 5a2837fa..194dfddf 100644
--- a/bind/bind9/lib/isc/include/isc/bind9.h
+++ b/bind/bind9/lib/isc/include/isc/bind9.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/boolean.h b/bind/bind9/lib/isc/include/isc/boolean.h
index 2eebefa4..2dc8e596 100644
--- a/bind/bind9/lib/isc/include/isc/boolean.h
+++ b/bind/bind9/lib/isc/include/isc/boolean.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/buffer.h b/bind/bind9/lib/isc/include/isc/buffer.h
index caaac575..dd52a157 100644
--- a/bind/bind9/lib/isc/include/isc/buffer.h
+++ b/bind/bind9/lib/isc/include/isc/buffer.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -127,7 +127,7 @@ ISC_LANG_BEGINDECLS
 /*@}*/
 
 /*!
- * Size granularity for dynamically resizeable buffers; when reserving
+ * Size granularity for dynamically resizable buffers; when reserving
  * space in a buffer, we round the allocated buffer length up to the
  * nearest * multiple of this value.
  */
diff --git a/bind/bind9/lib/isc/include/isc/bufferlist.h b/bind/bind9/lib/isc/include/isc/bufferlist.h
index ffb4986f..878e3b2d 100644
--- a/bind/bind9/lib/isc/include/isc/bufferlist.h
+++ b/bind/bind9/lib/isc/include/isc/bufferlist.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/cmocka.h b/bind/bind9/lib/isc/include/isc/cmocka.h
new file mode 100644
index 00000000..aadfcada
--- /dev/null
+++ b/bind/bind9/lib/isc/include/isc/cmocka.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/cmocka.h */
+
+#pragma once
+
+#include <cmocka.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Copy the test identified by 'name' from 'tests' to 'selected'.
+ */
+#define cmocka_add_test_byname(tests, name, selected)                          \
+	_cmocka_add_test_byname(tests, sizeof(tests) / sizeof(tests[0]), name, \
+				selected,                                      \
+				sizeof(selected) / sizeof(selected[0]))
+
+static inline bool
+_cmocka_add_test_byname(const struct CMUnitTest *tests, size_t ntests,
+			const char *name, struct CMUnitTest *selected,
+			size_t nselected) {
+	size_t i, j;
+
+	for (i = 0; i < ntests && tests[i].name != NULL; i++) {
+		if (strcmp(tests[i].name, name) != 0) {
+			continue;
+		}
+		for (j = 0; j < nselected && selected[j].name != NULL; j++) {
+			if (strcmp(tests[j].name, name) == 0) {
+				break;
+			}
+		}
+		if (j < nselected && selected[j].name == NULL) {
+			selected[j] = tests[i];
+		}
+		return (true);
+	}
+	return (false);
+}
+
+ISC_LANG_ENDDECLS
diff --git a/bind/bind9/lib/isc/include/isc/commandline.h b/bind/bind9/lib/isc/include/isc/commandline.h
index a1a256ed..74b7f592 100644
--- a/bind/bind9/lib/isc/include/isc/commandline.h
+++ b/bind/bind9/lib/isc/include/isc/commandline.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/counter.h b/bind/bind9/lib/isc/include/isc/counter.h
index 28d9c794..d994f36c 100644
--- a/bind/bind9/lib/isc/include/isc/counter.h
+++ b/bind/bind9/lib/isc/include/isc/counter.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/crc64.h b/bind/bind9/lib/isc/include/isc/crc64.h
index ed5860b7..3e35f71f 100644
--- a/bind/bind9/lib/isc/include/isc/crc64.h
+++ b/bind/bind9/lib/isc/include/isc/crc64.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/deprecated.h b/bind/bind9/lib/isc/include/isc/deprecated.h
index d485e20c..d8569fa8 100644
--- a/bind/bind9/lib/isc/include/isc/deprecated.h
+++ b/bind/bind9/lib/isc/include/isc/deprecated.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/endian.h b/bind/bind9/lib/isc/include/isc/endian.h
index 54421d55..364d78c0 100644
--- a/bind/bind9/lib/isc/include/isc/endian.h
+++ b/bind/bind9/lib/isc/include/isc/endian.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/entropy.h b/bind/bind9/lib/isc/include/isc/entropy.h
index 4bba8e16..b5bc956c 100644
--- a/bind/bind9/lib/isc/include/isc/entropy.h
+++ b/bind/bind9/lib/isc/include/isc/entropy.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
-
 #ifndef ISC_ENTROPY_H
 #define ISC_ENTROPY_H 1
 
@@ -237,7 +235,7 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
  * \brief Extract data from the entropy pool.  This may load the pool from various
  * sources.
  *
- * Do this by stiring the pool and returning a part of hash as randomness.
+ * Do this by stirring the pool and returning a part of hash as randomness.
  * Note that no secrets are given away here since parts of the hash are
  * xored together before returned.
  *
diff --git a/bind/bind9/lib/isc/include/isc/errno.h b/bind/bind9/lib/isc/include/isc/errno.h
index 7777b8d3..d0584561 100644
--- a/bind/bind9/lib/isc/include/isc/errno.h
+++ b/bind/bind9/lib/isc/include/isc/errno.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/error.h b/bind/bind9/lib/isc/include/isc/error.h
index 87bb6bae..88c5dd57 100644
--- a/bind/bind9/lib/isc/include/isc/error.h
+++ b/bind/bind9/lib/isc/include/isc/error.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/event.h b/bind/bind9/lib/isc/include/isc/event.h
index 22f735d8..ce44fb84 100644
--- a/bind/bind9/lib/isc/include/isc/event.h
+++ b/bind/bind9/lib/isc/include/isc/event.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/eventclass.h b/bind/bind9/lib/isc/include/isc/eventclass.h
index 15ad3456..5ee704da 100644
--- a/bind/bind9/lib/isc/include/isc/eventclass.h
+++ b/bind/bind9/lib/isc/include/isc/eventclass.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/file.h b/bind/bind9/lib/isc/include/isc/file.h
index 0797f027..0b0af383 100644
--- a/bind/bind9/lib/isc/include/isc/file.h
+++ b/bind/bind9/lib/isc/include/isc/file.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/formatcheck.h b/bind/bind9/lib/isc/include/isc/formatcheck.h
index 162c16e3..f696db04 100644
--- a/bind/bind9/lib/isc/include/isc/formatcheck.h
+++ b/bind/bind9/lib/isc/include/isc/formatcheck.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/fsaccess.h b/bind/bind9/lib/isc/include/isc/fsaccess.h
index d842aaf1..86524e8d 100644
--- a/bind/bind9/lib/isc/include/isc/fsaccess.h
+++ b/bind/bind9/lib/isc/include/isc/fsaccess.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -94,7 +94,7 @@
  * probable that something could be cobbled together in NT 5 with inheritance,
  * it can't really be done in NT 4 as a single property that you could
  * set on a directory.  You'd need to coordinate something with file creation
- * so that every file created had DELETE set for the owner but noone else.
+ * so that every file created had DELETE set for the owner but no one else.
  *
  * On Unix systems, setting #ISC_FSACCESS_LISTDIRECTORY sets READ.
  * ... setting either #ISC_FSACCESS_CREATECHILD or #ISC_FSACCESS_DELETECHILD
diff --git a/bind/bind9/lib/isc/include/isc/hash.h b/bind/bind9/lib/isc/include/isc/hash.h
index fd558f7a..39da02e7 100644
--- a/bind/bind9/lib/isc/include/isc/hash.h
+++ b/bind/bind9/lib/isc/include/isc/hash.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -229,7 +229,7 @@ isc_hash_function_reverse(const void *data, size_t length,
  * useful in incremental hashing; for example, a previously hashed
  * value for 'com' can be used as input when hashing 'example.com'.
  *
- * This is a new variant of isc_hash_calc() and will supercede
+ * This is a new variant of isc_hash_calc() and will supersede
  * isc_hash_calc() eventually.
  *
  * 'data' is the data to be hashed.
diff --git a/bind/bind9/lib/isc/include/isc/heap.h b/bind/bind9/lib/isc/include/isc/heap.h
index 747287b3..288b29bf 100644
--- a/bind/bind9/lib/isc/include/isc/heap.h
+++ b/bind/bind9/lib/isc/include/isc/heap.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/hex.h b/bind/bind9/lib/isc/include/isc/hex.h
index b021e051..185aeade 100644
--- a/bind/bind9/lib/isc/include/isc/hex.h
+++ b/bind/bind9/lib/isc/include/isc/hex.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/hmacmd5.h b/bind/bind9/lib/isc/include/isc/hmacmd5.h
index ca2ec564..52634c50 100644
--- a/bind/bind9/lib/isc/include/isc/hmacmd5.h
+++ b/bind/bind9/lib/isc/include/isc/hmacmd5.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/hmacsha.h b/bind/bind9/lib/isc/include/isc/hmacsha.h
index 3c80fbab..71645c68 100644
--- a/bind/bind9/lib/isc/include/isc/hmacsha.h
+++ b/bind/bind9/lib/isc/include/isc/hmacsha.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/ht.h b/bind/bind9/lib/isc/include/isc/ht.h
index e1f42d91..a1315b0c 100644
--- a/bind/bind9/lib/isc/include/isc/ht.h
+++ b/bind/bind9/lib/isc/include/isc/ht.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/httpd.h b/bind/bind9/lib/isc/include/isc/httpd.h
index b02b33e8..ea6d5f67 100644
--- a/bind/bind9/lib/isc/include/isc/httpd.h
+++ b/bind/bind9/lib/isc/include/isc/httpd.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -35,7 +35,7 @@ struct isc_httpdurl {
 	char			       *url;
 	isc_httpdaction_t	       *action;
 	void			       *action_arg;
-	bool			isstatic;
+	bool				isstatic;
 	isc_time_t			loadtime;
 	ISC_LINK(isc_httpdurl_t)	link;
 };
diff --git a/bind/bind9/lib/isc/include/isc/int.h b/bind/bind9/lib/isc/include/isc/int.h
index 9bf3066e..cf9720f0 100644
--- a/bind/bind9/lib/isc/include/isc/int.h
+++ b/bind/bind9/lib/isc/include/isc/int.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/interfaceiter.h b/bind/bind9/lib/isc/include/isc/interfaceiter.h
index 2ef82a3f..fece9f3d 100644
--- a/bind/bind9/lib/isc/include/isc/interfaceiter.h
+++ b/bind/bind9/lib/isc/include/isc/interfaceiter.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/ipv6.h b/bind/bind9/lib/isc/include/isc/ipv6.h
index 93852d0d..9cf62074 100644
--- a/bind/bind9/lib/isc/include/isc/ipv6.h
+++ b/bind/bind9/lib/isc/include/isc/ipv6.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: ipv6.h,v 1.24 2007/06/19 23:47:18 tbox Exp $ */
-
 #ifndef ISC_IPV6_H
 #define ISC_IPV6_H 1
 
diff --git a/bind/bind9/lib/isc/include/isc/iterated_hash.h b/bind/bind9/lib/isc/include/isc/iterated_hash.h
index a43ae69d..a978397d 100644
--- a/bind/bind9/lib/isc/include/isc/iterated_hash.h
+++ b/bind/bind9/lib/isc/include/isc/iterated_hash.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/json.h b/bind/bind9/lib/isc/include/isc/json.h
index 52295e61..d564a109 100644
--- a/bind/bind9/lib/isc/include/isc/json.h
+++ b/bind/bind9/lib/isc/include/isc/json.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/lang.h b/bind/bind9/lib/isc/include/isc/lang.h
index bffcbac0..74966398 100644
--- a/bind/bind9/lib/isc/include/isc/lang.h
+++ b/bind/bind9/lib/isc/include/isc/lang.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/lex.h b/bind/bind9/lib/isc/include/isc/lex.h
index d1e36c0a..cfc7715c 100644
--- a/bind/bind9/lib/isc/include/isc/lex.h
+++ b/bind/bind9/lib/isc/include/isc/lex.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -177,7 +177,7 @@ isc_lex_getcomments(isc_lex_t *lex);
  *\li	'lex' is a valid lexer.
  *
  * Returns:
- *\li	The commenting sytles which are currently allowed.
+ *\li	The commenting styles which are currently allowed.
  */
 
 void
diff --git a/bind/bind9/lib/isc/include/isc/lfsr.h b/bind/bind9/lib/isc/include/isc/lfsr.h
index 3f2cfb4b..3d051fcf 100644
--- a/bind/bind9/lib/isc/include/isc/lfsr.h
+++ b/bind/bind9/lib/isc/include/isc/lfsr.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/lib.h b/bind/bind9/lib/isc/include/isc/lib.h
index 55ef20a4..682ba9d9 100644
--- a/bind/bind9/lib/isc/include/isc/lib.h
+++ b/bind/bind9/lib/isc/include/isc/lib.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/likely.h b/bind/bind9/lib/isc/include/isc/likely.h
index 6c77957e..78f7d404 100644
--- a/bind/bind9/lib/isc/include/isc/likely.h
+++ b/bind/bind9/lib/isc/include/isc/likely.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -15,6 +15,10 @@
 /*%
  * Performance
  */
+#ifdef CPPCHECK
+#define ISC_LIKELY(x)            (x)
+#define ISC_UNLIKELY(x)          (x)
+#else
 #ifdef HAVE_BUILTIN_EXPECT
 #define ISC_LIKELY(x)            __builtin_expect((x), 1)
 #define ISC_UNLIKELY(x)          __builtin_expect((x), 0)
@@ -22,5 +26,6 @@
 #define ISC_LIKELY(x)            (x)
 #define ISC_UNLIKELY(x)          (x)
 #endif
+#endif
 
 #endif /* ISC_LIKELY_H */
diff --git a/bind/bind9/lib/isc/include/isc/list.h b/bind/bind9/lib/isc/include/isc/list.h
index ab476caf..b951c090 100644
--- a/bind/bind9/lib/isc/include/isc/list.h
+++ b/bind/bind9/lib/isc/include/isc/list.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/log.h b/bind/bind9/lib/isc/include/isc/log.h
index fd0443f6..e0ab9aec 100644
--- a/bind/bind9/lib/isc/include/isc/log.h
+++ b/bind/bind9/lib/isc/include/isc/log.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -524,7 +524,7 @@ isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
  *\li	#ISC_R_NOMEMORY	Resource limit: Out of memory
  */
 
-/* Attention: next four comments PRECEED code */
+/* Attention: next four comments PRECEDE code */
 /*!
  *   \brief
  * Write a message to the log channels.
diff --git a/bind/bind9/lib/isc/include/isc/magic.h b/bind/bind9/lib/isc/include/isc/magic.h
index c342d0cd..a9e8fe6d 100644
--- a/bind/bind9/lib/isc/include/isc/magic.h
+++ b/bind/bind9/lib/isc/include/isc/magic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/md5.h b/bind/bind9/lib/isc/include/isc/md5.h
index 4d293983..426816a5 100644
--- a/bind/bind9/lib/isc/include/isc/md5.h
+++ b/bind/bind9/lib/isc/include/isc/md5.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/mem.h b/bind/bind9/lib/isc/include/isc/mem.h
index 8f018563..8d094ff2 100644
--- a/bind/bind9/lib/isc/include/isc/mem.h
+++ b/bind/bind9/lib/isc/include/isc/mem.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/meminfo.h b/bind/bind9/lib/isc/include/isc/meminfo.h
index c2c7e57b..71225d76 100644
--- a/bind/bind9/lib/isc/include/isc/meminfo.h
+++ b/bind/bind9/lib/isc/include/isc/meminfo.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/msgcat.h b/bind/bind9/lib/isc/include/isc/msgcat.h
index 3b533d6e..60ed5ab1 100644
--- a/bind/bind9/lib/isc/include/isc/msgcat.h
+++ b/bind/bind9/lib/isc/include/isc/msgcat.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/msgs.h b/bind/bind9/lib/isc/include/isc/msgs.h
index 01e3b481..85f51895 100644
--- a/bind/bind9/lib/isc/include/isc/msgs.h
+++ b/bind/bind9/lib/isc/include/isc/msgs.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/mutexblock.h b/bind/bind9/lib/isc/include/isc/mutexblock.h
index f00088db..a6365785 100644
--- a/bind/bind9/lib/isc/include/isc/mutexblock.h
+++ b/bind/bind9/lib/isc/include/isc/mutexblock.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/netaddr.h b/bind/bind9/lib/isc/include/isc/netaddr.h
index 2d6b12b7..0f3a3f4a 100644
--- a/bind/bind9/lib/isc/include/isc/netaddr.h
+++ b/bind/bind9/lib/isc/include/isc/netaddr.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -166,7 +166,7 @@ isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
 isc_result_t
 isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen);
 /*
- * Test whether the netaddr 'na' and 'prefixlen' are consistant.
+ * Test whether the netaddr 'na' and 'prefixlen' are consistent.
  * e.g. prefixlen within range.
  *      na does not have bits set which are not covered by the prefixlen.
  *
diff --git a/bind/bind9/lib/isc/include/isc/netscope.h b/bind/bind9/lib/isc/include/isc/netscope.h
index 22224a15..8535610b 100644
--- a/bind/bind9/lib/isc/include/isc/netscope.h
+++ b/bind/bind9/lib/isc/include/isc/netscope.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/ondestroy.h b/bind/bind9/lib/isc/include/isc/ondestroy.h
index ad1aa618..2ce68249 100644
--- a/bind/bind9/lib/isc/include/isc/ondestroy.h
+++ b/bind/bind9/lib/isc/include/isc/ondestroy.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: ondestroy.h,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
-
 #ifndef ISC_ONDESTROY_H
 #define ISC_ONDESTROY_H 1
 
@@ -100,7 +98,7 @@ isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender);
  * Dispatches the event(s) to the task(s) that were given in
  * isc_ondestroy_register call(s) (done via calls to
  * isc_task_sendanddetach()).  Before dispatch, the sender value of each
- * event structure is set to the value of the sender paramater. The
+ * event structure is set to the value of the sender parameter. The
  * internal structures of the ondest parameter are cleaned out, so no other
  * cleanup is needed.
  */
diff --git a/bind/bind9/lib/isc/include/isc/os.h b/bind/bind9/lib/isc/include/isc/os.h
index eb8223e9..3c0578b0 100644
--- a/bind/bind9/lib/isc/include/isc/os.h
+++ b/bind/bind9/lib/isc/include/isc/os.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/parseint.h b/bind/bind9/lib/isc/include/isc/parseint.h
index 41e8a6ce..eb33346f 100644
--- a/bind/bind9/lib/isc/include/isc/parseint.h
+++ b/bind/bind9/lib/isc/include/isc/parseint.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/platform.h.in b/bind/bind9/lib/isc/include/isc/platform.h.in
index f923f815..6c3c875d 100644
--- a/bind/bind9/lib/isc/include/isc/platform.h.in
+++ b/bind/bind9/lib/isc/include/isc/platform.h.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -239,7 +239,7 @@
 @ISC_PLATFORM_USETHREADS@
 
 /*
- * Defined if unistd.h does not cause fd_set to be delared.
+ * Defined if unistd.h does not cause fd_set to be declared.
  */
 @ISC_PLATFORM_NEEDSYSSELECTH@
 
diff --git a/bind/bind9/lib/isc/include/isc/pool.h b/bind/bind9/lib/isc/include/isc/pool.h
index a648312a..e0fcc538 100644
--- a/bind/bind9/lib/isc/include/isc/pool.h
+++ b/bind/bind9/lib/isc/include/isc/pool.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/portset.h b/bind/bind9/lib/isc/include/isc/portset.h
index 1f0d928c..9fa5feb1 100644
--- a/bind/bind9/lib/isc/include/isc/portset.h
+++ b/bind/bind9/lib/isc/include/isc/portset.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/print.h b/bind/bind9/lib/isc/include/isc/print.h
index e4fa76ca..1448abf2 100644
--- a/bind/bind9/lib/isc/include/isc/print.h
+++ b/bind/bind9/lib/isc/include/isc/print.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/queue.h b/bind/bind9/lib/isc/include/isc/queue.h
index 210f302c..bda63426 100644
--- a/bind/bind9/lib/isc/include/isc/queue.h
+++ b/bind/bind9/lib/isc/include/isc/queue.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -93,12 +93,8 @@
 	do { \
 		bool headlocked = false; \
 		ISC_QLINK_INSIST(!ISC_QLINK_LINKED(elt, link)); \
-		if ((queue).head == NULL) { \
-			LOCK(&(queue).headlock); \
-			headlocked = true; \
-		} \
 		LOCK(&(queue).taillock); \
-		if ((queue).tail == NULL && !headlocked) { \
+		if ((queue).tail == NULL) { \
 			UNLOCK(&(queue).taillock); \
 			LOCK(&(queue).headlock); \
 			LOCK(&(queue).taillock); \
@@ -158,4 +154,23 @@
 		(elt)->link.next = (elt)->link.prev = (void *)(-1); \
 	} while(0)
 
+#define ISC_QUEUE_UNLINKIFLINKED(queue, elt, link) \
+	do { \
+		LOCK(&(queue).headlock); \
+		LOCK(&(queue).taillock); \
+		if (ISC_QLINK_LINKED(elt, link)) { \
+			if ((elt)->link.prev == NULL) \
+				(queue).head = (elt)->link.next; \
+			else \
+				(elt)->link.prev->link.next = (elt)->link.next; \
+			if ((elt)->link.next == NULL) \
+				(queue).tail = (elt)->link.prev; \
+			else \
+				(elt)->link.next->link.prev = (elt)->link.prev; \
+		} \
+		UNLOCK(&(queue).taillock); \
+		UNLOCK(&(queue).headlock); \
+		(elt)->link.next = (elt)->link.prev = (void *)(-1); \
+	} while(0)
+
 #endif /* ISC_QUEUE_H */
diff --git a/bind/bind9/lib/isc/include/isc/quota.h b/bind/bind9/lib/isc/include/isc/quota.h
index 6a523581..db2bee42 100644
--- a/bind/bind9/lib/isc/include/isc/quota.h
+++ b/bind/bind9/lib/isc/include/isc/quota.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/radix.h b/bind/bind9/lib/isc/include/isc/radix.h
index c201d573..cf8475db 100644
--- a/bind/bind9/lib/isc/include/isc/radix.h
+++ b/bind/bind9/lib/isc/include/isc/radix.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/random.h b/bind/bind9/lib/isc/include/isc/random.h
index f8aed349..f38e80da 100644
--- a/bind/bind9/lib/isc/include/isc/random.h
+++ b/bind/bind9/lib/isc/include/isc/random.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
-
 #ifndef ISC_RANDOM_H
 #define ISC_RANDOM_H 1
 
diff --git a/bind/bind9/lib/isc/include/isc/ratelimiter.h b/bind/bind9/lib/isc/include/isc/ratelimiter.h
index f6320b20..9403fb17 100644
--- a/bind/bind9/lib/isc/include/isc/ratelimiter.h
+++ b/bind/bind9/lib/isc/include/isc/ratelimiter.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/refcount.h b/bind/bind9/lib/isc/include/isc/refcount.h
index f9d6ea03..1c9696fc 100644
--- a/bind/bind9/lib/isc/include/isc/refcount.h
+++ b/bind/bind9/lib/isc/include/isc/refcount.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -123,7 +123,7 @@ typedef struct isc_refcount {
 
 #define isc_refcount_current(rp)					\
 	((unsigned int)(atomic_load_explicit(&(rp)->refs,		\
-					     memory_order_relaxed)))
+					     memory_order_acquire)))
 #define isc_refcount_destroy(rp) ISC_REQUIRE(isc_refcount_current(rp) == 0)
 
 #define isc_refcount_increment0(rp, tp)				\
@@ -152,7 +152,7 @@ typedef struct isc_refcount {
 		unsigned int *_tmp = (unsigned int *)(tp);	\
 		int32_t prev;				\
 		prev = atomic_fetch_sub_explicit		\
-			(&(rp)->refs, 1, memory_order_relaxed); \
+			(&(rp)->refs, 1, memory_order_acq_rel); \
 		ISC_REQUIRE(prev > 0);				\
 		if (_tmp != NULL)				\
 			*_tmp = prev - 1;			\
@@ -211,7 +211,7 @@ typedef struct isc_refcount {
 		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
 	} while (0)
 
-#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
+unsigned int isc_refcount_current(isc_refcount_t *rp);
 
 /*%
  * Increments the reference count, returning the new value in
diff --git a/bind/bind9/lib/isc/include/isc/regex.h b/bind/bind9/lib/isc/include/isc/regex.h
index cab10c1f..3b303b52 100644
--- a/bind/bind9/lib/isc/include/isc/regex.h
+++ b/bind/bind9/lib/isc/include/isc/regex.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/region.h b/bind/bind9/lib/isc/include/isc/region.h
index ee013547..73eb1bcd 100644
--- a/bind/bind9/lib/isc/include/isc/region.h
+++ b/bind/bind9/lib/isc/include/isc/region.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/resource.h b/bind/bind9/lib/isc/include/isc/resource.h
index 01792345..4742bf8f 100644
--- a/bind/bind9/lib/isc/include/isc/resource.h
+++ b/bind/bind9/lib/isc/include/isc/resource.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/result.h b/bind/bind9/lib/isc/include/isc/result.h
index 0389efa2..916641fb 100644
--- a/bind/bind9/lib/isc/include/isc/result.h
+++ b/bind/bind9/lib/isc/include/isc/result.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/resultclass.h b/bind/bind9/lib/isc/include/isc/resultclass.h
index 08135f41..ff2ecd9a 100644
--- a/bind/bind9/lib/isc/include/isc/resultclass.h
+++ b/bind/bind9/lib/isc/include/isc/resultclass.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/rwlock.h b/bind/bind9/lib/isc/include/isc/rwlock.h
index c7849cd6..e72b926d 100644
--- a/bind/bind9/lib/isc/include/isc/rwlock.h
+++ b/bind/bind9/lib/isc/include/isc/rwlock.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -52,7 +52,6 @@ struct isc_rwlock {
 	/* Unlocked. */
 	unsigned int		magic;
 	isc_mutex_t		lock;
-	int32_t		spins;
 
 #if defined(ISC_RWLOCK_USEATOMIC)
 	/*
@@ -70,13 +69,17 @@ struct isc_rwlock {
 
 	/* Read or modified atomically. */
 #if defined(ISC_RWLOCK_USESTDATOMIC)
+	atomic_int_fast32_t	spins;
 	atomic_int_fast32_t	write_requests;
 	atomic_int_fast32_t	write_completions;
 	atomic_int_fast32_t	cnt_and_flag;
+	atomic_int_fast32_t	write_granted;
 #else
+	int32_t		spins;
 	int32_t		write_requests;
 	int32_t		write_completions;
 	int32_t		cnt_and_flag;
+	int32_t		write_granted;
 #endif
 
 	/* Locked by lock. */
@@ -84,9 +87,6 @@ struct isc_rwlock {
 	isc_condition_t		writeable;
 	unsigned int		readers_waiting;
 
-	/* Locked by rwlock itself. */
-	unsigned int		write_granted;
-
 	/* Unlocked. */
 	unsigned int		write_quota;
 
@@ -107,6 +107,7 @@ struct isc_rwlock {
 	 */
 	unsigned int		granted;
 
+	unsigned int		spins;
 	unsigned int		readers_waiting;
 	unsigned int		writers_waiting;
 	unsigned int		read_quota;
diff --git a/bind/bind9/lib/isc/include/isc/safe.h b/bind/bind9/lib/isc/include/isc/safe.h
index 66ed08b6..a4ff77aa 100644
--- a/bind/bind9/lib/isc/include/isc/safe.h
+++ b/bind/bind9/lib/isc/include/isc/safe.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/serial.h b/bind/bind9/lib/isc/include/isc/serial.h
index 2c6923fb..6025b06b 100644
--- a/bind/bind9/lib/isc/include/isc/serial.h
+++ b/bind/bind9/lib/isc/include/isc/serial.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/sha1.h b/bind/bind9/lib/isc/include/isc/sha1.h
index 02bca125..d3eab4c5 100644
--- a/bind/bind9/lib/isc/include/isc/sha1.h
+++ b/bind/bind9/lib/isc/include/isc/sha1.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/sha2.h b/bind/bind9/lib/isc/include/isc/sha2.h
index f9e1be3e..a022916a 100644
--- a/bind/bind9/lib/isc/include/isc/sha2.h
+++ b/bind/bind9/lib/isc/include/isc/sha2.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/siphash.h b/bind/bind9/lib/isc/include/isc/siphash.h
index 1dd5318a..ea9ee2e9 100644
--- a/bind/bind9/lib/isc/include/isc/siphash.h
+++ b/bind/bind9/lib/isc/include/isc/siphash.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/sockaddr.h b/bind/bind9/lib/isc/include/isc/sockaddr.h
index 478e77c7..06f49fd1 100644
--- a/bind/bind9/lib/isc/include/isc/sockaddr.h
+++ b/bind/bind9/lib/isc/include/isc/sockaddr.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/socket.h b/bind/bind9/lib/isc/include/isc/socket.h
index c755fd4d..06b87466 100644
--- a/bind/bind9/lib/isc/include/isc/socket.h
+++ b/bind/bind9/lib/isc/include/isc/socket.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -547,7 +547,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task,
  *
  * \li	"task" is NULL or a valid task
  *
- * "how" is a bitmask describing the type of cancelation to perform.
+ * "how" is a bitmask describing the type of cancellation to perform.
  * The type ISC_SOCKCANCEL_ALL will cancel all pending I/O on this
  * socket.
  *
diff --git a/bind/bind9/lib/isc/include/isc/stats.h b/bind/bind9/lib/isc/include/isc/stats.h
index d127dbdf..2f290b94 100644
--- a/bind/bind9/lib/isc/include/isc/stats.h
+++ b/bind/bind9/lib/isc/include/isc/stats.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -116,7 +116,7 @@ void
 isc_stats_set(isc_stats_t *stats, uint64_t val,
 	      isc_statscounter_t counter);
 /*%<
- * Set the given counter to the specfied value.
+ * Set the given counter to the specified value.
  *
  * Requires:
  *\li	'stats' is a valid isc_stats_t.
@@ -126,7 +126,7 @@ void
 isc_stats_set(isc_stats_t *stats, uint64_t val,
 	      isc_statscounter_t counter);
 /*%<
- * Set the given counter to the specfied value.
+ * Set the given counter to the specified value.
  *
  * Requires:
  *\li	'stats' is a valid isc_stats_t.
diff --git a/bind/bind9/lib/isc/include/isc/stdatomic.h b/bind/bind9/lib/isc/include/isc/stdatomic.h
index 1f01a4e6..43fa4c35 100644
--- a/bind/bind9/lib/isc/include/isc/stdatomic.h
+++ b/bind/bind9/lib/isc/include/isc/stdatomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/stdio.h b/bind/bind9/lib/isc/include/isc/stdio.h
index 1f44b5ac..ae10fb59 100644
--- a/bind/bind9/lib/isc/include/isc/stdio.h
+++ b/bind/bind9/lib/isc/include/isc/stdio.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/stdlib.h b/bind/bind9/lib/isc/include/isc/stdlib.h
index c44b0ea6..13841bd1 100644
--- a/bind/bind9/lib/isc/include/isc/stdlib.h
+++ b/bind/bind9/lib/isc/include/isc/stdlib.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/string.h b/bind/bind9/lib/isc/include/isc/string.h
index 5323aa7d..4755b4ce 100644
--- a/bind/bind9/lib/isc/include/isc/string.h
+++ b/bind/bind9/lib/isc/include/isc/string.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: string.h,v 1.23 2007/09/13 04:48:16 each Exp $ */
-
 #ifndef ISC_STRING_H
 #define ISC_STRING_H 1
 
diff --git a/bind/bind9/lib/isc/include/isc/symtab.h b/bind/bind9/lib/isc/include/isc/symtab.h
index 0f53b5e2..373b37e9 100644
--- a/bind/bind9/lib/isc/include/isc/symtab.h
+++ b/bind/bind9/lib/isc/include/isc/symtab.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/task.h b/bind/bind9/lib/isc/include/isc/task.h
index 69203956..28e5e25f 100644
--- a/bind/bind9/lib/isc/include/isc/task.h
+++ b/bind/bind9/lib/isc/include/isc/task.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/taskpool.h b/bind/bind9/lib/isc/include/isc/taskpool.h
index 32ca594b..f83d2d6d 100644
--- a/bind/bind9/lib/isc/include/isc/taskpool.h
+++ b/bind/bind9/lib/isc/include/isc/taskpool.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/timer.h b/bind/bind9/lib/isc/include/isc/timer.h
index 40aa5a67..07bd50d1 100644
--- a/bind/bind9/lib/isc/include/isc/timer.h
+++ b/bind/bind9/lib/isc/include/isc/timer.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/tm.h b/bind/bind9/lib/isc/include/isc/tm.h
index b6f520cf..ab970924 100644
--- a/bind/bind9/lib/isc/include/isc/tm.h
+++ b/bind/bind9/lib/isc/include/isc/tm.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/types.h b/bind/bind9/lib/isc/include/isc/types.h
index da9d66f6..3bdd54f5 100644
--- a/bind/bind9/lib/isc/include/isc/types.h
+++ b/bind/bind9/lib/isc/include/isc/types.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
 
diff --git a/bind/bind9/lib/isc/include/isc/utf8.h b/bind/bind9/lib/isc/include/isc/utf8.h
new file mode 100644
index 00000000..42bc0ab4
--- /dev/null
+++ b/bind/bind9/lib/isc/include/isc/utf8.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/utf8.h */
+
+#pragma once
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+bool
+isc_utf8_bom(const unsigned char *buf, size_t len);
+/*<
+ * Returns 'true' if the string of bytes in 'buf' starts
+ * with an UTF-8 Byte Order Mark.
+ *
+ * Requires:
+ *\li 	'buf' != NULL
+ */
+
+bool
+isc_utf8_valid(const unsigned char *buf, size_t len);
+/*<
+ * Returns 'true' if the string of bytes in 'buf' is a valid UTF-8
+ * byte sequence otherwise 'false' is returned.
+ *
+ * Requires:
+ *\li 	'buf' != NULL
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/bind/bind9/lib/isc/include/isc/util.h b/bind/bind9/lib/isc/include/isc/util.h
index 973c3486..9111c2a0 100644
--- a/bind/bind9/lib/isc/include/isc/util.h
+++ b/bind/bind9/lib/isc/include/isc/util.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -67,6 +67,8 @@
 		var = _u.v; \
 	} while (0)
 
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0]))
+
 /*%
  * Use this in translation units that would otherwise be empty, to
  * suppress compiler warnings.
@@ -219,6 +221,19 @@
 #define __SANITIZE_ADDRESS__ 1
 #endif
 
+/* GCC defines __SANITIZE_THREAD__, so reuse the macro for clang */
+#if __has_feature(thread_sanitizer)
+#define __SANITIZE_THREAD__ 1
+#endif
+
+#if __SANITIZE_THREAD__
+#define ISC_NO_SANITIZE_THREAD __attribute__((no_sanitize("thread"))) __attribute__((noinline))
+#define ISC_NO_SANITIZE_INLINE
+#else /* if __SANITIZE_THREAD__ */
+#define ISC_NO_SANITIZE_THREAD
+#define ISC_NO_SANITIZE_INLINE inline
+#endif /* if __SANITIZE_THREAD__ */
+
 #ifdef UNIT_TESTING
 extern void mock_assert(const int result, const char* const expression,
 			const char * const file, const int line);
@@ -247,6 +262,9 @@ extern void mock_assert(const int result, const char* const expression,
 #define _assert_int_not_equal(a, b, f, l) \
 	(((a) != (b)) ? (void)0 : (_assert_int_not_equal(a, b, f, l), abort()))
 #else /* UNIT_TESTING */
+
+#ifndef CPPCHECK
+
 /*
  * Assertions
  */
@@ -261,6 +279,19 @@ extern void mock_assert(const int result, const char* const expression,
 /*% Invariant Assertion */
 #define INVARIANT(e)			ISC_INVARIANT(e)
 
+#else /* CPPCHECK */
+
+/*% Require Assertion */
+#define REQUIRE(e)			if (!(e)) abort()
+/*% Ensure Assertion */
+#define ENSURE(e)			if (!(e)) abort()
+/*% Insist Assertion */
+#define INSIST(e)			if (!(e)) abort()
+/*% Invariant Assertion */
+#define INVARIANT(e)			if (!(e)) abort()
+
+#endif /* CPPCHECK */
+
 #endif /* UNIT_TESTING */
 
 /*
@@ -276,12 +307,17 @@ extern void mock_assert(const int result, const char* const expression,
 #ifdef UNIT_TESTING
 
 #define RUNTIME_CHECK(expression)					\
-	mock_assert((int)(expression), #expression, __FILE__, __LINE__)
+	((!(expression)) ?						\
+	(mock_assert(0, #expression, __FILE__, __LINE__), abort()) : (void)0)
 
 #else /* UNIT_TESTING */
 
+#ifndef CPPCHECK
 /*% Runtime Check */
 #define RUNTIME_CHECK(cond)		ISC_ERROR_RUNTIMECHECK(cond)
+#else
+#define RUNTIME_CHECK(e)		if (!(e)) abort()
+#endif
 
 #endif /* UNIT_TESTING */
 
diff --git a/bind/bind9/lib/isc/include/isc/version.h b/bind/bind9/lib/isc/include/isc/version.h
index d371e0d3..a21687da 100644
--- a/bind/bind9/lib/isc/include/isc/version.h
+++ b/bind/bind9/lib/isc/include/isc/version.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/isc/xml.h b/bind/bind9/lib/isc/include/isc/xml.h
index a091d301..3aed247b 100644
--- a/bind/bind9/lib/isc/include/isc/xml.h
+++ b/bind/bind9/lib/isc/include/isc/xml.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/pk11/Makefile.in b/bind/bind9/lib/isc/include/pk11/Makefile.in
index 395c9243..2f765851 100644
--- a/bind/bind9/lib/isc/include/pk11/Makefile.in
+++ b/bind/bind9/lib/isc/include/pk11/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/pk11/README.site b/bind/bind9/lib/isc/include/pk11/README.site
index 6c49891c..208864ae 100644
--- a/bind/bind9/lib/isc/include/pk11/README.site
+++ b/bind/bind9/lib/isc/include/pk11/README.site
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
 How to use site.h for the PKCS#11 provider of your HSM
 ------------------------------------------------------
diff --git a/bind/bind9/lib/isc/include/pk11/constants.h b/bind/bind9/lib/isc/include/pk11/constants.h
index 961ce8e6..d8256c57 100644
--- a/bind/bind9/lib/isc/include/pk11/constants.h
+++ b/bind/bind9/lib/isc/include/pk11/constants.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -16,7 +16,7 @@
 /*! \file pk11/constants.h */
 
 /*%
- * Static arrays of data used for key template initalization
+ * Static arrays of data used for key template initialization
  */
 #ifdef WANT_ECC_CURVES
 #if HAVE_PKCS11_ECDSA
diff --git a/bind/bind9/lib/isc/include/pk11/internal.h b/bind/bind9/lib/isc/include/pk11/internal.h
index aa8907ab..36a2ef90 100644
--- a/bind/bind9/lib/isc/include/pk11/internal.h
+++ b/bind/bind9/lib/isc/include/pk11/internal.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -25,7 +25,8 @@ void pk11_mem_put(void *ptr, size_t size);
 
 CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
 
-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
 
 CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
 
diff --git a/bind/bind9/lib/isc/include/pk11/pk11.h b/bind/bind9/lib/isc/include/pk11/pk11.h
index 2ff21fba..85f30601 100644
--- a/bind/bind9/lib/isc/include/pk11/pk11.h
+++ b/bind/bind9/lib/isc/include/pk11/pk11.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/pk11/result.h b/bind/bind9/lib/isc/include/pk11/result.h
index cce91503..50b0f3b0 100644
--- a/bind/bind9/lib/isc/include/pk11/result.h
+++ b/bind/bind9/lib/isc/include/pk11/result.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/pk11/site.h b/bind/bind9/lib/isc/include/pk11/site.h
index f27691ed..79b2de9f 100644
--- a/bind/bind9/lib/isc/include/pk11/site.h
+++ b/bind/bind9/lib/isc/include/pk11/site.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/pkcs11/Makefile.in b/bind/bind9/lib/isc/include/pkcs11/Makefile.in
index 8b442b46..2372180d 100644
--- a/bind/bind9/lib/isc/include/pkcs11/Makefile.in
+++ b/bind/bind9/lib/isc/include/pkcs11/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -18,7 +18,7 @@ VERSION=@BIND9_VERSION@
 # machine generated.  The latter are handled specially in the
 # install target below.
 #
-HEADERS =	pkcs11f.h pkcs11.h pkcs11t.h eddsa.h
+HEADERS =	pkcs11.h eddsa.h
 SUBDIRS =
 TARGETS =
 
diff --git a/bind/bind9/lib/isc/include/pkcs11/eddsa.h b/bind/bind9/lib/isc/include/pkcs11/eddsa.h
index c0b2e9cd..2e2e5ed7 100644
--- a/bind/bind9/lib/isc/include/pkcs11/eddsa.h
+++ b/bind/bind9/lib/isc/include/pkcs11/eddsa.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/include/pkcs11/pkcs11.h b/bind/bind9/lib/isc/include/pkcs11/pkcs11.h
index c66b0bca..3e368376 100644
--- a/bind/bind9/lib/isc/include/pkcs11/pkcs11.h
+++ b/bind/bind9/lib/isc/include/pkcs11/pkcs11.h
@@ -1,264 +1,1749 @@
-/*
- * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01
- * Committee Specification Draft 01 / Public Review Draft 01
- * 09 December 2015
- * Copyright (c) OASIS Open 2015. All Rights Reserved.
- * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/
- * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
- * https://www.oasis-open.org/policies-guidelines/ipr
- */
-
-#ifndef _PKCS11_H_
-#define _PKCS11_H_ 1
-
-#ifdef __cplusplus
+/* pkcs11.h
+   Copyright 2006, 2007 g10 Code GmbH
+   Copyright 2006 Andreas Jellinghaus
+   Copyright 2017 Red Hat, Inc.
+
+   This file is free software; as a special exception the author gives
+   unlimited permission to copy and/or distribute it, with or without
+   modifications, as long as this notice is preserved.
+
+   This file is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+   the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+   PURPOSE.  */
+
+/* Please submit any changes back to the p11-kit project at
+   https://github.com/p11-glue/p11-kit/, so that
+   they can be picked up by other projects from there as well.  */
+
+/* This file is a modified implementation of the PKCS #11 standard by
+   OASIS group.  It is mostly a drop-in replacement, with the
+   following change:
+
+   This header file does not require any macro definitions by the user
+   (like CK_DEFINE_FUNCTION etc).  In fact, it defines those macros
+   for you (if useful, some are missing, let me know if you need
+   more).
+
+   There is an additional API available that does comply better to the
+   GNU coding standard.  It can be switched on by defining
+   CRYPTOKI_GNU before including this header file.  For this, the
+   following changes are made to the specification:
+
+   All structure types are changed to a "struct ck_foo" where CK_FOO
+   is the type name in PKCS #11.
+
+   All non-structure types are changed to ck_foo_t where CK_FOO is the
+   lowercase version of the type name in PKCS #11.  The basic types
+   (CK_ULONG et al.) are removed without substitute.
+
+   All members of structures are modified in the following way: Type
+   indication prefixes are removed, and underscore characters are
+   inserted before words.  Then the result is lowercased.
+
+   Note that function names are still in the original case, as they
+   need for ABI compatibility.
+
+   CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute.  Use
+   <stdbool.h>.
+
+   If CRYPTOKI_COMPAT is defined before including this header file,
+   then none of the API changes above take place, and the API is the
+   one defined by the PKCS #11 standard.  */
+
+#ifndef PKCS11_H
+#define PKCS11_H 1
+
+#if defined(__cplusplus)
 extern "C" {
 #endif
 
-/* Before including this file (pkcs11.h) (or pkcs11t.h by
- * itself), 5 platform-specific macros must be defined.  These
- * macros are described below, and typical definitions for them
- * are also given.  Be advised that these definitions can depend
- * on both the platform and the compiler used (and possibly also
- * on whether a Cryptoki library is linked statically or
- * dynamically).
- *
- * In addition to defining these 5 macros, the packing convention
- * for Cryptoki structures should be set.  The Cryptoki
- * convention on packing is that structures should be 1-byte
- * aligned.
- *
- * If you're using Microsoft Developer Studio 5.0 to produce
- * Win32 stuff, this might be done by using the following
- * preprocessor directive before including pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(push, cryptoki, 1)
- *
- * and using the following preprocessor directive after including
- * pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(pop, cryptoki)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to produce Win16 stuff, this might be done by using
- * the following preprocessor directive before including
- * pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(1)
- *
- * In a UNIX environment, you're on your own for this.  You might
- * not need to do (or be able to do!) anything.
- *
- *
- * Now for the macros:
- *
- *
- * 1. CK_PTR: The indirection string for making a pointer to an
- * object.  It can be used like this:
- *
- * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
- *
- * If you're using Microsoft Developer Studio 5.0 to produce
- * Win32 stuff, it might be defined by:
- *
- * #define CK_PTR *
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to produce Win16 stuff, it might be defined by:
- *
- * #define CK_PTR far *
- *
- * In a typical UNIX environment, it might be defined by:
- *
- * #define CK_PTR *
- *
- *
- * 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
- * an importable Cryptoki library function declaration out of a
- * return type and a function name.  It should be used in the
- * following fashion:
- *
- * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
- *   CK_VOID_PTR pReserved
- * );
- *
- * If you're using Microsoft Developer Studio 5.0 to declare a
- * function in a Win32 Cryptoki .dll, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __declspec(dllimport) name
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to declare a function in a Win16 Cryptoki .dll, it
- * might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType name
- *
- *
- * 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
- * which makes a Cryptoki API function pointer declaration or
- * function pointer type declaration out of a return type and a
- * function name.  It should be used in the following fashion:
- *
- * // Define funcPtr to be a pointer to a Cryptoki API function
- * // taking arguments args and returning CK_RV.
- * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
- *
- * or
- *
- * // Define funcPtrType to be the type of a pointer to a
- * // Cryptoki API function taking arguments args and returning
- * // CK_RV, and then define funcPtr to be a variable of type
- * // funcPtrType.
- * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
- * funcPtrType funcPtr;
- *
- * If you're using Microsoft Developer Studio 5.0 to access
- * functions in a Win32 Cryptoki .dll, in might be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __declspec(dllimport) (* name)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to access functions in a Win16 Cryptoki .dll, it might
- * be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __export _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType (* name)
- *
- *
- * 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
- * a function pointer type for an application callback out of
- * a return type for the callback and a name for the callback.
- * It should be used in the following fashion:
- *
- * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
- *
- * to declare a function pointer, myCallback, to a callback
- * which takes arguments args and returns a CK_RV.  It can also
- * be used like this:
- *
- * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
- * myCallbackType myCallback;
- *
- * If you're using Microsoft Developer Studio 5.0 to do Win32
- * Cryptoki development, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType (* name)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to do Win16 development, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType (* name)
- *
- *
- * 5. NULL_PTR: This macro is the value of a NULL pointer.
- *
- * In any ANSI/ISO C environment (and in many others as well),
- * this should best be defined by
- *
- * #ifndef NULL_PTR
- * #define NULL_PTR 0
- * #endif
- */
-
-
-/* All the various Cryptoki types and #define'd values are in the
- * file pkcs11t.h.
- */
-#include "pkcs11t.h"
-
-#define __PASTE(x,y)      x##y
-
-
-/* ==============================================================
- * Define the "extern" form of all the entry points.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST  1
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  extern CK_DECLARE_FUNCTION(CK_RV, name)
-
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes.
- */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define the typedef form of all the entry points.  That is, for
- * each Cryptoki function C_XXX, define a type CK_C_XXX which is
- * a pointer to that kind of function.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST  1
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
-
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes.
- */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define structed vector of entry points.  A CK_FUNCTION_LIST
- * contains a CK_VERSION indicating a library's Cryptoki version
- * and then a whole slew of function pointers to the routines in
- * the library.  This type was declared, but not defined, in
- * pkcs11t.h.
- * ==============================================================
- */
-
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  __PASTE(CK_,name) name;
-
-struct CK_FUNCTION_LIST {
-
-  CK_VERSION    version;  /* Cryptoki version */
-
-/* Pile all the function pointers into the CK_FUNCTION_LIST. */
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes.
- */
-#include "pkcs11f.h"
 
+/* The version of cryptoki we implement.  The revision is changed with
+   each modification of this file.  */
+#define CRYPTOKI_VERSION_MAJOR		2
+#define CRYPTOKI_VERSION_MINOR		40
+#define P11_KIT_CRYPTOKI_VERSION_REVISION	0
+
+
+/* Compatibility interface is default, unless CRYPTOKI_GNU is
+   given.  */
+#ifndef CRYPTOKI_GNU
+#ifndef CRYPTOKI_COMPAT
+#define CRYPTOKI_COMPAT 1
+#endif
+#endif
+
+/* System dependencies.  */
+
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+
+/* There is a matching pop below.  */
+#pragma pack(push, cryptoki, 1)
+
+#ifdef CRYPTOKI_EXPORTS
+#define CK_SPEC __declspec(dllexport)
+#else
+#define CK_SPEC __declspec(dllimport)
+#endif
+
+#else
+
+#define CK_SPEC
+
+#endif
+
+
+#ifdef CRYPTOKI_COMPAT
+  /* If we are in compatibility mode, switch all exposed names to the
+     PKCS #11 variant.  There are corresponding #undefs below.  */
+
+#define ck_flags_t CK_FLAGS
+#define ck_version _CK_VERSION
+
+#define ck_info _CK_INFO
+#define cryptoki_version cryptokiVersion
+#define manufacturer_id manufacturerID
+#define library_description libraryDescription
+#define library_version libraryVersion
+
+#define ck_notification_t CK_NOTIFICATION
+#define ck_slot_id_t CK_SLOT_ID
+
+#define ck_slot_info _CK_SLOT_INFO
+#define slot_description slotDescription
+#define hardware_version hardwareVersion
+#define firmware_version firmwareVersion
+
+#define ck_token_info _CK_TOKEN_INFO
+#define serial_number serialNumber
+#define max_session_count ulMaxSessionCount
+#define session_count ulSessionCount
+#define max_rw_session_count ulMaxRwSessionCount
+#define rw_session_count ulRwSessionCount
+#define max_pin_len ulMaxPinLen
+#define min_pin_len ulMinPinLen
+#define total_public_memory ulTotalPublicMemory
+#define free_public_memory ulFreePublicMemory
+#define total_private_memory ulTotalPrivateMemory
+#define free_private_memory ulFreePrivateMemory
+#define utc_time utcTime
+
+#define ck_session_handle_t CK_SESSION_HANDLE
+#define ck_user_type_t CK_USER_TYPE
+#define ck_state_t CK_STATE
+
+#define ck_session_info _CK_SESSION_INFO
+#define slot_id slotID
+#define device_error ulDeviceError
+
+#define ck_object_handle_t CK_OBJECT_HANDLE
+#define ck_object_class_t CK_OBJECT_CLASS
+#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
+#define ck_key_type_t CK_KEY_TYPE
+#define ck_certificate_type_t CK_CERTIFICATE_TYPE
+#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
+
+#define ck_attribute _CK_ATTRIBUTE
+#define value pValue
+#define value_len ulValueLen
+
+#define count ulCount
+
+#define ck_date _CK_DATE
+
+#define ck_mechanism_type_t CK_MECHANISM_TYPE
+
+#define ck_mechanism _CK_MECHANISM
+#define parameter pParameter
+#define parameter_len ulParameterLen
+
+#define params pParams
+
+#define ck_mechanism_info _CK_MECHANISM_INFO
+#define min_key_size ulMinKeySize
+#define max_key_size ulMaxKeySize
+
+#define ck_param_type CK_PARAM_TYPE
+#define ck_otp_param CK_OTP_PARAM
+#define ck_otp_params CK_OTP_PARAMS
+#define ck_otp_signature_info CK_OTP_SIGNATURE_INFO
+
+#define ck_rv_t CK_RV
+#define ck_notify_t CK_NOTIFY
+
+#define ck_function_list _CK_FUNCTION_LIST
+
+#define ck_createmutex_t CK_CREATEMUTEX
+#define ck_destroymutex_t CK_DESTROYMUTEX
+#define ck_lockmutex_t CK_LOCKMUTEX
+#define ck_unlockmutex_t CK_UNLOCKMUTEX
+
+#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
+#define create_mutex CreateMutex
+#define destroy_mutex DestroyMutex
+#define lock_mutex LockMutex
+#define unlock_mutex UnlockMutex
+#define reserved pReserved
+
+#define ck_rsa_pkcs_mgf_type_t CK_RSA_PKCS_MGF_TYPE
+#define ck_rsa_pkcs_oaep_source_type_t CK_RSA_PKCS_OAEP_SOURCE_TYPE
+#define hash_alg hashAlg
+#define s_len sLen
+#define source_data pSourceData
+#define source_data_len ulSourceDataLen
+
+#define counter_bits ulCounterBits
+#define iv_ptr pIv
+#define iv_len ulIvLen
+#define iv_bits ulIvBits
+#define aad_ptr pAAD
+#define aad_len ulAADLen
+#define tag_bits ulTagBits
+#define shared_data_len ulSharedDataLen
+#define shared_data pSharedData
+#define public_data_len ulPublicDataLen
+#define public_data pPublicData
+#define string_data pData
+#define string_data_len ulLen
+#define data_params pData
+#endif	/* CRYPTOKI_COMPAT */
+
+
+
+typedef unsigned long ck_flags_t;
+
+struct ck_version
+{
+  unsigned char major;
+  unsigned char minor;
 };
 
-#undef CK_PKCS11_FUNCTION_INFO
 
+struct ck_info
+{
+  struct ck_version cryptoki_version;
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  unsigned char library_description[32];
+  struct ck_version library_version;
+};
 
-#undef __PASTE
 
-#ifdef __cplusplus
-}
+typedef unsigned long ck_notification_t;
+
+#define CKN_SURRENDER	(0UL)
+
+
+typedef unsigned long ck_slot_id_t;
+
+
+struct ck_slot_info
+{
+  unsigned char slot_description[64];
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+};
+
+
+#define CKF_TOKEN_PRESENT	(1UL << 0)
+#define CKF_REMOVABLE_DEVICE	(1UL << 1)
+#define CKF_HW_SLOT		(1UL << 2)
+#define CKF_ARRAY_ATTRIBUTE	(1UL << 30)
+
+
+struct ck_token_info
+{
+  unsigned char label[32];
+  unsigned char manufacturer_id[32];
+  unsigned char model[16];
+  unsigned char serial_number[16];
+  ck_flags_t flags;
+  unsigned long max_session_count;
+  unsigned long session_count;
+  unsigned long max_rw_session_count;
+  unsigned long rw_session_count;
+  unsigned long max_pin_len;
+  unsigned long min_pin_len;
+  unsigned long total_public_memory;
+  unsigned long free_public_memory;
+  unsigned long total_private_memory;
+  unsigned long free_private_memory;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+  unsigned char utc_time[16];
+};
+
+
+#define CKF_RNG					(1UL << 0)
+#define CKF_WRITE_PROTECTED			(1UL << 1)
+#define CKF_LOGIN_REQUIRED			(1UL << 2)
+#define CKF_USER_PIN_INITIALIZED		(1UL << 3)
+#define CKF_RESTORE_KEY_NOT_NEEDED		(1UL << 5)
+#define CKF_CLOCK_ON_TOKEN			(1UL << 6)
+#define CKF_PROTECTED_AUTHENTICATION_PATH	(1UL << 8)
+#define CKF_DUAL_CRYPTO_OPERATIONS		(1UL << 9)
+#define CKF_TOKEN_INITIALIZED			(1UL << 10)
+#define CKF_SECONDARY_AUTHENTICATION		(1UL << 11)
+#define CKF_USER_PIN_COUNT_LOW			(1UL << 16)
+#define CKF_USER_PIN_FINAL_TRY			(1UL << 17)
+#define CKF_USER_PIN_LOCKED			(1UL << 18)
+#define CKF_USER_PIN_TO_BE_CHANGED		(1UL << 19)
+#define CKF_SO_PIN_COUNT_LOW			(1UL << 20)
+#define CKF_SO_PIN_FINAL_TRY			(1UL << 21)
+#define CKF_SO_PIN_LOCKED			(1UL << 22)
+#define CKF_SO_PIN_TO_BE_CHANGED		(1UL << 23)
+
+#define CK_UNAVAILABLE_INFORMATION	((unsigned long)-1L)
+#define CK_EFFECTIVELY_INFINITE		(0UL)
+
+
+typedef unsigned long ck_session_handle_t;
+
+#define CK_INVALID_HANDLE	(0UL)
+
+
+typedef unsigned long ck_user_type_t;
+
+#define CKU_SO			(0UL)
+#define CKU_USER		(1UL)
+#define CKU_CONTEXT_SPECIFIC	(2UL)
+
+
+typedef unsigned long ck_state_t;
+
+#define CKS_RO_PUBLIC_SESSION	(0UL)
+#define CKS_RO_USER_FUNCTIONS	(1UL)
+#define CKS_RW_PUBLIC_SESSION	(2UL)
+#define CKS_RW_USER_FUNCTIONS	(3UL)
+#define CKS_RW_SO_FUNCTIONS	(4UL)
+
+
+struct ck_session_info
+{
+  ck_slot_id_t slot_id;
+  ck_state_t state;
+  ck_flags_t flags;
+  unsigned long device_error;
+};
+
+#define CKF_RW_SESSION		(1UL << 1)
+#define CKF_SERIAL_SESSION	(1UL << 2)
+
+
+typedef unsigned long ck_object_handle_t;
+
+
+typedef unsigned long ck_object_class_t;
+
+#define CKO_DATA		(0UL)
+#define CKO_CERTIFICATE		(1UL)
+#define CKO_PUBLIC_KEY		(2UL)
+#define CKO_PRIVATE_KEY		(3UL)
+#define CKO_SECRET_KEY		(4UL)
+#define CKO_HW_FEATURE		(5UL)
+#define CKO_DOMAIN_PARAMETERS	(6UL)
+#define CKO_MECHANISM		(7UL)
+#define CKO_OTP_KEY		(8UL)
+#define CKO_VENDOR_DEFINED	((unsigned long) (1UL << 31))
+
+
+typedef unsigned long ck_hw_feature_type_t;
+
+#define CKH_MONOTONIC_COUNTER	(1UL)
+#define CKH_CLOCK		(2UL)
+#define CKH_USER_INTERFACE	(3UL)
+#define CKH_VENDOR_DEFINED	((unsigned long) (1UL << 31))
+
+
+typedef unsigned long ck_key_type_t;
+
+#define CKK_RSA			(0UL)
+#define CKK_DSA			(1UL)
+#define CKK_DH			(2UL)
+#define CKK_ECDSA		(3UL)
+#define CKK_EC			(3UL)
+#define CKK_X9_42_DH		(4UL)
+#define CKK_KEA			(5UL)
+#define CKK_GENERIC_SECRET	(0x10UL)
+#define CKK_RC2			(0x11UL)
+#define CKK_RC4			(0x12UL)
+#define CKK_DES			(0x13UL)
+#define CKK_DES2		(0x14UL)
+#define CKK_DES3		(0x15UL)
+#define CKK_CAST		(0x16UL)
+#define CKK_CAST3		(0x17UL)
+#define CKK_CAST128		(0x18UL)
+#define CKK_RC5			(0x19UL)
+#define CKK_IDEA		(0x1aUL)
+#define CKK_SKIPJACK		(0x1bUL)
+#define CKK_BATON		(0x1cUL)
+#define CKK_JUNIPER		(0x1dUL)
+#define CKK_CDMF		(0x1eUL)
+#define CKK_AES			(0x1fUL)
+#define CKK_BLOWFISH		(0x20UL)
+#define CKK_TWOFISH		(0x21UL)
+#define CKK_SECURID		(0x22UL)
+#define CKK_HOTP		(0x23UL)
+#define CKK_ACTI		(0x24UL)
+#define CKK_CAMELLIA		(0x25UL)
+#define CKK_ARIA		(0x26UL)
+#define CKK_MD5_HMAC		(0x27UL)
+#define CKK_SHA_1_HMAC		(0x28UL)
+#define CKK_RIPEMD128_HMAC	(0x29UL)
+#define CKK_RIPEMD160_HMAC	(0x2aUL)
+#define CKK_SHA256_HMAC		(0x2bUL)
+#define CKK_SHA384_HMAC		(0x2cUL)
+#define CKK_SHA512_HMAC		(0x2dUL)
+#define CKK_SHA224_HMAC		(0x2eUL)
+#define CKK_SEED		(0x2fUL)
+#define CKK_GOSTR3410		(0x30UL)
+#define CKK_GOSTR3411		(0x31UL)
+#define CKK_GOST28147		(0x32UL)
+#define CKK_EC_EDWARDS		(0x40UL)
+#define CKK_VENDOR_DEFINED	((unsigned long) (1UL << 31))
+
+
+typedef unsigned long ck_certificate_type_t;
+
+#define CKC_X_509		(0UL)
+#define CKC_X_509_ATTR_CERT	(1UL)
+#define CKC_WTLS		(2UL)
+#define CKC_VENDOR_DEFINED	((unsigned long) (1UL << 31))
+
+#define CKC_OPENPGP		(CKC_VENDOR_DEFINED|0x504750UL)
+
+typedef unsigned long ck_attribute_type_t;
+
+#define CKA_CLASS			(0UL)
+#define CKA_TOKEN			(1UL)
+#define CKA_PRIVATE			(2UL)
+#define CKA_LABEL			(3UL)
+#define CKA_APPLICATION			(0x10UL)
+#define CKA_VALUE			(0x11UL)
+#define CKA_OBJECT_ID			(0x12UL)
+#define CKA_CERTIFICATE_TYPE		(0x80UL)
+#define CKA_ISSUER			(0x81UL)
+#define CKA_SERIAL_NUMBER		(0x82UL)
+#define CKA_AC_ISSUER			(0x83UL)
+#define CKA_OWNER			(0x84UL)
+#define CKA_ATTR_TYPES			(0x85UL)
+#define CKA_TRUSTED			(0x86UL)
+#define CKA_CERTIFICATE_CATEGORY	(0x87UL)
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN	(0x88UL)
+#define CKA_URL				(0x89UL)
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY	(0x8aUL)
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY	(0x8bUL)
+#define CKA_NAME_HASH_ALGORITHM         (0x8cUL)
+#define CKA_CHECK_VALUE			(0x90UL)
+#define CKA_KEY_TYPE			(0x100UL)
+#define CKA_SUBJECT			(0x101UL)
+#define CKA_ID				(0x102UL)
+#define CKA_SENSITIVE			(0x103UL)
+#define CKA_ENCRYPT			(0x104UL)
+#define CKA_DECRYPT			(0x105UL)
+#define CKA_WRAP			(0x106UL)
+#define CKA_UNWRAP			(0x107UL)
+#define CKA_SIGN			(0x108UL)
+#define CKA_SIGN_RECOVER		(0x109UL)
+#define CKA_VERIFY			(0x10aUL)
+#define CKA_VERIFY_RECOVER		(0x10bUL)
+#define CKA_DERIVE			(0x10cUL)
+#define CKA_START_DATE			(0x110UL)
+#define CKA_END_DATE			(0x111UL)
+#define CKA_MODULUS			(0x120UL)
+#define CKA_MODULUS_BITS		(0x121UL)
+#define CKA_PUBLIC_EXPONENT		(0x122UL)
+#define CKA_PRIVATE_EXPONENT		(0x123UL)
+#define CKA_PRIME_1			(0x124UL)
+#define CKA_PRIME_2			(0x125UL)
+#define CKA_EXPONENT_1			(0x126UL)
+#define CKA_EXPONENT_2			(0x127UL)
+#define CKA_COEFFICIENT			(0x128UL)
+#define CKA_PUBLIC_KEY_INFO		(0x129UL)
+#define CKA_PRIME			(0x130UL)
+#define CKA_SUBPRIME			(0x131UL)
+#define CKA_BASE			(0x132UL)
+#define CKA_PRIME_BITS			(0x133UL)
+#define CKA_SUB_PRIME_BITS		(0x134UL)
+#define CKA_VALUE_BITS			(0x160UL)
+#define CKA_VALUE_LEN			(0x161UL)
+#define CKA_EXTRACTABLE			(0x162UL)
+#define CKA_LOCAL			(0x163UL)
+#define CKA_NEVER_EXTRACTABLE		(0x164UL)
+#define CKA_ALWAYS_SENSITIVE		(0x165UL)
+#define CKA_KEY_GEN_MECHANISM		(0x166UL)
+#define CKA_MODIFIABLE			(0x170UL)
+#define CKA_COPYABLE			(0x171UL)
+#define CKA_DESTROYABLE			(0x172UL)
+#define CKA_ECDSA_PARAMS		(0x180UL)
+#define CKA_EC_PARAMS			(0x180UL)
+#define CKA_EC_POINT			(0x181UL)
+#define CKA_SECONDARY_AUTH		(0x200UL)
+#define CKA_AUTH_PIN_FLAGS		(0x201UL)
+#define CKA_ALWAYS_AUTHENTICATE		(0x202UL)
+#define CKA_WRAP_WITH_TRUSTED		(0x210UL)
+#define CKA_OTP_FORMAT			(0x220UL)
+#define CKA_OTP_LENGTH			(0x221UL)
+#define CKA_OTP_TIME_INTERVAL		(0x222UL)
+#define CKA_OTP_USER_FRIENDLY_MODE	(0x223UL)
+#define CKA_OTP_CHALLENGE_REQUIREMENT	(0x224UL)
+#define CKA_OTP_TIME_REQUIREMENT	(0x225UL)
+#define CKA_OTP_COUNTER_REQUIREMENT	(0x226UL)
+#define CKA_OTP_PIN_REQUIREMENT		(0x227UL)
+#define CKA_OTP_USER_IDENTIFIER		(0x22AUL)
+#define CKA_OTP_SERVICE_IDENTIFIER	(0x22BUL)
+#define CKA_OTP_SERVICE_LOGO		(0x22CUL)
+#define CKA_OTP_SERVICE_LOGO_TYPE	(0x22DUL)
+#define CKA_OTP_COUNTER			(0x22EUL)
+#define CKA_OTP_TIME                    (0x22FUL)
+#define CKA_GOSTR3410_PARAMS		(0x250UL)
+#define CKA_GOSTR3411_PARAMS		(0x251UL)
+#define CKA_GOST28147_PARAMS		(0x252UL)
+#define CKA_HW_FEATURE_TYPE		(0x300UL)
+#define CKA_RESET_ON_INIT		(0x301UL)
+#define CKA_HAS_RESET			(0x302UL)
+#define CKA_PIXEL_X			(0x400UL)
+#define CKA_PIXEL_Y			(0x401UL)
+#define CKA_RESOLUTION			(0x402UL)
+#define CKA_CHAR_ROWS			(0x403UL)
+#define CKA_CHAR_COLUMNS		(0x404UL)
+#define CKA_COLOR			(0x405UL)
+#define CKA_BITS_PER_PIXEL		(0x406UL)
+#define CKA_CHAR_SETS			(0x480UL)
+#define CKA_ENCODING_METHODS		(0x481UL)
+#define CKA_MIME_TYPES			(0x482UL)
+#define CKA_MECHANISM_TYPE		(0x500UL)
+#define CKA_REQUIRED_CMS_ATTRIBUTES	(0x501UL)
+#define CKA_DEFAULT_CMS_ATTRIBUTES	(0x502UL)
+#define CKA_SUPPORTED_CMS_ATTRIBUTES	(0x503UL)
+#define CKA_WRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x211UL)
+#define CKA_UNWRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x212UL)
+#define CKA_DERIVE_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x213UL)
+#define CKA_ALLOWED_MECHANISMS		(CKF_ARRAY_ATTRIBUTE | 0x600UL)
+#define CKA_VENDOR_DEFINED		((unsigned long) (1UL << 31))
+
+
+struct ck_attribute
+{
+  ck_attribute_type_t type;
+  void *value;
+  unsigned long value_len;
+};
+
+
+struct ck_date
+{
+  unsigned char year[4];
+  unsigned char month[2];
+  unsigned char day[2];
+};
+
+
+typedef unsigned long ck_mechanism_type_t;
+
+#define CKM_RSA_PKCS_KEY_PAIR_GEN	(0UL)
+#define CKM_RSA_PKCS			(1UL)
+#define CKM_RSA_9796			(2UL)
+#define CKM_RSA_X_509			(3UL)
+#define CKM_MD2_RSA_PKCS		(4UL)
+#define CKM_MD5_RSA_PKCS		(5UL)
+#define CKM_SHA1_RSA_PKCS		(6UL)
+#define CKM_RIPEMD128_RSA_PKCS		(7UL)
+#define CKM_RIPEMD160_RSA_PKCS		(8UL)
+#define CKM_RSA_PKCS_OAEP		(9UL)
+#define CKM_RSA_X9_31_KEY_PAIR_GEN	(0xaUL)
+#define CKM_RSA_X9_31			(0xbUL)
+#define CKM_SHA1_RSA_X9_31		(0xcUL)
+#define CKM_RSA_PKCS_PSS		(0xdUL)
+#define CKM_SHA1_RSA_PKCS_PSS		(0xeUL)
+#define CKM_DSA_KEY_PAIR_GEN		(0x10UL)
+#define	CKM_DSA				(0x11UL)
+#define CKM_DSA_SHA1			(0x12UL)
+#define CKM_DSA_SHA224			(0x13UL)
+#define CKM_DSA_SHA256			(0x14UL)
+#define CKM_DSA_SHA384			(0x15UL)
+#define CKM_DSA_SHA512			(0x16UL)
+#define CKM_DH_PKCS_KEY_PAIR_GEN	(0x20UL)
+#define CKM_DH_PKCS_DERIVE		(0x21UL)
+#define	CKM_X9_42_DH_KEY_PAIR_GEN	(0x30UL)
+#define CKM_X9_42_DH_DERIVE		(0x31UL)
+#define CKM_X9_42_DH_HYBRID_DERIVE	(0x32UL)
+#define CKM_X9_42_MQV_DERIVE		(0x33UL)
+#define CKM_SHA256_RSA_PKCS		(0x40UL)
+#define CKM_SHA384_RSA_PKCS		(0x41UL)
+#define CKM_SHA512_RSA_PKCS		(0x42UL)
+#define CKM_SHA256_RSA_PKCS_PSS		(0x43UL)
+#define CKM_SHA384_RSA_PKCS_PSS		(0x44UL)
+#define CKM_SHA512_RSA_PKCS_PSS		(0x45UL)
+#define CKM_SHA512_224			(0x48UL)
+#define CKM_SHA512_224_HMAC		(0x49UL)
+#define CKM_SHA512_224_HMAC_GENERAL	(0x4aUL)
+#define CKM_SHA512_224_KEY_DERIVATION	(0x4bUL)
+#define CKM_SHA512_256			(0x4cUL)
+#define CKM_SHA512_256_HMAC		(0x4dUL)
+#define CKM_SHA512_256_HMAC_GENERAL	(0x4eUL)
+#define CKM_SHA512_256_KEY_DERIVATION	(0x4fUL)
+#define CKM_SHA512_T			(0x50UL)
+#define CKM_SHA512_T_HMAC		(0x51UL)
+#define CKM_SHA512_T_HMAC_GENERAL	(0x52UL)
+#define CKM_SHA512_T_KEY_DERIVATION	(0x53UL)
+#define CKM_RC2_KEY_GEN			(0x100UL)
+#define CKM_RC2_ECB			(0x101UL)
+#define	CKM_RC2_CBC			(0x102UL)
+#define	CKM_RC2_MAC			(0x103UL)
+#define CKM_RC2_MAC_GENERAL		(0x104UL)
+#define CKM_RC2_CBC_PAD			(0x105UL)
+#define CKM_RC4_KEY_GEN			(0x110UL)
+#define CKM_RC4				(0x111UL)
+#define CKM_DES_KEY_GEN			(0x120UL)
+#define CKM_DES_ECB			(0x121UL)
+#define CKM_DES_CBC			(0x122UL)
+#define CKM_DES_MAC			(0x123UL)
+#define CKM_DES_MAC_GENERAL		(0x124UL)
+#define CKM_DES_CBC_PAD			(0x125UL)
+#define CKM_DES2_KEY_GEN		(0x130UL)
+#define CKM_DES3_KEY_GEN		(0x131UL)
+#define CKM_DES3_ECB			(0x132UL)
+#define CKM_DES3_CBC			(0x133UL)
+#define CKM_DES3_MAC			(0x134UL)
+#define CKM_DES3_MAC_GENERAL		(0x135UL)
+#define CKM_DES3_CBC_PAD		(0x136UL)
+#define CKM_DES3_CMAC_GENERAL		(0x137UL)
+#define CKM_DES3_CMAC			(0x138UL)
+#define CKM_CDMF_KEY_GEN		(0x140UL)
+#define CKM_CDMF_ECB			(0x141UL)
+#define CKM_CDMF_CBC			(0x142UL)
+#define CKM_CDMF_MAC			(0x143UL)
+#define CKM_CDMF_MAC_GENERAL		(0x144UL)
+#define CKM_CDMF_CBC_PAD		(0x145UL)
+#define CKM_DES_OFB64			(0x150UL)
+#define CKM_DES_OFB8			(0x151UL)
+#define CKM_DES_CFB64			(0x152UL)
+#define CKM_DES_CFB8			(0x153UL)
+#define CKM_MD2				(0x200UL)
+#define CKM_MD2_HMAC			(0x201UL)
+#define CKM_MD2_HMAC_GENERAL		(0x202UL)
+#define CKM_MD5				(0x210UL)
+#define CKM_MD5_HMAC			(0x211UL)
+#define CKM_MD5_HMAC_GENERAL		(0x212UL)
+#define CKM_SHA_1			(0x220UL)
+#define CKM_SHA_1_HMAC			(0x221UL)
+#define CKM_SHA_1_HMAC_GENERAL		(0x222UL)
+#define CKM_RIPEMD128			(0x230UL)
+#define CKM_RIPEMD128_HMAC		(0x231UL)
+#define CKM_RIPEMD128_HMAC_GENERAL	(0x232UL)
+#define CKM_RIPEMD160			(0x240UL)
+#define CKM_RIPEMD160_HMAC		(0x241UL)
+#define CKM_RIPEMD160_HMAC_GENERAL	(0x242UL)
+#define CKM_SHA256			(0x250UL)
+#define CKM_SHA256_HMAC			(0x251UL)
+#define CKM_SHA256_HMAC_GENERAL		(0x252UL)
+#define CKM_SHA384			(0x260UL)
+#define CKM_SHA384_HMAC			(0x261UL)
+#define CKM_SHA384_HMAC_GENERAL		(0x262UL)
+#define CKM_SHA512			(0x270UL)
+#define CKM_SHA512_HMAC			(0x271UL)
+#define CKM_SHA512_HMAC_GENERAL		(0x272UL)
+#define CKM_SECURID_KEY_GEN             (0x280UL)
+#define CKM_SECURID                     (0x282UL)
+#define CKM_HOTP_KEY_GEN                (0x290UL)
+#define CKM_HOTP                        (0x291UL)
+#define CKM_ACTI                        (0x2a0UL)
+#define CKM_ACTI_KEY_GEN                (0x2a1UL)
+#define CKM_CAST_KEY_GEN		(0x300UL)
+#define CKM_CAST_ECB			(0x301UL)
+#define CKM_CAST_CBC			(0x302UL)
+#define CKM_CAST_MAC			(0x303UL)
+#define CKM_CAST_MAC_GENERAL		(0x304UL)
+#define CKM_CAST_CBC_PAD		(0x305UL)
+#define CKM_CAST3_KEY_GEN		(0x310UL)
+#define CKM_CAST3_ECB			(0x311UL)
+#define CKM_CAST3_CBC			(0x312UL)
+#define CKM_CAST3_MAC			(0x313UL)
+#define CKM_CAST3_MAC_GENERAL		(0x314UL)
+#define CKM_CAST3_CBC_PAD		(0x315UL)
+#define CKM_CAST5_KEY_GEN		(0x320UL)
+#define CKM_CAST128_KEY_GEN		(0x320UL)
+#define CKM_CAST5_ECB			(0x321UL)
+#define CKM_CAST128_ECB			(0x321UL)
+#define CKM_CAST5_CBC			(0x322UL)
+#define CKM_CAST128_CBC			(0x322UL)
+#define CKM_CAST5_MAC			(0x323UL)
+#define	CKM_CAST128_MAC			(0x323UL)
+#define CKM_CAST5_MAC_GENERAL		(0x324UL)
+#define CKM_CAST128_MAC_GENERAL		(0x324UL)
+#define CKM_CAST5_CBC_PAD		(0x325UL)
+#define CKM_CAST128_CBC_PAD		(0x325UL)
+#define CKM_RC5_KEY_GEN			(0x330UL)
+#define CKM_RC5_ECB			(0x331UL)
+#define CKM_RC5_CBC			(0x332UL)
+#define CKM_RC5_MAC			(0x333UL)
+#define CKM_RC5_MAC_GENERAL		(0x334UL)
+#define CKM_RC5_CBC_PAD			(0x335UL)
+#define CKM_IDEA_KEY_GEN		(0x340UL)
+#define CKM_IDEA_ECB			(0x341UL)
+#define	CKM_IDEA_CBC			(0x342UL)
+#define CKM_IDEA_MAC			(0x343UL)
+#define CKM_IDEA_MAC_GENERAL		(0x344UL)
+#define CKM_IDEA_CBC_PAD		(0x345UL)
+#define CKM_GENERIC_SECRET_KEY_GEN	(0x350UL)
+#define CKM_CONCATENATE_BASE_AND_KEY	(0x360UL)
+#define CKM_CONCATENATE_BASE_AND_DATA	(0x362UL)
+#define CKM_CONCATENATE_DATA_AND_BASE	(0x363UL)
+#define CKM_XOR_BASE_AND_DATA		(0x364UL)
+#define CKM_EXTRACT_KEY_FROM_KEY	(0x365UL)
+#define CKM_SSL3_PRE_MASTER_KEY_GEN	(0x370UL)
+#define CKM_SSL3_MASTER_KEY_DERIVE	(0x371UL)
+#define CKM_SSL3_KEY_AND_MAC_DERIVE	(0x372UL)
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH	(0x373UL)
+#define CKM_TLS_PRE_MASTER_KEY_GEN	(0x374UL)
+#define CKM_TLS_MASTER_KEY_DERIVE	(0x375UL)
+#define CKM_TLS_KEY_AND_MAC_DERIVE	(0x376UL)
+#define CKM_TLS_MASTER_KEY_DERIVE_DH	(0x377UL)
+#define CKM_TLS_PRF			(0x378UL)
+#define CKM_SSL3_MD5_MAC		(0x380UL)
+#define CKM_SSL3_SHA1_MAC		(0x381UL)
+#define CKM_MD5_KEY_DERIVATION		(0x390UL)
+#define CKM_MD2_KEY_DERIVATION		(0x391UL)
+#define CKM_SHA1_KEY_DERIVATION		(0x392UL)
+#define CKM_SHA256_KEY_DERIVATION	(0x393UL)
+#define CKM_SHA384_KEY_DERIVATION	(0x394UL)
+#define CKM_SHA512_KEY_DERIVATION	(0x395UL)
+#define CKM_PBE_MD2_DES_CBC		(0x3a0UL)
+#define CKM_PBE_MD5_DES_CBC		(0x3a1UL)
+#define CKM_PBE_MD5_CAST_CBC		(0x3a2UL)
+#define CKM_PBE_MD5_CAST3_CBC		(0x3a3UL)
+#define CKM_PBE_MD5_CAST5_CBC		(0x3a4UL)
+#define CKM_PBE_MD5_CAST128_CBC		(0x3a4UL)
+#define CKM_PBE_SHA1_CAST5_CBC		(0x3a5UL)
+#define CKM_PBE_SHA1_CAST128_CBC	(0x3a5UL)
+#define CKM_PBE_SHA1_RC4_128		(0x3a6UL)
+#define CKM_PBE_SHA1_RC4_40		(0x3a7UL)
+#define CKM_PBE_SHA1_DES3_EDE_CBC	(0x3a8UL)
+#define CKM_PBE_SHA1_DES2_EDE_CBC	(0x3a9UL)
+#define CKM_PBE_SHA1_RC2_128_CBC	(0x3aaUL)
+#define CKM_PBE_SHA1_RC2_40_CBC		(0x3abUL)
+#define CKM_PKCS5_PBKD2			(0x3b0UL)
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC	(0x3c0UL)
+#define CKM_WTLS_PRE_MASTER_KEY_GEN	(0x3d0UL)
+#define CKM_WTLS_MASTER_KEY_DERIVE	(0x3d1UL)
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC (0x3d2UL)
+#define CKM_WTLS_PRF			(0x3d3UL)
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE (0x3d4UL)
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE (0x3d5UL)
+#define CKM_TLS10_MAC_SERVER		(0x3d6UL)
+#define CKM_TLS10_MAC_CLIENT		(0x3d7UL)
+#define CKM_TLS12_MAC			(0x3d8UL)
+#define CKM_TLS12_KDF			(0x3d9UL)
+#define CKM_TLS12_MASTER_KEY_DERIVE	(0x3e0UL)
+#define CKM_TLS12_KEY_AND_MAC_DERIVE	(0x3e1UL)
+#define CKM_TLS12_MASTER_KEY_DERIVE_DH	(0x3e2UL)
+#define CKM_TLS12_KEY_SAFE_DERIVE	(0x3e3UL)
+#define CKM_TLS_MAC			(0x3e4UL)
+#define CKM_TLS_KDF			(0x3e5UL)
+#define CKM_KEY_WRAP_LYNKS		(0x400UL)
+#define CKM_KEY_WRAP_SET_OAEP		(0x401UL)
+#define CKM_CMS_SIG			(0x500UL)
+#define CKM_KIP_DERIVE			(0x510UL)
+#define CKM_KIP_WRAP			(0x511UL)
+#define CKM_KIP_MAC			(0x512UL)
+#define CKM_ARIA_KEY_GEN		(0x560UL)
+#define CKM_ARIA_ECB			(0x561UL)
+#define CKM_ARIA_CBC			(0x562UL)
+#define CKM_ARIA_MAC			(0x563UL)
+#define CKM_ARIA_MAC_GENERAL		(0x564UL)
+#define CKM_ARIA_CBC_PAD		(0x565UL)
+#define CKM_ARIA_ECB_ENCRYPT_DATA	(0x566UL)
+#define CKM_ARIA_CBC_ENCRYPT_DATA	(0x567UL)
+#define CKM_SEED_KEY_GEN		(0x650UL)
+#define CKM_SEED_ECB			(0x651UL)
+#define CKM_SEED_CBC			(0x652UL)
+#define CKM_SEED_MAC			(0x653UL)
+#define CKM_SEED_MAC_GENERAL		(0x654UL)
+#define CKM_SEED_CBC_PAD		(0x655UL)
+#define CKM_SEED_ECB_ENCRYPT_DATA	(0x656UL)
+#define CKM_SEED_CBC_ENCRYPT_DATA	(0x657UL)
+#define CKM_SKIPJACK_KEY_GEN		(0x1000UL)
+#define CKM_SKIPJACK_ECB64		(0x1001UL)
+#define CKM_SKIPJACK_CBC64		(0x1002UL)
+#define CKM_SKIPJACK_OFB64		(0x1003UL)
+#define CKM_SKIPJACK_CFB64		(0x1004UL)
+#define CKM_SKIPJACK_CFB32		(0x1005UL)
+#define CKM_SKIPJACK_CFB16		(0x1006UL)
+#define CKM_SKIPJACK_CFB8		(0x1007UL)
+#define CKM_SKIPJACK_WRAP		(0x1008UL)
+#define CKM_SKIPJACK_PRIVATE_WRAP	(0x1009UL)
+#define CKM_SKIPJACK_RELAYX		(0x100aUL)
+#define CKM_KEA_KEY_PAIR_GEN		(0x1010UL)
+#define CKM_KEA_KEY_DERIVE		(0x1011UL)
+#define CKM_FORTEZZA_TIMESTAMP		(0x1020UL)
+#define CKM_BATON_KEY_GEN		(0x1030UL)
+#define CKM_BATON_ECB128		(0x1031UL)
+#define CKM_BATON_ECB96			(0x1032UL)
+#define CKM_BATON_CBC128		(0x1033UL)
+#define CKM_BATON_COUNTER		(0x1034UL)
+#define CKM_BATON_SHUFFLE		(0x1035UL)
+#define CKM_BATON_WRAP			(0x1036UL)
+#define CKM_ECDSA_KEY_PAIR_GEN		(0x1040UL)
+#define CKM_EC_KEY_PAIR_GEN		(0x1040UL)
+#define CKM_ECDSA			(0x1041UL)
+#define CKM_ECDSA_SHA1			(0x1042UL)
+#define CKM_ECDSA_SHA224		(0x1043UL)
+#define CKM_ECDSA_SHA256		(0x1044UL)
+#define CKM_ECDSA_SHA384		(0x1045UL)
+#define CKM_ECDSA_SHA512		(0x1046UL)
+#define CKM_ECDH1_DERIVE		(0x1050UL)
+#define CKM_ECDH1_COFACTOR_DERIVE	(0x1051UL)
+#define CKM_ECMQV_DERIVE		(0x1052UL)
+#define CKM_ECDH_AES_KEY_WRAP		(0x1053UL)
+#define CKM_RSA_AES_KEY_WRAP		(0x1054UL)
+#define CKM_JUNIPER_KEY_GEN		(0x1060UL)
+#define CKM_JUNIPER_ECB128		(0x1061UL)
+#define CKM_JUNIPER_CBC128		(0x1062UL)
+#define CKM_JUNIPER_COUNTER		(0x1063UL)
+#define CKM_JUNIPER_SHUFFLE		(0x1064UL)
+#define CKM_JUNIPER_WRAP		(0x1065UL)
+#define CKM_FASTHASH			(0x1070UL)
+#define CKM_AES_KEY_GEN			(0x1080UL)
+#define CKM_AES_ECB			(0x1081UL)
+#define CKM_AES_CBC			(0x1082UL)
+#define CKM_AES_MAC			(0x1083UL)
+#define CKM_AES_MAC_GENERAL		(0x1084UL)
+#define CKM_AES_CBC_PAD			(0x1085UL)
+#define CKM_AES_CTR			(0x1086UL)
+#define CKM_AES_GCM			(0x1087UL)
+#define CKM_AES_CCM			(0x1088UL)
+#define CKM_AES_CTS			(0x1089UL)
+#define CKM_AES_CMAC			(0x108aUL)
+#define CKM_AES_CMAC_GENERAL		(0x108bUL)
+#define CKM_AES_XCBC_MAC		(0x108cUL)
+#define CKM_AES_XCBC_MAC_96		(0x108dUL)
+#define CKM_AES_GMAC			(0x108eUL)
+#define CKM_BLOWFISH_KEY_GEN		(0x1090UL)
+#define CKM_BLOWFISH_CBC		(0x1091UL)
+#define CKM_TWOFISH_KEY_GEN		(0x1092UL)
+#define CKM_TWOFISH_CBC			(0x1093UL)
+#define CKM_BLOWFISH_CBC_PAD		(0x1094UL)
+#define CKM_TWOFISH_CBC_PAD		(0x1095UL)
+#define CKM_DES_ECB_ENCRYPT_DATA	(0x1100UL)
+#define CKM_DES_CBC_ENCRYPT_DATA	(0x1101UL)
+#define CKM_DES3_ECB_ENCRYPT_DATA	(0x1102UL)
+#define CKM_DES3_CBC_ENCRYPT_DATA	(0x1103UL)
+#define CKM_AES_ECB_ENCRYPT_DATA	(0x1104UL)
+#define CKM_AES_CBC_ENCRYPT_DATA	(0x1105UL)
+#define CKM_GOSTR3410_KEY_PAIR_GEN	(0x1200UL)
+#define CKM_GOSTR3410			(0x1201UL)
+#define CKM_GOSTR3410_WITH_GOSTR3411	(0x1202UL)
+#define CKM_GOSTR3410_KEY_WRAP		(0x1203UL)
+#define CKM_GOSTR3410_DERIVE		(0x1204UL)
+#define CKM_GOSTR3411			(0x1210UL)
+#define CKM_GOSTR3411_HMAC		(0x1211UL)
+#define CKM_GOST28147_KEY_GEN		(0x1220UL)
+#define CKM_GOST28147_ECB		(0x1221UL)
+#define CKM_GOST28147			(0x1222UL)
+#define CKM_GOST28147_MAC		(0x1223UL)
+#define CKM_GOST28147_KEY_WRAP		(0x1224UL)
+#define CKM_DSA_PARAMETER_GEN		(0x2000UL)
+#define CKM_DH_PKCS_PARAMETER_GEN	(0x2001UL)
+#define CKM_X9_42_DH_PARAMETER_GEN	(0x2002UL)
+#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN	(0x2003UL)
+#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN	(0x2004UL)
+#define CKM_AES_OFB			(0x2104UL)
+#define CKM_AES_CFB64			(0x2105UL)
+#define CKM_AES_CFB8			(0x2106UL)
+#define CKM_AES_CFB128			(0x2107UL)
+#define CKM_AES_CFB1			(0x2108UL)
+
+#define CKM_VENDOR_DEFINED		((unsigned long) (1UL << 31))
+
+/* Amendments */
+#define CKM_SHA224			(0x255UL)
+#define CKM_SHA224_HMAC			(0x256UL)
+#define CKM_SHA224_HMAC_GENERAL		(0x257UL)
+#define CKM_SHA224_RSA_PKCS		(0x46UL)
+#define CKM_SHA224_RSA_PKCS_PSS		(0x47UL)
+#define CKM_SHA224_KEY_DERIVATION	(0x396UL)
+
+#define CKM_CAMELLIA_KEY_GEN		(0x550UL)
+#define CKM_CAMELLIA_ECB		(0x551UL)
+#define CKM_CAMELLIA_CBC		(0x552UL)
+#define CKM_CAMELLIA_MAC		(0x553UL)
+#define CKM_CAMELLIA_MAC_GENERAL	(0x554UL)
+#define CKM_CAMELLIA_CBC_PAD		(0x555UL)
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA	(0x556UL)
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA	(0x557UL)
+#define CKM_CAMELLIA_CTR		(0x558UL)
+
+#define CKM_AES_KEY_WRAP		(0x2109UL)
+#define CKM_AES_KEY_WRAP_PAD		(0x210aUL)
+
+#define CKM_RSA_PKCS_TPM_1_1		(0x4001UL)
+#define CKM_RSA_PKCS_OAEP_TPM_1_1	(0x4002UL)
+
+/* From version 3.0 */
+#define CKM_EC_EDWARDS_KEY_PAIR_GEN	(0x1055UL)
+#define CKM_EDDSA			(0x1057UL)
+
+/* Attribute and other constants related to OTP */
+#define CK_OTP_FORMAT_DECIMAL		(0UL)
+#define CK_OTP_FORMAT_HEXADECIMAL	(1UL)
+#define CK_OTP_FORMAT_ALPHANUMERIC	(2UL)
+#define CK_OTP_FORMAT_BINARY		(3UL)
+#define CK_OTP_PARAM_IGNORED		(0UL)
+#define CK_OTP_PARAM_OPTIONAL		(1UL)
+#define CK_OTP_PARAM_MANDATORY		(2UL)
+
+#define CK_OTP_VALUE			(0UL)
+#define CK_OTP_PIN			(1UL)
+#define CK_OTP_CHALLENGE		(2UL)
+#define CK_OTP_TIME			(3UL)
+#define CK_OTP_COUNTER			(4UL)
+#define CK_OTP_FLAGS			(5UL)
+#define CK_OTP_OUTPUT_LENGTH		(6UL)
+#define CK_OTP_FORMAT			(7UL)
+
+/* OTP mechanism flags */
+#define CKF_NEXT_OTP			(0x01UL)
+#define CKF_EXCLUDE_TIME		(0x02UL)
+#define CKF_EXCLUDE_COUNTER		(0x04UL)
+#define CKF_EXCLUDE_CHALLENGE		(0x08UL)
+#define CKF_EXCLUDE_PIN			(0x10UL)
+#define CKF_USER_FRIENDLY_OTP		(0x20UL)
+
+#define CKN_OTP_CHANGED			(0x01UL)
+
+struct ck_mechanism
+{
+  ck_mechanism_type_t mechanism;
+  void *parameter;
+  unsigned long parameter_len;
+};
+
+
+struct ck_mechanism_info
+{
+  unsigned long min_key_size;
+  unsigned long max_key_size;
+  ck_flags_t flags;
+};
+
+typedef unsigned long ck_param_type;
+
+typedef struct ck_otp_param {
+   ck_param_type type;
+   void *value;
+   unsigned long value_len;
+} ck_otp_param;
+
+typedef struct ck_otp_params {
+   struct ck_otp_param *params;
+   unsigned long count;
+} ck_otp_params;
+
+typedef struct ck_otp_signature_info
+{
+  struct ck_otp_param *params;
+  unsigned long count;
+} ck_otp_signature_info;
+
+#define CKG_MGF1_SHA1 0x00000001UL
+#define CKG_MGF1_SHA224 0x00000005UL
+#define CKG_MGF1_SHA256 0x00000002UL
+#define CKG_MGF1_SHA384 0x00000003UL
+#define CKG_MGF1_SHA512 0x00000004UL
+
+typedef unsigned long ck_rsa_pkcs_mgf_type_t;
+
+struct ck_rsa_pkcs_pss_params {
+  ck_mechanism_type_t hash_alg;
+  ck_rsa_pkcs_mgf_type_t mgf;
+  unsigned long s_len;
+};
+
+typedef unsigned long ck_rsa_pkcs_oaep_source_type_t;
+
+struct ck_rsa_pkcs_oaep_params {
+  ck_mechanism_type_t hash_alg;
+  ck_rsa_pkcs_mgf_type_t mgf;
+  ck_rsa_pkcs_oaep_source_type_t source;
+  void *source_data;
+  unsigned long source_data_len;
+};
+
+struct ck_aes_ctr_params {
+  unsigned long counter_bits;
+  unsigned char cb[16];
+};
+
+struct ck_gcm_params {
+  unsigned char *iv_ptr;
+  unsigned long iv_len;
+  unsigned long iv_bits;
+  unsigned char *aad_ptr;
+  unsigned long aad_len;
+  unsigned long tag_bits;
+};
+
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL			(0x01UL)
+#define CKD_SHA1_KDF			(0x02UL)
+
+/* The following X9.42 DH key derivation functions are defined */
+#define CKD_SHA1_KDF_ASN1		(0x03UL)
+#define CKD_SHA1_KDF_CONCATENATE	(0x04UL)
+#define CKD_SHA224_KDF			(0x05UL)
+#define CKD_SHA256_KDF			(0x06UL)
+#define CKD_SHA384_KDF			(0x07UL)
+#define CKD_SHA512_KDF			(0x08UL)
+#define CKD_CPDIVERSIFY_KDF		(0x09UL)
+
+typedef unsigned long ck_ec_kdf_t;
+
+struct ck_ecdh1_derive_params {
+  ck_ec_kdf_t kdf;
+  unsigned long shared_data_len;
+  unsigned char *shared_data;
+  unsigned long public_data_len;
+  unsigned char *public_data;
+};
+
+struct ck_key_derivation_string_data {
+  unsigned char *string_data;
+  unsigned long string_data_len;
+};
+
+struct ck_des_cbc_encrypt_data_params {
+  unsigned char iv[8];
+  unsigned char *data_params;
+  unsigned long length;
+};
+
+struct ck_aes_cbc_encrypt_data_params {
+  unsigned char iv[16];
+  unsigned char *data_params;
+  unsigned long length;
+};
+
+#define CKF_HW			(1UL << 0)
+#define CKF_ENCRYPT		(1UL << 8)
+#define CKF_DECRYPT		(1UL << 9)
+#define CKF_DIGEST		(1UL << 10)
+#define CKF_SIGN		(1UL << 11)
+#define CKF_SIGN_RECOVER	(1UL << 12)
+#define CKF_VERIFY		(1UL << 13)
+#define CKF_VERIFY_RECOVER	(1UL << 14)
+#define CKF_GENERATE		(1UL << 15)
+#define CKF_GENERATE_KEY_PAIR	(1UL << 16)
+#define CKF_WRAP		(1UL << 17)
+#define CKF_UNWRAP		(1UL << 18)
+#define CKF_DERIVE		(1UL << 19)
+#define CKF_EXTENSION		((unsigned long) (1UL << 31))
+
+#define CKF_EC_F_P		(1UL << 20)
+#define CKF_EC_NAMEDCURVE	(1UL << 23)
+#define CKF_EC_UNCOMPRESS	(1UL << 24)
+#define CKF_EC_COMPRESS		(1UL << 25)
+
+
+/* Flags for C_WaitForSlotEvent.  */
+#define CKF_DONT_BLOCK				(1UL)
+
+
+typedef unsigned long ck_rv_t;
+
+
+typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
+				ck_notification_t event, void *application);
+
+/* Forward reference.  */
+struct ck_function_list;
+
+#define _CK_DECLARE_FUNCTION(name, args)	\
+typedef ck_rv_t (*CK_ ## name) args;		\
+ck_rv_t CK_SPEC name args
+
+_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
+_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
+_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info));
+_CK_DECLARE_FUNCTION (C_GetFunctionList,
+		      (struct ck_function_list **function_list));
+
+_CK_DECLARE_FUNCTION (C_GetSlotList,
+		      (unsigned char token_present, ck_slot_id_t *slot_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetSlotInfo,
+		      (ck_slot_id_t slot_id, struct ck_slot_info *info));
+_CK_DECLARE_FUNCTION (C_GetTokenInfo,
+		      (ck_slot_id_t slot_id, struct ck_token_info *info));
+_CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
+		      (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
+_CK_DECLARE_FUNCTION (C_GetMechanismList,
+		      (ck_slot_id_t slot_id,
+		       ck_mechanism_type_t *mechanism_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetMechanismInfo,
+		      (ck_slot_id_t slot_id, ck_mechanism_type_t type,
+		       struct ck_mechanism_info *info));
+_CK_DECLARE_FUNCTION (C_InitToken,
+		      (ck_slot_id_t slot_id, unsigned char *pin,
+		       unsigned long pin_len, unsigned char *label));
+_CK_DECLARE_FUNCTION (C_InitPIN,
+		      (ck_session_handle_t session, unsigned char *pin,
+		       unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_SetPIN,
+		      (ck_session_handle_t session, unsigned char *old_pin,
+		       unsigned long old_len, unsigned char *new_pin,
+		       unsigned long new_len));
+
+_CK_DECLARE_FUNCTION (C_OpenSession,
+		      (ck_slot_id_t slot_id, ck_flags_t flags,
+		       void *application, ck_notify_t notify,
+		       ck_session_handle_t *session));
+_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
+_CK_DECLARE_FUNCTION (C_GetSessionInfo,
+		      (ck_session_handle_t session,
+		       struct ck_session_info *info));
+_CK_DECLARE_FUNCTION (C_GetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long *operation_state_len));
+_CK_DECLARE_FUNCTION (C_SetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long operation_state_len,
+		       ck_object_handle_t encryption_key,
+		       ck_object_handle_t authentiation_key));
+_CK_DECLARE_FUNCTION (C_Login,
+		      (ck_session_handle_t session, ck_user_type_t user_type,
+		       unsigned char *pin, unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_CreateObject,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count, ck_object_handle_t *object));
+_CK_DECLARE_FUNCTION (C_CopyObject,
+		      (ck_session_handle_t session, ck_object_handle_t object,
+		       struct ck_attribute *templ, unsigned long count,
+		       ck_object_handle_t *new_object));
+_CK_DECLARE_FUNCTION (C_DestroyObject,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object));
+_CK_DECLARE_FUNCTION (C_GetObjectSize,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       unsigned long *size));
+_CK_DECLARE_FUNCTION (C_GetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_SetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjectsInit,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjects,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t *object,
+		       unsigned long max_object_count,
+		       unsigned long *object_count));
+_CK_DECLARE_FUNCTION (C_FindObjectsFinal,
+		      (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_EncryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Encrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *encrypted_data,
+		       unsigned long *encrypted_data_len));
+_CK_DECLARE_FUNCTION (C_EncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_EncryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_encrypted_part,
+		       unsigned long *last_encrypted_part_len));
+
+_CK_DECLARE_FUNCTION (C_DecryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Decrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_data,
+		       unsigned long encrypted_data_len,
+		       unsigned char *data, unsigned long *data_len));
+_CK_DECLARE_FUNCTION (C_DecryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part, unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_DecryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_part,
+		       unsigned long *last_part_len));
+
+_CK_DECLARE_FUNCTION (C_DigestInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism));
+_CK_DECLARE_FUNCTION (C_Digest,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+_CK_DECLARE_FUNCTION (C_DigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_DigestKey,
+		      (ck_session_handle_t session, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_DigestFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+
+_CK_DECLARE_FUNCTION (C_SignInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Sign,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_SignFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_SignRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+
+_CK_DECLARE_FUNCTION (C_VerifyInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Verify,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_VerifyFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_VerifyRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len,
+		       unsigned char *data,
+		       unsigned long *data_len));
+
+_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+
+_CK_DECLARE_FUNCTION (C_GenerateKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *templ,
+		       unsigned long count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_GenerateKeyPair,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *public_key_template,
+		       unsigned long public_key_attribute_count,
+		       struct ck_attribute *private_key_template,
+		       unsigned long private_key_attribute_count,
+		       ck_object_handle_t *public_key,
+		       ck_object_handle_t *private_key));
+_CK_DECLARE_FUNCTION (C_WrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t wrapping_key,
+		       ck_object_handle_t key,
+		       unsigned char *wrapped_key,
+		       unsigned long *wrapped_key_len));
+_CK_DECLARE_FUNCTION (C_UnwrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t unwrapping_key,
+		       unsigned char *wrapped_key,
+		       unsigned long wrapped_key_len,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_DeriveKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t base_key,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+
+_CK_DECLARE_FUNCTION (C_SeedRandom,
+		      (ck_session_handle_t session, unsigned char *seed,
+		       unsigned long seed_len));
+_CK_DECLARE_FUNCTION (C_GenerateRandom,
+		      (ck_session_handle_t session,
+		       unsigned char *random_data,
+		       unsigned long random_len));
+
+_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
+
+
+struct ck_function_list
+{
+  struct ck_version version;
+  CK_C_Initialize C_Initialize;
+  CK_C_Finalize C_Finalize;
+  CK_C_GetInfo C_GetInfo;
+  CK_C_GetFunctionList C_GetFunctionList;
+  CK_C_GetSlotList C_GetSlotList;
+  CK_C_GetSlotInfo C_GetSlotInfo;
+  CK_C_GetTokenInfo C_GetTokenInfo;
+  CK_C_GetMechanismList C_GetMechanismList;
+  CK_C_GetMechanismInfo C_GetMechanismInfo;
+  CK_C_InitToken C_InitToken;
+  CK_C_InitPIN C_InitPIN;
+  CK_C_SetPIN C_SetPIN;
+  CK_C_OpenSession C_OpenSession;
+  CK_C_CloseSession C_CloseSession;
+  CK_C_CloseAllSessions C_CloseAllSessions;
+  CK_C_GetSessionInfo C_GetSessionInfo;
+  CK_C_GetOperationState C_GetOperationState;
+  CK_C_SetOperationState C_SetOperationState;
+  CK_C_Login C_Login;
+  CK_C_Logout C_Logout;
+  CK_C_CreateObject C_CreateObject;
+  CK_C_CopyObject C_CopyObject;
+  CK_C_DestroyObject C_DestroyObject;
+  CK_C_GetObjectSize C_GetObjectSize;
+  CK_C_GetAttributeValue C_GetAttributeValue;
+  CK_C_SetAttributeValue C_SetAttributeValue;
+  CK_C_FindObjectsInit C_FindObjectsInit;
+  CK_C_FindObjects C_FindObjects;
+  CK_C_FindObjectsFinal C_FindObjectsFinal;
+  CK_C_EncryptInit C_EncryptInit;
+  CK_C_Encrypt C_Encrypt;
+  CK_C_EncryptUpdate C_EncryptUpdate;
+  CK_C_EncryptFinal C_EncryptFinal;
+  CK_C_DecryptInit C_DecryptInit;
+  CK_C_Decrypt C_Decrypt;
+  CK_C_DecryptUpdate C_DecryptUpdate;
+  CK_C_DecryptFinal C_DecryptFinal;
+  CK_C_DigestInit C_DigestInit;
+  CK_C_Digest C_Digest;
+  CK_C_DigestUpdate C_DigestUpdate;
+  CK_C_DigestKey C_DigestKey;
+  CK_C_DigestFinal C_DigestFinal;
+  CK_C_SignInit C_SignInit;
+  CK_C_Sign C_Sign;
+  CK_C_SignUpdate C_SignUpdate;
+  CK_C_SignFinal C_SignFinal;
+  CK_C_SignRecoverInit C_SignRecoverInit;
+  CK_C_SignRecover C_SignRecover;
+  CK_C_VerifyInit C_VerifyInit;
+  CK_C_Verify C_Verify;
+  CK_C_VerifyUpdate C_VerifyUpdate;
+  CK_C_VerifyFinal C_VerifyFinal;
+  CK_C_VerifyRecoverInit C_VerifyRecoverInit;
+  CK_C_VerifyRecover C_VerifyRecover;
+  CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
+  CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
+  CK_C_SignEncryptUpdate C_SignEncryptUpdate;
+  CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
+  CK_C_GenerateKey C_GenerateKey;
+  CK_C_GenerateKeyPair C_GenerateKeyPair;
+  CK_C_WrapKey C_WrapKey;
+  CK_C_UnwrapKey C_UnwrapKey;
+  CK_C_DeriveKey C_DeriveKey;
+  CK_C_SeedRandom C_SeedRandom;
+  CK_C_GenerateRandom C_GenerateRandom;
+  CK_C_GetFunctionStatus C_GetFunctionStatus;
+  CK_C_CancelFunction C_CancelFunction;
+  CK_C_WaitForSlotEvent C_WaitForSlotEvent;
+};
+
+
+typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
+typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
+typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
+typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
+
+
+struct ck_c_initialize_args
+{
+  ck_createmutex_t create_mutex;
+  ck_destroymutex_t destroy_mutex;
+  ck_lockmutex_t lock_mutex;
+  ck_unlockmutex_t unlock_mutex;
+  ck_flags_t flags;
+  void *reserved;
+};
+
+
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS	(1UL << 0)
+#define CKF_OS_LOCKING_OK			(1UL << 1)
+
+#define CKR_OK					(0UL)
+#define CKR_CANCEL				(1UL)
+#define CKR_HOST_MEMORY				(2UL)
+#define CKR_SLOT_ID_INVALID			(3UL)
+#define CKR_GENERAL_ERROR			(5UL)
+#define CKR_FUNCTION_FAILED			(6UL)
+#define CKR_ARGUMENTS_BAD			(7UL)
+#define CKR_NO_EVENT				(8UL)
+#define CKR_NEED_TO_CREATE_THREADS		(9UL)
+#define CKR_CANT_LOCK				(0xaUL)
+#define CKR_ATTRIBUTE_READ_ONLY			(0x10UL)
+#define CKR_ATTRIBUTE_SENSITIVE			(0x11UL)
+#define CKR_ATTRIBUTE_TYPE_INVALID		(0x12UL)
+#define CKR_ATTRIBUTE_VALUE_INVALID		(0x13UL)
+#define CKR_ACTION_PROHIBITED			(0x1BUL)
+#define CKR_DATA_INVALID			(0x20UL)
+#define CKR_DATA_LEN_RANGE			(0x21UL)
+#define CKR_DEVICE_ERROR			(0x30UL)
+#define CKR_DEVICE_MEMORY			(0x31UL)
+#define CKR_DEVICE_REMOVED			(0x32UL)
+#define CKR_ENCRYPTED_DATA_INVALID		(0x40UL)
+#define CKR_ENCRYPTED_DATA_LEN_RANGE		(0x41UL)
+#define CKR_FUNCTION_CANCELED			(0x50UL)
+#define CKR_FUNCTION_NOT_PARALLEL		(0x51UL)
+#define CKR_FUNCTION_NOT_SUPPORTED		(0x54UL)
+#define CKR_KEY_HANDLE_INVALID			(0x60UL)
+#define CKR_KEY_SIZE_RANGE			(0x62UL)
+#define CKR_KEY_TYPE_INCONSISTENT		(0x63UL)
+#define CKR_KEY_NOT_NEEDED			(0x64UL)
+#define CKR_KEY_CHANGED				(0x65UL)
+#define CKR_KEY_NEEDED				(0x66UL)
+#define CKR_KEY_INDIGESTIBLE			(0x67UL)
+#define CKR_KEY_FUNCTION_NOT_PERMITTED		(0x68UL)
+#define CKR_KEY_NOT_WRAPPABLE			(0x69UL)
+#define CKR_KEY_UNEXTRACTABLE			(0x6aUL)
+#define CKR_MECHANISM_INVALID			(0x70UL)
+#define CKR_MECHANISM_PARAM_INVALID		(0x71UL)
+#define CKR_OBJECT_HANDLE_INVALID		(0x82UL)
+#define CKR_OPERATION_ACTIVE			(0x90UL)
+#define CKR_OPERATION_NOT_INITIALIZED		(0x91UL)
+#define CKR_PIN_INCORRECT			(0xa0UL)
+#define CKR_PIN_INVALID				(0xa1UL)
+#define CKR_PIN_LEN_RANGE			(0xa2UL)
+#define CKR_PIN_EXPIRED				(0xa3UL)
+#define CKR_PIN_LOCKED				(0xa4UL)
+#define CKR_SESSION_CLOSED			(0xb0UL)
+#define CKR_SESSION_COUNT			(0xb1UL)
+#define CKR_SESSION_HANDLE_INVALID		(0xb3UL)
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED	(0xb4UL)
+#define CKR_SESSION_READ_ONLY			(0xb5UL)
+#define CKR_SESSION_EXISTS			(0xb6UL)
+#define CKR_SESSION_READ_ONLY_EXISTS		(0xb7UL)
+#define CKR_SESSION_READ_WRITE_SO_EXISTS	(0xb8UL)
+#define CKR_SIGNATURE_INVALID			(0xc0UL)
+#define CKR_SIGNATURE_LEN_RANGE			(0xc1UL)
+#define CKR_TEMPLATE_INCOMPLETE			(0xd0UL)
+#define CKR_TEMPLATE_INCONSISTENT		(0xd1UL)
+#define CKR_TOKEN_NOT_PRESENT			(0xe0UL)
+#define CKR_TOKEN_NOT_RECOGNIZED		(0xe1UL)
+#define CKR_TOKEN_WRITE_PROTECTED		(0xe2UL)
+#define	CKR_UNWRAPPING_KEY_HANDLE_INVALID	(0xf0UL)
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE		(0xf1UL)
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT	(0xf2UL)
+#define CKR_USER_ALREADY_LOGGED_IN		(0x100UL)
+#define CKR_USER_NOT_LOGGED_IN			(0x101UL)
+#define CKR_USER_PIN_NOT_INITIALIZED		(0x102UL)
+#define CKR_USER_TYPE_INVALID			(0x103UL)
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN	(0x104UL)
+#define CKR_USER_TOO_MANY_TYPES			(0x105UL)
+#define CKR_WRAPPED_KEY_INVALID			(0x110UL)
+#define CKR_WRAPPED_KEY_LEN_RANGE		(0x112UL)
+#define CKR_WRAPPING_KEY_HANDLE_INVALID		(0x113UL)
+#define CKR_WRAPPING_KEY_SIZE_RANGE		(0x114UL)
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT	(0x115UL)
+#define CKR_RANDOM_SEED_NOT_SUPPORTED		(0x120UL)
+#define CKR_RANDOM_NO_RNG			(0x121UL)
+#define CKR_DOMAIN_PARAMS_INVALID		(0x130UL)
+#define CKR_BUFFER_TOO_SMALL			(0x150UL)
+#define CKR_SAVED_STATE_INVALID			(0x160UL)
+#define CKR_INFORMATION_SENSITIVE		(0x170UL)
+#define CKR_STATE_UNSAVEABLE			(0x180UL)
+#define CKR_CRYPTOKI_NOT_INITIALIZED		(0x190UL)
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED	(0x191UL)
+#define CKR_MUTEX_BAD				(0x1a0UL)
+#define CKR_MUTEX_NOT_LOCKED			(0x1a1UL)
+#define CKR_NEW_PIN_MODE			(0x1b0UL)
+#define CKR_NEXT_OTP				(0x1b1UL)
+#define CKR_EXCEEDED_MAX_ITERATIONS		(0x1c0UL)
+#define CKR_FIPS_SELF_TEST_FAILED		(0x1c1UL)
+#define CKR_LIBRARY_LOAD_FAILED			(0x1c2UL)
+#define CKR_PIN_TOO_WEAK			(0x1c3UL)
+#define CKR_PUBLIC_KEY_INVALID			(0x1c4UL)
+#define CKR_FUNCTION_REJECTED			(0x200UL)
+#define CKR_VENDOR_DEFINED			((unsigned long) (1UL << 31))
+
+
+#define CKZ_DATA_SPECIFIED			(0x01UL)
+
+
+
+/* Compatibility layer.  */
+
+#ifdef CRYPTOKI_COMPAT
+
+#undef CK_DEFINE_FUNCTION
+#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
+
+/* For NULL.  */
+#include <stddef.h>
+
+typedef unsigned char CK_BYTE;
+typedef unsigned char CK_CHAR;
+typedef unsigned char CK_UTF8CHAR;
+typedef unsigned char CK_BBOOL;
+typedef unsigned long int CK_ULONG;
+typedef long int CK_LONG;
+typedef CK_BYTE *CK_BYTE_PTR;
+typedef CK_CHAR *CK_CHAR_PTR;
+typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
+typedef CK_ULONG *CK_ULONG_PTR;
+typedef void *CK_VOID_PTR;
+typedef void **CK_VOID_PTR_PTR;
+#define CK_FALSE 0
+#define CK_TRUE 1
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef TRUE
+#define TRUE 1
+#endif
+#endif
+
+typedef struct ck_version CK_VERSION;
+typedef struct ck_version *CK_VERSION_PTR;
+
+typedef struct ck_info CK_INFO;
+typedef struct ck_info *CK_INFO_PTR;
+
+typedef ck_slot_id_t *CK_SLOT_ID_PTR;
+
+typedef struct ck_slot_info CK_SLOT_INFO;
+typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
+
+typedef struct ck_token_info CK_TOKEN_INFO;
+typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
+
+typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
+
+typedef struct ck_session_info CK_SESSION_INFO;
+typedef struct ck_session_info *CK_SESSION_INFO_PTR;
+
+typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
+
+typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
+
+typedef struct ck_attribute CK_ATTRIBUTE;
+typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
+
+typedef struct ck_date CK_DATE;
+typedef struct ck_date *CK_DATE_PTR;
+
+typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
+
+typedef struct ck_mechanism CK_MECHANISM;
+typedef struct ck_mechanism *CK_MECHANISM_PTR;
+
+typedef struct ck_mechanism_info CK_MECHANISM_INFO;
+typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+
+typedef struct ck_otp_mechanism_info CK_OTP_MECHANISM_INFO;
+typedef struct ck_otp_mechanism_info *CK_OTP_MECHANISM_INFO_PTR;
+
+typedef struct ck_function_list CK_FUNCTION_LIST;
+typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
+typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+
+typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+typedef struct ck_rsa_pkcs_pss_params CK_RSA_PKCS_PSS_PARAMS;
+typedef struct ck_rsa_pkcs_pss_params *CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+typedef struct ck_aes_ctr_params CK_AES_CTR_PARAMS;
+typedef struct ck_aes_ctr_params *CK_AES_CTR_PARAMS_PTR;
+
+typedef struct ck_gcm_params CK_GCM_PARAMS;
+typedef struct ck_gcm_params *CK_GCM_PARAMS_PTR;
+
+typedef struct ck_ecdh1_derive_params CK_ECDH1_DERIVE_PARAMS;
+typedef struct ck_ecdh1_derive_params *CK_ECDH1_DERIVE_PARAMS_PTR;
+
+typedef struct ck_key_derivation_string_data CK_KEY_DERIVATION_STRING_DATA;
+typedef struct ck_key_derivation_string_data *CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+typedef struct ck_des_cbc_encrypt_data_params CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+typedef struct ck_des_cbc_encrypt_data_params *CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct ck_aes_cbc_encrypt_data_params CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+typedef struct ck_aes_cbc_encrypt_data_params *CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+#ifndef NULL_PTR
+#define NULL_PTR NULL
 #endif
 
-#endif /* _PKCS11_H_ */
+/* Delete the helper macros defined at the top of the file.  */
+#undef ck_flags_t
+#undef ck_version
+
+#undef ck_info
+#undef cryptoki_version
+#undef manufacturer_id
+#undef library_description
+#undef library_version
+
+#undef ck_notification_t
+#undef ck_slot_id_t
+
+#undef ck_slot_info
+#undef slot_description
+#undef hardware_version
+#undef firmware_version
+
+#undef ck_token_info
+#undef serial_number
+#undef max_session_count
+#undef session_count
+#undef max_rw_session_count
+#undef rw_session_count
+#undef max_pin_len
+#undef min_pin_len
+#undef total_public_memory
+#undef free_public_memory
+#undef total_private_memory
+#undef free_private_memory
+#undef utc_time
+
+#undef ck_session_handle_t
+#undef ck_user_type_t
+#undef ck_state_t
+
+#undef ck_session_info
+#undef slot_id
+#undef device_error
+
+#undef ck_object_handle_t
+#undef ck_object_class_t
+#undef ck_hw_feature_type_t
+#undef ck_key_type_t
+#undef ck_certificate_type_t
+#undef ck_attribute_type_t
+
+#undef ck_attribute
+#undef value
+#undef value_len
+
+#undef params
+#undef count
+
+#undef ck_date
+
+#undef ck_mechanism_type_t
+
+#undef ck_mechanism
+#undef parameter
+#undef parameter_len
+
+#undef ck_mechanism_info
+
+#undef ck_param_type
+#undef ck_otp_param
+#undef ck_otp_params
+#undef ck_otp_signature_info
+
+#undef min_key_size
+#undef max_key_size
+
+#undef ck_rv_t
+#undef ck_notify_t
+
+#undef ck_function_list
+
+#undef ck_createmutex_t
+#undef ck_destroymutex_t
+#undef ck_lockmutex_t
+#undef ck_unlockmutex_t
+
+#undef ck_c_initialize_args
+#undef create_mutex
+#undef destroy_mutex
+#undef lock_mutex
+#undef unlock_mutex
+#undef reserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+/* System dependencies.  */
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+#pragma pack(pop, cryptoki)
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
 
+#endif	/* PKCS11_H */
diff --git a/bind/bind9/lib/isc/include/pkcs11/pkcs11f.h b/bind/bind9/lib/isc/include/pkcs11/pkcs11f.h
deleted file mode 100644
index 48ba5726..00000000
--- a/bind/bind9/lib/isc/include/pkcs11/pkcs11f.h
+++ /dev/null
@@ -1,938 +0,0 @@
-/*
- * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01
- * Committee Specification Draft 01 / Public Review Draft 01
- * 09 December 2015
- * Copyright (c) OASIS Open 2015. All Rights Reserved.
- * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/
- * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
- * https://www.oasis-open.org/policies-guidelines/ipr
- */
-
-/* This header file contains pretty much everything about all the
- * Cryptoki function prototypes.  Because this information is
- * used for more than just declaring function prototypes, the
- * order of the functions appearing herein is important, and
- * should not be altered.
- */
-
-/* General-purpose */
-
-/* C_Initialize initializes the Cryptoki library. */
-CK_PKCS11_FUNCTION_INFO(C_Initialize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
-                            * cast to CK_C_INITIALIZE_ARGS_PTR
-                            * and dereferenced
-                            */
-);
-#endif
-
-
-/* C_Finalize indicates that an application is done with the
- * Cryptoki library.
- */
-CK_PKCS11_FUNCTION_INFO(C_Finalize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
-);
-#endif
-
-
-/* C_GetInfo returns general information about Cryptoki. */
-CK_PKCS11_FUNCTION_INFO(C_GetInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_INFO_PTR   pInfo  /* location that receives information */
-);
-#endif
-
-
-/* C_GetFunctionList returns the function list. */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
-                                            * function list
-                                            */
-);
-#endif
-
-
-
-/* Slot and token management */
-
-/* C_GetSlotList obtains a list of slots in the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_BBOOL       tokenPresent,  /* only slots with tokens */
-  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
-  CK_ULONG_PTR   pulCount       /* receives number of slots */
-);
-#endif
-
-
-/* C_GetSlotInfo obtains information about a particular slot in
- * the system.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID       slotID,  /* the ID of the slot */
-  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
-);
-#endif
-
-
-/* C_GetTokenInfo obtains information about a particular token
- * in the system.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID        slotID,  /* ID of the token's slot */
-  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
-);
-#endif
-
-
-/* C_GetMechanismList obtains a list of mechanism types
- * supported by a token.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,          /* ID of token's slot */
-  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
-  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
-);
-#endif
-
-
-/* C_GetMechanismInfo obtains information about a particular
- * mechanism possibly supported by a token.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,  /* ID of the token's slot */
-  CK_MECHANISM_TYPE     type,    /* type of mechanism */
-  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
-);
-#endif
-
-
-/* C_InitToken initializes a token. */
-CK_PKCS11_FUNCTION_INFO(C_InitToken)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID      slotID,    /* ID of the token's slot */
-  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
-  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
-  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
-);
-#endif
-
-
-/* C_InitPIN initializes the normal user's PIN. */
-CK_PKCS11_FUNCTION_INFO(C_InitPIN)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
-  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
-);
-#endif
-
-
-/* C_SetPIN modifies the PIN of the user who is logged in. */
-CK_PKCS11_FUNCTION_INFO(C_SetPIN)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
-  CK_ULONG          ulOldLen,  /* length of the old PIN */
-  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
-  CK_ULONG          ulNewLen   /* length of the new PIN */
-);
-#endif
-
-
-
-/* Session management */
-
-/* C_OpenSession opens a session between an application and a
- * token.
- */
-CK_PKCS11_FUNCTION_INFO(C_OpenSession)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,        /* the slot's ID */
-  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
-  CK_VOID_PTR           pApplication,  /* passed to callback */
-  CK_NOTIFY             Notify,        /* callback function */
-  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
-);
-#endif
-
-
-/* C_CloseSession closes a session between an application and a
- * token.
- */
-CK_PKCS11_FUNCTION_INFO(C_CloseSession)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_CloseAllSessions closes all sessions with a token. */
-CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID     slotID  /* the token's slot */
-);
-#endif
-
-
-/* C_GetSessionInfo obtains information about the session. */
-CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE   hSession,  /* the session's handle */
-  CK_SESSION_INFO_PTR pInfo      /* receives session info */
-);
-#endif
-
-
-/* C_GetOperationState obtains the state of the cryptographic operation
- * in a session.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,             /* session's handle */
-  CK_BYTE_PTR       pOperationState,      /* gets state */
-  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
-);
-#endif
-
-
-/* C_SetOperationState restores the state of the cryptographic
- * operation in a session.
- */
-CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR      pOperationState,      /* holds state */
-  CK_ULONG         ulOperationStateLen,  /* holds state length */
-  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
-  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
-);
-#endif
-
-
-/* C_Login logs a user into a token. */
-CK_PKCS11_FUNCTION_INFO(C_Login)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_USER_TYPE      userType,  /* the user type */
-  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
-  CK_ULONG          ulPinLen   /* the length of the PIN */
-);
-#endif
-
-
-/* C_Logout logs a user out from a token. */
-CK_PKCS11_FUNCTION_INFO(C_Logout)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Object management */
-
-/* C_CreateObject creates a new object. */
-CK_PKCS11_FUNCTION_INFO(C_CreateObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
-  CK_ULONG          ulCount,     /* attributes in template */
-  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
-);
-#endif
-
-
-/* C_CopyObject copies an object, creating a new object for the
- * copy.
- */
-CK_PKCS11_FUNCTION_INFO(C_CopyObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
-  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
-  CK_ULONG             ulCount,     /* attributes in template */
-  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
-);
-#endif
-
-
-/* C_DestroyObject destroys an object. */
-CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hObject    /* the object's handle */
-);
-#endif
-
-
-/* C_GetObjectSize gets the size of an object in bytes. */
-CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
-  CK_ULONG_PTR      pulSize    /* receives size of object */
-);
-#endif
-
-
-/* C_GetAttributeValue obtains the value of one or more object
- * attributes.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
-  CK_ULONG          ulCount     /* attributes in template */
-);
-#endif
-
-
-/* C_SetAttributeValue modifies the value of one or more object
- * attributes.
- */
-CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
-  CK_ULONG          ulCount     /* attributes in template */
-);
-#endif
-
-
-/* C_FindObjectsInit initializes a search for token and session
- * objects that match a template.
- */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
-  CK_ULONG          ulCount     /* attrs in search template */
-);
-#endif
-
-
-/* C_FindObjects continues a search for token and session
- * objects that match a template, obtaining additional object
- * handles.
- */
-CK_PKCS11_FUNCTION_INFO(C_FindObjects)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE    hSession,          /* session's handle */
- CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
- CK_ULONG             ulMaxObjectCount,  /* max handles to get */
- CK_ULONG_PTR         pulObjectCount     /* actual # returned */
-);
-#endif
-
-
-/* C_FindObjectsFinal finishes a search for token and session
- * objects.
- */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Encryption and decryption */
-
-/* C_EncryptInit initializes an encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
-);
-#endif
-
-
-/* C_Encrypt encrypts single-part data. */
-CK_PKCS11_FUNCTION_INFO(C_Encrypt)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pData,               /* the plaintext data */
-  CK_ULONG          ulDataLen,           /* bytes of plaintext */
-  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptUpdate continues a multiple-part encryption
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,           /* session's handle */
-  CK_BYTE_PTR       pPart,              /* the plaintext data */
-  CK_ULONG          ulPartLen,          /* plaintext data len */
-  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptFinal finishes a multiple-part encryption
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,                /* session handle */
-  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
-  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
-);
-#endif
-
-
-/* C_DecryptInit initializes a decryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
-);
-#endif
-
-
-/* C_Decrypt decrypts encrypted data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Decrypt)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,           /* session's handle */
-  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
-  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
-  CK_BYTE_PTR       pData,              /* gets plaintext */
-  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
-);
-#endif
-
-
-/* C_DecryptUpdate continues a multiple-part decryption
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
-  CK_ULONG          ulEncryptedPartLen,  /* input length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* p-text size */
-);
-#endif
-
-
-/* C_DecryptFinal finishes a multiple-part decryption
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
-  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
-);
-#endif
-
-
-
-/* Message digesting */
-
-/* C_DigestInit initializes a message-digesting operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
-);
-#endif
-
-
-/* C_Digest digests data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Digest)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_BYTE_PTR       pData,        /* data to be digested */
-  CK_ULONG          ulDataLen,    /* bytes of data to digest */
-  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
-);
-#endif
-
-
-/* C_DigestUpdate continues a multiple-part message-digesting
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* data to be digested */
-  CK_ULONG          ulPartLen  /* bytes of data to be digested */
-);
-#endif
-
-
-/* C_DigestKey continues a multi-part message-digesting
- * operation, by digesting the value of a secret key as part of
- * the data already digested.
- */
-CK_PKCS11_FUNCTION_INFO(C_DigestKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
-);
-#endif
-
-
-/* C_DigestFinal finishes a multiple-part message-digesting
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
-);
-#endif
-
-
-
-/* Signing and MACing */
-
-/* C_SignInit initializes a signature (private key encryption)
- * operation, where the signature is (will be) an appendix to
- * the data, and plaintext cannot be recovered from the
- * signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
-);
-#endif
-
-
-/* C_Sign signs (encrypts with private key) data in a single
- * part, where the signature is (will be) an appendix to the
- * data, and plaintext cannot be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_Sign)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pData,           /* the data to sign */
-  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-/* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* the data to sign */
-  CK_ULONG          ulPartLen  /* count of bytes to sign */
-);
-#endif
-
-
-/* C_SignFinal finishes a multiple-part signature operation,
- * returning the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-/* C_SignRecoverInit initializes a signature operation, where
- * the data can be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
-  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
-);
-#endif
-
-
-/* C_SignRecover signs data in a single operation, where the
- * data can be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignRecover)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pData,           /* the data to sign */
-  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-
-/* Verifying signatures and MACs */
-
-/* C_VerifyInit initializes a verification operation, where the
- * signature is an appendix to the data, and plaintext cannot
- * cannot be recovered from the signature (e.g. DSA).
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */
-);
-#endif
-
-
-/* C_Verify verifies a signature in a single-part operation,
- * where the signature is an appendix to the data, and plaintext
- * cannot be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_Verify)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pData,          /* signed data */
-  CK_ULONG          ulDataLen,      /* length of signed data */
-  CK_BYTE_PTR       pSignature,     /* signature */
-  CK_ULONG          ulSignatureLen  /* signature length*/
-);
-#endif
-
-
-/* C_VerifyUpdate continues a multiple-part verification
- * operation, where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* signed data */
-  CK_ULONG          ulPartLen  /* length of signed data */
-);
-#endif
-
-
-/* C_VerifyFinal finishes a multiple-part verification
- * operation, checking the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pSignature,     /* signature to verify */
-  CK_ULONG          ulSignatureLen  /* signature length */
-);
-#endif
-
-
-/* C_VerifyRecoverInit initializes a signature verification
- * operation, where the data is recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */
-);
-#endif
-
-
-/* C_VerifyRecover verifies a signature in a single-part
- * operation, where the data is recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pSignature,      /* signature to verify */
-  CK_ULONG          ulSignatureLen,  /* signature length */
-  CK_BYTE_PTR       pData,           /* gets signed data */
-  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
-);
-#endif
-
-
-
-/* Dual-function cryptographic operations */
-
-/* C_DigestEncryptUpdate continues a multiple-part digesting
- * and encryption operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pPart,               /* the plaintext data */
-  CK_ULONG          ulPartLen,           /* plaintext length */
-  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptDigestUpdate continues a multiple-part decryption and
- * digesting operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
-);
-#endif
-
-
-/* C_SignEncryptUpdate continues a multiple-part signing and
- * encryption operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pPart,               /* the plaintext data */
-  CK_ULONG          ulPartLen,           /* plaintext length */
-  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptVerifyUpdate continues a multiple-part decryption and
- * verify operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
-);
-#endif
-
-
-
-/* Key management */
-
-/* C_GenerateKey generates a secret key, creating a new key
- * object.
- */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
-  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
-  CK_ULONG             ulCount,     /* # of attrs in template */
-  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
-);
-#endif
-
-
-/* C_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects.
- */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,                    /* session handle */
-  CK_MECHANISM_PTR     pMechanism,                  /* key-gen mech. */
-  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template for pub. key */
-  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub. attrs. */
-  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template for priv. key */
-  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.  attrs. */
-  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub. key handle */
-  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets priv. key handle */
-);
-#endif
-
-
-/* C_WrapKey wraps (i.e., encrypts) a key. */
-CK_PKCS11_FUNCTION_INFO(C_WrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
-  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
-  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
-  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
-  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
-);
-#endif
-
-
-/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
- * key object.
- */
-CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,          /* session's handle */
-  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
-  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
-  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
-  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
-  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-  CK_ULONG             ulAttributeCount,  /* template length */
-  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-);
-#endif
-
-
-/* C_DeriveKey derives a key from a base key, creating a new key
- * object.
- */
-CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,          /* session's handle */
-  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
-  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
-  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-  CK_ULONG             ulAttributeCount,  /* template length */
-  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-);
-#endif
-
-
-
-/* Random number generation */
-
-/* C_SeedRandom mixes additional seed material into the token's
- * random number generator.
- */
-CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pSeed,     /* the seed material */
-  CK_ULONG          ulSeedLen  /* length of seed material */
-);
-#endif
-
-
-/* C_GenerateRandom generates random data. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_BYTE_PTR       RandomData,  /* receives the random data */
-  CK_ULONG          ulRandomLen  /* # of bytes to generate */
-);
-#endif
-
-
-
-/* Parallel function management */
-
-/* C_GetFunctionStatus is a legacy function; it obtains an
- * updated status of a function running in parallel with an
- * application.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_CancelFunction is a legacy function; it cancels a function
- * running in parallel.
- */
-CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_WaitForSlotEvent waits for a slot event (token insertion,
- * removal, etc.) to occur.
- */
-CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_FLAGS flags,        /* blocking/nonblocking flag */
-  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
-  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
-);
-#endif
-
diff --git a/bind/bind9/lib/isc/include/pkcs11/pkcs11t.h b/bind/bind9/lib/isc/include/pkcs11/pkcs11t.h
deleted file mode 100644
index ed83ed37..00000000
--- a/bind/bind9/lib/isc/include/pkcs11/pkcs11t.h
+++ /dev/null
@@ -1,2006 +0,0 @@
-/*
- * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01
- * Committee Specification Draft 01 / Public Review Draft 01
- * 09 December 2015
- * Copyright (c) OASIS Open 2015. All Rights Reserved.
- * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/
- * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
- * https://www.oasis-open.org/policies-guidelines/ipr
- */
-
-/* See top of pkcs11.h for information about the macros that
- * must be defined and the structure-packing conventions that
- * must be set before including this file.
- */
-
-#ifndef _PKCS11T_H_
-#define _PKCS11T_H_ 1
-
-#define CRYPTOKI_VERSION_MAJOR          2
-#define CRYPTOKI_VERSION_MINOR          40
-#define CRYPTOKI_VERSION_AMENDMENT      0
-
-#define CK_TRUE         1
-#define CK_FALSE        0
-
-#ifndef CK_DISABLE_TRUE_FALSE
-#ifndef FALSE
-#define FALSE CK_FALSE
-#endif
-#ifndef TRUE
-#define TRUE CK_TRUE
-#endif
-#endif
-
-/* an unsigned 8-bit value */
-typedef unsigned char     CK_BYTE;
-
-/* an unsigned 8-bit character */
-typedef CK_BYTE           CK_CHAR;
-
-/* an 8-bit UTF-8 character */
-typedef CK_BYTE           CK_UTF8CHAR;
-
-/* a BYTE-sized Boolean flag */
-typedef CK_BYTE           CK_BBOOL;
-
-/* an unsigned value, at least 32 bits long */
-typedef unsigned long int CK_ULONG;
-
-/* a signed value, the same size as a CK_ULONG */
-typedef long int          CK_LONG;
-
-/* at least 32 bits; each bit is a Boolean flag */
-typedef CK_ULONG          CK_FLAGS;
-
-
-/* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION      (~0UL)
-#define CK_EFFECTIVELY_INFINITE         0UL
-
-
-typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
-typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
-typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
-typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
-typedef void        CK_PTR   CK_VOID_PTR;
-
-/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-
-
-/* The following value is always invalid if used as a session
- * handle or object handle
- */
-#define CK_INVALID_HANDLE       0UL
-
-
-typedef struct CK_VERSION {
-  CK_BYTE       major;  /* integer portion of version number */
-  CK_BYTE       minor;  /* 1/100ths portion of version number */
-} CK_VERSION;
-
-typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-
-
-typedef struct CK_INFO {
-  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
-  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-  CK_FLAGS      flags;               /* must be zero */
-  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
-  CK_VERSION    libraryVersion;          /* version of library */
-} CK_INFO;
-
-typedef CK_INFO CK_PTR    CK_INFO_PTR;
-
-
-/* CK_NOTIFICATION enumerates the types of notifications that
- * Cryptoki provides to an application
- */
-typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER           0UL
-#define CKN_OTP_CHANGED         1UL
-
-typedef CK_ULONG          CK_SLOT_ID;
-
-typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-
-
-/* CK_SLOT_INFO provides information about a slot */
-typedef struct CK_SLOT_INFO {
-  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
-  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
-  CK_FLAGS      flags;
-
-  CK_VERSION    hardwareVersion;  /* version of hardware */
-  CK_VERSION    firmwareVersion;  /* version of firmware */
-} CK_SLOT_INFO;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag              Mask        Meaning
- */
-#define CKF_TOKEN_PRESENT     0x00000001UL  /* a token is there */
-#define CKF_REMOVABLE_DEVICE  0x00000002UL  /* removable devices*/
-#define CKF_HW_SLOT           0x00000004UL  /* hardware slot */
-
-typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-
-
-/* CK_TOKEN_INFO provides information about a token */
-typedef struct CK_TOKEN_INFO {
-  CK_UTF8CHAR   label[32];           /* blank padded */
-  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-  CK_UTF8CHAR   model[16];           /* blank padded */
-  CK_CHAR       serialNumber[16];    /* blank padded */
-  CK_FLAGS      flags;               /* see below */
-
-  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
-  CK_ULONG      ulSessionCount;        /* sess. now open */
-  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
-  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
-  CK_ULONG      ulMaxPinLen;           /* in bytes */
-  CK_ULONG      ulMinPinLen;           /* in bytes */
-  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
-  CK_ULONG      ulFreePublicMemory;    /* in bytes */
-  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
-  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
-  CK_VERSION    hardwareVersion;       /* version of hardware */
-  CK_VERSION    firmwareVersion;       /* version of firmware */
-  CK_CHAR       utcTime[16];           /* time */
-} CK_TOKEN_INFO;
-
-/* The flags parameter is defined as follows:
- *      Bit Flag                    Mask        Meaning
- */
-#define CKF_RNG                     0x00000001UL  /* has random # generator */
-#define CKF_WRITE_PROTECTED         0x00000002UL  /* token is write-protected */
-#define CKF_LOGIN_REQUIRED          0x00000004UL  /* user must login */
-#define CKF_USER_PIN_INITIALIZED    0x00000008UL  /* normal user's PIN is set */
-
-/* CKF_RESTORE_KEY_NOT_NEEDED.  If it is set,
- * that means that *every* time the state of cryptographic
- * operations of a session is successfully saved, all keys
- * needed to continue those operations are stored in the state
- */
-#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020UL
-
-/* CKF_CLOCK_ON_TOKEN.  If it is set, that means
- * that the token has some sort of clock.  The time on that
- * clock is returned in the token info structure
- */
-#define CKF_CLOCK_ON_TOKEN          0x00000040UL
-
-/* CKF_PROTECTED_AUTHENTICATION_PATH.  If it is
- * set, that means that there is some way for the user to login
- * without sending a PIN through the Cryptoki library itself
- */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
-
-/* CKF_DUAL_CRYPTO_OPERATIONS.  If it is true,
- * that means that a single session with the token can perform
- * dual simultaneous cryptographic operations (digest and
- * encrypt; decrypt and digest; sign and encrypt; and decrypt
- * and sign)
- */
-#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200UL
-
-/* CKF_TOKEN_INITIALIZED. If it is true, the
- * token has been initialized using C_InitializeToken or an
- * equivalent mechanism outside the scope of PKCS #11.
- * Calling C_InitializeToken when this flag is set will cause
- * the token to be reinitialized.
- */
-#define CKF_TOKEN_INITIALIZED       0x00000400UL
-
-/* CKF_SECONDARY_AUTHENTICATION. If it is
- * true, the token supports secondary authentication for
- * private key objects.
- */
-#define CKF_SECONDARY_AUTHENTICATION  0x00000800UL
-
-/* CKF_USER_PIN_COUNT_LOW. If it is true, an
- * incorrect user login PIN has been entered at least once
- * since the last successful authentication.
- */
-#define CKF_USER_PIN_COUNT_LOW       0x00010000UL
-
-/* CKF_USER_PIN_FINAL_TRY. If it is true,
- * supplying an incorrect user PIN will it to become locked.
- */
-#define CKF_USER_PIN_FINAL_TRY       0x00020000UL
-
-/* CKF_USER_PIN_LOCKED. If it is true, the
- * user PIN has been locked. User login to the token is not
- * possible.
- */
-#define CKF_USER_PIN_LOCKED          0x00040000UL
-
-/* CKF_USER_PIN_TO_BE_CHANGED. If it is true,
- * the user PIN value is the default value set by token
- * initialization or manufacturing, or the PIN has been
- * expired by the card.
- */
-#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000UL
-
-/* CKF_SO_PIN_COUNT_LOW. If it is true, an
- * incorrect SO login PIN has been entered at least once since
- * the last successful authentication.
- */
-#define CKF_SO_PIN_COUNT_LOW         0x00100000UL
-
-/* CKF_SO_PIN_FINAL_TRY. If it is true,
- * supplying an incorrect SO PIN will it to become locked.
- */
-#define CKF_SO_PIN_FINAL_TRY         0x00200000UL
-
-/* CKF_SO_PIN_LOCKED. If it is true, the SO
- * PIN has been locked. SO login to the token is not possible.
- */
-#define CKF_SO_PIN_LOCKED            0x00400000UL
-
-/* CKF_SO_PIN_TO_BE_CHANGED. If it is true,
- * the SO PIN value is the default value set by token
- * initialization or manufacturing, or the PIN has been
- * expired by the card.
- */
-#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000UL
-
-#define CKF_ERROR_STATE              0x01000000UL
-
-typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-
-
-/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
- * identifies a session
- */
-typedef CK_ULONG          CK_SESSION_HANDLE;
-
-typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-
-
-/* CK_USER_TYPE enumerates the types of Cryptoki users */
-typedef CK_ULONG          CK_USER_TYPE;
-/* Security Officer */
-#define CKU_SO                  0UL
-/* Normal user */
-#define CKU_USER                1UL
-/* Context specific */
-#define CKU_CONTEXT_SPECIFIC    2UL
-
-/* CK_STATE enumerates the session states */
-typedef CK_ULONG          CK_STATE;
-#define CKS_RO_PUBLIC_SESSION   0UL
-#define CKS_RO_USER_FUNCTIONS   1UL
-#define CKS_RW_PUBLIC_SESSION   2UL
-#define CKS_RW_USER_FUNCTIONS   3UL
-#define CKS_RW_SO_FUNCTIONS     4UL
-
-/* CK_SESSION_INFO provides information about a session */
-typedef struct CK_SESSION_INFO {
-  CK_SLOT_ID    slotID;
-  CK_STATE      state;
-  CK_FLAGS      flags;          /* see below */
-  CK_ULONG      ulDeviceError;  /* device-dependent error code */
-} CK_SESSION_INFO;
-
-/* The flags are defined in the following table:
- *      Bit Flag                Mask        Meaning
- */
-#define CKF_RW_SESSION          0x00000002UL /* session is r/w */
-#define CKF_SERIAL_SESSION      0x00000004UL /* no parallel    */
-
-typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-
-
-/* CK_OBJECT_HANDLE is a token-specific identifier for an
- * object
- */
-typedef CK_ULONG          CK_OBJECT_HANDLE;
-
-typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-
-
-/* CK_OBJECT_CLASS is a value that identifies the classes (or
- * types) of objects that Cryptoki recognizes.  It is defined
- * as follows:
- */
-typedef CK_ULONG          CK_OBJECT_CLASS;
-
-/* The following classes of objects are defined: */
-#define CKO_DATA              0x00000000UL
-#define CKO_CERTIFICATE       0x00000001UL
-#define CKO_PUBLIC_KEY        0x00000002UL
-#define CKO_PRIVATE_KEY       0x00000003UL
-#define CKO_SECRET_KEY        0x00000004UL
-#define CKO_HW_FEATURE        0x00000005UL
-#define CKO_DOMAIN_PARAMETERS 0x00000006UL
-#define CKO_MECHANISM         0x00000007UL
-#define CKO_OTP_KEY           0x00000008UL
-
-#define CKO_VENDOR_DEFINED    0x80000000UL
-
-typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-
-/* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type
- * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE.
- */
-typedef CK_ULONG          CK_HW_FEATURE_TYPE;
-
-/* The following hardware feature types are defined */
-#define CKH_MONOTONIC_COUNTER  0x00000001UL
-#define CKH_CLOCK              0x00000002UL
-#define CKH_USER_INTERFACE     0x00000003UL
-#define CKH_VENDOR_DEFINED     0x80000000UL
-
-/* CK_KEY_TYPE is a value that identifies a key type */
-typedef CK_ULONG          CK_KEY_TYPE;
-
-/* the following key types are defined: */
-#define CKK_RSA                 0x00000000UL
-#define CKK_DSA                 0x00000001UL
-#define CKK_DH                  0x00000002UL
-#define CKK_ECDSA               0x00000003UL /* Deprecated */
-#define CKK_EC                  0x00000003UL
-#define CKK_X9_42_DH            0x00000004UL
-#define CKK_KEA                 0x00000005UL
-#define CKK_GENERIC_SECRET      0x00000010UL
-#define CKK_RC2                 0x00000011UL
-#define CKK_RC4                 0x00000012UL
-#define CKK_DES                 0x00000013UL
-#define CKK_DES2                0x00000014UL
-#define CKK_DES3                0x00000015UL
-#define CKK_CAST                0x00000016UL
-#define CKK_CAST3               0x00000017UL
-#define CKK_CAST5               0x00000018UL /* Deprecated */
-#define CKK_CAST128             0x00000018UL
-#define CKK_RC5                 0x00000019UL
-#define CKK_IDEA                0x0000001AUL
-#define CKK_SKIPJACK            0x0000001BUL
-#define CKK_BATON               0x0000001CUL
-#define CKK_JUNIPER             0x0000001DUL
-#define CKK_CDMF                0x0000001EUL
-#define CKK_AES                 0x0000001FUL
-#define CKK_BLOWFISH            0x00000020UL
-#define CKK_TWOFISH             0x00000021UL
-#define CKK_SECURID             0x00000022UL
-#define CKK_HOTP                0x00000023UL
-#define CKK_ACTI                0x00000024UL
-#define CKK_CAMELLIA            0x00000025UL
-#define CKK_ARIA                0x00000026UL
-
-#define CKK_MD5_HMAC            0x00000027UL
-#define CKK_SHA_1_HMAC          0x00000028UL
-#define CKK_RIPEMD128_HMAC      0x00000029UL
-#define CKK_RIPEMD160_HMAC      0x0000002AUL
-#define CKK_SHA256_HMAC         0x0000002BUL
-#define CKK_SHA384_HMAC         0x0000002CUL
-#define CKK_SHA512_HMAC         0x0000002DUL
-#define CKK_SHA224_HMAC         0x0000002EUL
-
-#define CKK_SEED                0x0000002FUL
-#define CKK_GOSTR3410           0x00000030UL
-#define CKK_GOSTR3411           0x00000031UL
-#define CKK_GOST28147           0x00000032UL
-
-
-
-#define CKK_VENDOR_DEFINED      0x80000000UL
-
-
-/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
- * type
- */
-typedef CK_ULONG          CK_CERTIFICATE_TYPE;
-
-#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED     0UL
-#define CK_CERTIFICATE_CATEGORY_TOKEN_USER      1UL
-#define CK_CERTIFICATE_CATEGORY_AUTHORITY       2UL
-#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY    3UL
-
-#define CK_SECURITY_DOMAIN_UNSPECIFIED     0UL
-#define CK_SECURITY_DOMAIN_MANUFACTURER    1UL
-#define CK_SECURITY_DOMAIN_OPERATOR        2UL
-#define CK_SECURITY_DOMAIN_THIRD_PARTY     3UL
-
-
-/* The following certificate types are defined: */
-#define CKC_X_509               0x00000000UL
-#define CKC_X_509_ATTR_CERT     0x00000001UL
-#define CKC_WTLS                0x00000002UL
-#define CKC_VENDOR_DEFINED      0x80000000UL
-
-
-/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
- * type
- */
-typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
-
-/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
- * consists of an array of values.
- */
-#define CKF_ARRAY_ATTRIBUTE     0x40000000UL
-
-/* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */
-#define CK_OTP_FORMAT_DECIMAL           0UL
-#define CK_OTP_FORMAT_HEXADECIMAL       1UL
-#define CK_OTP_FORMAT_ALPHANUMERIC      2UL
-#define CK_OTP_FORMAT_BINARY            3UL
-
-/* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT
- * attributes
- */
-#define CK_OTP_PARAM_IGNORED            0UL
-#define CK_OTP_PARAM_OPTIONAL           1UL
-#define CK_OTP_PARAM_MANDATORY          2UL
-
-/* The following attribute types are defined: */
-#define CKA_CLASS              0x00000000UL
-#define CKA_TOKEN              0x00000001UL
-#define CKA_PRIVATE            0x00000002UL
-#define CKA_LABEL              0x00000003UL
-#define CKA_APPLICATION        0x00000010UL
-#define CKA_VALUE              0x00000011UL
-#define CKA_OBJECT_ID          0x00000012UL
-#define CKA_CERTIFICATE_TYPE   0x00000080UL
-#define CKA_ISSUER             0x00000081UL
-#define CKA_SERIAL_NUMBER      0x00000082UL
-#define CKA_AC_ISSUER          0x00000083UL
-#define CKA_OWNER              0x00000084UL
-#define CKA_ATTR_TYPES         0x00000085UL
-#define CKA_TRUSTED            0x00000086UL
-#define CKA_CERTIFICATE_CATEGORY        0x00000087UL
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088UL
-#define CKA_URL                         0x00000089UL
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008AUL
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008BUL
-#define CKA_NAME_HASH_ALGORITHM         0x0000008CUL
-#define CKA_CHECK_VALUE                 0x00000090UL
-
-#define CKA_KEY_TYPE           0x00000100UL
-#define CKA_SUBJECT            0x00000101UL
-#define CKA_ID                 0x00000102UL
-#define CKA_SENSITIVE          0x00000103UL
-#define CKA_ENCRYPT            0x00000104UL
-#define CKA_DECRYPT            0x00000105UL
-#define CKA_WRAP               0x00000106UL
-#define CKA_UNWRAP             0x00000107UL
-#define CKA_SIGN               0x00000108UL
-#define CKA_SIGN_RECOVER       0x00000109UL
-#define CKA_VERIFY             0x0000010AUL
-#define CKA_VERIFY_RECOVER     0x0000010BUL
-#define CKA_DERIVE             0x0000010CUL
-#define CKA_START_DATE         0x00000110UL
-#define CKA_END_DATE           0x00000111UL
-#define CKA_MODULUS            0x00000120UL
-#define CKA_MODULUS_BITS       0x00000121UL
-#define CKA_PUBLIC_EXPONENT    0x00000122UL
-#define CKA_PRIVATE_EXPONENT   0x00000123UL
-#define CKA_PRIME_1            0x00000124UL
-#define CKA_PRIME_2            0x00000125UL
-#define CKA_EXPONENT_1         0x00000126UL
-#define CKA_EXPONENT_2         0x00000127UL
-#define CKA_COEFFICIENT        0x00000128UL
-#define CKA_PUBLIC_KEY_INFO    0x00000129UL
-#define CKA_PRIME              0x00000130UL
-#define CKA_SUBPRIME           0x00000131UL
-#define CKA_BASE               0x00000132UL
-
-#define CKA_PRIME_BITS         0x00000133UL
-#define CKA_SUBPRIME_BITS      0x00000134UL
-#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
-
-#define CKA_VALUE_BITS         0x00000160UL
-#define CKA_VALUE_LEN          0x00000161UL
-#define CKA_EXTRACTABLE        0x00000162UL
-#define CKA_LOCAL              0x00000163UL
-#define CKA_NEVER_EXTRACTABLE  0x00000164UL
-#define CKA_ALWAYS_SENSITIVE   0x00000165UL
-#define CKA_KEY_GEN_MECHANISM  0x00000166UL
-
-#define CKA_MODIFIABLE         0x00000170UL
-#define CKA_COPYABLE           0x00000171UL
-
-#define CKA_DESTROYABLE        0x00000172UL
-
-#define CKA_ECDSA_PARAMS       0x00000180UL /* Deprecated */
-#define CKA_EC_PARAMS          0x00000180UL
-
-#define CKA_EC_POINT           0x00000181UL
-
-#define CKA_SECONDARY_AUTH     0x00000200UL /* Deprecated */
-#define CKA_AUTH_PIN_FLAGS     0x00000201UL /* Deprecated */
-
-#define CKA_ALWAYS_AUTHENTICATE  0x00000202UL
-
-#define CKA_WRAP_WITH_TRUSTED    0x00000210UL
-#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211UL)
-#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212UL)
-#define CKA_DERIVE_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000213UL)
-
-#define CKA_OTP_FORMAT                0x00000220UL
-#define CKA_OTP_LENGTH                0x00000221UL
-#define CKA_OTP_TIME_INTERVAL         0x00000222UL
-#define CKA_OTP_USER_FRIENDLY_MODE    0x00000223UL
-#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224UL
-#define CKA_OTP_TIME_REQUIREMENT      0x00000225UL
-#define CKA_OTP_COUNTER_REQUIREMENT   0x00000226UL
-#define CKA_OTP_PIN_REQUIREMENT       0x00000227UL
-#define CKA_OTP_COUNTER               0x0000022EUL
-#define CKA_OTP_TIME                  0x0000022FUL
-#define CKA_OTP_USER_IDENTIFIER       0x0000022AUL
-#define CKA_OTP_SERVICE_IDENTIFIER    0x0000022BUL
-#define CKA_OTP_SERVICE_LOGO          0x0000022CUL
-#define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022DUL
-
-#define CKA_GOSTR3410_PARAMS            0x00000250UL
-#define CKA_GOSTR3411_PARAMS            0x00000251UL
-#define CKA_GOST28147_PARAMS            0x00000252UL
-
-#define CKA_HW_FEATURE_TYPE             0x00000300UL
-#define CKA_RESET_ON_INIT               0x00000301UL
-#define CKA_HAS_RESET                   0x00000302UL
-
-#define CKA_PIXEL_X                     0x00000400UL
-#define CKA_PIXEL_Y                     0x00000401UL
-#define CKA_RESOLUTION                  0x00000402UL
-#define CKA_CHAR_ROWS                   0x00000403UL
-#define CKA_CHAR_COLUMNS                0x00000404UL
-#define CKA_COLOR                       0x00000405UL
-#define CKA_BITS_PER_PIXEL              0x00000406UL
-#define CKA_CHAR_SETS                   0x00000480UL
-#define CKA_ENCODING_METHODS            0x00000481UL
-#define CKA_MIME_TYPES                  0x00000482UL
-#define CKA_MECHANISM_TYPE              0x00000500UL
-#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501UL
-#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502UL
-#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503UL
-#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600UL)
-
-#define CKA_VENDOR_DEFINED              0x80000000UL
-
-/* CK_ATTRIBUTE is a structure that includes the type, length
- * and value of an attribute
- */
-typedef struct CK_ATTRIBUTE {
-  CK_ATTRIBUTE_TYPE type;
-  CK_VOID_PTR       pValue;
-  CK_ULONG          ulValueLen;  /* in bytes */
-} CK_ATTRIBUTE;
-
-typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-
-/* CK_DATE is a structure that defines a date */
-typedef struct CK_DATE{
-  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
-  CK_CHAR       month[2];  /* the month ("01" - "12") */
-  CK_CHAR       day[2];    /* the day   ("01" - "31") */
-} CK_DATE;
-
-
-/* CK_MECHANISM_TYPE is a value that identifies a mechanism
- * type
- */
-typedef CK_ULONG          CK_MECHANISM_TYPE;
-
-/* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000UL
-#define CKM_RSA_PKCS                   0x00000001UL
-#define CKM_RSA_9796                   0x00000002UL
-#define CKM_RSA_X_509                  0x00000003UL
-
-#define CKM_MD2_RSA_PKCS               0x00000004UL
-#define CKM_MD5_RSA_PKCS               0x00000005UL
-#define CKM_SHA1_RSA_PKCS              0x00000006UL
-
-#define CKM_RIPEMD128_RSA_PKCS         0x00000007UL
-#define CKM_RIPEMD160_RSA_PKCS         0x00000008UL
-#define CKM_RSA_PKCS_OAEP              0x00000009UL
-
-#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000AUL
-#define CKM_RSA_X9_31                  0x0000000BUL
-#define CKM_SHA1_RSA_X9_31             0x0000000CUL
-#define CKM_RSA_PKCS_PSS               0x0000000DUL
-#define CKM_SHA1_RSA_PKCS_PSS          0x0000000EUL
-
-#define CKM_DSA_KEY_PAIR_GEN           0x00000010UL
-#define CKM_DSA                        0x00000011UL
-#define CKM_DSA_SHA1                   0x00000012UL
-#define CKM_DSA_SHA224                 0x00000013UL
-#define CKM_DSA_SHA256                 0x00000014UL
-#define CKM_DSA_SHA384                 0x00000015UL
-#define CKM_DSA_SHA512                 0x00000016UL
-
-#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020UL
-#define CKM_DH_PKCS_DERIVE             0x00000021UL
-
-#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030UL
-#define CKM_X9_42_DH_DERIVE            0x00000031UL
-#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032UL
-#define CKM_X9_42_MQV_DERIVE           0x00000033UL
-
-#define CKM_SHA256_RSA_PKCS            0x00000040UL
-#define CKM_SHA384_RSA_PKCS            0x00000041UL
-#define CKM_SHA512_RSA_PKCS            0x00000042UL
-#define CKM_SHA256_RSA_PKCS_PSS        0x00000043UL
-#define CKM_SHA384_RSA_PKCS_PSS        0x00000044UL
-#define CKM_SHA512_RSA_PKCS_PSS        0x00000045UL
-
-#define CKM_SHA224_RSA_PKCS            0x00000046UL
-#define CKM_SHA224_RSA_PKCS_PSS        0x00000047UL
-
-#define CKM_SHA512_224                 0x00000048UL
-#define CKM_SHA512_224_HMAC            0x00000049UL
-#define CKM_SHA512_224_HMAC_GENERAL    0x0000004AUL
-#define CKM_SHA512_224_KEY_DERIVATION  0x0000004BUL
-#define CKM_SHA512_256                 0x0000004CUL
-#define CKM_SHA512_256_HMAC            0x0000004DUL
-#define CKM_SHA512_256_HMAC_GENERAL    0x0000004EUL
-#define CKM_SHA512_256_KEY_DERIVATION  0x0000004FUL
-
-#define CKM_SHA512_T                   0x00000050UL
-#define CKM_SHA512_T_HMAC              0x00000051UL
-#define CKM_SHA512_T_HMAC_GENERAL      0x00000052UL
-#define CKM_SHA512_T_KEY_DERIVATION    0x00000053UL
-
-#define CKM_RC2_KEY_GEN                0x00000100UL
-#define CKM_RC2_ECB                    0x00000101UL
-#define CKM_RC2_CBC                    0x00000102UL
-#define CKM_RC2_MAC                    0x00000103UL
-
-#define CKM_RC2_MAC_GENERAL            0x00000104UL
-#define CKM_RC2_CBC_PAD                0x00000105UL
-
-#define CKM_RC4_KEY_GEN                0x00000110UL
-#define CKM_RC4                        0x00000111UL
-#define CKM_DES_KEY_GEN                0x00000120UL
-#define CKM_DES_ECB                    0x00000121UL
-#define CKM_DES_CBC                    0x00000122UL
-#define CKM_DES_MAC                    0x00000123UL
-
-#define CKM_DES_MAC_GENERAL            0x00000124UL
-#define CKM_DES_CBC_PAD                0x00000125UL
-
-#define CKM_DES2_KEY_GEN               0x00000130UL
-#define CKM_DES3_KEY_GEN               0x00000131UL
-#define CKM_DES3_ECB                   0x00000132UL
-#define CKM_DES3_CBC                   0x00000133UL
-#define CKM_DES3_MAC                   0x00000134UL
-
-#define CKM_DES3_MAC_GENERAL           0x00000135UL
-#define CKM_DES3_CBC_PAD               0x00000136UL
-#define CKM_DES3_CMAC_GENERAL          0x00000137UL
-#define CKM_DES3_CMAC                  0x00000138UL
-#define CKM_CDMF_KEY_GEN               0x00000140UL
-#define CKM_CDMF_ECB                   0x00000141UL
-#define CKM_CDMF_CBC                   0x00000142UL
-#define CKM_CDMF_MAC                   0x00000143UL
-#define CKM_CDMF_MAC_GENERAL           0x00000144UL
-#define CKM_CDMF_CBC_PAD               0x00000145UL
-
-#define CKM_DES_OFB64                  0x00000150UL
-#define CKM_DES_OFB8                   0x00000151UL
-#define CKM_DES_CFB64                  0x00000152UL
-#define CKM_DES_CFB8                   0x00000153UL
-
-#define CKM_MD2                        0x00000200UL
-
-#define CKM_MD2_HMAC                   0x00000201UL
-#define CKM_MD2_HMAC_GENERAL           0x00000202UL
-
-#define CKM_MD5                        0x00000210UL
-
-#define CKM_MD5_HMAC                   0x00000211UL
-#define CKM_MD5_HMAC_GENERAL           0x00000212UL
-
-#define CKM_SHA_1                      0x00000220UL
-
-#define CKM_SHA_1_HMAC                 0x00000221UL
-#define CKM_SHA_1_HMAC_GENERAL         0x00000222UL
-
-#define CKM_RIPEMD128                  0x00000230UL
-#define CKM_RIPEMD128_HMAC             0x00000231UL
-#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232UL
-#define CKM_RIPEMD160                  0x00000240UL
-#define CKM_RIPEMD160_HMAC             0x00000241UL
-#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242UL
-
-#define CKM_SHA256                     0x00000250UL
-#define CKM_SHA256_HMAC                0x00000251UL
-#define CKM_SHA256_HMAC_GENERAL        0x00000252UL
-#define CKM_SHA224                     0x00000255UL
-#define CKM_SHA224_HMAC                0x00000256UL
-#define CKM_SHA224_HMAC_GENERAL        0x00000257UL
-#define CKM_SHA384                     0x00000260UL
-#define CKM_SHA384_HMAC                0x00000261UL
-#define CKM_SHA384_HMAC_GENERAL        0x00000262UL
-#define CKM_SHA512                     0x00000270UL
-#define CKM_SHA512_HMAC                0x00000271UL
-#define CKM_SHA512_HMAC_GENERAL        0x00000272UL
-#define CKM_SECURID_KEY_GEN            0x00000280UL
-#define CKM_SECURID                    0x00000282UL
-#define CKM_HOTP_KEY_GEN               0x00000290UL
-#define CKM_HOTP                       0x00000291UL
-#define CKM_ACTI                       0x000002A0UL
-#define CKM_ACTI_KEY_GEN               0x000002A1UL
-
-#define CKM_CAST_KEY_GEN               0x00000300UL
-#define CKM_CAST_ECB                   0x00000301UL
-#define CKM_CAST_CBC                   0x00000302UL
-#define CKM_CAST_MAC                   0x00000303UL
-#define CKM_CAST_MAC_GENERAL           0x00000304UL
-#define CKM_CAST_CBC_PAD               0x00000305UL
-#define CKM_CAST3_KEY_GEN              0x00000310UL
-#define CKM_CAST3_ECB                  0x00000311UL
-#define CKM_CAST3_CBC                  0x00000312UL
-#define CKM_CAST3_MAC                  0x00000313UL
-#define CKM_CAST3_MAC_GENERAL          0x00000314UL
-#define CKM_CAST3_CBC_PAD              0x00000315UL
-/* Note that CAST128 and CAST5 are the same algorithm */
-#define CKM_CAST5_KEY_GEN              0x00000320UL
-#define CKM_CAST128_KEY_GEN            0x00000320UL
-#define CKM_CAST5_ECB                  0x00000321UL
-#define CKM_CAST128_ECB                0x00000321UL
-#define CKM_CAST5_CBC                  0x00000322UL /* Deprecated */
-#define CKM_CAST128_CBC                0x00000322UL
-#define CKM_CAST5_MAC                  0x00000323UL /* Deprecated */
-#define CKM_CAST128_MAC                0x00000323UL
-#define CKM_CAST5_MAC_GENERAL          0x00000324UL /* Deprecated */
-#define CKM_CAST128_MAC_GENERAL        0x00000324UL
-#define CKM_CAST5_CBC_PAD              0x00000325UL /* Deprecated */
-#define CKM_CAST128_CBC_PAD            0x00000325UL
-#define CKM_RC5_KEY_GEN                0x00000330UL
-#define CKM_RC5_ECB                    0x00000331UL
-#define CKM_RC5_CBC                    0x00000332UL
-#define CKM_RC5_MAC                    0x00000333UL
-#define CKM_RC5_MAC_GENERAL            0x00000334UL
-#define CKM_RC5_CBC_PAD                0x00000335UL
-#define CKM_IDEA_KEY_GEN               0x00000340UL
-#define CKM_IDEA_ECB                   0x00000341UL
-#define CKM_IDEA_CBC                   0x00000342UL
-#define CKM_IDEA_MAC                   0x00000343UL
-#define CKM_IDEA_MAC_GENERAL           0x00000344UL
-#define CKM_IDEA_CBC_PAD               0x00000345UL
-#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350UL
-#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360UL
-#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362UL
-#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363UL
-#define CKM_XOR_BASE_AND_DATA          0x00000364UL
-#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365UL
-#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370UL
-#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371UL
-#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372UL
-
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373UL
-#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374UL
-#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375UL
-#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376UL
-#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377UL
-
-#define CKM_TLS_PRF                    0x00000378UL
-
-#define CKM_SSL3_MD5_MAC               0x00000380UL
-#define CKM_SSL3_SHA1_MAC              0x00000381UL
-#define CKM_MD5_KEY_DERIVATION         0x00000390UL
-#define CKM_MD2_KEY_DERIVATION         0x00000391UL
-#define CKM_SHA1_KEY_DERIVATION        0x00000392UL
-
-#define CKM_SHA256_KEY_DERIVATION      0x00000393UL
-#define CKM_SHA384_KEY_DERIVATION      0x00000394UL
-#define CKM_SHA512_KEY_DERIVATION      0x00000395UL
-#define CKM_SHA224_KEY_DERIVATION      0x00000396UL
-
-#define CKM_PBE_MD2_DES_CBC            0x000003A0UL
-#define CKM_PBE_MD5_DES_CBC            0x000003A1UL
-#define CKM_PBE_MD5_CAST_CBC           0x000003A2UL
-#define CKM_PBE_MD5_CAST3_CBC          0x000003A3UL
-#define CKM_PBE_MD5_CAST5_CBC          0x000003A4UL /* Deprecated */
-#define CKM_PBE_MD5_CAST128_CBC        0x000003A4UL
-#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5UL /* Deprecated */
-#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5UL
-#define CKM_PBE_SHA1_RC4_128           0x000003A6UL
-#define CKM_PBE_SHA1_RC4_40            0x000003A7UL
-#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8UL
-#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9UL
-#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AAUL
-#define CKM_PBE_SHA1_RC2_40_CBC        0x000003ABUL
-
-#define CKM_PKCS5_PBKD2                0x000003B0UL
-
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0UL
-
-#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0UL
-#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1UL
-#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2UL
-#define CKM_WTLS_PRF                        0x000003D3UL
-#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4UL
-#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5UL
-
-#define CKM_TLS10_MAC_SERVER                0x000003D6UL
-#define CKM_TLS10_MAC_CLIENT                0x000003D7UL
-#define CKM_TLS12_MAC                       0x000003D8UL
-#define CKM_TLS12_KDF                       0x000003D9UL
-#define CKM_TLS12_MASTER_KEY_DERIVE         0x000003E0UL
-#define CKM_TLS12_KEY_AND_MAC_DERIVE        0x000003E1UL
-#define CKM_TLS12_MASTER_KEY_DERIVE_DH      0x000003E2UL
-#define CKM_TLS12_KEY_SAFE_DERIVE           0x000003E3UL
-#define CKM_TLS_MAC                         0x000003E4UL
-#define CKM_TLS_KDF                         0x000003E5UL
-
-#define CKM_KEY_WRAP_LYNKS             0x00000400UL
-#define CKM_KEY_WRAP_SET_OAEP          0x00000401UL
-
-#define CKM_CMS_SIG                    0x00000500UL
-#define CKM_KIP_DERIVE                 0x00000510UL
-#define CKM_KIP_WRAP                   0x00000511UL
-#define CKM_KIP_MAC                    0x00000512UL
-
-#define CKM_CAMELLIA_KEY_GEN           0x00000550UL
-#define CKM_CAMELLIA_ECB               0x00000551UL
-#define CKM_CAMELLIA_CBC               0x00000552UL
-#define CKM_CAMELLIA_MAC               0x00000553UL
-#define CKM_CAMELLIA_MAC_GENERAL       0x00000554UL
-#define CKM_CAMELLIA_CBC_PAD           0x00000555UL
-#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556UL
-#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557UL
-#define CKM_CAMELLIA_CTR               0x00000558UL
-
-#define CKM_ARIA_KEY_GEN               0x00000560UL
-#define CKM_ARIA_ECB                   0x00000561UL
-#define CKM_ARIA_CBC                   0x00000562UL
-#define CKM_ARIA_MAC                   0x00000563UL
-#define CKM_ARIA_MAC_GENERAL           0x00000564UL
-#define CKM_ARIA_CBC_PAD               0x00000565UL
-#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566UL
-#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567UL
-
-#define CKM_SEED_KEY_GEN               0x00000650UL
-#define CKM_SEED_ECB                   0x00000651UL
-#define CKM_SEED_CBC                   0x00000652UL
-#define CKM_SEED_MAC                   0x00000653UL
-#define CKM_SEED_MAC_GENERAL           0x00000654UL
-#define CKM_SEED_CBC_PAD               0x00000655UL
-#define CKM_SEED_ECB_ENCRYPT_DATA      0x00000656UL
-#define CKM_SEED_CBC_ENCRYPT_DATA      0x00000657UL
-
-#define CKM_SKIPJACK_KEY_GEN           0x00001000UL
-#define CKM_SKIPJACK_ECB64             0x00001001UL
-#define CKM_SKIPJACK_CBC64             0x00001002UL
-#define CKM_SKIPJACK_OFB64             0x00001003UL
-#define CKM_SKIPJACK_CFB64             0x00001004UL
-#define CKM_SKIPJACK_CFB32             0x00001005UL
-#define CKM_SKIPJACK_CFB16             0x00001006UL
-#define CKM_SKIPJACK_CFB8              0x00001007UL
-#define CKM_SKIPJACK_WRAP              0x00001008UL
-#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009UL
-#define CKM_SKIPJACK_RELAYX            0x0000100aUL
-#define CKM_KEA_KEY_PAIR_GEN           0x00001010UL
-#define CKM_KEA_KEY_DERIVE             0x00001011UL
-#define CKM_KEA_DERIVE                 0x00001012UL
-#define CKM_FORTEZZA_TIMESTAMP         0x00001020UL
-#define CKM_BATON_KEY_GEN              0x00001030UL
-#define CKM_BATON_ECB128               0x00001031UL
-#define CKM_BATON_ECB96                0x00001032UL
-#define CKM_BATON_CBC128               0x00001033UL
-#define CKM_BATON_COUNTER              0x00001034UL
-#define CKM_BATON_SHUFFLE              0x00001035UL
-#define CKM_BATON_WRAP                 0x00001036UL
-
-#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040UL /* Deprecated */
-#define CKM_EC_KEY_PAIR_GEN            0x00001040UL
-
-#define CKM_ECDSA                      0x00001041UL
-#define CKM_ECDSA_SHA1                 0x00001042UL
-#define CKM_ECDSA_SHA224               0x00001043UL
-#define CKM_ECDSA_SHA256               0x00001044UL
-#define CKM_ECDSA_SHA384               0x00001045UL
-#define CKM_ECDSA_SHA512               0x00001046UL
-
-#define CKM_ECDH1_DERIVE               0x00001050UL
-#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051UL
-#define CKM_ECMQV_DERIVE               0x00001052UL
-
-#define CKM_ECDH_AES_KEY_WRAP          0x00001053UL
-#define CKM_RSA_AES_KEY_WRAP           0x00001054UL
-
-#define CKM_JUNIPER_KEY_GEN            0x00001060UL
-#define CKM_JUNIPER_ECB128             0x00001061UL
-#define CKM_JUNIPER_CBC128             0x00001062UL
-#define CKM_JUNIPER_COUNTER            0x00001063UL
-#define CKM_JUNIPER_SHUFFLE            0x00001064UL
-#define CKM_JUNIPER_WRAP               0x00001065UL
-#define CKM_FASTHASH                   0x00001070UL
-
-#define CKM_AES_KEY_GEN                0x00001080UL
-#define CKM_AES_ECB                    0x00001081UL
-#define CKM_AES_CBC                    0x00001082UL
-#define CKM_AES_MAC                    0x00001083UL
-#define CKM_AES_MAC_GENERAL            0x00001084UL
-#define CKM_AES_CBC_PAD                0x00001085UL
-#define CKM_AES_CTR                    0x00001086UL
-#define CKM_AES_GCM                    0x00001087UL
-#define CKM_AES_CCM                    0x00001088UL
-#define CKM_AES_CTS                    0x00001089UL
-#define CKM_AES_CMAC                   0x0000108AUL
-#define CKM_AES_CMAC_GENERAL           0x0000108BUL
-
-#define CKM_AES_XCBC_MAC               0x0000108CUL
-#define CKM_AES_XCBC_MAC_96            0x0000108DUL
-#define CKM_AES_GMAC                   0x0000108EUL
-
-#define CKM_BLOWFISH_KEY_GEN           0x00001090UL
-#define CKM_BLOWFISH_CBC               0x00001091UL
-#define CKM_TWOFISH_KEY_GEN            0x00001092UL
-#define CKM_TWOFISH_CBC                0x00001093UL
-#define CKM_BLOWFISH_CBC_PAD           0x00001094UL
-#define CKM_TWOFISH_CBC_PAD            0x00001095UL
-
-#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100UL
-#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101UL
-#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102UL
-#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103UL
-#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104UL
-#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105UL
-
-#define CKM_GOSTR3410_KEY_PAIR_GEN     0x00001200UL
-#define CKM_GOSTR3410                  0x00001201UL
-#define CKM_GOSTR3410_WITH_GOSTR3411   0x00001202UL
-#define CKM_GOSTR3410_KEY_WRAP         0x00001203UL
-#define CKM_GOSTR3410_DERIVE           0x00001204UL
-#define CKM_GOSTR3411                  0x00001210UL
-#define CKM_GOSTR3411_HMAC             0x00001211UL
-#define CKM_GOST28147_KEY_GEN          0x00001220UL
-#define CKM_GOST28147_ECB              0x00001221UL
-#define CKM_GOST28147                  0x00001222UL
-#define CKM_GOST28147_MAC              0x00001223UL
-#define CKM_GOST28147_KEY_WRAP         0x00001224UL
-
-#define CKM_DSA_PARAMETER_GEN          0x00002000UL
-#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001UL
-#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002UL
-#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN    0x00002003UL
-#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN    0x00002004UL
-
-#define CKM_AES_OFB                    0x00002104UL
-#define CKM_AES_CFB64                  0x00002105UL
-#define CKM_AES_CFB8                   0x00002106UL
-#define CKM_AES_CFB128                 0x00002107UL
-
-#define CKM_AES_CFB1                   0x00002108UL
-#define CKM_AES_KEY_WRAP               0x00002109UL     /* WAS: 0x00001090 */
-#define CKM_AES_KEY_WRAP_PAD           0x0000210AUL     /* WAS: 0x00001091 */
-
-#define CKM_RSA_PKCS_TPM_1_1           0x00004001UL
-#define CKM_RSA_PKCS_OAEP_TPM_1_1      0x00004002UL
-
-#define CKM_VENDOR_DEFINED             0x80000000UL
-
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular
- * mechanism
- */
-typedef struct CK_MECHANISM {
-  CK_MECHANISM_TYPE mechanism;
-  CK_VOID_PTR       pParameter;
-  CK_ULONG          ulParameterLen;  /* in bytes */
-} CK_MECHANISM;
-
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular
- * mechanism
- */
-typedef struct CK_MECHANISM_INFO {
-    CK_ULONG    ulMinKeySize;
-    CK_ULONG    ulMaxKeySize;
-    CK_FLAGS    flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows:
- *      Bit Flag               Mask          Meaning */
-#define CKF_HW                 0x00000001UL  /* performed by HW */
-
-/* Specify whether or not a mechanism can be used for a particular task */
-#define CKF_ENCRYPT            0x00000100UL
-#define CKF_DECRYPT            0x00000200UL
-#define CKF_DIGEST             0x00000400UL
-#define CKF_SIGN               0x00000800UL
-#define CKF_SIGN_RECOVER       0x00001000UL
-#define CKF_VERIFY             0x00002000UL
-#define CKF_VERIFY_RECOVER     0x00004000UL
-#define CKF_GENERATE           0x00008000UL
-#define CKF_GENERATE_KEY_PAIR  0x00010000UL
-#define CKF_WRAP               0x00020000UL
-#define CKF_UNWRAP             0x00040000UL
-#define CKF_DERIVE             0x00080000UL
-
-/* Describe a token's EC capabilities not available in mechanism
- * information.
- */
-#define CKF_EC_F_P             0x00100000UL
-#define CKF_EC_F_2M            0x00200000UL
-#define CKF_EC_ECPARAMETERS    0x00400000UL
-#define CKF_EC_NAMEDCURVE      0x00800000UL
-#define CKF_EC_UNCOMPRESS      0x01000000UL
-#define CKF_EC_COMPRESS        0x02000000UL
-
-#define CKF_EXTENSION          0x80000000UL
-
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-/* CK_RV is a value that identifies the return value of a
- * Cryptoki function
- */
-typedef CK_ULONG          CK_RV;
-
-#define CKR_OK                                0x00000000UL
-#define CKR_CANCEL                            0x00000001UL
-#define CKR_HOST_MEMORY                       0x00000002UL
-#define CKR_SLOT_ID_INVALID                   0x00000003UL
-
-#define CKR_GENERAL_ERROR                     0x00000005UL
-#define CKR_FUNCTION_FAILED                   0x00000006UL
-
-#define CKR_ARGUMENTS_BAD                     0x00000007UL
-#define CKR_NO_EVENT                          0x00000008UL
-#define CKR_NEED_TO_CREATE_THREADS            0x00000009UL
-#define CKR_CANT_LOCK                         0x0000000AUL
-
-#define CKR_ATTRIBUTE_READ_ONLY               0x00000010UL
-#define CKR_ATTRIBUTE_SENSITIVE               0x00000011UL
-#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012UL
-#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013UL
-
-#define CKR_ACTION_PROHIBITED                 0x0000001BUL
-
-#define CKR_DATA_INVALID                      0x00000020UL
-#define CKR_DATA_LEN_RANGE                    0x00000021UL
-#define CKR_DEVICE_ERROR                      0x00000030UL
-#define CKR_DEVICE_MEMORY                     0x00000031UL
-#define CKR_DEVICE_REMOVED                    0x00000032UL
-#define CKR_ENCRYPTED_DATA_INVALID            0x00000040UL
-#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041UL
-#define CKR_FUNCTION_CANCELED                 0x00000050UL
-#define CKR_FUNCTION_NOT_PARALLEL             0x00000051UL
-
-#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054UL
-
-#define CKR_KEY_HANDLE_INVALID                0x00000060UL
-
-#define CKR_KEY_SIZE_RANGE                    0x00000062UL
-#define CKR_KEY_TYPE_INCONSISTENT             0x00000063UL
-
-#define CKR_KEY_NOT_NEEDED                    0x00000064UL
-#define CKR_KEY_CHANGED                       0x00000065UL
-#define CKR_KEY_NEEDED                        0x00000066UL
-#define CKR_KEY_INDIGESTIBLE                  0x00000067UL
-#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068UL
-#define CKR_KEY_NOT_WRAPPABLE                 0x00000069UL
-#define CKR_KEY_UNEXTRACTABLE                 0x0000006AUL
-
-#define CKR_MECHANISM_INVALID                 0x00000070UL
-#define CKR_MECHANISM_PARAM_INVALID           0x00000071UL
-
-#define CKR_OBJECT_HANDLE_INVALID             0x00000082UL
-#define CKR_OPERATION_ACTIVE                  0x00000090UL
-#define CKR_OPERATION_NOT_INITIALIZED         0x00000091UL
-#define CKR_PIN_INCORRECT                     0x000000A0UL
-#define CKR_PIN_INVALID                       0x000000A1UL
-#define CKR_PIN_LEN_RANGE                     0x000000A2UL
-
-#define CKR_PIN_EXPIRED                       0x000000A3UL
-#define CKR_PIN_LOCKED                        0x000000A4UL
-
-#define CKR_SESSION_CLOSED                    0x000000B0UL
-#define CKR_SESSION_COUNT                     0x000000B1UL
-#define CKR_SESSION_HANDLE_INVALID            0x000000B3UL
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4UL
-#define CKR_SESSION_READ_ONLY                 0x000000B5UL
-#define CKR_SESSION_EXISTS                    0x000000B6UL
-
-#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7UL
-#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8UL
-
-#define CKR_SIGNATURE_INVALID                 0x000000C0UL
-#define CKR_SIGNATURE_LEN_RANGE               0x000000C1UL
-#define CKR_TEMPLATE_INCOMPLETE               0x000000D0UL
-#define CKR_TEMPLATE_INCONSISTENT             0x000000D1UL
-#define CKR_TOKEN_NOT_PRESENT                 0x000000E0UL
-#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1UL
-#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2UL
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0UL
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1UL
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2UL
-#define CKR_USER_ALREADY_LOGGED_IN            0x00000100UL
-#define CKR_USER_NOT_LOGGED_IN                0x00000101UL
-#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102UL
-#define CKR_USER_TYPE_INVALID                 0x00000103UL
-
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104UL
-#define CKR_USER_TOO_MANY_TYPES               0x00000105UL
-
-#define CKR_WRAPPED_KEY_INVALID               0x00000110UL
-#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112UL
-#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113UL
-#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114UL
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115UL
-#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120UL
-
-#define CKR_RANDOM_NO_RNG                     0x00000121UL
-
-#define CKR_DOMAIN_PARAMS_INVALID             0x00000130UL
-
-#define CKR_CURVE_NOT_SUPPORTED               0x00000140UL
-
-#define CKR_BUFFER_TOO_SMALL                  0x00000150UL
-#define CKR_SAVED_STATE_INVALID               0x00000160UL
-#define CKR_INFORMATION_SENSITIVE             0x00000170UL
-#define CKR_STATE_UNSAVEABLE                  0x00000180UL
-
-#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190UL
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191UL
-#define CKR_MUTEX_BAD                         0x000001A0UL
-#define CKR_MUTEX_NOT_LOCKED                  0x000001A1UL
-
-#define CKR_NEW_PIN_MODE                      0x000001B0UL
-#define CKR_NEXT_OTP                          0x000001B1UL
-
-#define CKR_EXCEEDED_MAX_ITERATIONS           0x000001B5UL
-#define CKR_FIPS_SELF_TEST_FAILED             0x000001B6UL
-#define CKR_LIBRARY_LOAD_FAILED               0x000001B7UL
-#define CKR_PIN_TOO_WEAK                      0x000001B8UL
-#define CKR_PUBLIC_KEY_INVALID                0x000001B9UL
-
-#define CKR_FUNCTION_REJECTED                 0x00000200UL
-
-#define CKR_VENDOR_DEFINED                    0x80000000UL
-
-/* private extra values */
-#define CKR_LIBRARY_ALREADY_INITIALIZED       0x000000FDUL
-#define CKR_LIBRARY_FAILED_TO_LOAD            0x000000FEUL
-#define CKR_SYMBOL_RESOLUTION_FAILED          0x000000FFUL
-
-/* CK_NOTIFY is an application callback that processes events */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_NOTIFICATION   event,
-  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
-);
-
-
-/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
- * version and pointers of appropriate types to all the
- * Cryptoki functions
- */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-
-/* CK_CREATEMUTEX is an application callback for creating a
- * mutex object
- */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
-  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a
- * mutex object
- */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a
- * mutex
- */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to
- * C_Initialize
- */
-typedef struct CK_C_INITIALIZE_ARGS {
-  CK_CREATEMUTEX CreateMutex;
-  CK_DESTROYMUTEX DestroyMutex;
-  CK_LOCKMUTEX LockMutex;
-  CK_UNLOCKMUTEX UnlockMutex;
-  CK_FLAGS flags;
-  CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag                           Mask       Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001UL
-#define CKF_OS_LOCKING_OK                  0x00000002UL
-
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK     1
-
-/* CK_RSA_PKCS_MGF_TYPE  is used to indicate the Message
- * Generation Function (MGF) applied to a message block when
- * formatting a message block for the PKCS #1 OAEP encryption
- * scheme.
- */
-typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
-
-typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
-
-/* The following MGFs are defined */
-#define CKG_MGF1_SHA1         0x00000001UL
-#define CKG_MGF1_SHA256       0x00000002UL
-#define CKG_MGF1_SHA384       0x00000003UL
-#define CKG_MGF1_SHA512       0x00000004UL
-#define CKG_MGF1_SHA224       0x00000005UL
-
-/* CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
- * of the encoding parameter when formatting a message block
- * for the PKCS #1 OAEP encryption scheme.
- */
-typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
-
-typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
-
-/* The following encoding parameter sources are defined */
-#define CKZ_DATA_SPECIFIED    0x00000001UL
-
-/* CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_OAEP mechanism.
- */
-typedef struct CK_RSA_PKCS_OAEP_PARAMS {
-        CK_MECHANISM_TYPE hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
-        CK_VOID_PTR pSourceData;
-        CK_ULONG ulSourceDataLen;
-} CK_RSA_PKCS_OAEP_PARAMS;
-
-typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
-
-/* CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_PSS mechanism(s).
- */
-typedef struct CK_RSA_PKCS_PSS_PARAMS {
-        CK_MECHANISM_TYPE    hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_ULONG             sLen;
-} CK_RSA_PKCS_PSS_PARAMS;
-
-typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
-
-typedef CK_ULONG CK_EC_KDF_TYPE;
-
-/* The following EC Key Derivation Functions are defined */
-#define CKD_NULL                 0x00000001UL
-#define CKD_SHA1_KDF             0x00000002UL
-
-/* The following X9.42 DH key derivation functions are defined */
-#define CKD_SHA1_KDF_ASN1        0x00000003UL
-#define CKD_SHA1_KDF_CONCATENATE 0x00000004UL
-#define CKD_SHA224_KDF           0x00000005UL
-#define CKD_SHA256_KDF           0x00000006UL
-#define CKD_SHA384_KDF           0x00000007UL
-#define CKD_SHA512_KDF           0x00000008UL
-#define CKD_CPDIVERSIFY_KDF      0x00000009UL
-
-
-/* CK_ECDH1_DERIVE_PARAMS provides the parameters to the
- * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
- * where each party contributes one key pair.
- */
-typedef struct CK_ECDH1_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_ECDH1_DERIVE_PARAMS;
-
-typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
-
-/*
- * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
- * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs.
- */
-typedef struct CK_ECDH2_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_ECDH2_DERIVE_PARAMS;
-
-typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_ECMQV_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_ECMQV_DERIVE_PARAMS;
-
-typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
-
-/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
- * CKM_X9_42_DH_PARAMETER_GEN mechanisms
- */
-typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
-typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
-
-/* CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
- * contributes one key pair
- */
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_X9_42_DH1_DERIVE_PARAMS;
-
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
-
-/* CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
- * mechanisms, where each party contributes two key pairs
- */
-typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_X9_42_DH2_DERIVE_PARAMS;
-
-typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_X9_42_MQV_DERIVE_PARAMS;
-
-typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the
- * CKM_KEA_DERIVE mechanism
- */
-typedef struct CK_KEA_DERIVE_PARAMS {
-  CK_BBOOL      isSender;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pRandomB;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
- * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
- * holds the effective keysize
- */
-typedef CK_ULONG          CK_RC2_PARAMS;
-
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
- * mechanism
- */
-typedef struct CK_RC2_CBC_PARAMS {
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-  CK_BYTE       iv[8];            /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC2_MAC_GENERAL mechanism
- */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
- * CKM_RC5_MAC mechanisms
- */
-typedef struct CK_RC5_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-} CK_RC5_PARAMS;
-
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
- * mechanism
- */
-typedef struct CK_RC5_CBC_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-  CK_BYTE_PTR   pIv;         /* pointer to IV */
-  CK_ULONG      ulIvLen;     /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC5_MAC_GENERAL mechanism
- */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulWordsize;   /* wordsize in bits */
-  CK_ULONG      ulRounds;     /* number of rounds */
-  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
- * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
- * the MAC
- */
-typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[8];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[16];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism
- */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
-  CK_ULONG      ulPasswordLen;
-  CK_BYTE_PTR   pPassword;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-  CK_ULONG      ulPAndGLen;
-  CK_ULONG      ulQLen;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pPrimeP;
-  CK_BYTE_PTR   pBaseG;
-  CK_BYTE_PTR   pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
-  CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism
- */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
-  CK_ULONG      ulOldWrappedXLen;
-  CK_BYTE_PTR   pOldWrappedX;
-  CK_ULONG      ulOldPasswordLen;
-  CK_BYTE_PTR   pOldPassword;
-  CK_ULONG      ulOldPublicDataLen;
-  CK_BYTE_PTR   pOldPublicData;
-  CK_ULONG      ulOldRandomLen;
-  CK_BYTE_PTR   pOldRandomA;
-  CK_ULONG      ulNewPasswordLen;
-  CK_BYTE_PTR   pNewPassword;
-  CK_ULONG      ulNewPublicDataLen;
-  CK_BYTE_PTR   pNewPublicData;
-  CK_ULONG      ulNewRandomLen;
-  CK_BYTE_PTR   pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
-  CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-
-typedef struct CK_PBE_PARAMS {
-  CK_BYTE_PTR      pInitVector;
-  CK_UTF8CHAR_PTR  pPassword;
-  CK_ULONG         ulPasswordLen;
-  CK_BYTE_PTR      pSalt;
-  CK_ULONG         ulSaltLen;
-  CK_ULONG         ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
- * CKM_KEY_WRAP_SET_OAEP mechanism
- */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
-  CK_BYTE       bBC;     /* block contents byte */
-  CK_BYTE_PTR   pX;      /* extra data */
-  CK_ULONG      ulXLen;  /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-typedef struct CK_SSL3_RANDOM_DATA {
-  CK_BYTE_PTR  pClientRandom;
-  CK_ULONG     ulClientRandomLen;
-  CK_BYTE_PTR  pServerRandom;
-  CK_ULONG     ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
-  CK_SSL3_RANDOM_DATA RandomInfo;
-  CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hClientMacSecret;
-  CK_OBJECT_HANDLE hServerMacSecret;
-  CK_OBJECT_HANDLE hClientKey;
-  CK_OBJECT_HANDLE hServerKey;
-  CK_BYTE_PTR      pIVClient;
-  CK_BYTE_PTR      pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_BBOOL                bIsExport;
-  CK_SSL3_RANDOM_DATA     RandomInfo;
-  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-typedef struct CK_TLS_PRF_PARAMS {
-  CK_BYTE_PTR  pSeed;
-  CK_ULONG     ulSeedLen;
-  CK_BYTE_PTR  pLabel;
-  CK_ULONG     ulLabelLen;
-  CK_BYTE_PTR  pOutput;
-  CK_ULONG_PTR pulOutputLen;
-} CK_TLS_PRF_PARAMS;
-
-typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
-
-typedef struct CK_WTLS_RANDOM_DATA {
-  CK_BYTE_PTR pClientRandom;
-  CK_ULONG    ulClientRandomLen;
-  CK_BYTE_PTR pServerRandom;
-  CK_ULONG    ulServerRandomLen;
-} CK_WTLS_RANDOM_DATA;
-
-typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
-
-typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
-  CK_MECHANISM_TYPE   DigestMechanism;
-  CK_WTLS_RANDOM_DATA RandomInfo;
-  CK_BYTE_PTR         pVersion;
-} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
-
-typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_WTLS_PRF_PARAMS {
-  CK_MECHANISM_TYPE DigestMechanism;
-  CK_BYTE_PTR       pSeed;
-  CK_ULONG          ulSeedLen;
-  CK_BYTE_PTR       pLabel;
-  CK_ULONG          ulLabelLen;
-  CK_BYTE_PTR       pOutput;
-  CK_ULONG_PTR      pulOutputLen;
-} CK_WTLS_PRF_PARAMS;
-
-typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hMacSecret;
-  CK_OBJECT_HANDLE hKey;
-  CK_BYTE_PTR      pIV;
-} CK_WTLS_KEY_MAT_OUT;
-
-typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_PARAMS {
-  CK_MECHANISM_TYPE       DigestMechanism;
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_ULONG                ulSequenceNumber;
-  CK_BBOOL                bIsExport;
-  CK_WTLS_RANDOM_DATA     RandomInfo;
-  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_WTLS_KEY_MAT_PARAMS;
-
-typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
-
-typedef struct CK_CMS_SIG_PARAMS {
-  CK_OBJECT_HANDLE      certificateHandle;
-  CK_MECHANISM_PTR      pSigningMechanism;
-  CK_MECHANISM_PTR      pDigestMechanism;
-  CK_UTF8CHAR_PTR       pContentType;
-  CK_BYTE_PTR           pRequestedAttributes;
-  CK_ULONG              ulRequestedAttributesLen;
-  CK_BYTE_PTR           pRequiredAttributes;
-  CK_ULONG              ulRequiredAttributesLen;
-} CK_CMS_SIG_PARAMS;
-
-typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
-
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
-  CK_BYTE_PTR pData;
-  CK_ULONG    ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
-  CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-
-/* The CK_EXTRACT_PARAMS is used for the
- * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
- * of the base key should be used as the first bit of the
- * derived key
- */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
- * indicate the Pseudo-Random Function (PRF) used to generate
- * key bits using PKCS #5 PBKDF2.
- */
-typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
-
-typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR \
-                        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
-
-#define CKP_PKCS5_PBKD2_HMAC_SHA1          0x00000001UL
-#define CKP_PKCS5_PBKD2_HMAC_GOSTR3411     0x00000002UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA224        0x00000003UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA256        0x00000004UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA384        0x00000005UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA512        0x00000006UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA512_224    0x00000007UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA512_256    0x00000008UL
-
-/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
- * source of the salt value when deriving a key using PKCS #5
- * PBKDF2.
- */
-typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
-
-typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR \
-                        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
-
-/* The following salt value sources are defined in PKCS #5 v2.0. */
-#define CKZ_SALT_SPECIFIED        0x00000001UL
-
-/* CK_PKCS5_PBKD2_PARAMS is a structure that provides the
- * parameters to the CKM_PKCS5_PBKD2 mechanism.
- */
-typedef struct CK_PKCS5_PBKD2_PARAMS {
-        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
-        CK_VOID_PTR                                pSaltSourceData;
-        CK_ULONG                                   ulSaltSourceDataLen;
-        CK_ULONG                                   iterations;
-        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-        CK_VOID_PTR                                pPrfData;
-        CK_ULONG                                   ulPrfDataLen;
-        CK_UTF8CHAR_PTR                            pPassword;
-        CK_ULONG_PTR                               ulPasswordLen;
-} CK_PKCS5_PBKD2_PARAMS;
-
-typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
-
-/* CK_PKCS5_PBKD2_PARAMS2 is a corrected version of the CK_PKCS5_PBKD2_PARAMS
- * structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism
- * noting that the ulPasswordLen field is a CK_ULONG and not a CK_ULONG_PTR.
- */
-typedef struct CK_PKCS5_PBKD2_PARAMS2 {
-        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-        CK_VOID_PTR pSaltSourceData;
-        CK_ULONG ulSaltSourceDataLen;
-        CK_ULONG iterations;
-        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-        CK_VOID_PTR pPrfData;
-        CK_ULONG ulPrfDataLen;
-        CK_UTF8CHAR_PTR pPassword;
-        CK_ULONG ulPasswordLen;
-} CK_PKCS5_PBKD2_PARAMS2;
-
-typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR;
-
-typedef CK_ULONG CK_OTP_PARAM_TYPE;
-typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* backward compatibility */
-
-typedef struct CK_OTP_PARAM {
-    CK_OTP_PARAM_TYPE type;
-    CK_VOID_PTR pValue;
-    CK_ULONG ulValueLen;
-} CK_OTP_PARAM;
-
-typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
-
-typedef struct CK_OTP_PARAMS {
-    CK_OTP_PARAM_PTR pParams;
-    CK_ULONG ulCount;
-} CK_OTP_PARAMS;
-
-typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
-
-typedef struct CK_OTP_SIGNATURE_INFO {
-    CK_OTP_PARAM_PTR pParams;
-    CK_ULONG ulCount;
-} CK_OTP_SIGNATURE_INFO;
-
-typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
-
-#define CK_OTP_VALUE          0UL
-#define CK_OTP_PIN            1UL
-#define CK_OTP_CHALLENGE      2UL
-#define CK_OTP_TIME           3UL
-#define CK_OTP_COUNTER        4UL
-#define CK_OTP_FLAGS          5UL
-#define CK_OTP_OUTPUT_LENGTH  6UL
-#define CK_OTP_OUTPUT_FORMAT  7UL
-
-#define CKF_NEXT_OTP          0x00000001UL
-#define CKF_EXCLUDE_TIME      0x00000002UL
-#define CKF_EXCLUDE_COUNTER   0x00000004UL
-#define CKF_EXCLUDE_CHALLENGE 0x00000008UL
-#define CKF_EXCLUDE_PIN       0x00000010UL
-#define CKF_USER_FRIENDLY_OTP 0x00000020UL
-
-typedef struct CK_KIP_PARAMS {
-    CK_MECHANISM_PTR  pMechanism;
-    CK_OBJECT_HANDLE  hKey;
-    CK_BYTE_PTR       pSeed;
-    CK_ULONG          ulSeedLen;
-} CK_KIP_PARAMS;
-
-typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
-
-typedef struct CK_AES_CTR_PARAMS {
-    CK_ULONG ulCounterBits;
-    CK_BYTE cb[16];
-} CK_AES_CTR_PARAMS;
-
-typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
-
-typedef struct CK_GCM_PARAMS {
-    CK_BYTE_PTR       pIv;
-    CK_ULONG          ulIvLen;
-    CK_ULONG          ulIvBits;
-    CK_BYTE_PTR       pAAD;
-    CK_ULONG          ulAADLen;
-    CK_ULONG          ulTagBits;
-} CK_GCM_PARAMS;
-
-typedef CK_GCM_PARAMS CK_PTR CK_GCM_PARAMS_PTR;
-
-typedef struct CK_CCM_PARAMS {
-    CK_ULONG          ulDataLen;
-    CK_BYTE_PTR       pNonce;
-    CK_ULONG          ulNonceLen;
-    CK_BYTE_PTR       pAAD;
-    CK_ULONG          ulAADLen;
-    CK_ULONG          ulMACLen;
-} CK_CCM_PARAMS;
-
-typedef CK_CCM_PARAMS CK_PTR CK_CCM_PARAMS_PTR;
-
-/* Deprecated. Use CK_GCM_PARAMS */
-typedef struct CK_AES_GCM_PARAMS {
-  CK_BYTE_PTR pIv;
-  CK_ULONG ulIvLen;
-  CK_ULONG ulIvBits;
-  CK_BYTE_PTR pAAD;
-  CK_ULONG ulAADLen;
-  CK_ULONG ulTagBits;
-} CK_AES_GCM_PARAMS;
-
-typedef CK_AES_GCM_PARAMS CK_PTR CK_AES_GCM_PARAMS_PTR;
-
-/* Deprecated. Use CK_CCM_PARAMS */
-typedef struct CK_AES_CCM_PARAMS {
-    CK_ULONG          ulDataLen;
-    CK_BYTE_PTR       pNonce;
-    CK_ULONG          ulNonceLen;
-    CK_BYTE_PTR       pAAD;
-    CK_ULONG          ulAADLen;
-    CK_ULONG          ulMACLen;
-} CK_AES_CCM_PARAMS;
-
-typedef CK_AES_CCM_PARAMS CK_PTR CK_AES_CCM_PARAMS_PTR;
-
-typedef struct CK_CAMELLIA_CTR_PARAMS {
-    CK_ULONG          ulCounterBits;
-    CK_BYTE           cb[16];
-} CK_CAMELLIA_CTR_PARAMS;
-
-typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
-
-typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
-    CK_BYTE           iv[16];
-    CK_BYTE_PTR       pData;
-    CK_ULONG          length;
-} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
-                                CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
-    CK_BYTE           iv[16];
-    CK_BYTE_PTR       pData;
-    CK_ULONG          length;
-} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
-                                CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_DSA_PARAMETER_GEN_PARAM {
-    CK_MECHANISM_TYPE  hash;
-    CK_BYTE_PTR        pSeed;
-    CK_ULONG           ulSeedLen;
-    CK_ULONG           ulIndex;
-} CK_DSA_PARAMETER_GEN_PARAM;
-
-typedef CK_DSA_PARAMETER_GEN_PARAM CK_PTR CK_DSA_PARAMETER_GEN_PARAM_PTR;
-
-typedef struct CK_ECDH_AES_KEY_WRAP_PARAMS {
-    CK_ULONG           ulAESKeyBits;
-    CK_EC_KDF_TYPE     kdf;
-    CK_ULONG           ulSharedDataLen;
-    CK_BYTE_PTR        pSharedData;
-} CK_ECDH_AES_KEY_WRAP_PARAMS;
-
-typedef CK_ECDH_AES_KEY_WRAP_PARAMS CK_PTR CK_ECDH_AES_KEY_WRAP_PARAMS_PTR;
-
-typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
-
-typedef CK_ULONG CK_CERTIFICATE_CATEGORY;
-
-typedef struct CK_RSA_AES_KEY_WRAP_PARAMS {
-    CK_ULONG                      ulAESKeyBits;
-    CK_RSA_PKCS_OAEP_PARAMS_PTR   pOAEPParams;
-} CK_RSA_AES_KEY_WRAP_PARAMS;
-
-typedef CK_RSA_AES_KEY_WRAP_PARAMS CK_PTR CK_RSA_AES_KEY_WRAP_PARAMS_PTR;
-
-typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS {
-    CK_SSL3_RANDOM_DATA       RandomInfo;
-    CK_VERSION_PTR            pVersion;
-    CK_MECHANISM_TYPE         prfHashMechanism;
-} CK_TLS12_MASTER_KEY_DERIVE_PARAMS;
-
-typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-                                CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_TLS12_KEY_MAT_PARAMS {
-    CK_ULONG                  ulMacSizeInBits;
-    CK_ULONG                  ulKeySizeInBits;
-    CK_ULONG                  ulIVSizeInBits;
-    CK_BBOOL                  bIsExport;
-    CK_SSL3_RANDOM_DATA       RandomInfo;
-    CK_SSL3_KEY_MAT_OUT_PTR   pReturnedKeyMaterial;
-    CK_MECHANISM_TYPE         prfHashMechanism;
-} CK_TLS12_KEY_MAT_PARAMS;
-
-typedef CK_TLS12_KEY_MAT_PARAMS CK_PTR CK_TLS12_KEY_MAT_PARAMS_PTR;
-
-typedef struct CK_TLS_KDF_PARAMS {
-    CK_MECHANISM_TYPE         prfMechanism;
-    CK_BYTE_PTR               pLabel;
-    CK_ULONG                  ulLabelLength;
-    CK_SSL3_RANDOM_DATA       RandomInfo;
-    CK_BYTE_PTR               pContextData;
-    CK_ULONG                  ulContextDataLength;
-} CK_TLS_KDF_PARAMS;
-
-typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR;
-
-typedef struct CK_TLS_MAC_PARAMS {
-    CK_MECHANISM_TYPE         prfHashMechanism;
-    CK_ULONG                  ulMacLength;
-    CK_ULONG                  ulServerOrClient;
-} CK_TLS_MAC_PARAMS;
-
-typedef CK_TLS_MAC_PARAMS CK_PTR CK_TLS_MAC_PARAMS_PTR;
-
-typedef struct CK_GOSTR3410_DERIVE_PARAMS {
-    CK_EC_KDF_TYPE            kdf;
-    CK_BYTE_PTR               pPublicData;
-    CK_ULONG                  ulPublicDataLen;
-    CK_BYTE_PTR               pUKM;
-    CK_ULONG                  ulUKMLen;
-} CK_GOSTR3410_DERIVE_PARAMS;
-
-typedef CK_GOSTR3410_DERIVE_PARAMS CK_PTR CK_GOSTR3410_DERIVE_PARAMS_PTR;
-
-typedef struct CK_GOSTR3410_KEY_WRAP_PARAMS {
-    CK_BYTE_PTR               pWrapOID;
-    CK_ULONG                  ulWrapOIDLen;
-    CK_BYTE_PTR               pUKM;
-    CK_ULONG                  ulUKMLen;
-    CK_OBJECT_HANDLE          hKey;
-} CK_GOSTR3410_KEY_WRAP_PARAMS;
-
-typedef CK_GOSTR3410_KEY_WRAP_PARAMS CK_PTR CK_GOSTR3410_KEY_WRAP_PARAMS_PTR;
-
-typedef struct CK_SEED_CBC_ENCRYPT_DATA_PARAMS {
-    CK_BYTE                   iv[16];
-    CK_BYTE_PTR               pData;
-    CK_ULONG                  length;
-} CK_SEED_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_SEED_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
-                                        CK_SEED_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-#endif /* _PKCS11T_H_ */
-
diff --git a/bind/bind9/lib/isc/inet_aton.c b/bind/bind9/lib/isc/inet_aton.c
index aa54667c..c7769322 100644
--- a/bind/bind9/lib/isc/inet_aton.c
+++ b/bind/bind9/lib/isc/inet_aton.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -59,11 +59,6 @@
  */
 /*! \file */
 
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.23 2008/12/01 23:47:45 tbox Exp $";
-#endif /* LIBC_SCCS and not lint */
-
 #include <config.h>
 
 #include <ctype.h>
diff --git a/bind/bind9/lib/isc/inet_ntop.c b/bind/bind9/lib/isc/inet_ntop.c
index 60280c43..4b6d33d6 100644
--- a/bind/bind9/lib/isc/inet_ntop.c
+++ b/bind/bind9/lib/isc/inet_ntop.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/inet_pton.c b/bind/bind9/lib/isc/inet_pton.c
index bde88e3b..e1c8a601 100644
--- a/bind/bind9/lib/isc/inet_pton.c
+++ b/bind/bind9/lib/isc/inet_pton.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/iterated_hash.c b/bind/bind9/lib/isc/iterated_hash.c
index cf4e67f9..303bcec3 100644
--- a/bind/bind9/lib/isc/iterated_hash.c
+++ b/bind/bind9/lib/isc/iterated_hash.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -18,7 +18,7 @@
 #include <isc/iterated_hash.h>
 
 int
-isc_iterated_hash(unsigned char out[ISC_SHA1_DIGESTLENGTH],
+isc_iterated_hash(unsigned char out[NSEC3_MAX_HASH_LENGTH],
 		  unsigned int hashalg, int iterations,
 		  const unsigned char *salt, int saltlength,
 		  const unsigned char *in, int inlength)
diff --git a/bind/bind9/lib/isc/lex.c b/bind/bind9/lib/isc/lex.c
index 698d93e6..b4e0a7be 100644
--- a/bind/bind9/lib/isc/lex.c
+++ b/bind/bind9/lib/isc/lex.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -124,14 +124,14 @@ void
 isc_lex_destroy(isc_lex_t **lexp) {
 	isc_lex_t *lex;
 
-	/*
-	 * Destroy the lexer.
-	 */
-
 	REQUIRE(lexp != NULL);
+	REQUIRE(VALID_LEX((*lexp)));
+
 	lex = *lexp;
-	REQUIRE(VALID_LEX(lex));
 
+	/*
+	 * Destroy the lexer.
+	 */
 	while (!EMPTY(lex->sources))
 		RUNTIME_CHECK(isc_lex_close(lex) == ISC_R_SUCCESS);
 	if (lex->data != NULL)
@@ -937,17 +937,19 @@ isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, bool eol)
 void
 isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp) {
 	inputsource *source;
-	/*
-	 * Unget the current token.
-	 */
 
 	REQUIRE(VALID_LEX(lex));
-	source = HEAD(lex->sources);
-	REQUIRE(source != NULL);
+	REQUIRE(HEAD(lex->sources) != NULL);
 	REQUIRE(tokenp != NULL);
+
+	source = HEAD(lex->sources);
+
 	REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
 		tokenp->type == isc_tokentype_eof);
 
+	/*
+	 * Unget the current token.
+	 */
 	UNUSED(tokenp);
 
 	isc_buffer_first(source->pushback);
@@ -962,9 +964,11 @@ isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r)
 	inputsource *source;
 
 	REQUIRE(VALID_LEX(lex));
-	source = HEAD(lex->sources);
-	REQUIRE(source != NULL);
+	REQUIRE(HEAD(lex->sources) != NULL);
 	REQUIRE(tokenp != NULL);
+
+	source = HEAD(lex->sources);
+
 	REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
 		tokenp->type == isc_tokentype_eof);
 
diff --git a/bind/bind9/lib/isc/lfsr.c b/bind/bind9/lib/isc/lfsr.c
index 3b0b47fe..b830449c 100644
--- a/bind/bind9/lib/isc/lfsr.c
+++ b/bind/bind9/lib/isc/lfsr.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/lib.c b/bind/bind9/lib/isc/lib.c
index 018cc3e8..b29b4dcb 100644
--- a/bind/bind9/lib/isc/lib.c
+++ b/bind/bind9/lib/isc/lib.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/log.c b/bind/bind9/lib/isc/log.c
index 7ab4d350..39318c38 100644
--- a/bind/bind9/lib/isc/log.c
+++ b/bind/bind9/lib/isc/log.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1360,7 +1360,7 @@ isc_log_open(isc_logchannel_t *channel) {
 	return (result);
 }
 
-bool
+ISC_NO_SANITIZE_THREAD bool
 isc_log_wouldlog(isc_log_t *lctx, int level) {
 	/*
 	 * Try to avoid locking the mutex for messages which can't
diff --git a/bind/bind9/lib/isc/md5.c b/bind/bind9/lib/isc/md5.c
index 249f3da2..9a4103d9 100644
--- a/bind/bind9/lib/isc/md5.c
+++ b/bind/bind9/lib/isc/md5.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/mem.c b/bind/bind9/lib/isc/mem.c
index 145a02ee..152454da 100644
--- a/bind/bind9/lib/isc/mem.c
+++ b/bind/bind9/lib/isc/mem.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -609,6 +609,9 @@ more_frags(isc__mem_t *ctx, size_t new_size) {
 			return (false);
 		}
 	}
+	if (ctx->basic_blocks == NULL) {
+		return false;
+	}
 
 	total_size = ctx->mem_target;
 	tmp = ctx->basic_blocks;
@@ -1397,7 +1400,13 @@ isc__mem_waterack(isc_mem_t *ctx0, int flag) {
 
 #if ISC_MEM_TRACKLINES
 static void
-print_active(isc__mem_t *mctx, FILE *out) {
+print_active(isc__mem_t *mctx0, FILE *out) {
+	isc__mem_t *mctx;
+
+	REQUIRE(VALID_CONTEXT(mctx0));
+
+	mctx = mctx0;
+
 	if (mctx->debuglist != NULL) {
 		debuglink_t *dl;
 		unsigned int i, j;
@@ -1825,11 +1834,13 @@ isc__mem_setwater(isc_mem_t *ctx0, isc_mem_water_t water, void *water_arg,
 		(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
 }
 
-bool
+ISC_NO_SANITIZE_THREAD bool
 isc__mem_isovermem(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	isc__mem_t *ctx;
 
-	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	ctx = (isc__mem_t *)ctx0;
 
 	/*
 	 * We don't bother to lock the context because 100% accuracy isn't
@@ -1841,9 +1852,11 @@ isc__mem_isovermem(isc_mem_t *ctx0) {
 
 void
 isc_mem_setname(isc_mem_t *ctx0, const char *name, void *tag) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	isc__mem_t *ctx;
 
-	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	ctx = (isc__mem_t *)ctx0;
 
 	LOCK(&ctx->lock);
 	strlcpy(ctx->name, name, sizeof(ctx->name));
@@ -1853,9 +1866,11 @@ isc_mem_setname(isc_mem_t *ctx0, const char *name, void *tag) {
 
 const char *
 isc_mem_getname(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	isc__mem_t *ctx;
 
-	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	ctx = (isc__mem_t *)ctx0;
 
 	if (ctx->name[0] == 0)
 		return ("");
@@ -1865,9 +1880,11 @@ isc_mem_getname(isc_mem_t *ctx0) {
 
 void *
 isc_mem_gettag(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	isc__mem_t *ctx;
 
-	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	ctx = (isc__mem_t *)ctx0;
 
 	return (ctx->tag);
 }
@@ -1878,13 +1895,15 @@ isc_mem_gettag(isc_mem_t *ctx0) {
 
 isc_result_t
 isc__mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
-	isc__mem_t *mctx = (isc__mem_t *)mctx0;
+	isc__mem_t *mctx;
 	isc__mempool_t *mpctx;
 
-	REQUIRE(VALID_CONTEXT(mctx));
+	REQUIRE(VALID_CONTEXT(mctx0));
 	REQUIRE(size > 0U);
 	REQUIRE(mpctxp != NULL && *mpctxp == NULL);
 
+	mctx = (isc__mem_t *)mctx0;
+
 	/*
 	 * Allocate space for this pool, initialize values, and if all works
 	 * well, attach to the memory context.
@@ -1928,10 +1947,12 @@ isc__mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
 
 void
 isc__mempool_setname(isc_mempool_t *mpctx0, const char *name) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 
 	REQUIRE(name != NULL);
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 #if ISC_MEMPOOL_NAMES
 	if (mpctx->lock != NULL)
@@ -1955,8 +1976,9 @@ isc__mempool_destroy(isc_mempool_t **mpctxp) {
 	element *item;
 
 	REQUIRE(mpctxp != NULL);
+	REQUIRE(VALID_MEMPOOL((*mpctxp)));
+
 	mpctx = (isc__mempool_t *)*mpctxp;
-	REQUIRE(VALID_MEMPOOL(mpctx));
 #if ISC_MEMPOOL_NAMES
 	if (mpctx->allocated > 0)
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -2013,23 +2035,27 @@ isc__mempool_destroy(isc_mempool_t **mpctxp) {
 
 void
 isc__mempool_associatelock(isc_mempool_t *mpctx0, isc_mutex_t *lock) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
-	REQUIRE(mpctx->lock == NULL);
+	REQUIRE(VALID_MEMPOOL(mpctx0));
 	REQUIRE(lock != NULL);
 
+	mpctx = (isc__mempool_t *)mpctx0;
+	REQUIRE(mpctx->lock == NULL);
+
 	mpctx->lock = lock;
 }
 
 void *
 isc___mempool_get(isc_mempool_t *mpctx0 FLARG) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 	element *item;
 	isc__mem_t *mctx;
 	unsigned int i;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	mctx = mpctx->mctx;
 
@@ -2098,13 +2124,15 @@ isc___mempool_get(isc_mempool_t *mpctx0 FLARG) {
 /* coverity[+free : arg-1] */
 void
 isc___mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 	isc__mem_t *mctx;
 	element *item;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
 	REQUIRE(mem != NULL);
 
+	mpctx = (isc__mempool_t *)mpctx0;
+
 	mctx = mpctx->mctx;
 
 	if (mpctx->lock != NULL)
@@ -2156,9 +2184,11 @@ isc___mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
 
 void
 isc__mempool_setfreemax(isc_mempool_t *mpctx0, unsigned int limit) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
@@ -2171,10 +2201,12 @@ isc__mempool_setfreemax(isc_mempool_t *mpctx0, unsigned int limit) {
 
 unsigned int
 isc_mempool_getfreemax(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 	unsigned int freemax;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
@@ -2189,10 +2221,12 @@ isc_mempool_getfreemax(isc_mempool_t *mpctx0) {
 
 unsigned int
 isc_mempool_getfreecount(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 	unsigned int freecount;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
@@ -2207,11 +2241,12 @@ isc_mempool_getfreecount(isc_mempool_t *mpctx0) {
 
 void
 isc__mempool_setmaxalloc(isc_mempool_t *mpctx0, unsigned int limit) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 
 	REQUIRE(limit > 0);
+	REQUIRE(VALID_MEMPOOL(mpctx0));
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
@@ -2224,10 +2259,12 @@ isc__mempool_setmaxalloc(isc_mempool_t *mpctx0, unsigned int limit) {
 
 unsigned int
 isc_mempool_getmaxalloc(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 	unsigned int maxalloc;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
@@ -2242,10 +2279,12 @@ isc_mempool_getmaxalloc(isc_mempool_t *mpctx0) {
 
 unsigned int
 isc__mempool_getallocated(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 	unsigned int allocated;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
@@ -2260,10 +2299,12 @@ isc__mempool_getallocated(isc_mempool_t *mpctx0) {
 
 void
 isc__mempool_setfillcount(isc_mempool_t *mpctx0, unsigned int limit) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mempool_t *mpctx;
 
 	REQUIRE(limit > 0);
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
@@ -2276,11 +2317,12 @@ isc__mempool_setfillcount(isc_mempool_t *mpctx0, unsigned int limit) {
 
 unsigned int
 isc_mempool_getfillcount(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-
+	isc__mempool_t *mpctx;
 	unsigned int fillcount;
 
-	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	mpctx = (isc__mempool_t *)mpctx0;
 
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
@@ -2301,11 +2343,13 @@ isc__mem_register(void) {
 void
 isc__mem_printactive(isc_mem_t *ctx0, FILE *file) {
 #if ISC_MEM_TRACKLINES
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	isc__mem_t *ctx;
 
-	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(VALID_CONTEXT(ctx0));
 	REQUIRE(file != NULL);
 
+	ctx = (isc__mem_t *)ctx0;
+
 	print_active(ctx, file);
 #else
 	UNUSED(ctx0);
diff --git a/bind/bind9/lib/isc/mips/Makefile.in b/bind/bind9/lib/isc/mips/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/isc/mips/Makefile.in
+++ b/bind/bind9/lib/isc/mips/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/mips/include/Makefile.in b/bind/bind9/lib/isc/mips/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/mips/include/Makefile.in
+++ b/bind/bind9/lib/isc/mips/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/mips/include/isc/Makefile.in b/bind/bind9/lib/isc/mips/include/isc/Makefile.in
index 97b6b417..452877db 100644
--- a/bind/bind9/lib/isc/mips/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/mips/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/mips/include/isc/atomic.h b/bind/bind9/lib/isc/mips/include/isc/atomic.h
index caba82fb..8018b51e 100644
--- a/bind/bind9/lib/isc/mips/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/mips/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/mutexblock.c b/bind/bind9/lib/isc/mutexblock.c
index 6a629e7e..58605f95 100644
--- a/bind/bind9/lib/isc/mutexblock.c
+++ b/bind/bind9/lib/isc/mutexblock.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/netaddr.c b/bind/bind9/lib/isc/netaddr.c
index 29f19baa..f8e27e10 100644
--- a/bind/bind9/lib/isc/netaddr.c
+++ b/bind/bind9/lib/isc/netaddr.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/netscope.c b/bind/bind9/lib/isc/netscope.c
index 1c51d35e..60d8ca72 100644
--- a/bind/bind9/lib/isc/netscope.c
+++ b/bind/bind9/lib/isc/netscope.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,10 +13,11 @@
 
 #include <config.h>
 
-#include <isc/string.h>
 #include <isc/net.h>
 #include <isc/netscope.h>
 #include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 isc_result_t
 isc_netscope_pton(int af, char *scopename, void *addr, uint32_t *zoneid) {
@@ -24,10 +25,14 @@ isc_netscope_pton(int af, char *scopename, void *addr, uint32_t *zoneid) {
 #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
 	unsigned int ifid;
 	struct in6_addr *in6;
-#endif
-	uint32_t zone;
+#endif /* ifdef HAVE_IF_NAMETOINDEX */
+	uint32_t zone = 0;
 	uint64_t llz;
 
+#ifndef HAVE_IF_NAMETOINDEX
+	UNUSED(addr);
+#endif
+
 	/* at this moment, we only support AF_INET6 */
 	if (af != AF_INET6)
 		return (ISC_R_FAILURE);
diff --git a/bind/bind9/lib/isc/nls/Makefile.in b/bind/bind9/lib/isc/nls/Makefile.in
index 704deadb..cc61dee4 100644
--- a/bind/bind9/lib/isc/nls/Makefile.in
+++ b/bind/bind9/lib/isc/nls/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nls/msgcat.c b/bind/bind9/lib/isc/nls/msgcat.c
index dd3d177f..7121b97c 100644
--- a/bind/bind9/lib/isc/nls/msgcat.c
+++ b/bind/bind9/lib/isc/nls/msgcat.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/noatomic/Makefile.in b/bind/bind9/lib/isc/noatomic/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/isc/noatomic/Makefile.in
+++ b/bind/bind9/lib/isc/noatomic/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/noatomic/include/Makefile.in b/bind/bind9/lib/isc/noatomic/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/noatomic/include/Makefile.in
+++ b/bind/bind9/lib/isc/noatomic/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/noatomic/include/isc/Makefile.in b/bind/bind9/lib/isc/noatomic/include/isc/Makefile.in
index 97b6b417..452877db 100644
--- a/bind/bind9/lib/isc/noatomic/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/noatomic/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/noatomic/include/isc/atomic.h b/bind/bind9/lib/isc/noatomic/include/isc/atomic.h
index 5953e4b9..b6d1eb41 100644
--- a/bind/bind9/lib/isc/noatomic/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/noatomic/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/Makefile.in b/bind/bind9/lib/isc/nothreads/Makefile.in
index c7947736..8e8d0e0e 100644
--- a/bind/bind9/lib/isc/nothreads/Makefile.in
+++ b/bind/bind9/lib/isc/nothreads/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/condition.c b/bind/bind9/lib/isc/nothreads/condition.c
index a549c309..4c6a0acb 100644
--- a/bind/bind9/lib/isc/nothreads/condition.c
+++ b/bind/bind9/lib/isc/nothreads/condition.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/include/Makefile.in b/bind/bind9/lib/isc/nothreads/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/nothreads/include/Makefile.in
+++ b/bind/bind9/lib/isc/nothreads/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/include/isc/Makefile.in b/bind/bind9/lib/isc/nothreads/include/isc/Makefile.in
index 185534f9..ffa3e39a 100644
--- a/bind/bind9/lib/isc/nothreads/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/nothreads/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/include/isc/condition.h b/bind/bind9/lib/isc/nothreads/include/isc/condition.h
index 0bea23d2..9740298a 100644
--- a/bind/bind9/lib/isc/nothreads/include/isc/condition.h
+++ b/bind/bind9/lib/isc/nothreads/include/isc/condition.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/include/isc/mutex.h b/bind/bind9/lib/isc/nothreads/include/isc/mutex.h
index a9c55f6f..205771c3 100644
--- a/bind/bind9/lib/isc/nothreads/include/isc/mutex.h
+++ b/bind/bind9/lib/isc/nothreads/include/isc/mutex.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/include/isc/once.h b/bind/bind9/lib/isc/nothreads/include/isc/once.h
index c2918141..e90999ac 100644
--- a/bind/bind9/lib/isc/nothreads/include/isc/once.h
+++ b/bind/bind9/lib/isc/nothreads/include/isc/once.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/include/isc/thread.h b/bind/bind9/lib/isc/nothreads/include/isc/thread.h
index 8486c3f9..ada9253c 100644
--- a/bind/bind9/lib/isc/nothreads/include/isc/thread.h
+++ b/bind/bind9/lib/isc/nothreads/include/isc/thread.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/mutex.c b/bind/bind9/lib/isc/nothreads/mutex.c
index e092ac9b..72179e3a 100644
--- a/bind/bind9/lib/isc/nothreads/mutex.c
+++ b/bind/bind9/lib/isc/nothreads/mutex.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/nothreads/thread.c b/bind/bind9/lib/isc/nothreads/thread.c
index 671261f7..a733c73a 100644
--- a/bind/bind9/lib/isc/nothreads/thread.c
+++ b/bind/bind9/lib/isc/nothreads/thread.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/ondestroy.c b/bind/bind9/lib/isc/ondestroy.c
index 64d4d917..5ddd3eca 100644
--- a/bind/bind9/lib/isc/ondestroy.c
+++ b/bind/bind9/lib/isc/ondestroy.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: ondestroy.c,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
-
 /*! \file */
 
 #include <config.h>
@@ -42,11 +40,10 @@ isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
 	REQUIRE(VALID_ONDESTROY(ondest));
 	REQUIRE(task != NULL);
 	REQUIRE(eventp != NULL);
+	REQUIRE((*eventp) != NULL);
 
 	theevent = *eventp;
 
-	REQUIRE(theevent != NULL);
-
 	isc_task_attach(task, &thetask);
 
 	theevent->ev_sender = thetask;
diff --git a/bind/bind9/lib/isc/parseint.c b/bind/bind9/lib/isc/parseint.c
index 58593695..30a57fbd 100644
--- a/bind/bind9/lib/isc/parseint.c
+++ b/bind/bind9/lib/isc/parseint.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pk11.c b/bind/bind9/lib/isc/pk11.c
index 012afd96..9b914840 100644
--- a/bind/bind9/lib/isc/pk11.c
+++ b/bind/bind9/lib/isc/pk11.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -962,13 +962,15 @@ pk11_get_best_token(pk11_optype_t optype) {
 	return (token->slotid);
 }
 
-unsigned int
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
 	unsigned int bitcnt, i;
 	CK_BYTE top;
 
-	if (bytecnt == 0)
-		return (0);
+	if (bytecnt == 0) {
+		*bits = 0;
+		return (ISC_R_SUCCESS);
+	}
 	bitcnt = bytecnt * 8;
 	for (i = 0; i < bytecnt; i++) {
 		top = data[i];
@@ -976,26 +978,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
 			bitcnt -= 8;
 			continue;
 		}
-		if (top & 0x80)
-			return (bitcnt);
-		if (top & 0x40)
-			return (bitcnt - 1);
-		if (top & 0x20)
-			return (bitcnt - 2);
-		if (top & 0x10)
-			return (bitcnt - 3);
-		if (top & 0x08)
-			return (bitcnt - 4);
-		if (top & 0x04)
-			return (bitcnt - 5);
-		if (top & 0x02)
-			return (bitcnt - 6);
-		if (top & 0x01)
-			return (bitcnt - 7);
+		if (top & 0x80) {
+			*bits = bitcnt;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x40) {
+			*bits = bitcnt - 1;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x20) {
+			*bits = bitcnt - 2;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x10) {
+			*bits = bitcnt - 3;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x08) {
+			*bits = bitcnt - 4;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x04) {
+			*bits = bitcnt - 5;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x02) {
+			*bits = bitcnt - 6;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x01) {
+			*bits = bitcnt - 7;
+			return (ISC_R_SUCCESS);
+		}
 		break;
 	}
-	INSIST(0);
-	ISC_UNREACHABLE();
+	return (ISC_R_RANGE);
 }
 
 CK_ATTRIBUTE *
diff --git a/bind/bind9/lib/isc/pk11_result.c b/bind/bind9/lib/isc/pk11_result.c
index 33143f89..94e9aba6 100644
--- a/bind/bind9/lib/isc/pk11_result.c
+++ b/bind/bind9/lib/isc/pk11_result.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pool.c b/bind/bind9/lib/isc/pool.c
index 8ce79901..cef89d62 100644
--- a/bind/bind9/lib/isc/pool.c
+++ b/bind/bind9/lib/isc/pool.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/portset.c b/bind/bind9/lib/isc/portset.c
index b3af46da..7f8530c6 100644
--- a/bind/bind9/lib/isc/portset.c
+++ b/bind/bind9/lib/isc/portset.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/powerpc/Makefile.in b/bind/bind9/lib/isc/powerpc/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/isc/powerpc/Makefile.in
+++ b/bind/bind9/lib/isc/powerpc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/powerpc/include/Makefile.in b/bind/bind9/lib/isc/powerpc/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/powerpc/include/Makefile.in
+++ b/bind/bind9/lib/isc/powerpc/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/powerpc/include/isc/Makefile.in b/bind/bind9/lib/isc/powerpc/include/isc/Makefile.in
index 97b6b417..452877db 100644
--- a/bind/bind9/lib/isc/powerpc/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/powerpc/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/powerpc/include/isc/atomic.h b/bind/bind9/lib/isc/powerpc/include/isc/atomic.h
index 9899934a..13bee19d 100644
--- a/bind/bind9/lib/isc/powerpc/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/powerpc/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/print.c b/bind/bind9/lib/isc/print.c
index 152f53ac..072ccbde 100644
--- a/bind/bind9/lib/isc/print.c
+++ b/bind/bind9/lib/isc/print.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -163,7 +163,6 @@ isc__print_printf(void (*emit)(char, void *), void *arg,
 	int left;
 	int plus;
 	int space;
-	int neg;
 	int64_t tmpi;
 	uint64_t tmpui;
 	unsigned long width;
@@ -200,7 +199,7 @@ isc__print_printf(void (*emit)(char, void *), void *arg,
 		/*
 		 * Reset flags.
 		 */
-		dot = neg = space = plus = left = zero = alt = h = l = q = z = 0;
+		dot = space = plus = left = zero = alt = h = l = q = z = 0;
 		width = precision = 0;
 		head = "";
 		pad = zeropad = 0;
diff --git a/bind/bind9/lib/isc/pthreads/Makefile.in b/bind/bind9/lib/isc/pthreads/Makefile.in
index af4fd6ec..39b7bac2 100644
--- a/bind/bind9/lib/isc/pthreads/Makefile.in
+++ b/bind/bind9/lib/isc/pthreads/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pthreads/condition.c b/bind/bind9/lib/isc/pthreads/condition.c
index a7f19281..a426f6dc 100644
--- a/bind/bind9/lib/isc/pthreads/condition.c
+++ b/bind/bind9/lib/isc/pthreads/condition.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pthreads/include/Makefile.in b/bind/bind9/lib/isc/pthreads/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/pthreads/include/Makefile.in
+++ b/bind/bind9/lib/isc/pthreads/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pthreads/include/isc/Makefile.in b/bind/bind9/lib/isc/pthreads/include/isc/Makefile.in
index 185534f9..ffa3e39a 100644
--- a/bind/bind9/lib/isc/pthreads/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/pthreads/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pthreads/include/isc/condition.h b/bind/bind9/lib/isc/pthreads/include/isc/condition.h
index 28338c7f..a389c0dd 100644
--- a/bind/bind9/lib/isc/pthreads/include/isc/condition.h
+++ b/bind/bind9/lib/isc/pthreads/include/isc/condition.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pthreads/include/isc/mutex.h b/bind/bind9/lib/isc/pthreads/include/isc/mutex.h
index 6c34a69c..805f8998 100644
--- a/bind/bind9/lib/isc/pthreads/include/isc/mutex.h
+++ b/bind/bind9/lib/isc/pthreads/include/isc/mutex.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -128,11 +128,10 @@ isc_mutex_unlock_profile(isc_mutex_t *mp, const char * _file, int _line);
 
 void
 isc_mutex_statsprofile(FILE *fp);
+#endif /* ISC_MUTEX_PROFILE */
 
 isc_result_t
 isc_mutex_init_errcheck(isc_mutex_t *mp);
 
-#endif /* ISC_MUTEX_PROFILE */
-
 ISC_LANG_ENDDECLS
 #endif /* ISC_MUTEX_H */
diff --git a/bind/bind9/lib/isc/pthreads/include/isc/once.h b/bind/bind9/lib/isc/pthreads/include/isc/once.h
index a0e95593..00d031c5 100644
--- a/bind/bind9/lib/isc/pthreads/include/isc/once.h
+++ b/bind/bind9/lib/isc/pthreads/include/isc/once.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -24,7 +24,7 @@ typedef pthread_once_t isc_once_t;
 
 #ifdef ISC_PLATFORM_BRACEPTHREADONCEINIT
 /*!
- * This accomodates systems that define PTHRAD_ONCE_INIT improperly.
+ * This accommodates systems that define PTHRAD_ONCE_INIT improperly.
  */
 #define ISC_ONCE_INIT { PTHREAD_ONCE_INIT }
 #else
diff --git a/bind/bind9/lib/isc/pthreads/include/isc/thread.h b/bind/bind9/lib/isc/pthreads/include/isc/thread.h
index 798af338..50845da3 100644
--- a/bind/bind9/lib/isc/pthreads/include/isc/thread.h
+++ b/bind/bind9/lib/isc/pthreads/include/isc/thread.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pthreads/mutex.c b/bind/bind9/lib/isc/pthreads/mutex.c
index cd45e6b1..bad8dac0 100644
--- a/bind/bind9/lib/isc/pthreads/mutex.c
+++ b/bind/bind9/lib/isc/pthreads/mutex.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/pthreads/thread.c b/bind/bind9/lib/isc/pthreads/thread.c
index 94fb2c2b..9a6360f4 100644
--- a/bind/bind9/lib/isc/pthreads/thread.c
+++ b/bind/bind9/lib/isc/pthreads/thread.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/quota.c b/bind/bind9/lib/isc/quota.c
index 720127a8..b2e3d033 100644
--- a/bind/bind9/lib/isc/quota.c
+++ b/bind/bind9/lib/isc/quota.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/radix.c b/bind/bind9/lib/isc/radix.c
index 3781861c..e3e13145 100644
--- a/bind/bind9/lib/isc/radix.c
+++ b/bind/bind9/lib/isc/radix.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -250,35 +250,38 @@ isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
 
 	*target = NULL;
 
-	if (radix->head == NULL) {
+	node = radix->head;
+
+	if (node == NULL) {
 		return (ISC_R_NOTFOUND);
 	}
 
-	node = radix->head;
 	addr = isc_prefix_touchar(prefix);
 	bitlen = prefix->bitlen;
 
-	while (node->bit < bitlen) {
-		if (node->prefix)
+	while (node != NULL && node->bit < bitlen) {
+		if (node->prefix) {
 			stack[cnt++] = node;
+		}
 
 		if (BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+		{
 			node = node->r;
-		else
+		} else {
 			node = node->l;
-
-		if (node == NULL)
-			break;
+		}
 	}
 
-	if (node && node->prefix)
+	if (node != NULL && node->prefix) {
 		stack[cnt++] = node;
+	}
 
 	while (cnt-- > 0) {
 		node = stack[cnt];
 
-		if (prefix->bitlen < node->bit)
+		if (prefix->bitlen < node->bit) {
 			continue;
+		}
 
 		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
 				    isc_prefix_tochar(prefix),
diff --git a/bind/bind9/lib/isc/random.c b/bind/bind9/lib/isc/random.c
index 6406114a..176d2991 100644
--- a/bind/bind9/lib/isc/random.c
+++ b/bind/bind9/lib/isc/random.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/ratelimiter.c b/bind/bind9/lib/isc/ratelimiter.c
index 3fd211f6..d8f9652b 100644
--- a/bind/bind9/lib/isc/ratelimiter.c
+++ b/bind/bind9/lib/isc/ratelimiter.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -252,11 +252,14 @@ isc_ratelimiter_shutdown(isc_ratelimiter_t *rl) {
 	(void)isc_timer_reset(rl->timer, isc_timertype_inactive,
 			      NULL, NULL, false);
 	while ((ev = ISC_LIST_HEAD(rl->pending)) != NULL) {
+		task = ev->ev_sender;
 		ISC_LIST_UNLINK(rl->pending, ev, ev_ratelink);
 		ev->ev_attributes |= ISC_EVENTATTR_CANCELED;
 		task = ev->ev_sender;
 		isc_task_send(task, &ev);
 	}
+	task = NULL;
+	isc_task_attach(rl->task, &task);
 	isc_timer_detach(&rl->timer);
 
 	/*
@@ -276,6 +279,7 @@ ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event) {
 	UNUSED(task);
 
 	isc_ratelimiter_detach(&rl);
+	isc_task_detach(&task);
 }
 
 static void
diff --git a/bind/bind9/lib/isc/refcount.c b/bind/bind9/lib/isc/refcount.c
index 033af7b4..0d961eff 100644
--- a/bind/bind9/lib/isc/refcount.c
+++ b/bind/bind9/lib/isc/refcount.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -19,6 +19,21 @@
 #include <isc/result.h>
 #include <isc/util.h>
 
+#if defined(ISC_PLATFORM_USETHREADS) && !defined(ISC_REFCOUNT_HAVEATOMIC)
+unsigned int
+isc_refcount_current(isc_refcount_t *ref) {
+	isc_result_t result;
+	unsigned int answer;
+
+	result = isc_mutex_lock(&ref->lock);
+	ISC_ERROR_RUNTIMECHECK(result == ISC_R_SUCCESS);
+	answer = ref->refs;
+	result = isc_mutex_unlock(&ref->lock);
+	ISC_ERROR_RUNTIMECHECK(result == ISC_R_SUCCESS);
+	return (answer);
+}
+#endif
+
 isc_result_t
 isc_refcount_init(isc_refcount_t *ref, unsigned int n) {
 	REQUIRE(ref != NULL);
diff --git a/bind/bind9/lib/isc/regex.c b/bind/bind9/lib/isc/regex.c
index 63261bbb..99809cc2 100644
--- a/bind/bind9/lib/isc/regex.c
+++ b/bind/bind9/lib/isc/regex.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -131,7 +131,7 @@ isc_regex_validate(const char *c) {
 					--group;
 				++c;
 				break;
-			case '|':	/* alternative seperator */
+			case '|':	/* alternative separator */
 				if (!have_atom)
 					FAIL("no atom");
 				have_atom = false;
diff --git a/bind/bind9/lib/isc/region.c b/bind/bind9/lib/isc/region.c
index 2f858427..5460a1d7 100644
--- a/bind/bind9/lib/isc/region.c
+++ b/bind/bind9/lib/isc/region.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/result.c b/bind/bind9/lib/isc/result.c
index a9db1326..887b08cd 100644
--- a/bind/bind9/lib/isc/result.c
+++ b/bind/bind9/lib/isc/result.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/rwlock.c b/bind/bind9/lib/isc/rwlock.c
index 43062755..e9c4b33e 100644
--- a/bind/bind9/lib/isc/rwlock.c
+++ b/bind/bind9/lib/isc/rwlock.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -31,6 +31,37 @@
 
 #ifdef ISC_PLATFORM_USETHREADS
 
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+
+#define rwl_init(o, a) atomic_init(&rwl->o, a)
+#define rwl_load(o) atomic_load(&rwl->o)
+#define rwl_store(o, a) atomic_store(&rwl->o, (a))
+#define rwl_add(o, a) atomic_fetch_add(&rwl->o, (a))
+#define rwl_sub(o, a) atomic_fetch_sub(&rwl->o, (a))
+#define rwl_cmpxchg(o, e, d) atomic_compare_exchange_strong(&rwl->o, &(e), (d))
+
+#elif defined(ISC_RWLOCK_USEATOMIC)
+
+#define rwl_init(o, a) rwl->o = (a);
+#define rwl_load(o) isc_atomic_xadd(&rwl->o, 0)
+#define rwl_store(o, a) isc_atomic_store(&rwl->o, (a))
+#define rwl_add(o, a) isc_atomic_xadd(&rwl->o, (a))
+#define rwl_sub(o, a) isc_atomic_xadd(&rwl->o, -(a))
+#define rwl_cmpxchg(o, e, d) e = isc_atomic_cmpxchg(&rwl->o, e, d)
+
+#else
+
+#define rwl_init(o, a) rwl->o = (a)
+#define rwl_load(o) (rwl->o)
+#define rwl_store(o, a) rwl->o = (a)
+#define rwl_add(o, a) rwl->o += (a)
+#define rwl_sub(o, a) rwl->o -= (a)
+#define rwl_cmpxchg(o, e, d) \
+	if (rwl->o == e) { e = rwl->o; rwl->o = d; } else { e = rwl->o; }
+
+#endif
+
+
 #ifndef RWLOCK_DEFAULT_READ_QUOTA
 #define RWLOCK_DEFAULT_READ_QUOTA 4
 #endif
@@ -68,9 +99,9 @@ print_lock(const char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 				ISC_MSG_READ, "read") :
 		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
 				ISC_MSG_WRITE, "write")),
-		rwl->write_requests, rwl->write_completions,
-		rwl->cnt_and_flag, rwl->readers_waiting,
-		rwl->write_granted, rwl->write_quota);
+		rwl_load(write_requests), rwl_load(write_completions),
+		rwl_load(cnt_and_flag), rwl->readers_waiting,
+		rwl_load(write_granted), rwl->write_quota);
 #else
 	fprintf(stderr,
 		isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
@@ -108,19 +139,21 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 	 */
 	rwl->magic = 0;
 
-	rwl->spins = 0;
+	rwl_init(spins, 0);
 #if defined(ISC_RWLOCK_USEATOMIC)
-	rwl->write_requests = 0;
-	rwl->write_completions = 0;
-	rwl->cnt_and_flag = 0;
+	rwl_init(write_requests, 0);
+	rwl_init(write_completions, 0);
+	rwl_init(cnt_and_flag, 0);
+	rwl_init(write_granted, 0);
+
 	rwl->readers_waiting = 0;
-	rwl->write_granted = 0;
 	if (read_quota != 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "read quota is not supported");
 	}
-	if (write_quota == 0)
+	if (write_quota == 0) {
 		write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
+	}
 	rwl->write_quota = write_quota;
 #else
 	rwl->type = isc_rwlocktype_read;
@@ -179,8 +212,8 @@ isc_rwlock_destroy(isc_rwlock_t *rwl) {
 	REQUIRE(VALID_RWLOCK(rwl));
 
 #if defined(ISC_RWLOCK_USEATOMIC)
-	REQUIRE(rwl->write_requests == rwl->write_completions &&
-		rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0);
+	REQUIRE(rwl_load(write_requests) == rwl_load(write_completions) &&
+		rwl_load(cnt_and_flag) == 0 && rwl->readers_waiting == 0);
 #else
 	LOCK(&rwl->lock);
 	REQUIRE(rwl->active == 0 &&
@@ -264,7 +297,7 @@ isc_rwlock_destroy(isc_rwlock_t *rwl) {
 
 static isc_result_t
 isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	int32_t cntflag;
+	int_fast32_t cntflag;
 
 	REQUIRE(VALID_RWLOCK(rwl));
 
@@ -274,10 +307,12 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 #endif
 
 	if (type == isc_rwlocktype_read) {
-		if (rwl->write_requests != rwl->write_completions) {
+		if (rwl_load(write_requests) != rwl_load(write_completions)) {
 			/* there is a waiting or active writer */
 			LOCK(&rwl->lock);
-			if (rwl->write_requests != rwl->write_completions) {
+			if (rwl_load(write_requests) !=
+			    rwl_load(write_completions))
+			{
 				rwl->readers_waiting++;
 				WAIT(&rwl->readable, &rwl->lock);
 				rwl->readers_waiting--;
@@ -285,23 +320,20 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 			UNLOCK(&rwl->lock);
 		}
 
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-		cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
-						    READER_INCR,
-						    memory_order_relaxed);
-#else
-		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-#endif
+		cntflag = rwl_add(cnt_and_flag, READER_INCR);
+
 		POST(cntflag);
 		while (1) {
-			if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0)
+			if ((rwl_load(cnt_and_flag) & WRITER_ACTIVE) == 0) {
 				break;
+			}
 
 			/* A writer is still working */
 			LOCK(&rwl->lock);
 			rwl->readers_waiting++;
-			if ((rwl->cnt_and_flag & WRITER_ACTIVE) != 0)
+			if ((rwl_load(cnt_and_flag) & WRITER_ACTIVE) != 0) {
 				WAIT(&rwl->readable, &rwl->lock);
+			}
 			rwl->readers_waiting--;
 			UNLOCK(&rwl->lock);
 
@@ -336,20 +368,15 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		 * quota, reset the condition (race among readers doesn't
 		 * matter).
 		 */
-		rwl->write_granted = 0;
+		rwl_store(write_granted, 0);
 	} else {
-		int32_t prev_writer;
+		int_fast32_t prev_writer;
 
 		/* enter the waiting queue, and wait for our turn */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-		prev_writer = atomic_fetch_add_explicit(&rwl->write_requests, 1,
-							memory_order_relaxed);
-#else
-		prev_writer = isc_atomic_xadd(&rwl->write_requests, 1);
-#endif
-		while (rwl->write_completions != prev_writer) {
+		prev_writer = rwl_add(write_requests, 1);
+		while (rwl_load(write_completions) != prev_writer) {
 			LOCK(&rwl->lock);
-			if (rwl->write_completions != prev_writer) {
+			if (rwl_load(write_completions) != prev_writer) {
 				WAIT(&rwl->writeable, &rwl->lock);
 				UNLOCK(&rwl->lock);
 				continue;
@@ -359,29 +386,22 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		}
 
 		while (1) {
-#if defined(ISC_RWLOCK_USESTDATOMIC)
 			int_fast32_t cntflag2 = 0;
-			atomic_compare_exchange_strong_explicit
-				(&rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE,
-				 memory_order_relaxed, memory_order_relaxed);
-#else
-			int32_t cntflag2;
-			cntflag2 = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
-						      WRITER_ACTIVE);
-#endif
+			rwl_cmpxchg(cnt_and_flag, cntflag2, WRITER_ACTIVE);
 
 			if (cntflag2 == 0)
 				break;
 
 			/* Another active reader or writer is working. */
 			LOCK(&rwl->lock);
-			if (rwl->cnt_and_flag != 0)
+			if (rwl_load(cnt_and_flag) != 0) {
 				WAIT(&rwl->writeable, &rwl->lock);
+			}
 			UNLOCK(&rwl->lock);
 		}
 
-		INSIST((rwl->cnt_and_flag & WRITER_ACTIVE) != 0);
-		rwl->write_granted++;
+		INSIST((rwl_load(cnt_and_flag) & WRITER_ACTIVE) != 0);
+		rwl_add(write_granted, 1);
 	}
 
 #ifdef ISC_RWLOCK_TRACE
@@ -394,8 +414,8 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 
 isc_result_t
 isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	int32_t cnt = 0;
-	int32_t max_cnt = rwl->spins * 2 + 10;
+	int_fast32_t cnt = 0;
+	int_fast32_t max_cnt = rwl_load(spins) * 2 + 10;
 	isc_result_t result = ISC_R_SUCCESS;
 
 	if (max_cnt > RWLOCK_MAX_ADAPTIVE_COUNT)
@@ -411,14 +431,14 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 #endif
 	} while (isc_rwlock_trylock(rwl, type) != ISC_R_SUCCESS);
 
-	rwl->spins += (cnt - rwl->spins) / 8;
+	rwl_add(spins, (cnt - rwl_load(spins)) / 8);
 
 	return (result);
 }
 
 isc_result_t
 isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	int32_t cntflag;
+	int_fast32_t cntflag;
 
 	REQUIRE(VALID_RWLOCK(rwl));
 
@@ -429,36 +449,26 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 
 	if (type == isc_rwlocktype_read) {
 		/* If a writer is waiting or working, we fail. */
-		if (rwl->write_requests != rwl->write_completions)
+		if (rwl_load(write_requests) != rwl_load(write_completions)) {
 			return (ISC_R_LOCKBUSY);
+		}
 
 		/* Otherwise, be ready for reading. */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-		cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
-						    READER_INCR,
-						    memory_order_relaxed);
-#else
-		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-#endif
+		cntflag = rwl_add(cnt_and_flag, READER_INCR);
 		if ((cntflag & WRITER_ACTIVE) != 0) {
 			/*
 			 * A writer is working.  We lose, and cancel the read
 			 * request.
 			 */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-			cntflag = atomic_fetch_sub_explicit
-				(&rwl->cnt_and_flag, READER_INCR,
-				 memory_order_relaxed);
-#else
-			cntflag = isc_atomic_xadd(&rwl->cnt_and_flag,
-						  -READER_INCR);
-#endif
+			cntflag = rwl_sub(cnt_and_flag, READER_INCR);
 			/*
 			 * If no other readers are waiting and we've suspended
 			 * new writers in this short period, wake them up.
 			 */
 			if (cntflag == READER_INCR &&
-			    rwl->write_completions != rwl->write_requests) {
+			    rwl_load(write_completions) !=
+			    rwl_load(write_requests))
+			{
 				LOCK(&rwl->lock);
 				BROADCAST(&rwl->writeable);
 				UNLOCK(&rwl->lock);
@@ -468,31 +478,19 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		}
 	} else {
 		/* Try locking without entering the waiting queue. */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
 		int_fast32_t zero = 0;
-		if (!atomic_compare_exchange_strong_explicit
-		    (&rwl->cnt_and_flag, &zero, WRITER_ACTIVE,
-		     memory_order_relaxed, memory_order_relaxed))
-			return (ISC_R_LOCKBUSY);
-#else
-		cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
-					     WRITER_ACTIVE);
-		if (cntflag != 0)
+		rwl_cmpxchg(cnt_and_flag, zero, WRITER_ACTIVE);
+
+		if (zero != 0) {
 			return (ISC_R_LOCKBUSY);
-#endif
+		}
 
 		/*
 		 * XXXJT: jump into the queue, possibly breaking the writer
 		 * order.
 		 */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-		(void)atomic_fetch_sub_explicit(&rwl->write_completions, 1,
-						memory_order_relaxed);
-#else
-		(void)isc_atomic_xadd(&rwl->write_completions, -1);
-#endif
-
-		rwl->write_granted++;
+		rwl_sub(write_completions, 1);
+		rwl_add(write_granted, 1);
 	}
 
 #ifdef ISC_RWLOCK_TRACE
@@ -505,107 +503,60 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 
 isc_result_t
 isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
-	REQUIRE(VALID_RWLOCK(rwl));
+	int_fast32_t reader_incr = READER_INCR;
 
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-	{
-		int_fast32_t reader_incr = READER_INCR;
+	REQUIRE(VALID_RWLOCK(rwl));
 
-		/* Try to acquire write access. */
-		atomic_compare_exchange_strong_explicit
-			(&rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE,
-			 memory_order_relaxed, memory_order_relaxed);
-		/*
-		 * There must have been no writer, and there must have
-		 * been at least one reader.
-		 */
-		INSIST((reader_incr & WRITER_ACTIVE) == 0 &&
-		       (reader_incr & ~WRITER_ACTIVE) != 0);
+	/* Try to acquire write access. */
+	rwl_cmpxchg(cnt_and_flag, reader_incr, WRITER_ACTIVE);
 
-		if (reader_incr == READER_INCR) {
-			/*
-			 * We are the only reader and have been upgraded.
-			 * Now jump into the head of the writer waiting queue.
-			 */
-			(void)atomic_fetch_sub_explicit(&rwl->write_completions,
-						       1, memory_order_relaxed);
-		} else {
-			return (ISC_R_LOCKBUSY);
-		}
-	}
-#else
-	{
-		int32_t prevcnt;
+	/*
+	 * There must have been no writer, and there must have
+	 * been at least one reader.
+	 */
+	INSIST((reader_incr & WRITER_ACTIVE) == 0 &&
+	       (reader_incr & ~WRITER_ACTIVE) != 0);
 
-		/* Try to acquire write access. */
-		prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
-					     READER_INCR, WRITER_ACTIVE);
+	if (reader_incr == READER_INCR) {
 		/*
-		 * There must have been no writer, and there must have
-		 * been at least one reader.
+		 * We are the only reader and have been upgraded.
+		 * Now jump into the head of the writer waiting queue.
 		 */
-		INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
-		       (prevcnt & ~WRITER_ACTIVE) != 0);
-
-		if (prevcnt == READER_INCR) {
-			/*
-			 * We are the only reader and have been upgraded.
-			 * Now jump into the head of the writer waiting queue.
-			 */
-			(void)isc_atomic_xadd(&rwl->write_completions, -1);
-		} else
-			return (ISC_R_LOCKBUSY);
+		rwl_sub(write_completions, 1);
+	} else {
+		return (ISC_R_LOCKBUSY);
 	}
-#endif
 
 	return (ISC_R_SUCCESS);
 }
 
 void
 isc_rwlock_downgrade(isc_rwlock_t *rwl) {
-	int32_t prev_readers;
+	int_fast32_t prev_readers;
 
 	REQUIRE(VALID_RWLOCK(rwl));
 
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-	{
-		/* Become an active reader. */
-		prev_readers = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
-							 READER_INCR,
-							 memory_order_relaxed);
-		/* We must have been a writer. */
-		INSIST((prev_readers & WRITER_ACTIVE) != 0);
-
-		/* Complete write */
-		(void)atomic_fetch_sub_explicit(&rwl->cnt_and_flag,
-						WRITER_ACTIVE,
-						memory_order_relaxed);
-		(void)atomic_fetch_add_explicit(&rwl->write_completions, 1,
-						memory_order_relaxed);
-	}
-#else
-	{
-		/* Become an active reader. */
-		prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-		/* We must have been a writer. */
-		INSIST((prev_readers & WRITER_ACTIVE) != 0);
-
-		/* Complete write */
-		(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
-		(void)isc_atomic_xadd(&rwl->write_completions, 1);
-	}
-#endif
+	/* Become an active reader. */
+	prev_readers = rwl_add(cnt_and_flag, READER_INCR);
+
+	/* We must have been a writer. */
+	INSIST((prev_readers & WRITER_ACTIVE) != 0);
+
+	/* Complete write */
+	rwl_sub(cnt_and_flag, WRITER_ACTIVE);
+	rwl_add(write_completions, 1);
 
 	/* Resume other readers */
 	LOCK(&rwl->lock);
-	if (rwl->readers_waiting > 0)
+	if (rwl->readers_waiting > 0) {
 		BROADCAST(&rwl->readable);
+	}
 	UNLOCK(&rwl->lock);
 }
 
 isc_result_t
 isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	int32_t prev_cnt;
+	int_fast32_t prev_cnt;
 
 	REQUIRE(VALID_RWLOCK(rwl));
 
@@ -615,20 +566,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 #endif
 
 	if (type == isc_rwlocktype_read) {
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-		prev_cnt = atomic_fetch_sub_explicit(&rwl->cnt_and_flag,
-						     READER_INCR,
-						     memory_order_relaxed);
-#else
-		prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR);
-#endif
+		prev_cnt = rwl_sub(cnt_and_flag, READER_INCR);
 		/*
 		 * If we're the last reader and any writers are waiting, wake
 		 * them up.  We need to wake up all of them to ensure the
 		 * FIFO order.
 		 */
 		if (prev_cnt == READER_INCR &&
-		    rwl->write_completions != rwl->write_requests) {
+		    rwl_load(write_completions) !=
+		    rwl_load(write_requests))
+		{
 			LOCK(&rwl->lock);
 			BROADCAST(&rwl->writeable);
 			UNLOCK(&rwl->lock);
@@ -640,20 +587,12 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		 * Reset the flag, and (implicitly) tell other writers
 		 * we are done.
 		 */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
-		(void)atomic_fetch_sub_explicit(&rwl->cnt_and_flag,
-						WRITER_ACTIVE,
-						memory_order_relaxed);
-		(void)atomic_fetch_add_explicit(&rwl->write_completions, 1,
-						memory_order_relaxed);
-#else
-		(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
-		(void)isc_atomic_xadd(&rwl->write_completions, 1);
-#endif
+		rwl_sub(cnt_and_flag, WRITER_ACTIVE);
+		rwl_add(write_completions, 1);
 
-		if (rwl->write_granted >= rwl->write_quota ||
-		    rwl->write_requests == rwl->write_completions ||
-		    (rwl->cnt_and_flag & ~WRITER_ACTIVE) != 0) {
+		if ((uint32_t)rwl_load(write_granted) >= rwl->write_quota ||
+		    rwl_load(write_requests) == rwl_load(write_completions) ||
+		    (rwl_load(cnt_and_flag) & ~WRITER_ACTIVE) != 0) {
 			/*
 			 * We have passed the write quota, no writer is
 			 * waiting, or some readers are almost ready, pending
@@ -670,7 +609,7 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 			UNLOCK(&rwl->lock);
 		}
 
-		if (rwl->write_requests != rwl->write_completions &&
+		if (rwl_load(write_requests) != rwl_load(write_completions) &&
 		    wakeup_writers) {
 			LOCK(&rwl->lock);
 			BROADCAST(&rwl->writeable);
@@ -759,10 +698,10 @@ doit(isc_rwlock_t *rwl, isc_rwlocktype_t type, bool nonblock) {
 	return (result);
 }
 
-isc_result_t
+ISC_NO_SANITIZE_THREAD isc_result_t
 isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	int32_t cnt = 0;
-	int32_t max_cnt = rwl->spins * 2 + 10;
+	int_fast32_t cnt = 0;
+	int_fast32_t max_cnt = rwl_load(spins) * 2 + 10;
 	isc_result_t result = ISC_R_SUCCESS;
 
 	if (max_cnt > RWLOCK_MAX_ADAPTIVE_COUNT)
@@ -778,7 +717,7 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 #endif
 	} while (doit(rwl, type, true) != ISC_R_SUCCESS);
 
-	rwl->spins += (cnt - rwl->spins) / 8;
+	rwl_add(spins, (cnt - rwl_load(spins)) /8);
 
 	return (result);
 }
diff --git a/bind/bind9/lib/isc/safe.c b/bind/bind9/lib/isc/safe.c
index 7a464b61..06a61ce7 100644
--- a/bind/bind9/lib/isc/safe.c
+++ b/bind/bind9/lib/isc/safe.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/serial.c b/bind/bind9/lib/isc/serial.c
index 860a0c6f..b43fd8af 100644
--- a/bind/bind9/lib/isc/serial.c
+++ b/bind/bind9/lib/isc/serial.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/sha1.c b/bind/bind9/lib/isc/sha1.c
index 4f133c6d..4b4ce44b 100644
--- a/bind/bind9/lib/isc/sha1.c
+++ b/bind/bind9/lib/isc/sha1.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 /*	$NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $	*/
 /*	$OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $	*/
 
diff --git a/bind/bind9/lib/isc/sha2.c b/bind/bind9/lib/isc/sha2.c
index 8e502bfe..951d1bb8 100644
--- a/bind/bind9/lib/isc/sha2.c
+++ b/bind/bind9/lib/isc/sha2.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $	*/
 /*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
 
@@ -887,7 +885,7 @@ isc_sha224_update(isc_sha224_t *context, const uint8_t* data, size_t len) {
 }
 
 void
-isc_sha224_final(uint8_t digest[], isc_sha224_t *context) {
+isc_sha224_final(uint8_t digest[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *context) {
 	uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH];
 	isc_sha256_final(sha256_digest, (isc_sha256_t *)context);
 	memmove(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH);
@@ -1150,7 +1148,7 @@ isc_sha256_update(isc_sha256_t *context, const uint8_t *data, size_t len) {
 }
 
 void
-isc_sha256_final(uint8_t digest[], isc_sha256_t *context) {
+isc_sha256_final(uint8_t digest[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *context) {
 	uint32_t	*d = (uint32_t*)digest;
 	unsigned int	usedspace;
 
@@ -1513,7 +1511,7 @@ void isc_sha512_last(isc_sha512_t *context) {
 	isc_sha512_transform(context, (uint64_t*)context->buffer);
 }
 
-void isc_sha512_final(uint8_t digest[], isc_sha512_t *context) {
+void isc_sha512_final(uint8_t digest[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *context) {
 	uint64_t	*d = (uint64_t*)digest;
 
 	/* Sanity check: */
@@ -1566,7 +1564,7 @@ isc_sha384_update(isc_sha384_t *context, const uint8_t* data, size_t len) {
 }
 
 void
-isc_sha384_final(uint8_t digest[], isc_sha384_t *context) {
+isc_sha384_final(uint8_t digest[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *context) {
 	uint64_t	*d = (uint64_t*)digest;
 
 	/* Sanity check: */
@@ -1603,7 +1601,7 @@ isc_sha384_final(uint8_t digest[], isc_sha384_t *context) {
 static const char *sha2_hex_digits = "0123456789abcdef";
 
 char *
-isc_sha224_end(isc_sha224_t *context, char buffer[]) {
+isc_sha224_end(isc_sha224_t *context, char buffer[ISC_SHA224_DIGESTSTRINGLENGTH]) {
 	uint8_t	digest[ISC_SHA224_DIGESTLENGTH], *d = digest;
 	unsigned int	i;
 
@@ -1644,7 +1642,7 @@ isc_sha224_data(const uint8_t *data, size_t len,
 }
 
 char *
-isc_sha256_end(isc_sha256_t *context, char buffer[]) {
+isc_sha256_end(isc_sha256_t *context, char buffer[ISC_SHA256_DIGESTSTRINGLENGTH]) {
 	uint8_t	digest[ISC_SHA256_DIGESTLENGTH], *d = digest;
 	unsigned int	i;
 
@@ -1685,7 +1683,7 @@ isc_sha256_data(const uint8_t* data, size_t len,
 }
 
 char *
-isc_sha512_end(isc_sha512_t *context, char buffer[]) {
+isc_sha512_end(isc_sha512_t *context, char buffer[ISC_SHA512_DIGESTSTRINGLENGTH]) {
 	uint8_t	digest[ISC_SHA512_DIGESTLENGTH], *d = digest;
 	unsigned int	i;
 
@@ -1726,7 +1724,7 @@ isc_sha512_data(const uint8_t *data, size_t len,
 }
 
 char *
-isc_sha384_end(isc_sha384_t *context, char buffer[]) {
+isc_sha384_end(isc_sha384_t *context, char buffer[ISC_SHA384_DIGESTSTRINGLENGTH]) {
 	uint8_t	digest[ISC_SHA384_DIGESTLENGTH], *d = digest;
 	unsigned int	i;
 
diff --git a/bind/bind9/lib/isc/siphash.c b/bind/bind9/lib/isc/siphash.c
index bd62a522..c0476588 100644
--- a/bind/bind9/lib/isc/siphash.c
+++ b/bind/bind9/lib/isc/siphash.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/sockaddr.c b/bind/bind9/lib/isc/sockaddr.c
index c2c599e1..c641cde0 100644
--- a/bind/bind9/lib/isc/sockaddr.c
+++ b/bind/bind9/lib/isc/sockaddr.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -126,13 +126,16 @@ isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
 	case AF_INET6:
 		snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin6.sin6_port));
 		break;
-#ifdef ISC_PLAFORM_HAVESYSUNH
+#ifdef ISC_PLATFORM_HAVESYSUNH
 	case AF_UNIX:
 		plen = strlen(sockaddr->type.sunix.sun_path);
 		if (plen >= isc_buffer_availablelength(target))
 			return (ISC_R_NOSPACE);
 
-		isc_buffer_putmem(target, sockaddr->type.sunix.sun_path, plen);
+		isc_buffer_putmem(
+			target,
+			(const unsigned char *)sockaddr->type.sunix.sun_path,
+			plen);
 
 		/*
 		 * Null terminate after used region.
diff --git a/bind/bind9/lib/isc/socket_api.c b/bind/bind9/lib/isc/socket_api.c
index 5de98a9a..5c582e04 100644
--- a/bind/bind9/lib/isc/socket_api.c
+++ b/bind/bind9/lib/isc/socket_api.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/sparc64/Makefile.in b/bind/bind9/lib/isc/sparc64/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/isc/sparc64/Makefile.in
+++ b/bind/bind9/lib/isc/sparc64/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/sparc64/include/Makefile.in b/bind/bind9/lib/isc/sparc64/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/sparc64/include/Makefile.in
+++ b/bind/bind9/lib/isc/sparc64/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/sparc64/include/isc/Makefile.in b/bind/bind9/lib/isc/sparc64/include/isc/Makefile.in
index 60756338..1c96b673 100644
--- a/bind/bind9/lib/isc/sparc64/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/sparc64/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/sparc64/include/isc/atomic.h b/bind/bind9/lib/isc/sparc64/include/isc/atomic.h
index 21ec67e8..9c29325f 100644
--- a/bind/bind9/lib/isc/sparc64/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/sparc64/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/stats.c b/bind/bind9/lib/isc/stats.c
index bb6e0aaa..8eaab400 100644
--- a/bind/bind9/lib/isc/stats.c
+++ b/bind/bind9/lib/isc/stats.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -215,6 +215,11 @@ isc_stats_ncounters(isc_stats_t *stats) {
 	return (stats->ncounters);
 }
 
+/*
+ * Inline the code if we can use atomic operations.
+ */
+#if defined(ISC_PLATFORM_HAVESTDATOMIC) || defined(ISC_STATS_HAVEATOMICQ) || \
+    defined(ISC_STATS_USEMULTIFIELDS)
 static inline void
 incrementcounter(isc_stats_t *stats, int counter) {
 #if ISC_PLATFORM_HAVESTDATOMIC
@@ -235,8 +240,6 @@ incrementcounter(isc_stats_t *stats, int counter) {
 	if (prev == (int32_t)0xffffffff) {
 		isc_atomic_xadd((int32_t *)&stats->counters[counter].hi, 1);
 	}
-#else
-	stats->counters[counter]++;
 #endif
 }
 
@@ -254,8 +257,6 @@ decrementcounter(isc_stats_t *stats, int counter) {
 		(void)isc_atomic_xadd((int32_t *)&stats->counters[counter].hi,
 				      -1);
 	}
-#else
-	stats->counters[counter]--;
 #endif
 }
 
@@ -270,13 +271,8 @@ getcounter(isc_stats_t *stats, const int counter) {
 					  0));
 #else
 	uint64_t curr_value;
-# if ISC_STATS_USEMULTIFIELDS
 	curr_value = ((uint64_t)stats->counters[counter].hi << 32) |
 			stats->counters[counter].lo;
-# else
-	curr_value = stats->counters[counter];
-# endif
-
 	return (curr_value);
 #endif
 }
@@ -297,11 +293,33 @@ setcounter(isc_stats_t *stats,
 			 (uint32_t)((value >> 32) & 0xffffffff));
 	isc_atomic_store((int32_t *)&stats->counters[counter].lo,
 			 (uint32_t)(value & 0xffffffff));
-# else
-	stats->counters[counter] = value;
 # endif
 #endif
 }
+#else
+ISC_NO_SANITIZE_THREAD static ISC_NO_SANITIZE_INLINE void
+incrementcounter(isc_stats_t *stats, int counter) {
+	stats->counters[counter]++;
+}
+
+ISC_NO_SANITIZE_THREAD static ISC_NO_SANITIZE_INLINE void
+decrementcounter(isc_stats_t *stats, int counter) {
+	stats->counters[counter]--;
+}
+
+ISC_NO_SANITIZE_THREAD static ISC_NO_SANITIZE_INLINE uint64_t
+getcounter(isc_stats_t *stats, const int counter) {
+	return (stats->counters[counter]);
+}
+
+ISC_NO_SANITIZE_THREAD static ISC_NO_SANITIZE_INLINE void
+setcounter(isc_stats_t *stats,
+	   const isc_statscounter_t counter,
+	   const uint64_t value)
+{
+	stats->counters[counter] = value;
+}
+#endif
 
 static void
 copy_counters(isc_stats_t *stats, uint64_t *counters) {
diff --git a/bind/bind9/lib/isc/string.c b/bind/bind9/lib/isc/string.c
index 6728cfbd..d2b25851 100644
--- a/bind/bind9/lib/isc/string.c
+++ b/bind/bind9/lib/isc/string.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/strtoul.c b/bind/bind9/lib/isc/strtoul.c
index acc541a7..baa4ba3d 100644
--- a/bind/bind9/lib/isc/strtoul.c
+++ b/bind/bind9/lib/isc/strtoul.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/symtab.c b/bind/bind9/lib/isc/symtab.c
index b6466d3e..cde65a54 100644
--- a/bind/bind9/lib/isc/symtab.c
+++ b/bind/bind9/lib/isc/symtab.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/task.c b/bind/bind9/lib/isc/task.c
index f9c4354b..04863935 100644
--- a/bind/bind9/lib/isc/task.c
+++ b/bind/bind9/lib/isc/task.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -339,14 +339,16 @@ isc_result_t
 isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
 		 isc_task_t **taskp)
 {
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+	isc__taskmgr_t *manager;
 	isc__task_t *task;
 	bool exiting;
 	isc_result_t result;
 
-	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(VALID_MANAGER(manager0));
 	REQUIRE(taskp != NULL && *taskp == NULL);
 
+	manager = (isc__taskmgr_t *)manager0;
+
 	task = isc_mem_get(manager->mctx, sizeof(*task));
 	if (task == NULL)
 		return (ISC_R_NOMEMORY);
@@ -542,16 +544,16 @@ task_send(isc__task_t *task, isc_event_t **eventp) {
 	bool was_idle = false;
 	isc_event_t *event;
 
+	REQUIRE(eventp != NULL);
+	REQUIRE((*eventp) != NULL);
+	REQUIRE((*eventp)->ev_type > 0);
+	REQUIRE(task->state != task_state_done);
+	REQUIRE(!ISC_LINK_LINKED((*eventp), ev_ratelink));
+
 	/*
 	 * Caller must be holding the task lock.
 	 */
-
-	REQUIRE(eventp != NULL);
 	event = *eventp;
-	REQUIRE(event != NULL);
-	REQUIRE(event->ev_type > 0);
-	REQUIRE(task->state != task_state_done);
-	REQUIRE(!ISC_LINK_LINKED(event, ev_ratelink));
 
 	XTRACE("task_send");
 
@@ -811,19 +813,21 @@ isc_result_t
 isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
 		     void *arg)
 {
-	isc__task_t *task = (isc__task_t *)task0;
+	isc__task_t *task;
 	bool disallowed = false;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_event_t *event;
 
+	REQUIRE(VALID_TASK(task0));
+	REQUIRE(action != NULL);
+
+	task = (isc__task_t *)task0;
+
 	/*
 	 * Send a shutdown event with action 'action' and argument 'arg' when
 	 * 'task' is shutdown.
 	 */
 
-	REQUIRE(VALID_TASK(task));
-	REQUIRE(action != NULL);
-
 	event = isc_event_allocate(task->manager->mctx,
 				   NULL,
 				   ISC_TASKEVENT_SHUTDOWN,
@@ -897,29 +901,35 @@ isc__task_setname(isc_task_t *task0, const char *name, void *tag) {
 
 const char *
 isc__task_getname(isc_task_t *task0) {
-	isc__task_t *task = (isc__task_t *)task0;
+	isc__task_t *task;
 
-	REQUIRE(VALID_TASK(task));
+	REQUIRE(VALID_TASK(task0));
+
+	task = (isc__task_t *)task0;
 
 	return (task->name);
 }
 
 void *
 isc__task_gettag(isc_task_t *task0) {
-	isc__task_t *task = (isc__task_t *)task0;
+	isc__task_t *task;
 
-	REQUIRE(VALID_TASK(task));
+	REQUIRE(VALID_TASK(task0));
+
+	task = (isc__task_t *)task0;
 
 	return (task->tag);
 }
 
 void
 isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t) {
-	isc__task_t *task = (isc__task_t *)task0;
+	isc__task_t *task;
 
-	REQUIRE(VALID_TASK(task));
+	REQUIRE(VALID_TASK(task0));
 	REQUIRE(t != NULL);
 
+	task = (isc__task_t *)task0;
+
 	LOCK(&task->lock);
 	*t = task->now;
 	UNLOCK(&task->lock);
@@ -927,11 +937,13 @@ isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t) {
 
 void
 isc__task_getcurrenttimex(isc_task_t *task0, isc_time_t *t) {
-	isc__task_t *task = (isc__task_t *)task0;
+	isc__task_t *task;
 
-	REQUIRE(VALID_TASK(task));
+	REQUIRE(VALID_TASK(task0));
 	REQUIRE(t != NULL);
 
+	task = (isc__task_t *)task0;
+
 	LOCK(&task->lock);
 	*t = task->tnow;
 	UNLOCK(&task->lock);
@@ -1722,14 +1734,14 @@ isc_taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp) {
 isc_result_t
 isc__task_beginexclusive(isc_task_t *task0) {
 #ifdef USE_WORKER_THREADS
-	isc__task_t *task = (isc__task_t *)task0;
+	isc__task_t *task;
 	isc__taskmgr_t *manager;
 
-	REQUIRE(VALID_TASK(task));
-
-	manager = task->manager;
+	REQUIRE(VALID_TASK(task0));
 
+	task = (isc__task_t *)task0;
 	REQUIRE(task->state == task_state_running);
+	manager = task->manager;
 /*
  *  TODO REQUIRE(task == task->manager->excl);
  *  it should be here, it fails on shutdown server->task
@@ -1754,13 +1766,15 @@ isc__task_beginexclusive(isc_task_t *task0) {
 void
 isc__task_endexclusive(isc_task_t *task0) {
 #ifdef USE_WORKER_THREADS
-	isc__task_t *task = (isc__task_t *)task0;
+	isc__task_t *task;
 	isc__taskmgr_t *manager;
 
-	REQUIRE(VALID_TASK(task));
-	manager = task->manager;
+	REQUIRE(VALID_TASK(task0));
 
+	task = (isc__task_t *)task0;
 	REQUIRE(task->state == task_state_running);
+	manager = task->manager;
+
 	LOCK(&manager->lock);
 	REQUIRE(manager->exclusive_requested);
 	manager->exclusive_requested = false;
diff --git a/bind/bind9/lib/isc/task_p.h b/bind/bind9/lib/isc/task_p.h
index 1fa3bb10..78d348c2 100644
--- a/bind/bind9/lib/isc/task_p.h
+++ b/bind/bind9/lib/isc/task_p.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 #ifndef ISC_TASK_P_H
 #define ISC_TASK_P_H
 
diff --git a/bind/bind9/lib/isc/taskpool.c b/bind/bind9/lib/isc/taskpool.c
index 5dfc1d1f..ab9e840d 100644
--- a/bind/bind9/lib/isc/taskpool.c
+++ b/bind/bind9/lib/isc/taskpool.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/Makefile.in b/bind/bind9/lib/isc/tests/Makefile.in
index 36d22070..66b99c5f 100644
--- a/bind/bind9/lib/isc/tests/Makefile.in
+++ b/bind/bind9/lib/isc/tests/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/aes_test.c b/bind/bind9/lib/isc/tests/aes_test.c
index 0d946e0b..3c0ced39 100644
--- a/bind/bind9/lib/isc/tests/aes_test.c
+++ b/bind/bind9/lib/isc/tests/aes_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/atomic_test.c b/bind/bind9/lib/isc/tests/atomic_test.c
index fb0be95d..ae41c859 100644
--- a/bind/bind9/lib/isc/tests/atomic_test.c
+++ b/bind/bind9/lib/isc/tests/atomic_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/buffer_test.c b/bind/bind9/lib/isc/tests/buffer_test.c
index 690e533b..089e50f5 100644
--- a/bind/bind9/lib/isc/tests/buffer_test.c
+++ b/bind/bind9/lib/isc/tests/buffer_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/counter_test.c b/bind/bind9/lib/isc/tests/counter_test.c
index d606a970..3df41b93 100644
--- a/bind/bind9/lib/isc/tests/counter_test.c
+++ b/bind/bind9/lib/isc/tests/counter_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/errno_test.c b/bind/bind9/lib/isc/tests/errno_test.c
index af403b81..b8c1c57c 100644
--- a/bind/bind9/lib/isc/tests/errno_test.c
+++ b/bind/bind9/lib/isc/tests/errno_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/file_test.c b/bind/bind9/lib/isc/tests/file_test.c
index 3db0a62c..a16c02ea 100644
--- a/bind/bind9/lib/isc/tests/file_test.c
+++ b/bind/bind9/lib/isc/tests/file_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/hash_test.c b/bind/bind9/lib/isc/tests/hash_test.c
index 31ced94f..c61b076b 100644
--- a/bind/bind9/lib/isc/tests/hash_test.c
+++ b/bind/bind9/lib/isc/tests/hash_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -56,7 +56,7 @@ unsigned char key[20];
  *
  * 'out' MUST point to an array of at least len * 2 + 1
  *
- * Return values: ISC_R_SUCCESS if the operation is sucessful
+ * Return values: ISC_R_SUCCESS if the operation is successful
  */
 static isc_result_t
 tohexstr(unsigned char *d, unsigned int len, char *out, size_t out_size) {
@@ -336,7 +336,7 @@ isc_sha224_test(void **state) {
 		isc_sha224_final(digest, &sha224);
 		/*
 		*API inconsistency BUG HERE
-		* in order to be consistant with the other isc_hash_final
+		* in order to be consistent with the other isc_hash_final
 		* functions the call should be
 		* isc_sha224_final(&sha224, digest);
 		 */
@@ -466,7 +466,7 @@ isc_sha256_test(void **state) {
 		isc_sha256_final(digest, &sha256);
 		/*
 		*API inconsistency BUG HERE
-		* in order to be consistant with the other isc_hash_final
+		* in order to be consistent with the other isc_hash_final
 		* functions the call should be
 		* isc_sha224_final(&sha224, digest);
 		 */
@@ -610,7 +610,7 @@ isc_sha384_test(void **state) {
 		isc_sha384_final(digest, &sha384);
 		/*
 		*API inconsistency BUG HERE
-		* in order to be consistant with the other isc_hash_final
+		* in order to be consistent with the other isc_hash_final
 		* functions the call should be
 		* isc_sha224_final(&sha224, digest);
 		 */
@@ -755,7 +755,7 @@ isc_sha512_test(void **state) {
 		isc_sha512_final(digest, &sha512);
 		/*
 		*API inconsistency BUG HERE
-		* in order to be consistant with the other isc_hash_final
+		* in order to be consistent with the other isc_hash_final
 		* functions the call should be
 		* isc_sha224_final(&sha224, digest);
 		 */
diff --git a/bind/bind9/lib/isc/tests/heap_test.c b/bind/bind9/lib/isc/tests/heap_test.c
index a3898852..ef22008d 100644
--- a/bind/bind9/lib/isc/tests/heap_test.c
+++ b/bind/bind9/lib/isc/tests/heap_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -78,10 +78,10 @@ isc_heap_delete_test(void **state) {
 	assert_int_equal(e1.index, 0);
 
 	isc_heap_destroy(&heap);
-	assert_int_equal(heap, NULL);
+	assert_null(heap);
 
 	isc_mem_detach(&mctx);
-	assert_int_equal(mctx, NULL);
+	assert_null(mctx);
 }
 
 int
diff --git a/bind/bind9/lib/isc/tests/ht_test.c b/bind/bind9/lib/isc/tests/ht_test.c
index 9a9cb58e..79e4260c 100644
--- a/bind/bind9/lib/isc/tests/ht_test.c
+++ b/bind/bind9/lib/isc/tests/ht_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/inet_ntop_test.c b/bind/bind9/lib/isc/tests/inet_ntop_test.c
index baf99a09..167e3f6f 100644
--- a/bind/bind9/lib/isc/tests/inet_ntop_test.c
+++ b/bind/bind9/lib/isc/tests/inet_ntop_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/isctest.c b/bind/bind9/lib/isc/tests/isctest.c
index a9359915..de527664 100644
--- a/bind/bind9/lib/isc/tests/isctest.c
+++ b/bind/bind9/lib/isc/tests/isctest.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/isctest.h b/bind/bind9/lib/isc/tests/isctest.h
index e553b8a9..d8b2fc5f 100644
--- a/bind/bind9/lib/isc/tests/isctest.h
+++ b/bind/bind9/lib/isc/tests/isctest.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/lex_test.c b/bind/bind9/lib/isc/tests/lex_test.c
index 8c793617..20b4d40d 100644
--- a/bind/bind9/lib/isc/tests/lex_test.c
+++ b/bind/bind9/lib/isc/tests/lex_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/mem_test.c b/bind/bind9/lib/isc/tests/mem_test.c
index 0b63bed8..c614ec08 100644
--- a/bind/bind9/lib/isc/tests/mem_test.c
+++ b/bind/bind9/lib/isc/tests/mem_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/netaddr_test.c b/bind/bind9/lib/isc/tests/netaddr_test.c
index a3e7e9e8..ec466660 100644
--- a/bind/bind9/lib/isc/tests/netaddr_test.c
+++ b/bind/bind9/lib/isc/tests/netaddr_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/parse_test.c b/bind/bind9/lib/isc/tests/parse_test.c
index 9b2a3ac0..208477a3 100644
--- a/bind/bind9/lib/isc/tests/parse_test.c
+++ b/bind/bind9/lib/isc/tests/parse_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/pool_test.c b/bind/bind9/lib/isc/tests/pool_test.c
index a9ef7397..6418a775 100644
--- a/bind/bind9/lib/isc/tests/pool_test.c
+++ b/bind/bind9/lib/isc/tests/pool_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/print_test.c b/bind/bind9/lib/isc/tests/print_test.c
index 0e5b8f35..fa3664a5 100644
--- a/bind/bind9/lib/isc/tests/print_test.c
+++ b/bind/bind9/lib/isc/tests/print_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/queue_test.c b/bind/bind9/lib/isc/tests/queue_test.c
index c5aa125d..b8b3cb66 100644
--- a/bind/bind9/lib/isc/tests/queue_test.c
+++ b/bind/bind9/lib/isc/tests/queue_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/radix_test.c b/bind/bind9/lib/isc/tests/radix_test.c
index c7300a02..a87c96c6 100644
--- a/bind/bind9/lib/isc/tests/radix_test.c
+++ b/bind/bind9/lib/isc/tests/radix_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -96,7 +96,7 @@ isc_radix_search_test(void **state) {
 	node = NULL;
 	result = isc_radix_search(radix, &node, &prefix);
 	assert_int_equal(result, ISC_R_SUCCESS);
-	assert_int_equal(node->data[0], (void *)2);
+	assert_ptr_equal(node->data[0], (void *)2);
 
 	isc_refcount_destroy(&prefix.refcount);
 
diff --git a/bind/bind9/lib/isc/tests/random_test.c b/bind/bind9/lib/isc/tests/random_test.c
index 024199b6..375813a1 100644
--- a/bind/bind9/lib/isc/tests/random_test.c
+++ b/bind/bind9/lib/isc/tests/random_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -659,7 +659,7 @@ isc_rng_runs_bytes(void **state) {
 	random_test(runs);
 }
 
-/* Block frequncy test for the RNG */
+/* Block frequency test for the RNG */
 static void
 isc_rng_blockfrequency_bytes(void **state) {
 	UNUSED(state);
diff --git a/bind/bind9/lib/isc/tests/regex_test.c b/bind/bind9/lib/isc/tests/regex_test.c
index 66b6acfd..9b8caa15 100644
--- a/bind/bind9/lib/isc/tests/regex_test.c
+++ b/bind/bind9/lib/isc/tests/regex_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/result_test.c b/bind/bind9/lib/isc/tests/result_test.c
index 6cb3d3bb..8c9f2287 100644
--- a/bind/bind9/lib/isc/tests/result_test.c
+++ b/bind/bind9/lib/isc/tests/result_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/safe_test.c b/bind/bind9/lib/isc/tests/safe_test.c
index 266ac752..82611c38 100644
--- a/bind/bind9/lib/isc/tests/safe_test.c
+++ b/bind/bind9/lib/isc/tests/safe_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/siphash_test.c b/bind/bind9/lib/isc/tests/siphash_test.c
index 1e9ed040..ec85cf77 100644
--- a/bind/bind9/lib/isc/tests/siphash_test.c
+++ b/bind/bind9/lib/isc/tests/siphash_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/sockaddr_test.c b/bind/bind9/lib/isc/tests/sockaddr_test.c
index 23df3cfb..fccc4889 100644
--- a/bind/bind9/lib/isc/tests/sockaddr_test.c
+++ b/bind/bind9/lib/isc/tests/sockaddr_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/socket_test.c b/bind/bind9/lib/isc/tests/socket_test.c
index 3827fac2..be83effc 100644
--- a/bind/bind9/lib/isc/tests/socket_test.c
+++ b/bind/bind9/lib/isc/tests/socket_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -27,6 +27,7 @@
 #define UNIT_TESTING
 #include <cmocka.h>
 
+#include <isc/mutex.h>
 #include <isc/platform.h>
 #include <isc/socket.h>
 #include <isc/print.h>
@@ -38,6 +39,9 @@
 static bool recv_dscp;
 static unsigned int recv_dscp_value;
 static bool recv_trunc;
+isc_socket_t *s1 = NULL, *s2 = NULL, *s3 = NULL;
+isc_task_t *test_task = NULL;
+static isc_mutex_t lock;
 
 /*
  * Helper functions
@@ -59,6 +63,19 @@ static int
 _teardown(void **state) {
 	UNUSED(state);
 
+	if (s1 != NULL) {
+		isc_socket_detach(&s1);
+	}
+	if (s2 != NULL) {
+		isc_socket_detach(&s2);
+	}
+	if (s3 != NULL) {
+		isc_socket_detach(&s3);
+	}
+	if (test_task != NULL) {
+		isc_task_detach(&test_task);
+	}
+
 	isc_test_end();
 
 	return (0);
@@ -72,8 +89,10 @@ typedef struct {
 
 static void
 completion_init(completion_t *completion) {
+	LOCK(&lock);
 	completion->done = false;
 	completion->socket = NULL;
+	UNLOCK(&lock);
 }
 
 static void
@@ -83,11 +102,13 @@ accept_done(isc_task_t *task, isc_event_t *event) {
 
 	UNUSED(task);
 
+	LOCK(&lock);
 	completion->result = nevent->result;
 	completion->done = true;
 	if (completion->result == ISC_R_SUCCESS) {
 		completion->socket = nevent->newsocket;
 	}
+	UNLOCK(&lock);
 
 	isc_event_free(&event);
 }
@@ -99,6 +120,7 @@ event_done(isc_task_t *task, isc_event_t *event) {
 	completion_t *completion = event->ev_arg;
 	UNUSED(task);
 
+	LOCK(&lock);
 	switch (event->ev_type) {
 	case ISC_SOCKEVENT_RECVDONE:
 	case ISC_SOCKEVENT_SENDDONE:
@@ -120,22 +142,30 @@ event_done(isc_task_t *task, isc_event_t *event) {
 		assert_false(true);
 	}
 	completion->done = true;
+	UNLOCK(&lock);
 	isc_event_free(&event);
 }
 
 static isc_result_t
 waitfor(completion_t *completion) {
 	int i = 0;
+
+	LOCK(&lock);
 	while (!completion->done && i++ < 5000) {
+		UNLOCK(&lock);
+
 #ifndef ISC_PLATFORM_USETHREADS
 		while (isc__taskmgr_ready(taskmgr))
 			isc__taskmgr_dispatch(taskmgr);
 #endif
 		isc_test_nap(1000);
+		LOCK(&lock);
 	}
 	if (completion->done) {
+		UNLOCK(&lock);
 		return (ISC_R_SUCCESS);
 	}
+	UNLOCK(&lock);
 	return (ISC_R_FAILURE);
 }
 
@@ -161,12 +191,17 @@ static isc_result_t
 waitfor2(completion_t *c1, completion_t *c2) {
 	int i = 0;
 
+	LOCK(&lock);
 	while (!(c1->done && c2->done) && i++ < 5000) {
+		UNLOCK(&lock);
 		waitbody();
+		LOCK(&lock);
 	}
 	if (c1->done && c2->done) {
+		UNLOCK(&lock);
 		return (ISC_R_SUCCESS);
 	}
+	UNLOCK(&lock);
 	return (ISC_R_FAILURE);
 }
 
@@ -180,14 +215,15 @@ udp_sendto_test(void **state)  {
 	isc_result_t result;
 	isc_sockaddr_t addr1, addr2;
 	struct in_addr in;
-	isc_socket_t *s1 = NULL, *s2 = NULL;
-	isc_task_t *task = NULL;
 	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
 	completion_t completion;
 	isc_region_t r;
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
 	in.s_addr = inet_addr("127.0.0.1");
 	isc_sockaddr_fromin(&addr1, &in, 0);
 	isc_sockaddr_fromin(&addr2, &in, 0);
@@ -208,7 +244,7 @@ udp_sendto_test(void **state)  {
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_true(isc_sockaddr_getport(&addr2) != 0);
 
-	result = isc_task_create(taskmgr, 0, &task);
+	result = isc_task_create(taskmgr, 0, &test_task);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	snprintf(sendbuf, sizeof(sendbuf), "Hello");
@@ -216,7 +252,7 @@ udp_sendto_test(void **state)  {
 	r.length = strlen(sendbuf) + 1;
 
 	completion_init(&completion);
-	result = isc_socket_sendto(s1, &r, task, event_done, &completion,
+	result = isc_socket_sendto(s1, &r, test_task, event_done, &completion,
 				   &addr2, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
@@ -226,18 +262,15 @@ udp_sendto_test(void **state)  {
 	r.base = (void *) recvbuf;
 	r.length = BUFSIZ;
 	completion_init(&completion);
-	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
 	assert_int_equal(completion.result, ISC_R_SUCCESS);
 	assert_string_equal(recvbuf, "Hello");
 
-	isc_task_detach(&task);
-
-	isc_socket_detach(&s1);
-	isc_socket_detach(&s2);
-
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 /* Test UDP sendto/recv with duplicated socket */
@@ -246,14 +279,15 @@ udp_dup_test(void **state) {
 	isc_result_t result;
 	isc_sockaddr_t addr1, addr2;
 	struct in_addr in;
-	isc_socket_t *s1 = NULL, *s2 = NULL, *s3 = NULL;
-	isc_task_t *task = NULL;
 	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
 	completion_t completion;
 	isc_region_t r;
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
 	in.s_addr = inet_addr("127.0.0.1");
 	isc_sockaddr_fromin(&addr1, &in, 0);
 	isc_sockaddr_fromin(&addr2, &in, 0);
@@ -277,7 +311,7 @@ udp_dup_test(void **state) {
 	result = isc_socket_dup(s2, &s3);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = isc_task_create(taskmgr, 0, &task);
+	result = isc_task_create(taskmgr, 0, &test_task);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	snprintf(sendbuf, sizeof(sendbuf), "Hello");
@@ -285,7 +319,7 @@ udp_dup_test(void **state) {
 	r.length = strlen(sendbuf) + 1;
 
 	completion_init(&completion);
-	result = isc_socket_sendto(s1, &r, task, event_done, &completion,
+	result = isc_socket_sendto(s1, &r, test_task, event_done, &completion,
 				   &addr2, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
@@ -297,7 +331,7 @@ udp_dup_test(void **state) {
 	r.length = strlen(sendbuf) + 1;
 
 	completion_init(&completion);
-	result = isc_socket_sendto(s1, &r, task, event_done, &completion,
+	result = isc_socket_sendto(s1, &r, test_task, event_done, &completion,
 				   &addr2, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
@@ -307,7 +341,7 @@ udp_dup_test(void **state) {
 	r.base = (void *) recvbuf;
 	r.length = BUFSIZ;
 	completion_init(&completion);
-	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -317,19 +351,15 @@ udp_dup_test(void **state) {
 	r.base = (void *) recvbuf;
 	r.length = BUFSIZ;
 	completion_init(&completion);
-	result = isc_socket_recv(s3, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s3, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
 	assert_int_equal(completion.result, ISC_R_SUCCESS);
 	assert_string_equal(recvbuf, "World");
 
-	isc_task_detach(&task);
-
-	isc_socket_detach(&s1);
-	isc_socket_detach(&s2);
-	isc_socket_detach(&s3);
-
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 /* Test UDP sendto/recv (IPv4) */
@@ -338,8 +368,6 @@ udp_dscp_v4_test(void **state) {
 	isc_result_t result;
 	isc_sockaddr_t addr1, addr2;
 	struct in_addr in;
-	isc_socket_t *s1 = NULL, *s2 = NULL;
-	isc_task_t *task = NULL;
 	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
 	completion_t completion;
 	isc_region_t r;
@@ -347,6 +375,8 @@ udp_dscp_v4_test(void **state) {
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 
 	in.s_addr = inet_addr("127.0.0.1");
 	isc_sockaddr_fromin(&addr1, &in, 0);
@@ -368,7 +398,7 @@ udp_dscp_v4_test(void **state) {
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_true(isc_sockaddr_getport(&addr2) != 0);
 
-	result = isc_task_create(taskmgr, 0, &task);
+	result = isc_task_create(taskmgr, 0, &test_task);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	snprintf(sendbuf, sizeof(sendbuf), "Hello");
@@ -393,7 +423,8 @@ udp_dscp_v4_test(void **state) {
 	recv_dscp = false;
 	recv_dscp_value = 0;
 
-	result = isc_socket_sendto2(s1, &r, task, &addr2, NULL, socketevent, 0);
+	result = isc_socket_sendto2(s1, &r, test_task, &addr2, NULL,
+				    socketevent, 0);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -402,7 +433,7 @@ udp_dscp_v4_test(void **state) {
 	r.base = (void *) recvbuf;
 	r.length = BUFSIZ;
 	completion_init(&completion);
-	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -415,11 +446,9 @@ udp_dscp_v4_test(void **state) {
 	} else {
 		assert_false(recv_dscp);
 	}
-	isc_task_detach(&task);
-
-	isc_socket_detach(&s1);
-	isc_socket_detach(&s2);
 
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 #if defined(ISC_PLATFORM_HAVEIPV6) && defined(WANT_IPV6)
@@ -429,8 +458,6 @@ udp_dscp_v6_test(void **state) {
 	isc_result_t result;
 	isc_sockaddr_t addr1, addr2;
 	struct in6_addr in6;
-	isc_socket_t *s1 = NULL, *s2 = NULL;
-	isc_task_t *task = NULL;
 	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
 	completion_t completion;
 	isc_region_t r;
@@ -439,6 +466,8 @@ udp_dscp_v6_test(void **state) {
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 
 	n = inet_pton(AF_INET6, "::1", &in6.s6_addr);
 	assert_true(n == 1);
@@ -463,7 +492,7 @@ udp_dscp_v6_test(void **state) {
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_true(isc_sockaddr_getport(&addr2) != 0);
 
-	result = isc_task_create(taskmgr, 0, &task);
+	result = isc_task_create(taskmgr, 0, &test_task);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	snprintf(sendbuf, sizeof(sendbuf), "Hello");
@@ -486,7 +515,8 @@ udp_dscp_v6_test(void **state) {
 	recv_dscp = false;
 	recv_dscp_value = 0;
 
-	result = isc_socket_sendto2(s1, &r, task, &addr2, NULL, socketevent, 0);
+	result = isc_socket_sendto2(s1, &r, test_task, &addr2, NULL,
+				    socketevent, 0);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -495,7 +525,7 @@ udp_dscp_v6_test(void **state) {
 	r.base = (void *) recvbuf;
 	r.length = BUFSIZ;
 	completion_init(&completion);
-	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -508,11 +538,8 @@ udp_dscp_v6_test(void **state) {
 		assert_false(recv_dscp);
 	}
 
-	isc_task_detach(&task);
-
-	isc_socket_detach(&s1);
-	isc_socket_detach(&s2);
-
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 #endif
 
@@ -522,14 +549,14 @@ tcp_dscp_v4_test(void **state) {
 	isc_result_t result;
 	isc_sockaddr_t addr1;
 	struct in_addr in;
-	isc_socket_t *s1 = NULL, *s2 = NULL, *s3 = NULL;
-	isc_task_t *task = NULL;
 	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
 	completion_t completion, completion2;
 	isc_region_t r;
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 
 	in.s_addr = inet_addr("127.0.0.1");
 	isc_sockaddr_fromin(&addr1, &in, 0);
@@ -549,15 +576,16 @@ tcp_dscp_v4_test(void **state) {
 	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_tcp, &s2);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = isc_task_create(taskmgr, 0, &task);
+	result = isc_task_create(taskmgr, 0, &test_task);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	completion_init(&completion2);
-	result = isc_socket_accept(s1, task, accept_done, &completion2);
+	result = isc_socket_accept(s1, test_task, accept_done, &completion2);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	completion_init(&completion);
-	result = isc_socket_connect(s2, &addr1, task, event_done, &completion);
+	result = isc_socket_connect(s2, &addr1, test_task, event_done,
+				    &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor2(&completion, &completion2);
 	assert_true(completion.done);
@@ -576,7 +604,7 @@ tcp_dscp_v4_test(void **state) {
 	recv_dscp_value = 0;
 
 	completion_init(&completion);
-	result = isc_socket_sendto(s2, &r, task, event_done, &completion,
+	result = isc_socket_sendto(s2, &r, test_task, event_done, &completion,
 				   NULL, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
@@ -586,7 +614,7 @@ tcp_dscp_v4_test(void **state) {
 	r.base = (void *) recvbuf;
 	r.length = BUFSIZ;
 	completion_init(&completion);
-	result = isc_socket_recv(s3, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s3, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -601,12 +629,8 @@ tcp_dscp_v4_test(void **state) {
 		assert_false(recv_dscp);
 	}
 
-	isc_task_detach(&task);
-
-	isc_socket_detach(&s1);
-	isc_socket_detach(&s2);
-	isc_socket_detach(&s3);
-
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 #if defined(ISC_PLATFORM_HAVEIPV6) && defined(WANT_IPV6)
@@ -616,8 +640,6 @@ tcp_dscp_v6_test(void **state) {
 	isc_result_t result;
 	isc_sockaddr_t addr1;
 	struct in6_addr in6;
-	isc_socket_t *s1 = NULL, *s2 = NULL, *s3 = NULL;
-	isc_task_t *task = NULL;
 	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
 	completion_t completion, completion2;
 	isc_region_t r;
@@ -625,6 +647,8 @@ tcp_dscp_v6_test(void **state) {
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 
 	n = inet_pton(AF_INET6, "::1", &in6.s6_addr);
 	assert_true(n == 1);
@@ -647,15 +671,16 @@ tcp_dscp_v6_test(void **state) {
 				   &s2);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = isc_task_create(taskmgr, 0, &task);
+	result = isc_task_create(taskmgr, 0, &test_task);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	completion_init(&completion2);
-	result = isc_socket_accept(s1, task, accept_done, &completion2);
+	result = isc_socket_accept(s1, test_task, accept_done, &completion2);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	completion_init(&completion);
-	result = isc_socket_connect(s2, &addr1, task, event_done, &completion);
+	result = isc_socket_connect(s2, &addr1, test_task, event_done,
+				    &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor2(&completion, &completion2);
 	assert_true(completion.done);
@@ -674,7 +699,7 @@ tcp_dscp_v6_test(void **state) {
 	recv_dscp_value = 0;
 
 	completion_init(&completion);
-	result = isc_socket_sendto(s2, &r, task, event_done, &completion,
+	result = isc_socket_sendto(s2, &r, test_task, event_done, &completion,
 				   NULL, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
@@ -684,7 +709,7 @@ tcp_dscp_v6_test(void **state) {
 	r.base = (void *) recvbuf;
 	r.length = BUFSIZ;
 	completion_init(&completion);
-	result = isc_socket_recv(s3, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s3, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -703,12 +728,8 @@ tcp_dscp_v6_test(void **state) {
 		assert_false(recv_dscp);
 	}
 
-	isc_task_detach(&task);
-
-	isc_socket_detach(&s1);
-	isc_socket_detach(&s2);
-	isc_socket_detach(&s3);
-
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 #endif
 
@@ -751,15 +772,16 @@ udp_trunc_test(void **state) {
 	isc_result_t result;
 	isc_sockaddr_t addr1, addr2;
 	struct in_addr in;
-	isc_socket_t *s1 = NULL, *s2 = NULL;
-	isc_task_t *task = NULL;
-	char sendbuf[BUFSIZ*2], recvbuf[BUFSIZ];
+	char sendbuf[BUFSIZ * 2], recvbuf[BUFSIZ];
 	completion_t completion;
 	isc_region_t r;
 	isc_socketevent_t *socketevent;
 
 	UNUSED(state);
 
+	result = isc_mutex_init(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
 	in.s_addr = inet_addr("127.0.0.1");
 	isc_sockaddr_fromin(&addr1, &in, 0);
 	isc_sockaddr_fromin(&addr2, &in, 0);
@@ -779,7 +801,7 @@ udp_trunc_test(void **state) {
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_true(isc_sockaddr_getport(&addr2) != 0);
 
-	result = isc_task_create(taskmgr, 0, &task);
+	result = isc_task_create(taskmgr, 0, &test_task);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	/*
@@ -796,7 +818,8 @@ udp_trunc_test(void **state) {
 					     event_done, &completion);
 	assert_non_null(socketevent);
 
-	result = isc_socket_sendto2(s1, &r, task, &addr2, NULL, socketevent, 0);
+	result = isc_socket_sendto2(s1, &r, test_task, &addr2, NULL,
+				    socketevent, 0);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -806,7 +829,7 @@ udp_trunc_test(void **state) {
 	r.length = BUFSIZ;
 	completion_init(&completion);
 	recv_trunc = false;
-	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -828,7 +851,8 @@ udp_trunc_test(void **state) {
 					     event_done, &completion);
 	assert_non_null(socketevent);
 
-	result = isc_socket_sendto2(s1, &r, task, &addr2, NULL, socketevent, 0);
+	result = isc_socket_sendto2(s1, &r, test_task, &addr2, NULL,
+				    socketevent, 0);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -838,7 +862,7 @@ udp_trunc_test(void **state) {
 	r.length = BUFSIZ;
 	completion_init(&completion);
 	recv_trunc = false;
-	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	waitfor(&completion);
 	assert_true(completion.done);
@@ -846,11 +870,8 @@ udp_trunc_test(void **state) {
 	assert_string_equal(recvbuf, "Hello");
 	assert_true(recv_trunc);
 
-	isc_task_detach(&task);
-
-	isc_socket_detach(&s1);
-	isc_socket_detach(&s2);
-
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 /*
diff --git a/bind/bind9/lib/isc/tests/symtab_test.c b/bind/bind9/lib/isc/tests/symtab_test.c
index 9b26d6a8..22e4b01d 100644
--- a/bind/bind9/lib/isc/tests/symtab_test.c
+++ b/bind/bind9/lib/isc/tests/symtab_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/task_test.c b/bind/bind9/lib/isc/tests/task_test.c
index 57448e75..c1c20058 100644
--- a/bind/bind9/lib/isc/tests/task_test.c
+++ b/bind/bind9/lib/isc/tests/task_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -25,8 +25,8 @@
 #include <unistd.h>
 
 #define UNIT_TESTING
-#include <cmocka.h>
 
+#include <isc/cmocka.h>
 #include <isc/commandline.h>
 #include <isc/condition.h>
 #include <isc/mem.h>
@@ -44,16 +44,14 @@
 static bool verbose = false;
 
 static isc_mutex_t lock;
+#ifdef ISC_PLATFORM_USETHREADS
 static isc_condition_t cv;
+#endif
 
 int counter = 0;
 static int active[10];
 static bool done = false;
 
-#ifdef ISC_PLATFORM_USETHREADS
-static isc_condition_t cv;
-#endif
-
 static int
 _setup(void **state) {
 	isc_result_t result;
@@ -63,8 +61,10 @@ _setup(void **state) {
 	result = isc_mutex_init(&lock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
+#ifdef ISC_PLATFORM_USETHREADS
 	result = isc_condition_init(&cv);
 	assert_int_equal(result, ISC_R_SUCCESS);
+#endif
 
 	result = isc_test_begin(NULL, true, 0);
 	assert_int_equal(result, ISC_R_SUCCESS);
@@ -81,8 +81,10 @@ _setup2(void **state) {
 	result = isc_mutex_init(&lock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
+#ifdef ISC_PLATFORM_USETHREADS
 	result = isc_condition_init(&cv);
 	assert_int_equal(result, ISC_R_SUCCESS);
+#endif
 
 	/* Two worker threads */
 	result = isc_test_begin(NULL, true, 2);
@@ -100,8 +102,10 @@ _setup4(void **state) {
 	result = isc_mutex_init(&lock);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
+#ifdef ISC_PLATFORM_USETHREADS
 	result = isc_condition_init(&cv);
 	assert_int_equal(result, ISC_R_SUCCESS);
+#endif
 
 	/* Four worker threads */
 	result = isc_test_begin(NULL, true, 4);
@@ -115,7 +119,9 @@ _teardown(void **state) {
 	UNUSED(state);
 
 	isc_test_end();
+#ifdef ISC_PLATFORM_USETHREADS
 	isc_condition_destroy(&cv);
+#endif
 
 	return (0);
 }
@@ -182,26 +188,34 @@ all_events(void **state) {
 				   set, &a, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(a, 0);
+	UNLOCK(&lock);
 	isc_task_send(task, &event);
 
 	event = isc_event_allocate(mctx, task, ISC_TASKEVENT_TEST,
 				   set, &b, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(b, 0);
+	UNLOCK(&lock);
 	isc_task_send(task, &event);
 
+	LOCK(&lock);
 	while ((a == 0 || b == 0) && i++ < 5000) {
+		UNLOCK(&lock);
 #ifndef ISC_PLATFORM_USETHREADS
-		while (isc__taskmgr_ready(taskmgr))
+			while (isc__taskmgr_ready(taskmgr))
 			isc__taskmgr_dispatch(taskmgr);
 #endif
 		isc_test_nap(1000);
+		LOCK(&lock);
 	}
 
 	assert_int_not_equal(a, 0);
 	assert_int_not_equal(b, 0);
+	UNLOCK(&lock);
 
 	isc_task_destroy(&task);
 	assert_null(task);
@@ -245,7 +259,9 @@ privileged_events(void **state) {
 				   set, &a, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(a, 0);
+	UNLOCK(&lock);
 	isc_task_send(task1, &event);
 
 	/* Second event: not privileged */
@@ -253,7 +269,9 @@ privileged_events(void **state) {
 				   set, &b, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(b, 0);
+	UNLOCK(&lock);
 	isc_task_send(task2, &event);
 
 	/* Third event: privileged */
@@ -261,7 +279,9 @@ privileged_events(void **state) {
 				   set, &c, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(c, 0);
+	UNLOCK(&lock);
 	isc_task_send(task1, &event);
 
 	/* Fourth event: privileged */
@@ -269,7 +289,9 @@ privileged_events(void **state) {
 				   set, &d, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(d, 0);
+	UNLOCK(&lock);
 	isc_task_send(task1, &event);
 
 	/* Fifth event: not privileged */
@@ -277,7 +299,9 @@ privileged_events(void **state) {
 				   set, &e, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(e, 0);
+	UNLOCK(&lock);
 	isc_task_send(task2, &event);
 
 	assert_int_equal(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_normal);
@@ -289,12 +313,15 @@ privileged_events(void **state) {
 #endif
 
 	/* We're waiting for *all* variables to be set */
+	LOCK(&lock);
 	while ((a == 0 || b == 0 || c == 0 || d == 0 || e == 0) && i++ < 5000) {
+		UNLOCK(&lock);
 #ifndef ISC_PLATFORM_USETHREADS
 		while (isc__taskmgr_ready(taskmgr))
 			isc__taskmgr_dispatch(taskmgr);
 #endif
 		isc_test_nap(1000);
+		LOCK(&lock);
 	}
 
 	/*
@@ -311,6 +338,7 @@ privileged_events(void **state) {
 	assert_true(e >= 4);
 
 	assert_int_equal(counter, 6);
+	UNLOCK(&lock);
 
 	isc_task_setprivilege(task1, false);
 	assert_false(isc_task_privilege(task1));
@@ -364,7 +392,9 @@ privilege_drop(void **state) {
 				   set_and_drop, &a, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(a, -1);
+	UNLOCK(&lock);
 	isc_task_send(task1, &event);
 
 	/* Second event: not privileged */
@@ -372,7 +402,9 @@ privilege_drop(void **state) {
 				   set_and_drop, &b, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(b, -1);
+	UNLOCK(&lock);
 	isc_task_send(task2, &event);
 
 	/* Third event: privileged */
@@ -380,7 +412,9 @@ privilege_drop(void **state) {
 				   set_and_drop, &c, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(c, -1);
+	UNLOCK(&lock);
 	isc_task_send(task1, &event);
 
 	/* Fourth event: privileged */
@@ -388,7 +422,9 @@ privilege_drop(void **state) {
 				   set_and_drop, &d, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(d, -1);
+	UNLOCK(&lock);
 	isc_task_send(task1, &event);
 
 	/* Fifth event: not privileged */
@@ -396,7 +432,9 @@ privilege_drop(void **state) {
 				   set_and_drop, &e, sizeof (isc_event_t));
 	assert_non_null(event);
 
+	LOCK(&lock);
 	assert_int_equal(e, -1);
+	UNLOCK(&lock);
 	isc_task_send(task2, &event);
 
 	assert_int_equal(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_normal);
@@ -408,13 +446,16 @@ privilege_drop(void **state) {
 #endif
 
 	/* We're waiting for all variables to be set. */
+	LOCK(&lock);
 	while ((a == -1 || b == -1 || c == -1 || d == -1 || e == -1) &&
 	       i++ < 5000) {
+		UNLOCK(&lock);
 #ifndef ISC_PLATFORM_USETHREADS
 		while (isc__taskmgr_ready(taskmgr))
 			isc__taskmgr_dispatch(taskmgr);
 #endif
 		isc_test_nap(1000);
+		LOCK(&lock);
 	}
 
 	/*
@@ -432,6 +473,7 @@ privilege_drop(void **state) {
 
 	/* ...but all five of them did run. */
 	assert_int_equal(counter, 6);
+	UNLOCK(&lock);
 
 	assert_int_equal(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_normal);
 
@@ -624,7 +666,9 @@ exclusive_cb(isc_task_t *task, isc_event_t *event) {
 		}
 
 		isc_task_endexclusive(task);
+		LOCK(&lock);
 		done = true;
+		UNLOCK(&lock);
 	} else {
 		active[taskno]++;
 		(void) spin(10000000);
@@ -635,12 +679,14 @@ exclusive_cb(isc_task_t *task, isc_event_t *event) {
 		print_message("# task exit %d\n", taskno);
 	}
 
+	LOCK(&lock);
 	if (done) {
 		isc_mem_put(event->ev_destroy_arg, event->ev_arg, sizeof (int));
 		isc_event_free(&event);
 	} else {
 		isc_task_send(task, &event);
 	}
+	UNLOCK(&lock);
 }
 
 static void
@@ -745,6 +791,9 @@ manytasks(void **state) {
 			      (unsigned long)ntasks);
 	}
 
+	result = isc_mutex_init(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
 	result = isc_condition_init(&cv);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
@@ -755,7 +804,9 @@ manytasks(void **state) {
 	result = isc_taskmgr_create(mctx, 4, 0, &taskmgr);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
+	LOCK(&lock);
 	done = false;
+	UNLOCK(&lock);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, maxtask_cb,
 				   (void *)ntasks, sizeof(*event));
@@ -766,10 +817,14 @@ manytasks(void **state) {
 	while (!done) {
 		WAIT(&cv, &lock);
 	}
+	UNLOCK(&lock);
 
 	isc_taskmgr_destroy(&taskmgr);
 	isc_mem_destroy(&mctx);
 	isc_condition_destroy(&cv);
+
+	result = isc_mutex_destroy(&lock);
+	assert_int_equal(result, ISC_R_SUCCESS);
 }
 
 /*
@@ -787,9 +842,11 @@ static void
 sd_sde1(isc_task_t *task, isc_event_t *event) {
 	UNUSED(task);
 
+	LOCK(&lock);
 	assert_int_equal(nevents, 256);
 	assert_int_equal(nsdevents, 1);
 	++nsdevents;
+	UNLOCK(&lock);
 
 	if (verbose) {
 		print_message("# shutdown 1\n");
@@ -797,16 +854,20 @@ sd_sde1(isc_task_t *task, isc_event_t *event) {
 
 	isc_event_free(&event);
 
+	LOCK(&lock);
 	all_done = true;
+	UNLOCK(&lock);
 }
 
 static void
 sd_sde2(isc_task_t *task, isc_event_t *event) {
 	UNUSED(task);
 
+	LOCK(&lock);
 	assert_int_equal(nevents, 256);
 	assert_int_equal(nsdevents, 0);
 	++nsdevents;
+	UNLOCK(&lock);
 
 	if (verbose) {
 		print_message("# shutdown 2\n");
@@ -855,12 +916,11 @@ shutdown(void **state) {
 
 	UNUSED(state);
 
+	LOCK(&lock);
 	nevents = nsdevents = 0;
 	event_type = 3;
 	ready = false;
 
-	LOCK(&lock);
-
 	result = isc_task_create(taskmgr, 0, &task);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
@@ -901,11 +961,15 @@ shutdown(void **state) {
 	SIGNAL(&cv);
 	UNLOCK(&lock);
 
+	LOCK(&lock);
 	while (!all_done) {
+		UNLOCK(&lock);
 		isc_test_nap(1000);
+		LOCK(&lock);
 	}
 
 	assert_int_equal(nsdevents, 2);
+	UNLOCK(&lock);
 }
 
 /*
@@ -944,14 +1008,13 @@ post_shutdown(void **state) {
 
 	UNUSED(state);
 
+	LOCK(&lock);
 	done = false;
 	event_type = 4;
 
 	result = isc_condition_init(&cv);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	LOCK(&lock);
-
 	task = NULL;
 	result = isc_task_create(taskmgr, 0, &task);
 	assert_int_equal(result, ISC_R_SUCCESS);
@@ -1039,6 +1102,7 @@ pg_event2(isc_task_t *task, isc_event_t *event) {
 		tag_match = true;
 	}
 
+	LOCK(&lock);
 	if (sender_match && type_match && tag_match) {
 		if ((event->ev_attributes & ISC_EVENTATTR_NOPURGE) != 0) {
 			if (verbose) {
@@ -1058,6 +1122,7 @@ pg_event2(isc_task_t *task, isc_event_t *event) {
 	} else {
 		++eventcnt;
 	}
+	UNLOCK(&lock);
 
 	isc_event_free(&event);
 }
@@ -1085,9 +1150,11 @@ test_purge(int sender, int type, int tag, int exp_purged) {
 	int sender_cnt, type_cnt, tag_cnt, event_cnt, i;
 	int purged = 0;
 
+	LOCK(&lock);
 	started = false;
 	done = false;
 	eventcnt = 0;
+	UNLOCK(&lock);
 
 	result = isc_condition_init(&cv);
 	assert_int_equal(result, ISC_R_SUCCESS);
@@ -1357,7 +1424,9 @@ static void
 pge_event2(isc_task_t *task, isc_event_t *event) {
 	UNUSED(task);
 
+	LOCK(&lock);
 	++eventcnt;
+	UNLOCK(&lock);
 	isc_event_free(&event);
 }
 
@@ -1385,9 +1454,11 @@ try_purgeevent(bool purgeable) {
 	isc_time_t now;
 	isc_interval_t interval;
 
+	LOCK(&lock);
 	started = false;
 	done = false;
 	eventcnt = 0;
+	UNLOCK(&lock);
 
 	result = isc_condition_init(&cv);
 	assert_int_equal(result, ISC_R_SUCCESS);
@@ -1431,12 +1502,14 @@ try_purgeevent(bool purgeable) {
 	SIGNAL(&cv);
 
 	isc_task_shutdown(task);
+	UNLOCK(&lock);
 
 	isc_interval_set(&interval, 5, 0);
 
 	/*
 	 * Wait for shutdown processing to complete.
 	 */
+	LOCK(&lock);
 	while (!done) {
 		result = isc_time_nowplusinterval(&now, &interval);
 		assert_int_equal(result, ISC_R_SUCCESS);
@@ -1448,7 +1521,9 @@ try_purgeevent(bool purgeable) {
 
 	isc_task_detach(&task);
 
+	LOCK(&lock);
 	assert_int_equal(eventcnt, (purgeable ? 0 : 1));
+	UNLOCK(&lock);
 }
 
 /*
@@ -1504,10 +1579,31 @@ main(int argc, char **argv) {
 						_setup, _teardown),
 #endif
 	};
+	struct CMUnitTest selected[sizeof(tests) / sizeof(tests[0])];
+	size_t i;
 	int c;
 
-	while ((c = isc_commandline_parse(argc, argv, "v")) != -1) {
+	memset(selected, 0, sizeof(selected));
+
+	while ((c = isc_commandline_parse(argc, argv, "lt:v")) != -1) {
 		switch (c) {
+		case 'l':
+			for (i = 0; i < (sizeof(tests) / sizeof(tests[0])); i++)
+			{
+				if (tests[i].name != NULL) {
+					fprintf(stdout, "%s\n", tests[i].name);
+				}
+			}
+			return (0);
+		case 't':
+			if (!cmocka_add_test_byname(
+				    tests, isc_commandline_argument, selected))
+			{
+				fprintf(stderr, "unknown test '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
 		case 'v':
 			verbose = true;
 			break;
@@ -1516,8 +1612,11 @@ main(int argc, char **argv) {
 		}
 	}
 
-
-	return (cmocka_run_group_tests(tests, NULL, NULL));
+	if (selected[0].name != NULL) {
+		return (cmocka_run_group_tests(selected, NULL, NULL));
+	} else {
+		return (cmocka_run_group_tests(tests, NULL, NULL));
+	}
 }
 
 #else /* HAVE_CMOCKA */
diff --git a/bind/bind9/lib/isc/tests/taskpool_test.c b/bind/bind9/lib/isc/tests/taskpool_test.c
index b4cc549b..0dcae254 100644
--- a/bind/bind9/lib/isc/tests/taskpool_test.c
+++ b/bind/bind9/lib/isc/tests/taskpool_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/time_test.c b/bind/bind9/lib/isc/tests/time_test.c
index f9b03d57..c10ac7bf 100644
--- a/bind/bind9/lib/isc/tests/time_test.c
+++ b/bind/bind9/lib/isc/tests/time_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/tests/timer_test.c b/bind/bind9/lib/isc/tests/timer_test.c
index c53c4ca8..b64edbdf 100644
--- a/bind/bind9/lib/isc/tests/timer_test.c
+++ b/bind/bind9/lib/isc/tests/timer_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,6 +13,7 @@
 
 #if HAVE_CMOCKA
 
+#include <inttypes.h>
 #include <stdarg.h>
 #include <stddef.h>
 #include <setjmp.h>
@@ -108,6 +109,7 @@ setup_test(isc_timertype_t timertype, isc_time_t *expires,
 {
 	isc_result_t result;
 	isc_task_t *task = NULL;
+
 	isc_time_settoepoch(&endtime);
 	eventcnt = 0;
 
@@ -158,6 +160,7 @@ ticktock(isc_task_t *task, isc_event_t *event) {
 	isc_interval_t interval;
 	isc_eventtype_t expected_event_type;
 
+	LOCK(&mx);
 	++eventcnt;
 
 	if (verbose) {
@@ -165,7 +168,7 @@ ticktock(isc_task_t *task, isc_event_t *event) {
 	}
 
 	expected_event_type = ISC_TIMEREVENT_LIFE;
-	if ((isc_timertype_t) event->ev_arg == isc_timertype_ticker) {
+	if ((uintptr_t)event->ev_arg == isc_timertype_ticker) {
 		expected_event_type = ISC_TIMEREVENT_TICK;
 	}
 
@@ -198,6 +201,7 @@ ticktock(isc_task_t *task, isc_event_t *event) {
 		isc_timer_detach(&timer);
 		isc_task_shutdown(task);
 	}
+	UNLOCK(&mx);
 
 	isc_event_free(&event);
 }
@@ -255,11 +259,13 @@ test_idle(isc_task_t *task, isc_event_t *event) {
 	isc_time_t llim;
 	isc_interval_t interval;
 
+	LOCK(&mx);
 	++eventcnt;
 
 	if (verbose) {
 		print_message("# tick %d\n", eventcnt);
 	}
+	UNLOCK(&mx);
 
 	result = isc_time_now(&now);
 	assert_int_equal(result, ISC_R_SUCCESS);
@@ -319,6 +325,7 @@ test_reset(isc_task_t *task, isc_event_t *event) {
 	isc_time_t expires;
 	isc_interval_t interval;
 
+	LOCK(&mx);
 	++eventcnt;
 
 	if (verbose) {
@@ -367,6 +374,7 @@ test_reset(isc_task_t *task, isc_event_t *event) {
 		isc_timer_detach(&timer);
 		isc_task_shutdown(task);
 	}
+	UNLOCK(&mx);
 
 	isc_event_free(&event);
 }
@@ -425,6 +433,7 @@ tick_event(isc_task_t *task, isc_event_t *event) {
 
 	UNUSED(task);
 
+	LOCK(&mx);
 	++eventcnt;
 	if (verbose) {
 		print_message("# tick_event %d\n", eventcnt);
@@ -443,6 +452,7 @@ tick_event(isc_task_t *task, isc_event_t *event) {
 
 		isc_task_shutdown(task);
 	}
+	UNLOCK(&mx);
 
 	isc_event_free(&event);
 }
@@ -560,10 +570,10 @@ purge(void **state) {
 		assert_int_equal(result, ISC_R_SUCCESS);
 	}
 
-	UNLOCK(&mx);
-
 	assert_int_equal(eventcnt, 1);
 
+	UNLOCK(&mx);
+
 	isc_timer_detach(&tickertimer);
 	isc_timer_detach(&oncetimer);
 	isc_task_destroy(&task1);
diff --git a/bind/bind9/lib/isc/timer.c b/bind/bind9/lib/isc/timer.c
index 2baa9e6e..e6d9aa8c 100644
--- a/bind/bind9/lib/isc/timer.c
+++ b/bind/bind9/lib/isc/timer.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -377,11 +377,15 @@ isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
 		  isc_task_t *task, isc_taskaction_t action, void *arg,
 		  isc_timer_t **timerp)
 {
-	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+	isc__timermgr_t *manager;
 	isc__timer_t *timer;
 	isc_result_t result;
 	isc_time_t now;
 
+	REQUIRE(VALID_MANAGER(manager0));
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
 	/*
 	 * Create a new 'type' timer managed by 'manager'.  The timers
 	 * parameters are specified by 'expires' and 'interval'.  Events
@@ -389,10 +393,7 @@ isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
 	 * called with 'arg' as the arg value.  The new timer is returned
 	 * in 'timerp'.
 	 */
-
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(task != NULL);
-	REQUIRE(action != NULL);
+	manager = (isc__timermgr_t *)manager0;
 	if (expires == NULL)
 		expires = isc_time_epoch;
 	if (interval == NULL)
@@ -498,7 +499,7 @@ isc__timer_reset(isc_timer_t *timer0, isc_timertype_t type,
 		 const isc_time_t *expires, const isc_interval_t *interval,
 		 bool purge)
 {
-	isc__timer_t *timer = (isc__timer_t *)timer0;
+	isc__timer_t *timer;
 	isc_time_t now;
 	isc__timermgr_t *manager;
 	isc_result_t result;
@@ -509,7 +510,8 @@ isc__timer_reset(isc_timer_t *timer0, isc_timertype_t type,
 	 * are purged from its task's event queue.
 	 */
 
-	REQUIRE(VALID_TIMER(timer));
+	REQUIRE(VALID_TIMER(timer0));
+	timer = (isc__timer_t *)timer0;
 	manager = timer->manager;
 	REQUIRE(VALID_MANAGER(manager));
 
@@ -571,10 +573,11 @@ isc__timer_reset(isc_timer_t *timer0, isc_timertype_t type,
 
 isc_timertype_t
 isc_timer_gettype(isc_timer_t *timer0) {
-	isc__timer_t *timer = (isc__timer_t *)timer0;
+	isc__timer_t *timer;
 	isc_timertype_t t;
 
-	REQUIRE(VALID_TIMER(timer));
+	REQUIRE(VALID_TIMER(timer0));
+	timer = (isc__timer_t *)timer0;
 
 	LOCK(&timer->lock);
 	t = timer->type;
@@ -585,7 +588,7 @@ isc_timer_gettype(isc_timer_t *timer0) {
 
 isc_result_t
 isc__timer_touch(isc_timer_t *timer0) {
-	isc__timer_t *timer = (isc__timer_t *)timer0;
+	isc__timer_t *timer;
 	isc_result_t result;
 	isc_time_t now;
 
@@ -593,7 +596,8 @@ isc__timer_touch(isc_timer_t *timer0) {
 	 * Set the last-touched time of 'timer' to the current time.
 	 */
 
-	REQUIRE(VALID_TIMER(timer));
+	REQUIRE(VALID_TIMER(timer0));
+	timer = (isc__timer_t *)timer0;
 
 	LOCK(&timer->lock);
 
@@ -616,13 +620,14 @@ isc__timer_touch(isc_timer_t *timer0) {
 
 void
 isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp) {
-	isc__timer_t *timer = (isc__timer_t *)timer0;
+	isc__timer_t *timer;
 
 	/*
 	 * Attach *timerp to timer.
 	 */
 
-	REQUIRE(VALID_TIMER(timer));
+	REQUIRE(VALID_TIMER(timer0));
+	timer = (isc__timer_t *)timer0;
 	REQUIRE(timerp != NULL && *timerp == NULL);
 
 	LOCK(&timer->lock);
@@ -842,8 +847,8 @@ static void
 set_index(void *what, unsigned int index) {
 	isc__timer_t *timer;
 
+	REQUIRE(VALID_TIMER(what));
 	timer = what;
-	REQUIRE(VALID_TIMER(timer));
 
 	timer->index = index;
 }
@@ -933,9 +938,10 @@ isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 void
 isc_timermgr_poke(isc_timermgr_t *manager0) {
 #ifdef USE_TIMER_THREAD
-	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+	isc__timermgr_t *manager;
 
-	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(VALID_MANAGER(manager0));
+	manager = (isc__timermgr_t *)manager0;
 
 	SIGNAL(&manager->wakeup);
 #else
diff --git a/bind/bind9/lib/isc/timer_p.h b/bind/bind9/lib/isc/timer_p.h
index 815f6115..ac11582e 100644
--- a/bind/bind9/lib/isc/timer_p.h
+++ b/bind/bind9/lib/isc/timer_p.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: timer_p.h,v 1.12 2009/09/02 23:48:02 tbox Exp $ */
-
 #ifndef ISC_TIMER_P_H
 #define ISC_TIMER_P_H
 
diff --git a/bind/bind9/lib/isc/tm.c b/bind/bind9/lib/isc/tm.c
index 338157ad..d51d0b22 100644
--- a/bind/bind9/lib/isc/tm.c
+++ b/bind/bind9/lib/isc/tm.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/Makefile.in b/bind/bind9/lib/isc/unix/Makefile.in
index bdd7bfd6..eff55250 100644
--- a/bind/bind9/lib/isc/unix/Makefile.in
+++ b/bind/bind9/lib/isc/unix/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/app.c b/bind/bind9/lib/isc/unix/app.c
index a6e9882a..8189c635 100644
--- a/bind/bind9/lib/isc/unix/app.c
+++ b/bind/bind9/lib/isc/unix/app.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -743,8 +743,12 @@ isc__app_ctxrun(isc_appctx_t *ctx0) {
 			return (ISC_R_RELOAD);
 		}
 
-		if (ctx->want_shutdown && ctx->blocked)
+		LOCK(&ctx->lock);
+		if (ctx->want_shutdown && ctx->blocked) {
+			UNLOCK(&ctx->lock);
 			exit(1);
+		}
+		UNLOCK(&ctx->lock);
 	}
 
 	return (ISC_R_SUCCESS);
@@ -930,10 +934,14 @@ isc__app_block(void) {
 #ifdef ISC_PLATFORM_USETHREADS
 	sigset_t sset;
 #endif /* ISC_PLATFORM_USETHREADS */
+
+	LOCK(&isc_g_appctx.lock);
+
 	REQUIRE(isc_g_appctx.running);
 	REQUIRE(!isc_g_appctx.blocked);
 
 	isc_g_appctx.blocked = true;
+	UNLOCK(&isc_g_appctx.lock);
 #ifdef ISC_PLATFORM_USETHREADS
 	blockedthread = pthread_self();
 	RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
@@ -949,10 +957,13 @@ isc__app_unblock(void) {
 	sigset_t sset;
 #endif /* ISC_PLATFORM_USETHREADS */
 
+	LOCK(&isc_g_appctx.lock);
+
 	REQUIRE(isc_g_appctx.running);
 	REQUIRE(isc_g_appctx.blocked);
 
 	isc_g_appctx.blocked = false;
+	UNLOCK(&isc_g_appctx.lock);
 
 #ifdef ISC_PLATFORM_USETHREADS
 	REQUIRE(blockedthread == pthread_self());
@@ -996,7 +1007,9 @@ isc__appctx_destroy(isc_appctx_t **ctxp) {
 	isc__appctx_t *ctx;
 
 	REQUIRE(ctxp != NULL);
+
 	ctx = (isc__appctx_t *)*ctxp;
+
 	REQUIRE(VALID_APPCTX(ctx));
 
 	isc_mem_putanddetach(&ctx->mctx, ctx, sizeof(*ctx));
@@ -1006,27 +1019,33 @@ isc__appctx_destroy(isc_appctx_t **ctxp) {
 
 void
 isc__appctx_settaskmgr(isc_appctx_t *ctx0, isc_taskmgr_t *taskmgr) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	isc__appctx_t *ctx;
 
-	REQUIRE(VALID_APPCTX(ctx));
+	REQUIRE(VALID_APPCTX(ctx0));
+
+	ctx = (isc__appctx_t *)ctx0;
 
 	ctx->taskmgr = taskmgr;
 }
 
 void
 isc__appctx_setsocketmgr(isc_appctx_t *ctx0, isc_socketmgr_t *socketmgr) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	isc__appctx_t *ctx;
 
-	REQUIRE(VALID_APPCTX(ctx));
+	REQUIRE(VALID_APPCTX(ctx0));
+
+	ctx = (isc__appctx_t *)ctx0;
 
 	ctx->socketmgr = socketmgr;
 }
 
 void
 isc__appctx_settimermgr(isc_appctx_t *ctx0, isc_timermgr_t *timermgr) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	isc__appctx_t *ctx;
 
-	REQUIRE(VALID_APPCTX(ctx));
+	REQUIRE(VALID_APPCTX(ctx0));
+
+	ctx = (isc__appctx_t *)ctx0;
 
 	ctx->timermgr = timermgr;
 }
diff --git a/bind/bind9/lib/isc/unix/dir.c b/bind/bind9/lib/isc/unix/dir.c
index dae0e66b..bb87952f 100644
--- a/bind/bind9/lib/isc/unix/dir.c
+++ b/bind/bind9/lib/isc/unix/dir.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/entropy.c b/bind/bind9/lib/isc/unix/entropy.c
index 18eb9388..cf51c0a4 100644
--- a/bind/bind9/lib/isc/unix/entropy.c
+++ b/bind/bind9/lib/isc/unix/entropy.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/errno.c b/bind/bind9/lib/isc/unix/errno.c
index a2445f3e..27715ac4 100644
--- a/bind/bind9/lib/isc/unix/errno.c
+++ b/bind/bind9/lib/isc/unix/errno.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/errno2result.c b/bind/bind9/lib/isc/unix/errno2result.c
index 32502e04..dc294d41 100644
--- a/bind/bind9/lib/isc/unix/errno2result.c
+++ b/bind/bind9/lib/isc/unix/errno2result.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/errno2result.h b/bind/bind9/lib/isc/unix/errno2result.h
index 7733ab33..17319d8c 100644
--- a/bind/bind9/lib/isc/unix/errno2result.h
+++ b/bind/bind9/lib/isc/unix/errno2result.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/file.c b/bind/bind9/lib/isc/unix/file.c
index f6acf2aa..810279bd 100644
--- a/bind/bind9/lib/isc/unix/file.c
+++ b/bind/bind9/lib/isc/unix/file.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/fsaccess.c b/bind/bind9/lib/isc/unix/fsaccess.c
index e3cd0bf7..4373c328 100644
--- a/bind/bind9/lib/isc/unix/fsaccess.c
+++ b/bind/bind9/lib/isc/unix/fsaccess.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/ifiter_getifaddrs.c b/bind/bind9/lib/isc/unix/ifiter_getifaddrs.c
index de6f060d..0b18604c 100644
--- a/bind/bind9/lib/isc/unix/ifiter_getifaddrs.c
+++ b/bind/bind9/lib/isc/unix/ifiter_getifaddrs.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -131,8 +131,8 @@ internal_current(isc_interfaceiter_t *iter) {
 		return (linux_if_inet6_current(iter));
 #endif
 
-	INSIST(ifa != NULL);
-	INSIST(ifa->ifa_name != NULL);
+	REQUIRE(iter->pos != NULL);
+	REQUIRE(iter->pos->ifa_name != NULL);
 
 	if (ifa->ifa_addr == NULL)
 		return (ISC_R_IGNORE);
@@ -207,6 +207,7 @@ internal_next(isc_interfaceiter_t *iter) {
 
 static void
 internal_destroy(isc_interfaceiter_t *iter) {
+	REQUIRE(VALID_IFITER(iter));
 
 #ifdef __linux
 	if (iter->proc != NULL)
diff --git a/bind/bind9/lib/isc/unix/ifiter_ioctl.c b/bind/bind9/lib/isc/unix/ifiter_ioctl.c
index 9702faea..b0f7298d 100644
--- a/bind/bind9/lib/isc/unix/ifiter_ioctl.c
+++ b/bind/bind9/lib/isc/unix/ifiter_ioctl.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/ifiter_sysctl.c b/bind/bind9/lib/isc/unix/ifiter_sysctl.c
index ebbefe90..b039c730 100644
--- a/bind/bind9/lib/isc/unix/ifiter_sysctl.c
+++ b/bind/bind9/lib/isc/unix/ifiter_sysctl.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/Makefile.in b/bind/bind9/lib/isc/unix/include/Makefile.in
index 2cbf021b..963ff42a 100644
--- a/bind/bind9/lib/isc/unix/include/Makefile.in
+++ b/bind/bind9/lib/isc/unix/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/Makefile.in b/bind/bind9/lib/isc/unix/include/isc/Makefile.in
index 977defe5..e1ded8eb 100644
--- a/bind/bind9/lib/isc/unix/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/unix/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/dir.h b/bind/bind9/lib/isc/unix/include/isc/dir.h
index 69326a57..481120e6 100644
--- a/bind/bind9/lib/isc/unix/include/isc/dir.h
+++ b/bind/bind9/lib/isc/unix/include/isc/dir.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/keyboard.h b/bind/bind9/lib/isc/unix/include/isc/keyboard.h
index 4dc8745f..05fa5116 100644
--- a/bind/bind9/lib/isc/unix/include/isc/keyboard.h
+++ b/bind/bind9/lib/isc/unix/include/isc/keyboard.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/net.h b/bind/bind9/lib/isc/unix/include/isc/net.h
index 08be5907..a859b140 100644
--- a/bind/bind9/lib/isc/unix/include/isc/net.h
+++ b/bind/bind9/lib/isc/unix/include/isc/net.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/netdb.h b/bind/bind9/lib/isc/unix/include/isc/netdb.h
index 5aaa9f62..2ee0a95a 100644
--- a/bind/bind9/lib/isc/unix/include/isc/netdb.h
+++ b/bind/bind9/lib/isc/unix/include/isc/netdb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/offset.h b/bind/bind9/lib/isc/unix/include/isc/offset.h
index cf57292a..1c989bdc 100644
--- a/bind/bind9/lib/isc/unix/include/isc/offset.h
+++ b/bind/bind9/lib/isc/unix/include/isc/offset.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/stat.h b/bind/bind9/lib/isc/unix/include/isc/stat.h
index 24c4ce5e..d17e76db 100644
--- a/bind/bind9/lib/isc/unix/include/isc/stat.h
+++ b/bind/bind9/lib/isc/unix/include/isc/stat.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/stdtime.h b/bind/bind9/lib/isc/unix/include/isc/stdtime.h
index cffe39a1..3b08ceaa 100644
--- a/bind/bind9/lib/isc/unix/include/isc/stdtime.h
+++ b/bind/bind9/lib/isc/unix/include/isc/stdtime.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/strerror.h b/bind/bind9/lib/isc/unix/include/isc/strerror.h
index fa0e429d..47787297 100644
--- a/bind/bind9/lib/isc/unix/include/isc/strerror.h
+++ b/bind/bind9/lib/isc/unix/include/isc/strerror.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/syslog.h b/bind/bind9/lib/isc/unix/include/isc/syslog.h
index e0b8e859..98625bfd 100644
--- a/bind/bind9/lib/isc/unix/include/isc/syslog.h
+++ b/bind/bind9/lib/isc/unix/include/isc/syslog.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/isc/time.h b/bind/bind9/lib/isc/unix/include/isc/time.h
index b864c29a..03512c16 100644
--- a/bind/bind9/lib/isc/unix/include/isc/time.h
+++ b/bind/bind9/lib/isc/unix/include/isc/time.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/include/pkcs11/Makefile.in b/bind/bind9/lib/isc/unix/include/pkcs11/Makefile.in
index 420fec13..4ef34cdb 100644
--- a/bind/bind9/lib/isc/unix/include/pkcs11/Makefile.in
+++ b/bind/bind9/lib/isc/unix/include/pkcs11/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/interfaceiter.c b/bind/bind9/lib/isc/unix/interfaceiter.c
index deafe4ed..29cceea9 100644
--- a/bind/bind9/lib/isc/unix/interfaceiter.c
+++ b/bind/bind9/lib/isc/unix/interfaceiter.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -292,9 +292,11 @@ void
 isc_interfaceiter_destroy(isc_interfaceiter_t **iterp)
 {
 	isc_interfaceiter_t *iter;
+
 	REQUIRE(iterp != NULL);
+	REQUIRE(VALID_IFITER((*iterp)));
+
 	iter = *iterp;
-	REQUIRE(VALID_IFITER(iter));
 
 	internal_destroy(iter);
 	if (iter->buf != NULL)
diff --git a/bind/bind9/lib/isc/unix/ipv6.c b/bind/bind9/lib/isc/unix/ipv6.c
index eb77377a..76c4c41f 100644
--- a/bind/bind9/lib/isc/unix/ipv6.c
+++ b/bind/bind9/lib/isc/unix/ipv6.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/keyboard.c b/bind/bind9/lib/isc/unix/keyboard.c
index cb5f1163..5525c953 100644
--- a/bind/bind9/lib/isc/unix/keyboard.c
+++ b/bind/bind9/lib/isc/unix/keyboard.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/meminfo.c b/bind/bind9/lib/isc/unix/meminfo.c
index 2b5510bd..1620aa42 100644
--- a/bind/bind9/lib/isc/unix/meminfo.c
+++ b/bind/bind9/lib/isc/unix/meminfo.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -34,7 +34,14 @@ isc_meminfo_totalphys(void) {
 		return (size);
 #endif
 #if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE)
-	return ((size_t) (sysconf(_SC_PHYS_PAGES) * sysconf(_SC_PAGESIZE)));
-#endif
+	long pages = sysconf(_SC_PHYS_PAGES);
+	long pagesize = sysconf(_SC_PAGESIZE);
+
+	if (pages == -1 || pagesize == -1) {
+		return (0);
+	}
+
+	return ((size_t)pages * pagesize);
+#endif /* if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE) */
 	return (0);
 }
diff --git a/bind/bind9/lib/isc/unix/net.c b/bind/bind9/lib/isc/unix/net.c
index fa3905a6..9e7d43ec 100644
--- a/bind/bind9/lib/isc/unix/net.c
+++ b/bind/bind9/lib/isc/unix/net.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/os.c b/bind/bind9/lib/isc/unix/os.c
index 8cff6b66..cd262653 100644
--- a/bind/bind9/lib/isc/unix/os.c
+++ b/bind/bind9/lib/isc/unix/os.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/pk11_api.c b/bind/bind9/lib/isc/unix/pk11_api.c
index bbc55afe..6d2d2b2c 100644
--- a/bind/bind9/lib/isc/unix/pk11_api.c
+++ b/bind/bind9/lib/isc/unix/pk11_api.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -40,7 +40,7 @@ pkcs_C_Initialize(CK_VOID_PTR pReserved) {
 	CK_C_Initialize sym;
 
 	if (hPK11 != NULL)
-		return (CKR_LIBRARY_ALREADY_INITIALIZED);
+		return (CKR_CRYPTOKI_ALREADY_INITIALIZED);
 
 	hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
 
@@ -48,11 +48,11 @@ pkcs_C_Initialize(CK_VOID_PTR pReserved) {
 		snprintf(loaderrmsg, sizeof(loaderrmsg),
 			 "dlopen(\"%s\") failed: %s\n",
 			 pk11_get_lib_name(), dlerror());
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	}
 	sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(pReserved);
 }
 
@@ -66,13 +66,13 @@ pkcs_C_Finalize(CK_VOID_PTR pReserved) {
 	CK_RV rv;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	rv = (*sym)(pReserved);
 	if ((rv == CKR_OK) && (dlclose(hPK11) != 0))
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	hPK11 = NULL;
 	return (rv);
 }
@@ -85,13 +85,13 @@ pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(tokenPresent, pSlotList, pulCount);
 }
 
@@ -101,13 +101,13 @@ pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(slotID, pInfo);
 }
 
@@ -119,14 +119,14 @@ pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_GetMechanismInfo)dlsym(hPK11,
 						   "C_GetMechanismInfo");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(slotID, type, pInfo);
 }
 
@@ -147,14 +147,14 @@ pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
 		snprintf(loaderrmsg, sizeof(loaderrmsg),
 			 "dlopen(\"%s\") failed: %s\n",
 			 pk11_get_lib_name(), dlerror());
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	}
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(slotID, flags, pApplication, Notify, phSession);
 }
 
@@ -164,13 +164,13 @@ pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession);
 }
 
@@ -182,13 +182,13 @@ pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_Login)dlsym(hPK11, "C_Login");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, userType, pPin, usPinLen);
 }
 
@@ -198,13 +198,13 @@ pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_Logout)dlsym(hPK11, "C_Logout");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession);
 }
 
@@ -216,13 +216,13 @@ pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pTemplate, usCount, phObject);
 }
 
@@ -232,13 +232,13 @@ pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, hObject);
 }
 
@@ -250,14 +250,14 @@ pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_GetAttributeValue)dlsym(hPK11,
 						    "C_GetAttributeValue");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, hObject, pTemplate, usCount);
 }
 
@@ -269,14 +269,14 @@ pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_SetAttributeValue)dlsym(hPK11,
 						    "C_SetAttributeValue");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, hObject, pTemplate, usCount);
 }
 
@@ -288,13 +288,13 @@ pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pTemplate, usCount);
 }
 
@@ -306,13 +306,13 @@ pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
 }
 
@@ -323,14 +323,14 @@ pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_FindObjectsFinal)dlsym(hPK11,
 						   "C_FindObjectsFinal");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession);
 }
 
@@ -342,13 +342,13 @@ pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_EncryptInit)dlsym(hPK11, "C_EncryptInit");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pMechanism, hKey);
 }
 
@@ -361,13 +361,13 @@ pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_Encrypt)dlsym(hPK11, "C_Encrypt");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pData, ulDataLen,
 		      pEncryptedData, pulEncryptedDataLen);
 }
@@ -378,13 +378,13 @@ pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) {
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pMechanism);
 }
 
@@ -396,13 +396,13 @@ pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pPart, ulPartLen);
 }
 
@@ -414,13 +414,13 @@ pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pDigest, pulDigestLen);
 }
 
@@ -432,13 +432,13 @@ pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pMechanism, hKey);
 }
 
@@ -451,13 +451,13 @@ pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_Sign)dlsym(hPK11, "C_Sign");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
 }
 
@@ -469,13 +469,13 @@ pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pPart, ulPartLen);
 }
 
@@ -487,13 +487,13 @@ pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pSignature, pulSignatureLen);
 }
 
@@ -505,13 +505,13 @@ pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pMechanism, hKey);
 }
 
@@ -524,13 +524,13 @@ pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_Verify)dlsym(hPK11, "C_Verify");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
 }
 
@@ -542,13 +542,13 @@ pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pPart, ulPartLen);
 }
 
@@ -560,13 +560,13 @@ pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pSignature, ulSignatureLen);
 }
 
@@ -579,13 +579,13 @@ pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey);
 }
 
@@ -603,13 +603,13 @@ pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession,
 		      pMechanism,
 		      pPublicKeyTemplate,
@@ -629,13 +629,13 @@ pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession,
 		      pMechanism,
 		      hBaseKey,
@@ -652,13 +652,13 @@ pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, pSeed, ulSeedLen);
 }
 
@@ -670,12 +670,12 @@ pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
 	static void *pPK11 = NULL;
 
 	if (hPK11 == NULL)
-		return (CKR_LIBRARY_FAILED_TO_LOAD);
+		return (CKR_LIBRARY_LOAD_FAILED);
 	if ((sym == NULL) || (hPK11 != pPK11)) {
 		pPK11 = hPK11;
 		sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom");
 	}
 	if (sym == NULL)
-		return (CKR_SYMBOL_RESOLUTION_FAILED);
+		return (CKR_FUNCTION_NOT_SUPPORTED);
 	return (*sym)(hSession, RandomData, ulRandomLen);
 }
diff --git a/bind/bind9/lib/isc/unix/resource.c b/bind/bind9/lib/isc/unix/resource.c
index eaebf025..7bc11818 100644
--- a/bind/bind9/lib/isc/unix/resource.c
+++ b/bind/bind9/lib/isc/unix/resource.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/socket.c b/bind/bind9/lib/isc/unix/socket.c
index df1e5053..2293baa1 100644
--- a/bind/bind9/lib/isc/unix/socket.c
+++ b/bind/bind9/lib/isc/unix/socket.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -957,8 +957,10 @@ watch_fd(isc__socketmgr_t *manager, int fd, int msg) {
 	uint32_t oldevents;
 	int ret;
 	int op;
+	int lockid = FDLOCK_ID(fd);
 
 	oldevents = manager->epoll_events[fd];
+	LOCK(&manager->fdlock[lockid]);
 	if (msg == SELECT_POKE_READ)
 		manager->epoll_events[fd] |= EPOLLIN;
 	else
@@ -969,7 +971,18 @@ watch_fd(isc__socketmgr_t *manager, int fd, int msg) {
 	event.data.fd = fd;
 
 	op = (oldevents == 0U) ? EPOLL_CTL_ADD : EPOLL_CTL_MOD;
+#ifdef USE_WATCHER_THREAD
+	if (manager->fds[fd] != NULL) {
+		LOCK(&manager->fds[fd]->lock);
+	}
+#endif
 	ret = epoll_ctl(manager->epoll_fd, op, fd, &event);
+#ifdef USE_WATCHER_THREAD
+	if (manager->fds[fd] != NULL) {
+		UNLOCK(&manager->fds[fd]->lock);
+	}
+#endif
+	UNLOCK(&manager->fdlock[lockid]);
 	if (ret == -1) {
 		if (errno == EEXIST)
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -1036,13 +1049,15 @@ unwatch_fd(isc__socketmgr_t *manager, int fd, int msg) {
 	struct epoll_event event;
 	int ret;
 	int op;
+	int lockid = FDLOCK_ID(fd);
 
+	LOCK(&manager->fdlock[lockid]);
 	if (msg == SELECT_POKE_READ)
 		manager->epoll_events[fd] &= ~(EPOLLIN);
 	else
 		manager->epoll_events[fd] &= ~(EPOLLOUT);
-
 	event.events = manager->epoll_events[fd];
+	UNLOCK(&manager->fdlock[lockid]);
 	memset(&event.data, 0, sizeof(event.data));
 	event.data.fd = fd;
 
@@ -1121,9 +1136,10 @@ wakeup_socket(isc__socketmgr_t *manager, int fd, int msg) {
 	INSIST(fd >= 0 && fd < (int)manager->maxsocks);
 
 	if (msg == SELECT_POKE_CLOSE) {
-		/* No one should be updating fdstate, so no need to lock it */
+		LOCK(&manager->fdlock[lockid]);
 		INSIST(manager->fdstate[fd] == CLOSE_PENDING);
 		manager->fdstate[fd] = CLOSED;
+		UNLOCK(&manager->fdlock[lockid]);
 		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
 		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
 		(void)close(fd);
@@ -2569,6 +2585,46 @@ set_tcp_maxseg(isc__socket_t *sock, int size) {
 #endif
 }
 
+static void
+set_ip_nopmtud(isc__socket_t *sock) {
+	/*
+	 * Disable the Path MTU Discovery on the socket
+	 */
+	if (sock->pf == AF_INET6) {
+#if defined(IPV6_DONTFRAG)
+		int off = 0;
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_DONTFRAG,
+				 &off, sizeof(off));
+#endif /* defined(IPV6_DONTFRAG) */
+#if defined(IPV6_MTU_DISCOVER)
+		int action;
+#if defined(IP_PMTUDISC_OMIT)
+		action = IP_PMTUDISC_OMIT;
+#else /* defined(IP_PMTUDISC_OMIT) */
+		action = IP_PMTUDISC_DONT;
+#endif /* defined(IP_PMTUDISC_OMIT) */
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+				 &action, sizeof(action));
+#endif /* defined(IPV6_MTU_DISCOVER) */
+	} else if (sock->pf == AF_INET) {
+#if defined(IP_DONTFRAG)
+		int off = 0;
+		(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG, &off,
+				 sizeof(off));
+#endif /* defined(IP_DONTFRAG) */
+#if defined(IP_MTU_DISCOVER)
+		int action;
+#if defined(IP_PMTUDISC_OMIT)
+		action = IP_PMTUDISC_OMIT;
+#else /* defined(IP_PMTUDISC_OMIT) */
+		action = IP_PMTUDISC_DONT;
+#endif /* defined(IP_PMTUDISC_OMIT) */
+		(void)setsockopt(sock->fd, IPPROTO_IP, IP_MTU_DISCOVER,
+				 &action, sizeof(action));
+#endif /* defined(IP_MTU_DISCOVER) */
+	}
+}
+
 static isc_result_t
 opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
 	   isc__socket_t *dup_socket)
@@ -2848,40 +2904,6 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
 #endif /* ISC_PLATFORM_HAVEIPV6 */
 #endif /* defined(USE_CMSG) */
 
-#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
-		/*
-		 * Turn off Path MTU discovery on IPv4/UDP sockets.
-		 * Prefer IP_PMTUDISC_OMIT over IP_PMTUDISC_DONT
-		 * if it available.
-		 */
-		if (sock->pf == AF_INET) {
-			int action;
-#if defined(IP_PMTUDISC_OMIT)
-			action = IP_PMTUDISC_OMIT;
-			if (setsockopt(sock->fd, IPPROTO_IP,
-				       IP_MTU_DISCOVER, &action,
-				       sizeof(action)) < 0) {
-#endif
-				action = IP_PMTUDISC_DONT;
-				(void)setsockopt(sock->fd, IPPROTO_IP,
-						 IP_MTU_DISCOVER,
-						 &action, sizeof(action));
-#if defined(IP_PMTUDISC_OMIT)
-			}
-#endif
-		}
-#endif
-#if defined(IP_DONTFRAG)
-		/*
-		 * Turn off Path MTU discovery on IPv4/UDP sockets.
-		 */
-		if (sock->pf == AF_INET) {
-			int off = 0;
-			(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG,
-					 &off, sizeof(off));
-		}
-#endif
-
 #if defined(SO_RCVBUF)
 		optlen = sizeof(size);
 		if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
@@ -2931,6 +2953,8 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
 #endif
 #endif /* defined(USE_CMSG) || defined(SO_RCVBUF) */
 
+	set_ip_nopmtud(sock);
+
 setup_done:
 	inc_stats(manager->stats, sock->statsindex[STATID_OPEN]);
 	if (sock->active == 0) {
@@ -4960,12 +4984,10 @@ isc__socketmgr_destroy(isc_socketmgr_t **managerp) {
 	if (manager->stats != NULL)
 		isc_stats_detach(&manager->stats);
 
-	if (manager->fdlock != NULL) {
-		for (i = 0; i < FDLOCK_COUNT; i++)
-			DESTROYLOCK(&manager->fdlock[i]);
-		isc_mem_put(manager->mctx, manager->fdlock,
-			    FDLOCK_COUNT * sizeof(isc_mutex_t));
-	}
+	for (i = 0; i < FDLOCK_COUNT; i++)
+		DESTROYLOCK(&manager->fdlock[i]);
+	isc_mem_put(manager->mctx, manager->fdlock,
+		    FDLOCK_COUNT * sizeof(isc_mutex_t));
 	DESTROYLOCK(&manager->lock);
 	manager->common.magic = 0;
 	manager->common.impmagic = 0;
@@ -5169,7 +5191,6 @@ socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 	    unsigned int flags)
 {
 	int io_state;
-	bool have_lock = false;
 	isc_task_t *ntask = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 
@@ -5195,12 +5216,10 @@ socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 		}
 	}
 
-	if (sock->type == isc_sockettype_udp)
+	LOCK(&sock->lock);
+	if (sock->type == isc_sockettype_udp) {
 		io_state = doio_send(sock, dev);
-	else {
-		LOCK(&sock->lock);
-		have_lock = true;
-
+	} else {
 		if (ISC_LIST_EMPTY(sock->send_list))
 			io_state = doio_send(sock, dev);
 		else
@@ -5217,11 +5236,6 @@ socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 			isc_task_attach(task, &ntask);
 			dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
 
-			if (!have_lock) {
-				LOCK(&sock->lock);
-				have_lock = true;
-			}
-
 			/*
 			 * Enqueue the request.  If the socket was previously
 			 * not being watched, poke the watcher to start
@@ -5251,8 +5265,7 @@ socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 		break;
 	}
 
-	if (have_lock)
-		UNLOCK(&sock->lock);
+	UNLOCK(&sock->lock);
 
 	return (result);
 }
@@ -5285,7 +5298,9 @@ isc__socket_sendto(isc_socket_t *sock0, isc_region_t *region,
 	manager = sock->manager;
 	REQUIRE(VALID_MANAGER(manager));
 
+	LOCK(&sock->lock);
 	INSIST(sock->bound);
+	UNLOCK(&sock->lock);
 
 	dev = allocate_socketevent(manager->mctx, sock,
 				   ISC_SOCKEVENT_SENDDONE, action, arg);
@@ -5418,22 +5433,34 @@ isc__socket_cleanunix(isc_sockaddr_t *sockaddr, bool active) {
 #define S_ISSOCK(mode) 0
 #endif
 
-	if (active) {
-		if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
+	if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
+		switch (errno) {
+		case ENOENT:
+			if (active) { /* We exited cleanly last time */
+				break;
+			}
+			/* intentional fallthrough */
+		default:
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      ISC_LOGMODULE_SOCKET,
+				      active ? ISC_LOG_ERROR : ISC_LOG_WARNING,
 				      "isc_socket_cleanunix: stat(%s): %s",
 				      sockaddr->type.sunix.sun_path, strbuf);
 			return;
 		}
+	} else {
 		if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
 			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      ISC_LOGMODULE_SOCKET,
+				      active ? ISC_LOG_ERROR : ISC_LOG_WARNING,
 				      "isc_socket_cleanunix: %s: not a socket",
 				      sockaddr->type.sunix.sun_path);
 			return;
 		}
+	}
+
+	if (active) {
 		if (unlink(sockaddr->type.sunix.sun_path) < 0) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
@@ -5454,31 +5481,9 @@ isc__socket_cleanunix(isc_sockaddr_t *sockaddr, bool active) {
 		return;
 	}
 
-	if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
-		switch (errno) {
-		case ENOENT:    /* We exited cleanly last time */
-			break;
-		default:
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
-				      "isc_socket_cleanunix: stat(%s): %s",
-				      sockaddr->type.sunix.sun_path, strbuf);
-			break;
-		}
-		goto cleanup;
-	}
-
-	if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
-			      "isc_socket_cleanunix: %s: not a socket",
-			      sockaddr->type.sunix.sun_path);
-		goto cleanup;
-	}
-
-	if (connect(s, (struct sockaddr *)&sockaddr->type.sunix,
-		    sizeof(sockaddr->type.sunix)) < 0) {
+	if (connect(s, (const struct sockaddr *)&sockaddr->type.sunix,
+		    sizeof(sockaddr->type.sunix)) < 0)
+	{
 		switch (errno) {
 		case ECONNREFUSED:
 		case ECONNRESET:
@@ -5502,7 +5507,6 @@ isc__socket_cleanunix(isc_sockaddr_t *sockaddr, bool active) {
 			break;
 		}
 	}
- cleanup:
 	close(s);
 #else
 	UNUSED(sockaddr);
@@ -5638,7 +5642,7 @@ isc__socket_bind(isc_socket_t *sock0, isc_sockaddr_t *sockaddr,
 /*
  * Enable this only for specific OS versions, and only when they have repaired
  * their problems with it.  Until then, this is is broken and needs to be
- * diabled by default.  See RT22589 for details.
+ * disabled by default.  See RT22589 for details.
  */
 #undef ENABLE_ACCEPTFILTER
 
diff --git a/bind/bind9/lib/isc/unix/socket_p.h b/bind/bind9/lib/isc/unix/socket_p.h
index fb4fdb89..5723b9fa 100644
--- a/bind/bind9/lib/isc/unix/socket_p.h
+++ b/bind/bind9/lib/isc/unix/socket_p.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/stdio.c b/bind/bind9/lib/isc/unix/stdio.c
index e60fa659..3912b87e 100644
--- a/bind/bind9/lib/isc/unix/stdio.c
+++ b/bind/bind9/lib/isc/unix/stdio.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/stdtime.c b/bind/bind9/lib/isc/unix/stdtime.c
index 989bde46..7a924ab9 100644
--- a/bind/bind9/lib/isc/unix/stdtime.c
+++ b/bind/bind9/lib/isc/unix/stdtime.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -24,38 +24,6 @@
 #include <isc/stdtime.h>
 #include <isc/util.h>
 
-#ifndef ISC_FIX_TV_USEC
-#define ISC_FIX_TV_USEC 1
-#endif
-
-#define US_PER_S 1000000
-
-#if ISC_FIX_TV_USEC
-static inline void
-fix_tv_usec(struct timeval *tv) {
-	bool fixed = false;
-
-	if (tv->tv_usec < 0) {
-		fixed = true;
-		do {
-			tv->tv_sec -= 1;
-			tv->tv_usec += US_PER_S;
-		} while (tv->tv_usec < 0);
-	} else if (tv->tv_usec >= US_PER_S) {
-		fixed = true;
-		do {
-			tv->tv_sec += 1;
-			tv->tv_usec -= US_PER_S;
-		} while (tv->tv_usec >=US_PER_S);
-	}
-	/*
-	 * Call syslog directly as we are called from the logging functions.
-	 */
-	if (fixed)
-		(void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
-}
-#endif
-
 void
 isc_stdtime_get(isc_stdtime_t *t) {
 	struct timeval tv;
@@ -69,12 +37,5 @@ isc_stdtime_get(isc_stdtime_t *t) {
 
 	RUNTIME_CHECK(gettimeofday(&tv, NULL) != -1);
 
-#if ISC_FIX_TV_USEC
-	fix_tv_usec(&tv);
-	INSIST(tv.tv_usec >= 0);
-#else
-	INSIST(tv.tv_usec >= 0 && tv.tv_usec < US_PER_S);
-#endif
-
 	*t = (unsigned int)tv.tv_sec;
 }
diff --git a/bind/bind9/lib/isc/unix/strerror.c b/bind/bind9/lib/isc/unix/strerror.c
index e4fb7934..503d67a1 100644
--- a/bind/bind9/lib/isc/unix/strerror.c
+++ b/bind/bind9/lib/isc/unix/strerror.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/syslog.c b/bind/bind9/lib/isc/unix/syslog.c
index 4ce32725..cb294d3c 100644
--- a/bind/bind9/lib/isc/unix/syslog.c
+++ b/bind/bind9/lib/isc/unix/syslog.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/unix/time.c b/bind/bind9/lib/isc/unix/time.c
index 8edc9df7..bcca41bd 100644
--- a/bind/bind9/lib/isc/unix/time.c
+++ b/bind/bind9/lib/isc/unix/time.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/utf8.c b/bind/bind9/lib/isc/utf8.c
new file mode 100644
index 00000000..714bc8ec
--- /dev/null
+++ b/bind/bind9/lib/isc/utf8.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/utf8.h>
+#include <isc/util.h>
+
+/*
+ * UTF-8 is defined in "The Unicode Standard -- Version 4.0"
+ * Also see RFC 3629.
+ *
+ * Char. number range  |        UTF-8 octet sequence
+ *    (hexadecimal)    |              (binary)
+ *  --------------------+---------------------------------------------
+ * 0000 0000-0000 007F | 0xxxxxxx
+ * 0000 0080-0000 07FF | 110xxxxx 10xxxxxx
+ * 0000 0800-0000 FFFF | 1110xxxx 10xxxxxx 10xxxxxx
+ * 0001 0000-0010 FFFF | 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+ */
+bool
+isc_utf8_valid(const unsigned char *buf, size_t len) {
+	REQUIRE(buf != NULL);
+
+	for (size_t i = 0; i < len; i++) {
+		if (buf[i] <= 0x7f) {
+			continue;
+		}
+		if ((i + 1) < len && (buf[i] & 0xe0) == 0xc0 &&
+		    (buf[i + 1] & 0xc0) == 0x80) {
+			unsigned int w;
+			w = (buf[i] & 0x1f) << 6;
+			w |= (buf[++i] & 0x3f);
+			if (w < 0x80) {
+				return (false);
+			}
+			continue;
+		}
+		if ((i + 2) < len && (buf[i] & 0xf0) == 0xe0 &&
+		    (buf[i + 1] & 0xc0) == 0x80 && (buf[i + 2] & 0xc0) == 0x80)
+		{
+			unsigned int w;
+			w = (buf[i] & 0x0f) << 12;
+			w |= (buf[++i] & 0x3f) << 6;
+			w |= (buf[++i] & 0x3f);
+			if (w < 0x0800) {
+				return (false);
+			}
+			continue;
+		}
+		if ((i + 3) < len && (buf[i] & 0xf8) == 0xf0 &&
+		    (buf[i + 1] & 0xc0) == 0x80 &&
+		    (buf[i + 2] & 0xc0) == 0x80 && (buf[i + 3] & 0xc0) == 0x80)
+		{
+			unsigned int w;
+			w = (buf[i] & 0x07) << 18;
+			w |= (buf[++i] & 0x3f) << 12;
+			w |= (buf[++i] & 0x3f) << 6;
+			w |= (buf[++i] & 0x3f);
+			if (w < 0x10000 || w > 0x10FFFF) {
+				return (false);
+			}
+			continue;
+		}
+		return (false);
+	}
+	return (true);
+}
+
+bool
+isc_utf8_bom(const unsigned char *buf, size_t len) {
+	REQUIRE(buf != NULL);
+
+	if (len >= 3U && !memcmp(buf, "\xef\xbb\xbf", 3)) {
+		return (true);
+	}
+	return (false);
+}
diff --git a/bind/bind9/lib/isc/version.c b/bind/bind9/lib/isc/version.c
index 3a83a39f..15924b3f 100644
--- a/bind/bind9/lib/isc/version.c
+++ b/bind/bind9/lib/isc/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/DLLMain.c b/bind/bind9/lib/isc/win32/DLLMain.c
index f14260e9..d11fa740 100644
--- a/bind/bind9/lib/isc/win32/DLLMain.c
+++ b/bind/bind9/lib/isc/win32/DLLMain.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/Makefile.in b/bind/bind9/lib/isc/win32/Makefile.in
index 19b46bde..fee81d8d 100644
--- a/bind/bind9/lib/isc/win32/Makefile.in
+++ b/bind/bind9/lib/isc/win32/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/app.c b/bind/bind9/lib/isc/win32/app.c
index 8b8a7b15..bd15f22a 100644
--- a/bind/bind9/lib/isc/win32/app.c
+++ b/bind/bind9/lib/isc/win32/app.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/condition.c b/bind/bind9/lib/isc/win32/condition.c
index 78875081..b336f1ec 100644
--- a/bind/bind9/lib/isc/win32/condition.c
+++ b/bind/bind9/lib/isc/win32/condition.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/dir.c b/bind/bind9/lib/isc/win32/dir.c
index 5db2c235..ead43b03 100644
--- a/bind/bind9/lib/isc/win32/dir.c
+++ b/bind/bind9/lib/isc/win32/dir.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/entropy.c b/bind/bind9/lib/isc/win32/entropy.c
index 2480c025..063934c7 100644
--- a/bind/bind9/lib/isc/win32/entropy.c
+++ b/bind/bind9/lib/isc/win32/entropy.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/errno.c b/bind/bind9/lib/isc/win32/errno.c
index 74ebf0c5..b5986500 100644
--- a/bind/bind9/lib/isc/win32/errno.c
+++ b/bind/bind9/lib/isc/win32/errno.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/errno2result.c b/bind/bind9/lib/isc/win32/errno2result.c
index 11232470..8e218530 100644
--- a/bind/bind9/lib/isc/win32/errno2result.c
+++ b/bind/bind9/lib/isc/win32/errno2result.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/errno2result.h b/bind/bind9/lib/isc/win32/errno2result.h
index 99752ae5..a972334c 100644
--- a/bind/bind9/lib/isc/win32/errno2result.h
+++ b/bind/bind9/lib/isc/win32/errno2result.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/file.c b/bind/bind9/lib/isc/win32/file.c
index 24e562b2..4c537633 100644
--- a/bind/bind9/lib/isc/win32/file.c
+++ b/bind/bind9/lib/isc/win32/file.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/fsaccess.c b/bind/bind9/lib/isc/win32/fsaccess.c
index e64d172a..b3bb456f 100644
--- a/bind/bind9/lib/isc/win32/fsaccess.c
+++ b/bind/bind9/lib/isc/win32/fsaccess.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/Makefile.in b/bind/bind9/lib/isc/win32/include/Makefile.in
index 2cbf021b..963ff42a 100644
--- a/bind/bind9/lib/isc/win32/include/Makefile.in
+++ b/bind/bind9/lib/isc/win32/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/Makefile.in b/bind/bind9/lib/isc/win32/include/isc/Makefile.in
index a7c02432..9a1e538e 100644
--- a/bind/bind9/lib/isc/win32/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/win32/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/atomic.h b/bind/bind9/lib/isc/win32/include/isc/atomic.h
index 4b3d92db..fcaee56e 100644
--- a/bind/bind9/lib/isc/win32/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/win32/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/bind_registry.h b/bind/bind9/lib/isc/win32/include/isc/bind_registry.h
index 57970be8..259af913 100644
--- a/bind/bind9/lib/isc/win32/include/isc/bind_registry.h
+++ b/bind/bind9/lib/isc/win32/include/isc/bind_registry.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/bindevt.h b/bind/bind9/lib/isc/win32/include/isc/bindevt.h
index d4088e86..e6dad596 100644
--- a/bind/bind9/lib/isc/win32/include/isc/bindevt.h
+++ b/bind/bind9/lib/isc/win32/include/isc/bindevt.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -19,7 +19,7 @@
  */
 
 /*
- * Values are 32 bit values layed out as follows:
+ * Values are 32 bit values laid out as follows:
  *
  *   3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
  *   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
diff --git a/bind/bind9/lib/isc/win32/include/isc/condition.h b/bind/bind9/lib/isc/win32/include/isc/condition.h
index 1f5b2d60..56118a1d 100644
--- a/bind/bind9/lib/isc/win32/include/isc/condition.h
+++ b/bind/bind9/lib/isc/win32/include/isc/condition.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/dir.h b/bind/bind9/lib/isc/win32/include/isc/dir.h
index 34e945a3..53411f5d 100644
--- a/bind/bind9/lib/isc/win32/include/isc/dir.h
+++ b/bind/bind9/lib/isc/win32/include/isc/dir.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -15,6 +15,7 @@
 #include <windows.h>
 #include <stdbool.h>
 #include <stdlib.h>
+#include <direct.h>
 
 #include <isc/lang.h>
 #include <isc/platform.h>
diff --git a/bind/bind9/lib/isc/win32/include/isc/ipv6.h b/bind/bind9/lib/isc/win32/include/isc/ipv6.h
index bee1bd0f..236ecf5d 100644
--- a/bind/bind9/lib/isc/win32/include/isc/ipv6.h
+++ b/bind/bind9/lib/isc/win32/include/isc/ipv6.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/keyboard.h b/bind/bind9/lib/isc/win32/include/isc/keyboard.h
index 009523a4..00cfac97 100644
--- a/bind/bind9/lib/isc/win32/include/isc/keyboard.h
+++ b/bind/bind9/lib/isc/win32/include/isc/keyboard.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/mutex.h b/bind/bind9/lib/isc/win32/include/isc/mutex.h
index 6815741b..76503b76 100644
--- a/bind/bind9/lib/isc/win32/include/isc/mutex.h
+++ b/bind/bind9/lib/isc/win32/include/isc/mutex.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/net.h b/bind/bind9/lib/isc/win32/include/isc/net.h
index 9712a6a5..775e83d1 100644
--- a/bind/bind9/lib/isc/win32/include/isc/net.h
+++ b/bind/bind9/lib/isc/win32/include/isc/net.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 #ifndef ISC_NET_H
 #define ISC_NET_H 1
 
diff --git a/bind/bind9/lib/isc/win32/include/isc/netdb.h b/bind/bind9/lib/isc/win32/include/isc/netdb.h
index c07194d5..214e1f65 100644
--- a/bind/bind9/lib/isc/win32/include/isc/netdb.h
+++ b/bind/bind9/lib/isc/win32/include/isc/netdb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/ntgroups.h b/bind/bind9/lib/isc/win32/include/isc/ntgroups.h
index e8352fcb..d87c890f 100644
--- a/bind/bind9/lib/isc/win32/include/isc/ntgroups.h
+++ b/bind/bind9/lib/isc/win32/include/isc/ntgroups.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/ntpaths.h b/bind/bind9/lib/isc/win32/include/isc/ntpaths.h
index c0010fcc..2e59b9e8 100644
--- a/bind/bind9/lib/isc/win32/include/isc/ntpaths.h
+++ b/bind/bind9/lib/isc/win32/include/isc/ntpaths.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/offset.h b/bind/bind9/lib/isc/win32/include/isc/offset.h
index 14ef06fa..35c1b916 100644
--- a/bind/bind9/lib/isc/win32/include/isc/offset.h
+++ b/bind/bind9/lib/isc/win32/include/isc/offset.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/once.h b/bind/bind9/lib/isc/win32/include/isc/once.h
index c005b0b0..951705f0 100644
--- a/bind/bind9/lib/isc/win32/include/isc/once.h
+++ b/bind/bind9/lib/isc/win32/include/isc/once.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/platform.h.in b/bind/bind9/lib/isc/win32/include/isc/platform.h.in
index 8ade7051..1f785e0c 100644
--- a/bind/bind9/lib/isc/win32/include/isc/platform.h.in
+++ b/bind/bind9/lib/isc/win32/include/isc/platform.h.in
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/stat.h b/bind/bind9/lib/isc/win32/include/isc/stat.h
index 8b7d6850..858089d6 100644
--- a/bind/bind9/lib/isc/win32/include/isc/stat.h
+++ b/bind/bind9/lib/isc/win32/include/isc/stat.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/stdtime.h b/bind/bind9/lib/isc/win32/include/isc/stdtime.h
index 9ad2e99d..bc6c6309 100644
--- a/bind/bind9/lib/isc/win32/include/isc/stdtime.h
+++ b/bind/bind9/lib/isc/win32/include/isc/stdtime.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/strerror.h b/bind/bind9/lib/isc/win32/include/isc/strerror.h
index ae040a43..6ce741e3 100644
--- a/bind/bind9/lib/isc/win32/include/isc/strerror.h
+++ b/bind/bind9/lib/isc/win32/include/isc/strerror.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -22,7 +22,7 @@ ISC_LANG_BEGINDECLS
 #define ISC_STRERRORSIZE 128
 
 /*
- * Provide a thread safe wrapper to strerrror().
+ * Provide a thread safe wrapper to strerror().
  *
  * Requires:
  * 	'buf' to be non NULL.
diff --git a/bind/bind9/lib/isc/win32/include/isc/syslog.h b/bind/bind9/lib/isc/win32/include/isc/syslog.h
index 66431e5c..9c2b1415 100644
--- a/bind/bind9/lib/isc/win32/include/isc/syslog.h
+++ b/bind/bind9/lib/isc/win32/include/isc/syslog.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/thread.h b/bind/bind9/lib/isc/win32/include/isc/thread.h
index be1343af..556cb151 100644
--- a/bind/bind9/lib/isc/win32/include/isc/thread.h
+++ b/bind/bind9/lib/isc/win32/include/isc/thread.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/isc/time.h b/bind/bind9/lib/isc/win32/include/isc/time.h
index 486f527c..c8a83d97 100644
--- a/bind/bind9/lib/isc/win32/include/isc/time.h
+++ b/bind/bind9/lib/isc/win32/include/isc/time.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -13,6 +13,7 @@
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
 
+#include <errno.h>
 #include <inttypes.h>
 #include <stdbool.h>
 #include <windows.h>
@@ -21,6 +22,30 @@
 #include <isc/types.h>
 
 /***
+ *** POSIX Shims
+ ***/
+
+inline struct tm *
+gmtime_r(const time_t *clock, struct tm *result) {
+	errno_t ret = gmtime_s(result, clock);
+	if (ret != 0) {
+		errno = ret;
+		return (NULL);
+	}
+	return (result);
+}
+
+inline struct tm *
+localtime_r(const time_t *clock, struct tm *result) {
+	errno_t ret = localtime_s(result, clock);
+	if (ret != 0) {
+		errno = ret;
+		return (NULL);
+	}
+	return (result);
+}
+
+/***
  *** Intervals
  ***/
 
diff --git a/bind/bind9/lib/isc/win32/include/isc/win32os.h b/bind/bind9/lib/isc/win32/include/isc/win32os.h
index bc18c403..0458bb2a 100644
--- a/bind/bind9/lib/isc/win32/include/isc/win32os.h
+++ b/bind/bind9/lib/isc/win32/include/isc/win32os.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/include/pkcs11/Makefile.in b/bind/bind9/lib/isc/win32/include/pkcs11/Makefile.in
index e9a85d43..36e9472f 100644
--- a/bind/bind9/lib/isc/win32/include/pkcs11/Makefile.in
+++ b/bind/bind9/lib/isc/win32/include/pkcs11/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/interfaceiter.c b/bind/bind9/lib/isc/win32/interfaceiter.c
index 3fd2a9c1..a281460a 100644
--- a/bind/bind9/lib/isc/win32/interfaceiter.c
+++ b/bind/bind9/lib/isc/win32/interfaceiter.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/ipv6.c b/bind/bind9/lib/isc/win32/ipv6.c
index c2a4ac5b..9eb5d522 100644
--- a/bind/bind9/lib/isc/win32/ipv6.c
+++ b/bind/bind9/lib/isc/win32/ipv6.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/keyboard.c b/bind/bind9/lib/isc/win32/keyboard.c
index 6e6f800b..867b16fd 100644
--- a/bind/bind9/lib/isc/win32/keyboard.c
+++ b/bind/bind9/lib/isc/win32/keyboard.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/libgen.h b/bind/bind9/lib/isc/win32/libgen.h
index e74740f6..643cd3bf 100644
--- a/bind/bind9/lib/isc/win32/libgen.h
+++ b/bind/bind9/lib/isc/win32/libgen.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/libisc.def.in b/bind/bind9/lib/isc/win32/libisc.def.in
index ee06bf07..3e6c4b59 100644
--- a/bind/bind9/lib/isc/win32/libisc.def.in
+++ b/bind/bind9/lib/isc/win32/libisc.def.in
@@ -754,6 +754,8 @@ isc_timermgr_destroy
 isc_timermgr_poke
 isc_tm_timegm
 isc_tm_strptime
+isc_utf8_bom
+isc_utf8_valid
 isc_win32os_versioncheck
 openlog
 @IF PKCS11
diff --git a/bind/bind9/lib/isc/win32/libisc.vcxproj.filters.in b/bind/bind9/lib/isc/win32/libisc.vcxproj.filters.in
index fefbc343..ecf0164b 100644
--- a/bind/bind9/lib/isc/win32/libisc.vcxproj.filters.in
+++ b/bind/bind9/lib/isc/win32/libisc.vcxproj.filters.in
@@ -277,6 +277,9 @@
     <ClInclude Include="..\include\isc\types.h">
       <Filter>Library Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\include\isc\utf8.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
     <ClInclude Include="..\include\isc\util.h">
       <Filter>Library Header Files</Filter>
     </ClInclude>
@@ -302,12 +305,6 @@
     <ClInclude Include="..\include\pkcs11\pkcs11.h">
       <Filter>Pkcs11 Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="..\include\pkcs11\pkcs11f.h">
-      <Filter>Pkcs11 Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="..\include\pkcs11\pkcs11t.h">
-      <Filter>Pkcs11 Header Files</Filter>
-    </ClInclude>
 @END PKCS11
     <ClInclude Include="include\isc\bind_registry.h">
       <Filter>Win32 Header Files</Filter>
@@ -672,6 +669,9 @@
     <ClCompile Include="..\tm.c">
       <Filter>Library Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\utf8.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
 @IF PKCS11
     <ClCompile Include="..\pk11.c">
       <Filter>Library Source Files</Filter>
diff --git a/bind/bind9/lib/isc/win32/libisc.vcxproj.in b/bind/bind9/lib/isc/win32/libisc.vcxproj.in
index 374937a5..66457ba9 100644
--- a/bind/bind9/lib/isc/win32/libisc.vcxproj.in
+++ b/bind/bind9/lib/isc/win32/libisc.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
 @IF PKCS11
       <PreprocessorDefinitions>BIND9;@CRYPTO@@PK11_LIB_LOCATION@WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
@@ -145,7 +148,8 @@ copy InstallFiles ..\Build\Debug\
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
@@ -385,6 +389,7 @@ copy InstallFiles ..\Build\Release\
     <ClInclude Include="..\include\isc\timer.h" />
     <ClInclude Include="..\include\isc\tm.h" />
     <ClInclude Include="..\include\isc\types.h" />
+    <ClInclude Include="..\include\isc\utf8.h" />
     <ClInclude Include="..\include\isc\util.h" />
     <ClInclude Include="..\include\isc\version.h" />
     <ClInclude Include="..\include\isc\xml.h" />
@@ -394,8 +399,6 @@ copy InstallFiles ..\Build\Release\
     <ClInclude Include="..\include\pk11\pk11.h" />
     <ClInclude Include="..\include\pk11\result.h" />
     <ClInclude Include="..\include\pkcs11\pkcs11.h" />
-    <ClInclude Include="..\include\pkcs11\pkcs11f.h" />
-    <ClInclude Include="..\include\pkcs11\pkcs11t.h" />
 @END PKCS11
 @IF ATOMIC
     <ClInclude Include="include\isc\atomic.h" />
@@ -495,6 +498,7 @@ copy InstallFiles ..\Build\Release\
     <ClCompile Include="..\taskpool.c" />
     <ClCompile Include="..\timer.c" />
     <ClCompile Include="..\tm.c" />
+    <ClCompile Include="..\utf8.c" />
 @IF PKCS11
     <ClCompile Include="..\pk11.c" />
     <ClCompile Include="..\pk11_result.c" />
diff --git a/bind/bind9/lib/isc/win32/meminfo.c b/bind/bind9/lib/isc/win32/meminfo.c
index 51077f6e..3bb3013c 100644
--- a/bind/bind9/lib/isc/win32/meminfo.c
+++ b/bind/bind9/lib/isc/win32/meminfo.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/net.c b/bind/bind9/lib/isc/win32/net.c
index c49bb6be..bcd99ce7 100644
--- a/bind/bind9/lib/isc/win32/net.c
+++ b/bind/bind9/lib/isc/win32/net.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -34,7 +34,7 @@
  * The last resort defaults: use all non well known port space
  */
 #ifndef ISC_NET_PORTRANGELOW
-#define ISC_NET_PORTRANGELOW 1024
+#define ISC_NET_PORTRANGELOW 32768
 #endif	/* ISC_NET_PORTRANGELOW */
 #ifndef ISC_NET_PORTRANGEHIGH
 #define ISC_NET_PORTRANGEHIGH 65535
diff --git a/bind/bind9/lib/isc/win32/netdb.h b/bind/bind9/lib/isc/win32/netdb.h
index a9398c8f..92c90393 100644
--- a/bind/bind9/lib/isc/win32/netdb.h
+++ b/bind/bind9/lib/isc/win32/netdb.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/ntgroups.c b/bind/bind9/lib/isc/win32/ntgroups.c
index 61a62b45..2069cb5a 100644
--- a/bind/bind9/lib/isc/win32/ntgroups.c
+++ b/bind/bind9/lib/isc/win32/ntgroups.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/ntpaths.c b/bind/bind9/lib/isc/win32/ntpaths.c
index df71bfa5..a9eacb88 100644
--- a/bind/bind9/lib/isc/win32/ntpaths.c
+++ b/bind/bind9/lib/isc/win32/ntpaths.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/once.c b/bind/bind9/lib/isc/win32/once.c
index baf178d6..a24e8800 100644
--- a/bind/bind9/lib/isc/win32/once.c
+++ b/bind/bind9/lib/isc/win32/once.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/os.c b/bind/bind9/lib/isc/win32/os.c
index 0f4023f4..3cb42a37 100644
--- a/bind/bind9/lib/isc/win32/os.c
+++ b/bind/bind9/lib/isc/win32/os.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/pk11_api.c b/bind/bind9/lib/isc/win32/pk11_api.c
index 76e4abb4..1b5be45f 100644
--- a/bind/bind9/lib/isc/win32/pk11_api.c
+++ b/bind/bind9/lib/isc/win32/pk11_api.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -78,7 +78,7 @@ pkcs_C_Initialize(CK_VOID_PTR pReserved) {
 
 	if (lib_name == NULL)
 		return (CKR_LIBRARY_FAILED_TO_LOAD);
-	/* Visual Studio convertion issue... */
+	/* Visual Studio conversion issue... */
 	if (*lib_name == ' ')
 		lib_name++;
 
diff --git a/bind/bind9/lib/isc/win32/resource.c b/bind/bind9/lib/isc/win32/resource.c
index 0fbc9a41..8c6d23d2 100644
--- a/bind/bind9/lib/isc/win32/resource.c
+++ b/bind/bind9/lib/isc/win32/resource.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/socket.c b/bind/bind9/lib/isc/win32/socket.c
index 0f733cee..707ecf45 100644
--- a/bind/bind9/lib/isc/win32/socket.c
+++ b/bind/bind9/lib/isc/win32/socket.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1589,7 +1589,7 @@ consistent(isc_socket_t *sock) {
 /*
  * Maybe free the socket.
  *
- * This function will verify tht the socket is no longer in use in any way,
+ * This function will verify that the socket is no longer in use in any way,
  * either internally or externally.  This is the only place where this
  * check is to be made; if some bit of code believes that IT is done with
  * the socket (e.g., some reference counter reaches zero), it should call
@@ -2443,7 +2443,7 @@ connectdone_is_active(isc_socket_t *sock, isc_socket_connev_t *dev)
 //
 // One specific one is when a TCP SYN scan is used.  In this situation,
 // Windows responds with the SYN-ACK, but the scanner never responds with
-// the 3rd packet, the ACK.  Windows consiers this a partially open connection.
+// the 3rd packet, the ACK.  Windows considers this a partially open connection.
 // Most Unix networking stacks, and Windows without McAfee installed, will
 // not return this to the caller.  However, with this product installed,
 // Windows returns this as a failed status on the Accept() call.  Here, we
@@ -2480,7 +2480,7 @@ restart_accept(isc_socket_t *parent, IoCompletionInfo *lpo)
 		    lpo->acceptbuffer,			/* Buffer for initial Recv */
 		    0,					/* Length of Buffer */
 		    sizeof(SOCKADDR_STORAGE) + 16,	/* Local address length + 16 */
-		    sizeof(SOCKADDR_STORAGE) + 16,	/* Remote address lengh + 16 */
+		    sizeof(SOCKADDR_STORAGE) + 16,	/* Remote address length + 16 */
 		    (LPDWORD)&lpo->received_bytes,	/* Bytes Recved */
 		    (LPOVERLAPPED)lpo			/* Overlapped structure */
 		    );
@@ -3506,7 +3506,7 @@ isc__socket_accept(isc_socket_t *sock,
 		    lpo->acceptbuffer,			/* Buffer for initial Recv */
 		    0,					/* Length of Buffer */
 		    sizeof(SOCKADDR_STORAGE) + 16,		/* Local address length + 16 */
-		    sizeof(SOCKADDR_STORAGE) + 16,		/* Remote address lengh + 16 */
+		    sizeof(SOCKADDR_STORAGE) + 16,		/* Remote address length + 16 */
 		    (LPDWORD)&lpo->received_bytes,	/* Bytes Recved */
 		    (LPOVERLAPPED)lpo			/* Overlapped structure */
 		    );
diff --git a/bind/bind9/lib/isc/win32/stdio.c b/bind/bind9/lib/isc/win32/stdio.c
index a4c81345..6a5e8aab 100644
--- a/bind/bind9/lib/isc/win32/stdio.c
+++ b/bind/bind9/lib/isc/win32/stdio.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/stdtime.c b/bind/bind9/lib/isc/win32/stdtime.c
index bff6fd18..9c4ec14c 100644
--- a/bind/bind9/lib/isc/win32/stdtime.c
+++ b/bind/bind9/lib/isc/win32/stdtime.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/strerror.c b/bind/bind9/lib/isc/win32/strerror.c
index 36c9b798..3d022437 100644
--- a/bind/bind9/lib/isc/win32/strerror.c
+++ b/bind/bind9/lib/isc/win32/strerror.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/syslog.c b/bind/bind9/lib/isc/win32/syslog.c
index 071e1878..008e9d02 100644
--- a/bind/bind9/lib/isc/win32/syslog.c
+++ b/bind/bind9/lib/isc/win32/syslog.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/syslog.h b/bind/bind9/lib/isc/win32/syslog.h
index 01971655..1359c8bb 100644
--- a/bind/bind9/lib/isc/win32/syslog.h
+++ b/bind/bind9/lib/isc/win32/syslog.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/thread.c b/bind/bind9/lib/isc/win32/thread.c
index ebc2f293..f18edc48 100644
--- a/bind/bind9/lib/isc/win32/thread.c
+++ b/bind/bind9/lib/isc/win32/thread.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/time.c b/bind/bind9/lib/isc/win32/time.c
index 84141bf2..69ff6c6e 100644
--- a/bind/bind9/lib/isc/win32/time.c
+++ b/bind/bind9/lib/isc/win32/time.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/unistd.h b/bind/bind9/lib/isc/win32/unistd.h
index 170577e7..85345ca3 100644
--- a/bind/bind9/lib/isc/win32/unistd.h
+++ b/bind/bind9/lib/isc/win32/unistd.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/version.c b/bind/bind9/lib/isc/win32/version.c
index d86c7812..49554fb9 100644
--- a/bind/bind9/lib/isc/win32/version.c
+++ b/bind/bind9/lib/isc/win32/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/win32/win32os.c b/bind/bind9/lib/isc/win32/win32os.c
index 9af95c80..23068aed 100644
--- a/bind/bind9/lib/isc/win32/win32os.c
+++ b/bind/bind9/lib/isc/win32/win32os.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/x86_32/Makefile.in b/bind/bind9/lib/isc/x86_32/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/isc/x86_32/Makefile.in
+++ b/bind/bind9/lib/isc/x86_32/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/x86_32/include/Makefile.in b/bind/bind9/lib/isc/x86_32/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/x86_32/include/Makefile.in
+++ b/bind/bind9/lib/isc/x86_32/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/x86_32/include/isc/Makefile.in b/bind/bind9/lib/isc/x86_32/include/isc/Makefile.in
index 97b6b417..452877db 100644
--- a/bind/bind9/lib/isc/x86_32/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/x86_32/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/x86_32/include/isc/atomic.h b/bind/bind9/lib/isc/x86_32/include/isc/atomic.h
index 8bcc8b08..81aec328 100644
--- a/bind/bind9/lib/isc/x86_32/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/x86_32/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -120,7 +120,7 @@ isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
 
 #elif defined(ISC_PLATFORM_USESTDASM)
 /*
- * The followings are "generic" assembly code which implements the same
+ * The following are "generic" assembly code which implements the same
  * functionality in case the gcc extension cannot be used.  It should be
  * better to avoid inlining below, since we directly refer to specific
  * positions of the stack frame, which would not actually point to the
diff --git a/bind/bind9/lib/isc/x86_64/Makefile.in b/bind/bind9/lib/isc/x86_64/Makefile.in
index 419cf9f8..8d1b6f1c 100644
--- a/bind/bind9/lib/isc/x86_64/Makefile.in
+++ b/bind/bind9/lib/isc/x86_64/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/x86_64/include/Makefile.in b/bind/bind9/lib/isc/x86_64/include/Makefile.in
index d33c0fcb..f87423b4 100644
--- a/bind/bind9/lib/isc/x86_64/include/Makefile.in
+++ b/bind/bind9/lib/isc/x86_64/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/x86_64/include/isc/Makefile.in b/bind/bind9/lib/isc/x86_64/include/isc/Makefile.in
index 97b6b417..452877db 100644
--- a/bind/bind9/lib/isc/x86_64/include/isc/Makefile.in
+++ b/bind/bind9/lib/isc/x86_64/include/isc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isc/x86_64/include/isc/atomic.h b/bind/bind9/lib/isc/x86_64/include/isc/atomic.h
index b2d7880f..8ce9c660 100644
--- a/bind/bind9/lib/isc/x86_64/include/isc/atomic.h
+++ b/bind/bind9/lib/isc/x86_64/include/isc/atomic.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -25,7 +25,7 @@
 
 #elif defined(ISC_PLATFORM_USESTDASM)
 /*
- * The followings are "generic" assembly code which implements the same
+ * The following are "generic" assembly code which implements the same
  * functionality in case the gcc extension cannot be used.  It should be
  * better to avoid inlining below, since we directly refer to specific
  * registers for arguments, which would not actually correspond to the
diff --git a/bind/bind9/lib/isccc/Makefile.in b/bind/bind9/lib/isccc/Makefile.in
index e7b6f04f..00d1c829 100644
--- a/bind/bind9/lib/isccc/Makefile.in
+++ b/bind/bind9/lib/isccc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/alist.c b/bind/bind9/lib/isccc/alist.c
index 22992d69..7e195cee 100644
--- a/bind/bind9/lib/isccc/alist.c
+++ b/bind/bind9/lib/isccc/alist.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -137,7 +137,9 @@ isccc_alist_delete(isccc_sexpr_t *alist, const char *key)
 		INSIST(rest->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
 		car = CAR(rest);
 		INSIST(car != NULL && car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		/* cppcheck-suppress nullPointerRedundantCheck */
 		caar = CAR(car);
+		/* cppcheck-suppress nullPointerRedundantCheck */
 		if (caar->type == ISCCC_SEXPRTYPE_STRING &&
 		    strcmp(caar->value.as_string, key) == 0) {
 			CDR(prev) = CDR(rest);
diff --git a/bind/bind9/lib/isccc/base64.c b/bind/bind9/lib/isccc/base64.c
index 54e8bd0e..53dc945d 100644
--- a/bind/bind9/lib/isccc/base64.c
+++ b/bind/bind9/lib/isccc/base64.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/cc.c b/bind/bind9/lib/isccc/cc.c
index c2740cbc..e012685b 100644
--- a/bind/bind9/lib/isccc/cc.c
+++ b/bind/bind9/lib/isccc/cc.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/ccmsg.c b/bind/bind9/lib/isccc/ccmsg.c
index 4cfa5281..8e90437b 100644
--- a/bind/bind9/lib/isccc/ccmsg.c
+++ b/bind/bind9/lib/isccc/ccmsg.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/Makefile.in b/bind/bind9/lib/isccc/include/Makefile.in
index aea49d75..13fa1596 100644
--- a/bind/bind9/lib/isccc/include/Makefile.in
+++ b/bind/bind9/lib/isccc/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/Makefile.in b/bind/bind9/lib/isccc/include/isccc/Makefile.in
index 23903db8..eeb161c6 100644
--- a/bind/bind9/lib/isccc/include/isccc/Makefile.in
+++ b/bind/bind9/lib/isccc/include/isccc/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/alist.h b/bind/bind9/lib/isccc/include/isccc/alist.h
index ea50a443..45b409a5 100644
--- a/bind/bind9/lib/isccc/include/isccc/alist.h
+++ b/bind/bind9/lib/isccc/include/isccc/alist.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/base64.h b/bind/bind9/lib/isccc/include/isccc/base64.h
index c9bf70a9..fb6eea01 100644
--- a/bind/bind9/lib/isccc/include/isccc/base64.h
+++ b/bind/bind9/lib/isccc/include/isccc/base64.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/cc.h b/bind/bind9/lib/isccc/include/isccc/cc.h
index 5da2a729..3f6468ea 100644
--- a/bind/bind9/lib/isccc/include/isccc/cc.h
+++ b/bind/bind9/lib/isccc/include/isccc/cc.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/ccmsg.h b/bind/bind9/lib/isccc/include/isccc/ccmsg.h
index 230d985c..c9b81f72 100644
--- a/bind/bind9/lib/isccc/include/isccc/ccmsg.h
+++ b/bind/bind9/lib/isccc/include/isccc/ccmsg.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/events.h b/bind/bind9/lib/isccc/include/isccc/events.h
index 5b6d23fc..e699bd9c 100644
--- a/bind/bind9/lib/isccc/include/isccc/events.h
+++ b/bind/bind9/lib/isccc/include/isccc/events.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/lib.h b/bind/bind9/lib/isccc/include/isccc/lib.h
index 408dee41..afb8abdd 100644
--- a/bind/bind9/lib/isccc/include/isccc/lib.h
+++ b/bind/bind9/lib/isccc/include/isccc/lib.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/result.h b/bind/bind9/lib/isccc/include/isccc/result.h
index 6ff81ad9..6c79dd71 100644
--- a/bind/bind9/lib/isccc/include/isccc/result.h
+++ b/bind/bind9/lib/isccc/include/isccc/result.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/sexpr.h b/bind/bind9/lib/isccc/include/isccc/sexpr.h
index 10f215c8..b2b874b7 100644
--- a/bind/bind9/lib/isccc/include/isccc/sexpr.h
+++ b/bind/bind9/lib/isccc/include/isccc/sexpr.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/symtab.h b/bind/bind9/lib/isccc/include/isccc/symtab.h
index cd595a11..b155d6f0 100644
--- a/bind/bind9/lib/isccc/include/isccc/symtab.h
+++ b/bind/bind9/lib/isccc/include/isccc/symtab.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/symtype.h b/bind/bind9/lib/isccc/include/isccc/symtype.h
index dbd9ad72..88d77110 100644
--- a/bind/bind9/lib/isccc/include/isccc/symtype.h
+++ b/bind/bind9/lib/isccc/include/isccc/symtype.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/types.h b/bind/bind9/lib/isccc/include/isccc/types.h
index bea22c97..dd4f4c09 100644
--- a/bind/bind9/lib/isccc/include/isccc/types.h
+++ b/bind/bind9/lib/isccc/include/isccc/types.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/util.h b/bind/bind9/lib/isccc/include/isccc/util.h
index 58e69b33..bfacdce4 100644
--- a/bind/bind9/lib/isccc/include/isccc/util.h
+++ b/bind/bind9/lib/isccc/include/isccc/util.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/include/isccc/version.h b/bind/bind9/lib/isccc/include/isccc/version.h
index dcb352f9..34eee819 100644
--- a/bind/bind9/lib/isccc/include/isccc/version.h
+++ b/bind/bind9/lib/isccc/include/isccc/version.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/lib.c b/bind/bind9/lib/isccc/lib.c
index 1222bbe5..f16daeda 100644
--- a/bind/bind9/lib/isccc/lib.c
+++ b/bind/bind9/lib/isccc/lib.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/result.c b/bind/bind9/lib/isccc/result.c
index 75f5ade7..8419bbb8 100644
--- a/bind/bind9/lib/isccc/result.c
+++ b/bind/bind9/lib/isccc/result.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/sexpr.c b/bind/bind9/lib/isccc/sexpr.c
index bb9565b2..e9df1740 100644
--- a/bind/bind9/lib/isccc/sexpr.c
+++ b/bind/bind9/lib/isccc/sexpr.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/symtab.c b/bind/bind9/lib/isccc/symtab.c
index da59a786..e60eb0b4 100644
--- a/bind/bind9/lib/isccc/symtab.c
+++ b/bind/bind9/lib/isccc/symtab.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/tests/Makefile.in b/bind/bind9/lib/isccc/tests/Makefile.in
index a9dd7111..296e43ef 100644
--- a/bind/bind9/lib/isccc/tests/Makefile.in
+++ b/bind/bind9/lib/isccc/tests/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/tests/result_test.c b/bind/bind9/lib/isccc/tests/result_test.c
index 6a86ccc9..eeb335ac 100644
--- a/bind/bind9/lib/isccc/tests/result_test.c
+++ b/bind/bind9/lib/isccc/tests/result_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/version.c b/bind/bind9/lib/isccc/version.c
index a3c1d9bc..80de96cc 100644
--- a/bind/bind9/lib/isccc/version.c
+++ b/bind/bind9/lib/isccc/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/win32/DLLMain.c b/bind/bind9/lib/isccc/win32/DLLMain.c
index 8ff10175..f442c2f8 100644
--- a/bind/bind9/lib/isccc/win32/DLLMain.c
+++ b/bind/bind9/lib/isccc/win32/DLLMain.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccc/win32/libisccc.vcxproj.in b/bind/bind9/lib/isccc/win32/libisccc.vcxproj.in
index 86925eff..abffa3d5 100644
--- a/bind/bind9/lib/isccc/win32/libisccc.vcxproj.in
+++ b/bind/bind9/lib/isccc/win32/libisccc.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/isccc/win32/version.c b/bind/bind9/lib/isccc/win32/version.c
index dfdd947a..def13e9d 100644
--- a/bind/bind9/lib/isccc/win32/version.c
+++ b/bind/bind9/lib/isccc/win32/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/Makefile.in b/bind/bind9/lib/isccfg/Makefile.in
index b97657d9..b84f0304 100644
--- a/bind/bind9/lib/isccfg/Makefile.in
+++ b/bind/bind9/lib/isccfg/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/aclconf.c b/bind/bind9/lib/isccfg/aclconf.c
index fdc3da02..309bb5bf 100644
--- a/bind/bind9/lib/isccfg/aclconf.c
+++ b/bind/bind9/lib/isccfg/aclconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/api b/bind/bind9/lib/isccfg/api
index a063fe11..3bf6e800 100644
--- a/bind/bind9/lib/isccfg/api
+++ b/bind/bind9/lib/isccfg/api
@@ -9,5 +9,5 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 LIBINTERFACE = 163
-LIBREVISION = 5
+LIBREVISION = 8
 LIBAGE = 0
diff --git a/bind/bind9/lib/isccfg/dnsconf.c b/bind/bind9/lib/isccfg/dnsconf.c
index 5d150c80..b9b3511a 100644
--- a/bind/bind9/lib/isccfg/dnsconf.c
+++ b/bind/bind9/lib/isccfg/dnsconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/Makefile.in b/bind/bind9/lib/isccfg/include/Makefile.in
index b2d21472..c9ac2952 100644
--- a/bind/bind9/lib/isccfg/include/Makefile.in
+++ b/bind/bind9/lib/isccfg/include/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/isccfg/Makefile.in b/bind/bind9/lib/isccfg/include/isccfg/Makefile.in
index e0fde738..f87f6be7 100644
--- a/bind/bind9/lib/isccfg/include/isccfg/Makefile.in
+++ b/bind/bind9/lib/isccfg/include/isccfg/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/isccfg/aclconf.h b/bind/bind9/lib/isccfg/include/isccfg/aclconf.h
index 2da770ee..adfc007f 100644
--- a/bind/bind9/lib/isccfg/include/isccfg/aclconf.h
+++ b/bind/bind9/lib/isccfg/include/isccfg/aclconf.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/isccfg/cfg.h b/bind/bind9/lib/isccfg/include/isccfg/cfg.h
index 468ca29a..44bf2de7 100644
--- a/bind/bind9/lib/isccfg/include/isccfg/cfg.h
+++ b/bind/bind9/lib/isccfg/include/isccfg/cfg.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/isccfg/dnsconf.h b/bind/bind9/lib/isccfg/include/isccfg/dnsconf.h
index 51221d37..95a07b25 100644
--- a/bind/bind9/lib/isccfg/include/isccfg/dnsconf.h
+++ b/bind/bind9/lib/isccfg/include/isccfg/dnsconf.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/isccfg/grammar.h b/bind/bind9/lib/isccfg/include/isccfg/grammar.h
index 9e0732a1..35114eb5 100644
--- a/bind/bind9/lib/isccfg/include/isccfg/grammar.h
+++ b/bind/bind9/lib/isccfg/include/isccfg/grammar.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/isccfg/log.h b/bind/bind9/lib/isccfg/include/isccfg/log.h
index 5c7fe95c..2d437419 100644
--- a/bind/bind9/lib/isccfg/include/isccfg/log.h
+++ b/bind/bind9/lib/isccfg/include/isccfg/log.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/isccfg/namedconf.h b/bind/bind9/lib/isccfg/include/isccfg/namedconf.h
index 0a191c9a..3d35c444 100644
--- a/bind/bind9/lib/isccfg/include/isccfg/namedconf.h
+++ b/bind/bind9/lib/isccfg/include/isccfg/namedconf.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/include/isccfg/version.h b/bind/bind9/lib/isccfg/include/isccfg/version.h
index 2e9a1392..3dcaa971 100644
--- a/bind/bind9/lib/isccfg/include/isccfg/version.h
+++ b/bind/bind9/lib/isccfg/include/isccfg/version.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/log.c b/bind/bind9/lib/isccfg/log.c
index 4fd5e572..50ac8420 100644
--- a/bind/bind9/lib/isccfg/log.c
+++ b/bind/bind9/lib/isccfg/log.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/namedconf.c b/bind/bind9/lib/isccfg/namedconf.c
index 03890a3f..e74c93b9 100644
--- a/bind/bind9/lib/isccfg/namedconf.c
+++ b/bind/bind9/lib/isccfg/namedconf.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -2731,7 +2731,7 @@ doc_minimal(cfg_printer_t *pctx, const cfg_type_t *type) {
 	doc_enum_or_other(pctx, type, &cfg_type_boolean);
 }
 static cfg_type_t cfg_type_minimal = {
-	"mimimal", parse_minimal, cfg_print_ustring, doc_minimal,
+	"minimal", parse_minimal, cfg_print_ustring, doc_minimal,
 	&cfg_rep_string, minimal_enums,
 };
 
@@ -3303,7 +3303,7 @@ static cfg_type_t cfg_type_bracketed_aml = {
 /*%
  * The socket address syntax in the "controls" statement is silly.
  * It allows both socket address families, but also allows "*",
- * whis is gratuitously interpreted as the IPv4 wildcard address.
+ * which is gratuitously interpreted as the IPv4 wildcard address.
  */
 static unsigned int controls_sockaddr_flags =
 	CFG_ADDR_V4OK | CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
diff --git a/bind/bind9/lib/isccfg/parser.c b/bind/bind9/lib/isccfg/parser.c
index 6588988c..dc01a6ee 100644
--- a/bind/bind9/lib/isccfg/parser.c
+++ b/bind/bind9/lib/isccfg/parser.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1216,7 +1216,12 @@ cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 static void
 print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_cstr(pctx, "\"");
-	cfg_print_ustring(pctx, obj);
+	for (size_t i = 0; i < obj->value.string.length; i++) {
+		if (obj->value.string.base[i] == '"') {
+			cfg_print_cstr(pctx, "\\");
+		}
+		cfg_print_chars(pctx, &obj->value.string.base[i], 1);
+	}
 	cfg_print_cstr(pctx, "\"");
 }
 
@@ -2147,6 +2152,9 @@ cfg_map_count(const cfg_obj_t *mapobj) {
 	return (isc_symtab_count(map->symtab));
 }
 
+#if _WIN32
+#pragma warning(disable : 4090)
+#endif
 const char *
 cfg_map_firstclause(const cfg_type_t *map, const void **clauses,
 		    unsigned int *idx)
@@ -2169,8 +2177,14 @@ cfg_map_firstclause(const cfg_type_t *map, const void **clauses,
 			return (NULL);
 	}
 	return ((*clauseset)[*idx].name);
+#if _WIN32
+#pragma warning(default : 4090)
+#endif
 }
 
+#if _WIN32
+#pragma warning(disable : 4090)
+#endif
 const char *
 cfg_map_nextclause(const cfg_type_t *map, const void **clauses,
 		   unsigned int *idx)
@@ -2194,6 +2208,9 @@ cfg_map_nextclause(const cfg_type_t *map, const void **clauses,
 			return (NULL);
 	}
 	return ((*clauseset)[*idx].name);
+#if _WIN32
+#pragma warning(default : 4090)
+#endif
 }
 
 /* Parse an arbitrary token, storing its raw text representation. */
@@ -2505,6 +2522,7 @@ parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	CHECK(cfg_create_obj(pctx, type, &obj));
 	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
 	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, 0);
+	obj->value.sockaddrdscp.dscp = -1;
 	*ret = obj;
 	return (ISC_R_SUCCESS);
  cleanup:
@@ -2616,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
 					 "invalid prefix length");
 			return (ISC_R_RANGE);
 		}
-		result = isc_netaddr_prefixok(&netaddr, prefixlen);
-		if (result != ISC_R_SUCCESS) {
-			char buf[ISC_NETADDR_FORMATSIZE + 1];
-			isc_netaddr_format(&netaddr, buf, sizeof(buf));
-			cfg_parser_error(pctx, CFG_LOG_NOPREP,
-					 "'%s/%u': address/prefix length "
-					 "mismatch", buf, prefixlen);
-			return (ISC_R_FAILURE);
-		}
 	} else {
 		if (expectprefix) {
 			cfg_parser_error(pctx, CFG_LOG_NEAR,
@@ -3017,10 +3026,10 @@ parser_complain(cfg_parser_t *pctx, bool is_warning,
 		snprintf(where, sizeof(where), "%s: ", pctx->buf_name);
 
 	len = vsnprintf(message, sizeof(message), format, args);
-#define ELIPSIS " ... "
+#define ELLIPSIS " ... "
 	if (len >= sizeof(message)) {
-		message[sizeof(message) - sizeof(ELIPSIS)] = 0;
-		strlcat(message, ELIPSIS, sizeof(message));
+		message[sizeof(message) - sizeof(ELLIPSIS)] = 0;
+		strlcat(message, ELLIPSIS, sizeof(message));
 	}
 
 	if ((flags & (CFG_LOG_NEAR|CFG_LOG_BEFORE|CFG_LOG_NOPREP)) != 0) {
diff --git a/bind/bind9/lib/isccfg/tests/Makefile.in b/bind/bind9/lib/isccfg/tests/Makefile.in
index 3064152b..eb013ee0 100644
--- a/bind/bind9/lib/isccfg/tests/Makefile.in
+++ b/bind/bind9/lib/isccfg/tests/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/tests/parser_test.c b/bind/bind9/lib/isccfg/tests/parser_test.c
index 6609ea6a..e9ac61e9 100644
--- a/bind/bind9/lib/isccfg/tests/parser_test.c
+++ b/bind/bind9/lib/isccfg/tests/parser_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -31,6 +31,7 @@
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/print.h>
+#include <isc/string.h>
 #include <isc/types.h>
 #include <isc/util.h>
 
@@ -62,6 +63,7 @@ static isc_logcategory_t categories[] = {
 static void
 cleanup() {
 	if (lctx != NULL) {
+		isc_log_setcontext(NULL);
 		isc_log_destroy(&lctx);
 	}
 	if (mctx != NULL) {
@@ -100,6 +102,92 @@ setup() {
 	return (result);
 }
 
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = setup();
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	cleanup();
+
+	return (0);
+}
+
+/* mimic calling nzf_append() */
+static void
+append(void *arg, const char *str, int len) {
+	char *buf = arg;
+	size_t l = strlen(buf);
+	snprintf(buf + l, 1024 - l, "%.*s", len, str);
+}
+
+static void
+addzoneconf(void **state) {
+	isc_result_t result;
+	isc_buffer_t b;
+	cfg_parser_t *p = NULL;
+	const char *tests[] = {
+		"zone \"test4.baz\" { type master; file \"e.db\"; };",
+		"zone \"test/.baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\\".baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\.baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\\\.baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\032.baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\010.baz\" { type master; file \"e.db\"; };"
+	};
+	char buf[1024];
+
+	UNUSED(state);
+
+	/* Parse with default line numbering */
+	result = cfg_parser_create(mctx, lctx, &p);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+#define ARRAYSIZE(x) (sizeof(x) / sizeof(x[0]))
+
+	for (size_t i = 0; i < ARRAYSIZE(tests); i++) {
+		cfg_obj_t *conf = NULL;
+		const cfg_obj_t *obj = NULL, *zlist = NULL;
+
+		isc_buffer_constinit(&b, tests[i], strlen(tests[i]));
+		isc_buffer_add(&b, strlen(tests[i]));
+
+		result = cfg_parse_buffer3(p, &b, "text1", 0,
+					   &cfg_type_namedconf, &conf);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		/*
+		 * Mimic calling nzf_append() from bin/named/server.c
+		 * and check that the output matches the input.
+		 */
+		result = cfg_map_get(conf, "zone", &zlist);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		obj = cfg_listelt_value(cfg_list_first(zlist));
+		assert_ptr_not_equal(obj, NULL);
+
+		strlcpy(buf, "zone ", sizeof(buf));
+		cfg_printx(obj, CFG_PRINTER_ONELINE, append, buf);
+		strlcat(buf, ";", sizeof(buf));
+		assert_string_equal(tests[i], buf);
+
+		cfg_obj_destroy(p, &conf);
+		cfg_parser_reset(p);
+	}
+
+	cfg_parser_destroy(&p);
+}
+
 /* test cfg_parse_buffer() */
 static void
 parse_buffer_test(void **state) {
@@ -111,8 +199,6 @@ parse_buffer_test(void **state) {
 
 	UNUSED(state);
 
-	setup();
-
 	isc_buffer_init(&buf1, &text[0], sizeof(text) - 1);
 	isc_buffer_add(&buf1, sizeof(text) - 1);
 
@@ -142,8 +228,6 @@ parse_buffer_test(void **state) {
 
 	cfg_parser_destroy(&p1);
 	cfg_parser_destroy(&p2);
-
-	cleanup();
 }
 
 /* test cfg_map_firstclause() */
@@ -189,12 +273,13 @@ cfg_map_nextclause_test(void **state) {
 int
 main(void) {
 	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(addzoneconf),
 		cmocka_unit_test(parse_buffer_test),
 		cmocka_unit_test(cfg_map_firstclause_test),
 		cmocka_unit_test(cfg_map_nextclause_test),
 	};
 
-	return (cmocka_run_group_tests(tests, NULL, NULL));
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
 }
 
 #else /* HAVE_CMOCKA */
diff --git a/bind/bind9/lib/isccfg/version.c b/bind/bind9/lib/isccfg/version.c
index 51ed4b53..da18f0c7 100644
--- a/bind/bind9/lib/isccfg/version.c
+++ b/bind/bind9/lib/isccfg/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/win32/DLLMain.c b/bind/bind9/lib/isccfg/win32/DLLMain.c
index 93c2893b..012730cc 100644
--- a/bind/bind9/lib/isccfg/win32/DLLMain.c
+++ b/bind/bind9/lib/isccfg/win32/DLLMain.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/isccfg/win32/libisccfg.vcxproj.in b/bind/bind9/lib/isccfg/win32/libisccfg.vcxproj.in
index bb1f8fc1..984a2b3f 100644
--- a/bind/bind9/lib/isccfg/win32/libisccfg.vcxproj.in
+++ b/bind/bind9/lib/isccfg/win32/libisccfg.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -78,7 +81,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/isccfg/win32/version.c b/bind/bind9/lib/isccfg/win32/version.c
index 4a69e878..7ffb7b88 100644
--- a/bind/bind9/lib/isccfg/win32/version.c
+++ b/bind/bind9/lib/isccfg/win32/version.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/Makefile.in b/bind/bind9/lib/lwres/Makefile.in
index 4d0f5050..0efccd17 100644
--- a/bind/bind9/lib/lwres/Makefile.in
+++ b/bind/bind9/lib/lwres/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.34 2007/06/19 23:47:22 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/api b/bind/bind9/lib/lwres/api
index 00eb6898..a024d80e 100644
--- a/bind/bind9/lib/lwres/api
+++ b/bind/bind9/lib/lwres/api
@@ -9,5 +9,5 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 LIBINTERFACE = 161
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 0
diff --git a/bind/bind9/lib/lwres/assert_p.h b/bind/bind9/lib/lwres/assert_p.h
index 3b44f25b..88f98b0a 100644
--- a/bind/bind9/lib/lwres/assert_p.h
+++ b/bind/bind9/lib/lwres/assert_p.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
 #ifndef LWRES_ASSERT_P_H
 #define LWRES_ASSERT_P_H 1
 
diff --git a/bind/bind9/lib/lwres/compat.c b/bind/bind9/lib/lwres/compat.c
index 5d78067d..124c7f38 100644
--- a/bind/bind9/lib/lwres/compat.c
+++ b/bind/bind9/lib/lwres/compat.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/context.c b/bind/bind9/lib/lwres/context.c
index 0a03649f..c4472e28 100644
--- a/bind/bind9/lib/lwres/context.c
+++ b/bind/bind9/lib/lwres/context.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: context.c,v 1.55 2009/09/02 23:48:03 tbox Exp $ */
-
 /*! \file context.c
    lwres_context_create() creates a #lwres_context_t structure for use in
    lightweight resolver operations. It holds a socket and other data
diff --git a/bind/bind9/lib/lwres/context_p.h b/bind/bind9/lib/lwres/context_p.h
index dce0319f..968430ff 100644
--- a/bind/bind9/lib/lwres/context_p.h
+++ b/bind/bind9/lib/lwres/context_p.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: context_p.h,v 1.19 2008/12/17 23:47:58 tbox Exp $ */
-
 #ifndef LWRES_CONTEXT_P_H
 #define LWRES_CONTEXT_P_H 1
 
diff --git a/bind/bind9/lib/lwres/gai_strerror.c b/bind/bind9/lib/lwres/gai_strerror.c
index 797fd096..bda8110b 100644
--- a/bind/bind9/lib/lwres/gai_strerror.c
+++ b/bind/bind9/lib/lwres/gai_strerror.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: gai_strerror.c,v 1.22 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file gai_strerror.c
  * lwres_gai_strerror() returns an error message corresponding to an
  * error code returned by getaddrinfo(). The following error codes and
diff --git a/bind/bind9/lib/lwres/getaddrinfo.c b/bind/bind9/lib/lwres/getaddrinfo.c
index e26c9440..adba2375 100644
--- a/bind/bind9/lib/lwres/getaddrinfo.c
+++ b/bind/bind9/lib/lwres/getaddrinfo.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -24,8 +24,6 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.54 2008/11/25 23:47:23 tbox Exp $ */
-
 /*! \file */
 
 /**
@@ -737,7 +735,7 @@ get_local(const char *name, int socktype, struct addrinfo **res) {
 
 /*!
  * Allocate an addrinfo structure, and a sockaddr structure
- * of the specificed length.  We initialize:
+ * of the specified length.  We initialize:
  *	ai_addrlen
  *	ai_family
  *	ai_addr
diff --git a/bind/bind9/lib/lwres/gethost.c b/bind/bind9/lib/lwres/gethost.c
index 891f7a4f..5f2dc0e3 100644
--- a/bind/bind9/lib/lwres/gethost.c
+++ b/bind/bind9/lib/lwres/gethost.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: gethost.c,v 1.34 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file */
 
 /**
diff --git a/bind/bind9/lib/lwres/getipnode.c b/bind/bind9/lib/lwres/getipnode.c
index b185b2cb..37a0bf38 100644
--- a/bind/bind9/lib/lwres/getipnode.c
+++ b/bind/bind9/lib/lwres/getipnode.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/getnameinfo.c b/bind/bind9/lib/lwres/getnameinfo.c
index f5b674d6..c26ce0bf 100644
--- a/bind/bind9/lib/lwres/getnameinfo.c
+++ b/bind/bind9/lib/lwres/getnameinfo.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/getrrset.c b/bind/bind9/lib/lwres/getrrset.c
index c00d5e83..559e9637 100644
--- a/bind/bind9/lib/lwres/getrrset.c
+++ b/bind/bind9/lib/lwres/getrrset.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/herror.c b/bind/bind9/lib/lwres/herror.c
index 25bd65e0..43b50d27 100644
--- a/bind/bind9/lib/lwres/herror.c
+++ b/bind/bind9/lib/lwres/herror.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -59,12 +59,6 @@
 
  */
 
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] =
-	"$Id$";
-#endif /* LIBC_SCCS and not lint */
-
 #include <config.h>
 
 #include <stdio.h>
diff --git a/bind/bind9/lib/lwres/include/Makefile.in b/bind/bind9/lib/lwres/include/Makefile.in
index 51564a99..db74bea5 100644
--- a/bind/bind9/lib/lwres/include/Makefile.in
+++ b/bind/bind9/lib/lwres/include/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.8 2007/06/19 23:47:22 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/include/lwres/Makefile.in b/bind/bind9/lib/lwres/include/lwres/Makefile.in
index 2a07df5f..8e92f84f 100644
--- a/bind/bind9/lib/lwres/include/lwres/Makefile.in
+++ b/bind/bind9/lib/lwres/include/lwres/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/include/lwres/context.h b/bind/bind9/lib/lwres/include/lwres/context.h
index 2acc4a19..02c07efa 100644
--- a/bind/bind9/lib/lwres/include/lwres/context.h
+++ b/bind/bind9/lib/lwres/include/lwres/context.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: context.h,v 1.23 2008/12/17 23:47:58 tbox Exp $ */
-
 #ifndef LWRES_CONTEXT_H
 #define LWRES_CONTEXT_H 1
 
diff --git a/bind/bind9/lib/lwres/include/lwres/int.h b/bind/bind9/lib/lwres/include/lwres/int.h
index 8bc5ce8b..7c43b649 100644
--- a/bind/bind9/lib/lwres/include/lwres/int.h
+++ b/bind/bind9/lib/lwres/include/lwres/int.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/include/lwres/ipv6.h b/bind/bind9/lib/lwres/include/lwres/ipv6.h
index 87476050..540f9732 100644
--- a/bind/bind9/lib/lwres/include/lwres/ipv6.h
+++ b/bind/bind9/lib/lwres/include/lwres/ipv6.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: ipv6.h,v 1.16 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_IPV6_H
 #define LWRES_IPV6_H 1
 
diff --git a/bind/bind9/lib/lwres/include/lwres/lang.h b/bind/bind9/lib/lwres/include/lwres/lang.h
index 7396b9a9..fedc2490 100644
--- a/bind/bind9/lib/lwres/include/lwres/lang.h
+++ b/bind/bind9/lib/lwres/include/lwres/lang.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lang.h,v 1.13 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_LANG_H
 #define LWRES_LANG_H 1
 
diff --git a/bind/bind9/lib/lwres/include/lwres/list.h b/bind/bind9/lib/lwres/include/lwres/list.h
index f235c189..f4c3bf7c 100644
--- a/bind/bind9/lib/lwres/include/lwres/list.h
+++ b/bind/bind9/lib/lwres/include/lwres/list.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: list.h,v 1.14 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_LIST_H
 #define LWRES_LIST_H 1
 
diff --git a/bind/bind9/lib/lwres/include/lwres/lwbuffer.h b/bind/bind9/lib/lwres/include/lwres/lwbuffer.h
index 056a8131..dbb10c52 100644
--- a/bind/bind9/lib/lwres/include/lwres/lwbuffer.h
+++ b/bind/bind9/lib/lwres/include/lwres/lwbuffer.h
@@ -3,15 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwbuffer.h,v 1.22 2007/06/19 23:47:23 tbox Exp $ */
-
-
 /*! \file lwres/lwbuffer.h
  *
  * A buffer is a region of memory, together with a set of related subregions.
diff --git a/bind/bind9/lib/lwres/include/lwres/lwpacket.h b/bind/bind9/lib/lwres/include/lwres/lwpacket.h
index 656a5cbf..94f8f051 100644
--- a/bind/bind9/lib/lwres/include/lwres/lwpacket.h
+++ b/bind/bind9/lib/lwres/include/lwres/lwpacket.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwpacket.h,v 1.24 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_LWPACKET_H
 #define LWRES_LWPACKET_H 1
 
diff --git a/bind/bind9/lib/lwres/include/lwres/lwres.h b/bind/bind9/lib/lwres/include/lwres/lwres.h
index 81a0e022..e1e5c4cd 100644
--- a/bind/bind9/lib/lwres/include/lwres/lwres.h
+++ b/bind/bind9/lib/lwres/include/lwres/lwres.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwres.h,v 1.57 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_LWRES_H
 #define LWRES_LWRES_H 1
 
diff --git a/bind/bind9/lib/lwres/include/lwres/netdb.h.in b/bind/bind9/lib/lwres/include/lwres/netdb.h.in
index 8e65bc84..bca4dd37 100644
--- a/bind/bind9/lib/lwres/include/lwres/netdb.h.in
+++ b/bind/bind9/lib/lwres/include/lwres/netdb.h.in
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: netdb.h.in,v 1.41 2009/01/18 23:48:14 tbox Exp $ */
-
 /*! \file */
 
 #ifndef LWRES_NETDB_H
diff --git a/bind/bind9/lib/lwres/include/lwres/platform.h.in b/bind/bind9/lib/lwres/include/lwres/platform.h.in
index 52c7192d..63fb664a 100644
--- a/bind/bind9/lib/lwres/include/lwres/platform.h.in
+++ b/bind/bind9/lib/lwres/include/lwres/platform.h.in
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: platform.h.in,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
-
 /*! \file */
 
 #ifndef LWRES_PLATFORM_H
@@ -65,7 +63,7 @@
 @LWRES_PLATFORM_HAVEINADDR6@
 
 /*
- * Defined if unistd.h does not cause fd_set to be delared.
+ * Defined if unistd.h does not cause fd_set to be declared.
  */
 @LWRES_PLATFORM_NEEDSYSSELECTH@
 
diff --git a/bind/bind9/lib/lwres/include/lwres/result.h b/bind/bind9/lib/lwres/include/lwres/result.h
index 7397a939..61d7a3e0 100644
--- a/bind/bind9/lib/lwres/include/lwres/result.h
+++ b/bind/bind9/lib/lwres/include/lwres/result.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: result.h,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_RESULT_H
 #define LWRES_RESULT_H 1
 
diff --git a/bind/bind9/lib/lwres/include/lwres/stdlib.h b/bind/bind9/lib/lwres/include/lwres/stdlib.h
index 856f9544..446f8691 100644
--- a/bind/bind9/lib/lwres/include/lwres/stdlib.h
+++ b/bind/bind9/lib/lwres/include/lwres/stdlib.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/include/lwres/string.h b/bind/bind9/lib/lwres/include/lwres/string.h
index 76d07478..9df3ce85 100644
--- a/bind/bind9/lib/lwres/include/lwres/string.h
+++ b/bind/bind9/lib/lwres/include/lwres/string.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/include/lwres/version.h b/bind/bind9/lib/lwres/include/lwres/version.h
index 802f4037..54252a14 100644
--- a/bind/bind9/lib/lwres/include/lwres/version.h
+++ b/bind/bind9/lib/lwres/include/lwres/version.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: version.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
-
 /*! \file lwres/version.h */
 
 #include <lwres/platform.h>
diff --git a/bind/bind9/lib/lwres/lwbuffer.c b/bind/bind9/lib/lwres/lwbuffer.c
index 9cdf5eda..67b59637 100644
--- a/bind/bind9/lib/lwres/lwbuffer.c
+++ b/bind/bind9/lib/lwres/lwbuffer.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwbuffer.c,v 1.15 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file */
 
 /**
@@ -62,7 +60,7 @@
  *   b-c == optional active region.
  * \endverbatim
  *
- *    lwres_buffer_init() initializes the lwres_buffer_t *b and assocates it
+ *    lwres_buffer_init() initializes the lwres_buffer_t *b and associates it
  *    with the memory region of size length bytes starting at location base.
  *
  *    lwres_buffer_invalidate() marks the buffer *b as invalid. Invalidating
diff --git a/bind/bind9/lib/lwres/lwconfig.c b/bind/bind9/lib/lwres/lwconfig.c
index ef7c8714..e5e5f491 100644
--- a/bind/bind9/lib/lwres/lwconfig.c
+++ b/bind/bind9/lib/lwres/lwconfig.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -217,7 +217,7 @@ lwres_strdup(lwres_context_t *ctx, const char *str) {
 	return (p);
 }
 
-/*% intializes data structure for subsequent config parsing. */
+/*% initializes data structure for subsequent config parsing. */
 void
 lwres_conf_init(lwres_context_t *ctx) {
 	int i;
diff --git a/bind/bind9/lib/lwres/lwinetaton.c b/bind/bind9/lib/lwres/lwinetaton.c
index c2b90afb..c65f176f 100644
--- a/bind/bind9/lib/lwres/lwinetaton.c
+++ b/bind/bind9/lib/lwres/lwinetaton.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -62,7 +62,6 @@
  */
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.16 2007/06/19 23:47:22 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -173,19 +172,21 @@ lwres_net_aton(const char *cp, struct in_addr *addr) {
 	case 2:				/* a.b -- 8.24 bits */
 		if (val > 0xffffffU)
 			return (0);
-		val |= parts[0] << 24;
+#define ulshift(x, n) ((unsigned int)(x) << (n))
+		val |= ulshift(parts[0], 24);
 		break;
 
 	case 3:				/* a.b.c -- 8.8.16 bits */
 		if (val > 0xffffU)
 			return (0);
-		val |= (parts[0] << 24) | (parts[1] << 16);
+		val |= ulshift(parts[0], 24) | ulshift(parts[1], 16);
 		break;
 
 	case 4:				/* a.b.c.d -- 8.8.8.8 bits */
 		if (val > 0xffU)
 			return (0);
-		val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
+		val |= ulshift(parts[0], 24) | ulshift(parts[1], 16) |
+			ulshift(parts[2], 8);
 		break;
 	}
 	if (addr != NULL)
diff --git a/bind/bind9/lib/lwres/lwinetntop.c b/bind/bind9/lib/lwres/lwinetntop.c
index 8fc43a16..9301dd41 100644
--- a/bind/bind9/lib/lwres/lwinetntop.c
+++ b/bind/bind9/lib/lwres/lwinetntop.c
@@ -3,18 +3,13 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/*! \file lwinetntop.c
- */
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
-	"$Id: lwinetntop.c,v 1.18 2007/06/19 23:47:22 tbox Exp $";
-#endif /* LIBC_SCCS and not lint */
+/*! \file lwinetntop.c */
 
 #include <config.h>
 
diff --git a/bind/bind9/lib/lwres/lwinetpton.c b/bind/bind9/lib/lwres/lwinetpton.c
index ed4a6d93..735b7446 100644
--- a/bind/bind9/lib/lwres/lwinetpton.c
+++ b/bind/bind9/lib/lwres/lwinetpton.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/lwpacket.c b/bind/bind9/lib/lwres/lwpacket.c
index 473cc447..e8844ece 100644
--- a/bind/bind9/lib/lwres/lwpacket.c
+++ b/bind/bind9/lib/lwres/lwpacket.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwpacket.c,v 1.18 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file */
 
 /**
diff --git a/bind/bind9/lib/lwres/lwres_gabn.c b/bind/bind9/lib/lwres/lwres_gabn.c
index 630609bd..3dd83e61 100644
--- a/bind/bind9/lib/lwres/lwres_gabn.c
+++ b/bind/bind9/lib/lwres/lwres_gabn.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwres_gabn.c,v 1.33 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file lwres_gabn.c
    These are low-level routines for creating and parsing lightweight
    resolver name-to-address lookup request and response messages.
diff --git a/bind/bind9/lib/lwres/lwres_gnba.c b/bind/bind9/lib/lwres/lwres_gnba.c
index d242f5c0..de6c3aaa 100644
--- a/bind/bind9/lib/lwres/lwres_gnba.c
+++ b/bind/bind9/lib/lwres/lwres_gnba.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwres_gnba.c,v 1.28 2007/09/24 17:18:25 each Exp $ */
-
 /*! \file lwres_gnba.c
    These are low-level routines for creating and parsing lightweight
    resolver address-to-name lookup request and response messages.
diff --git a/bind/bind9/lib/lwres/lwres_grbn.c b/bind/bind9/lib/lwres/lwres_grbn.c
index c736a41e..ca1f40b3 100644
--- a/bind/bind9/lib/lwres/lwres_grbn.c
+++ b/bind/bind9/lib/lwres/lwres_grbn.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwres_grbn.c,v 1.10 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file lwres_grbn.c
 
  */
diff --git a/bind/bind9/lib/lwres/lwres_noop.c b/bind/bind9/lib/lwres/lwres_noop.c
index 062c2d1e..75e50875 100644
--- a/bind/bind9/lib/lwres/lwres_noop.c
+++ b/bind/bind9/lib/lwres/lwres_noop.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwres_noop.c,v 1.19 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file */
 
 /**
diff --git a/bind/bind9/lib/lwres/lwresutil.c b/bind/bind9/lib/lwres/lwresutil.c
index 3ddc8d56..e2a553f0 100644
--- a/bind/bind9/lib/lwres/lwresutil.c
+++ b/bind/bind9/lib/lwres/lwresutil.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwresutil.c,v 1.34 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file */
 
 /**
@@ -53,7 +51,7 @@
  *    they are controlled through the \link lwres_gabn.c lwres_gabn*\endlink functions.
  *
  *    The lightweight resolver uses lwres_getaddrsbyname() to perform
- *    foward lookups. Hostname name is looked up using the resolver
+ *    forward lookups. Hostname name is looked up using the resolver
  *    context ctx for memory allocation. addrtypes is a bitmask
  *    indicating which type of addresses are to be looked up. Current
  *    values for this bitmask are #LWRES_ADDRTYPE_V4 for IPv4 addresses
diff --git a/bind/bind9/lib/lwres/man/Makefile.in b/bind/bind9/lib/lwres/man/Makefile.in
index 62387cb4..6307bec7 100644
--- a/bind/bind9/lib/lwres/man/Makefile.in
+++ b/bind/bind9/lib/lwres/man/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.9 2007/06/19 23:47:23 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/man/lwres.3 b/bind/bind9/lib/lwres/man/lwres.3
index a3b17d15..ab55dfc3 100644
--- a/bind/bind9/lib/lwres/man/lwres.3
+++ b/bind/bind9/lib/lwres/man/lwres.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -78,7 +78,7 @@ function\&.
 Finally, there is a low\-level API for converting lookup requests and responses to and from raw lwres protocol packets\&. This API can be used by clients requiring nonblocking operation, and is also used when implementing the server side of the lwres protocol, for example in the
 \fBlwresd\fR
 resolver daemon\&. The use of this low\-level API in clients and servers is outlined in the following sections\&.
-.SH "CLIENT-SIDE LOW-LEVEL API CALL FLOW"
+.SH "CLIENT\-SIDE LOW\-LEVEL API CALL FLOW"
 .PP
 When a client program wishes to make an lwres request using the native low\-level API, it typically performs the following sequence of actions\&.
 .PP
@@ -116,7 +116,7 @@ and storing the packet data\&.
 to parse any packets received\&.
 .PP
 (9) Verify that the opcode and serial match a request, and process the packet specific information contained in the body\&.
-.SH "SERVER-SIDE LOW-LEVEL API CALL FLOW"
+.SH "SERVER\-SIDE LOW\-LEVEL API CALL FLOW"
 .PP
 When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the following is typically involved in processing each request packet\&.
 .PP
@@ -172,5 +172,5 @@ bit should be set\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres.docbook b/bind/bind9/lib/lwres/man/lwres.docbook
index 8163d627..93e20b74 100644
--- a/bind/bind9/lib/lwres/man/lwres.docbook
+++ b/bind/bind9/lib/lwres/man/lwres.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -42,6 +42,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres.html b/bind/bind9/lib/lwres/man/lwres.html
index 15dab501..97fdfc9e 100644
--- a/bind/bind9/lib/lwres/man/lwres.html
+++ b/bind/bind9/lib/lwres/man/lwres.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,35 +10,21 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres
-     &#8212; introduction to the lightweight resolver library
-  </p>
+<p>lwres &#8212; introduction to the lightweight resolver library</p>
 </div>
-
-  
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
+<div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
 </div>
-  </div>
-
-  <div class="refsection">
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       The BIND 9 lightweight resolver library is a simple, name service
       independent stub resolver library.  It provides hostname-to-address
       and address-to-hostname lookup services to applications by
@@ -50,12 +36,10 @@
       The library and resolver daemon communicate using a simple
       UDP-based protocol.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>OVERVIEW</h2>
-
-    <p>
+<p>
       The lwresd library implements multiple name service APIs.
       The standard
       <code class="function">gethostbyname()</code>,
@@ -80,7 +64,7 @@
       library into their base distributions should rename the functions
       in the library proper so that the renaming macros are not needed.
     </p>
-    <p>
+<p>
       The library also provides a native API consisting of the functions
       <code class="function">lwres_getaddrsbyname()</code>
       and
@@ -89,14 +73,14 @@
       control over the lookup process than the standard functions
       provide.
     </p>
-    <p>
+<p>
       In addition to these name service independent address lookup
       functions, the library implements a new, experimental API
       for looking up arbitrary DNS resource records, using the
       <code class="function">lwres_getaddrsbyname()</code>
       function.
     </p>
-    <p>
+<p>
       Finally, there is a low-level API for converting lookup
       requests and responses to and from raw lwres protocol packets.
       This API can be used by clients requiring nonblocking operation,
@@ -106,65 +90,63 @@
       resolver daemon.  The use of this low-level API in clients
       and servers is outlined in the following sections.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
-
-    <p>
+<p>
       When a client program wishes to make an lwres request using the
       native low-level API, it typically performs the following
       sequence of actions.
     </p>
-    <p>
+<p>
       (1) Allocate or use an existing <span class="type">lwres_packet_t</span>,
       called <code class="varname">pkt</code> below.
     </p>
-    <p>
+<p>
       (2) Set <code class="varname">pkt.recvlength</code> to the maximum length
       we will accept.
       This is done so the receiver of our packets knows how large our receive
       buffer is.  The "default" is a constant in
       <code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>.
     </p>
-    <p>
+<p>
       (3) Set <code class="varname">pkt.serial</code>
       to a unique serial number.  This value is echoed
       back to the application by the remote server.
     </p>
-    <p>
+<p>
       (4) Set <code class="varname">pkt.pktflags</code>.  Usually this is set to
       0.
     </p>
-    <p>
+<p>
       (5) Set <code class="varname">pkt.result</code> to 0.
     </p>
-    <p>
+<p>
       (6) Call <code class="function">lwres_*request_render()</code>,
       or marshall in the data using the primitives
       such as <code class="function">lwres_packet_render()</code>
       and storing the packet data.
     </p>
-    <p>
+<p>
       (7) Transmit the resulting buffer.
     </p>
-    <p>
+<p>
       (8) Call <code class="function">lwres_*response_parse()</code>
       to parse any packets received.
     </p>
-    <p>
+<p>
       (9) Verify that the opcode and serial match a request, and process the
       packet specific information contained in the body.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
-
-    <p>
+<p>
       When implementing the server side of the lightweight resolver
       protocol using the lwres library, a sequence of actions like the
       following is typically involved in processing each request packet.
     </p>
-    <p>
+<p>
       Note that the same <span class="type">lwres_packet_t</span> is used
       in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls,
       with only a few modifications made
@@ -172,15 +154,15 @@
       recommended
       as it keeps the serial, opcode, and other fields correct.
     </p>
-    <p>
+<p>
       (1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to
       unmarshall it.  This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below)
       as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>.
     </p>
-    <p>
+<p>
       (2) Process the request in the data specific type.
     </p>
-    <p>
+<p>
       (3) Set the <code class="varname">pkt.result</code>,
       <code class="varname">pkt.recvlength</code> as above.  All other fields
       can
@@ -190,59 +172,38 @@
       properly.  Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be
       set.
     </p>
-    <p>
+<p>
       (4) Call the data specific rendering function, such as
       <code class="function">lwres_gabnresponse_render()</code>.
     </p>
-    <p>
+<p>
       (5) Send the resulting packet to the client.
     </p>
-    <p></p>
-  </div>
-  <div class="refsection">
+<p></p>
+</div>
+<div class="refsection">
 <a name="id-1.11"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
 
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres_gethostent</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getipnode</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getnameinfo</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_noop</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_noop</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_gabn</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_gnba</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_gnba</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_context</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_context</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_config</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_config</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">resolver</span>(5)
-      </span>,
-
-      <span class="citerefentry">
-        <span class="refentrytitle">lwresd</span>(8)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>.
 
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_buffer.3 b/bind/bind9/lib/lwres/man/lwres_buffer.3
index e0f68af1..13f5d12e 100644
--- a/bind/bind9/lib/lwres/man/lwres_buffer.3
+++ b/bind/bind9/lib/lwres/man/lwres_buffer.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_buffer
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -146,8 +146,9 @@ is an (optional) subregion of the remaining region\&. It extends from the curren
 .PP
 \fBlwres_buffer_init()\fR
 initializes the
-\fBlwres_buffer_t\fR\fI*b\fR
-and assocates it with the memory region of size
+\fBlwres_buffer_t\fR
+\fI*b\fR
+and associates it with the memory region of size
 \fIlength\fR
 bytes starting at location
 \fIbase\&.\fR
@@ -248,5 +249,5 @@ to
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_buffer.docbook b/bind/bind9/lib/lwres/man/lwres_buffer.docbook
index 26d333ba..8b8ee713 100644
--- a/bind/bind9/lib/lwres/man/lwres_buffer.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_buffer.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -273,7 +274,7 @@ void
       initializes the
       <type>lwres_buffer_t</type>
       <parameter>*b</parameter>
-      and assocates it with the memory region of size
+      and associates it with the memory region of size
       <parameter>length</parameter>
       bytes starting at location
       <parameter>base.</parameter>
diff --git a/bind/bind9/lib/lwres/man/lwres_buffer.html b/bind/bind9/lib/lwres/man/lwres_buffer.html
index daa5846e..07ed3e37 100644
--- a/bind/bind9/lib/lwres/man/lwres_buffer.html
+++ b/bind/bind9/lib/lwres/man/lwres_buffer.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,48 +10,20 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_buffer</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_buffer_init, 
-    lwres_buffer_invalidate, 
-    lwres_buffer_add, 
-    lwres_buffer_subtract, 
-    lwres_buffer_clear, 
-    lwres_buffer_first, 
-    lwres_buffer_forward, 
-    lwres_buffer_back, 
-    lwres_buffer_getuint8, 
-    lwres_buffer_putuint8, 
-    lwres_buffer_getuint16, 
-    lwres_buffer_putuint16, 
-    lwres_buffer_getuint32, 
-    lwres_buffer_putuint32, 
-    lwres_buffer_putmem, 
-    lwres_buffer_getmem
-     &#8212; lightweight resolver buffer management
-  </p>
+<p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem &#8212; lightweight resolver buffer management</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">
 #include &lt;lwres/lwbuffer.h&gt;
 </pre>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -69,7 +41,6 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
 void
@@ -90,7 +61,6 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -104,7 +74,6 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
 void
@@ -112,7 +81,6 @@ void
 <td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
 void
@@ -120,7 +88,6 @@ void
 <td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -147,7 +114,6 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
 uint8_t
@@ -155,7 +121,6 @@ uint8_t
 <td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -169,7 +134,6 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
 uint16_t
@@ -177,7 +141,6 @@ uint16_t
 <td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -191,7 +154,6 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
 uint32_t
@@ -199,7 +161,6 @@ uint32_t
 <td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -213,7 +174,6 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -231,7 +191,6 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -249,22 +208,18 @@ void
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p>
+<p>
       These functions provide bounds checked access to a region of memory
       where data is being read or written.
       They are based on, and similar to, the
       <code class="literal">isc_buffer_</code>
       functions in the ISC library.
     </p>
-    <p>
+<p>
       A buffer is a region of memory, together with a set of related
       subregions.
       The <span class="emphasis"><em>used region</em></span> and the
@@ -278,7 +233,7 @@ void
       buffer commands.
       Initially, the used region is empty.
     </p>
-    <p>
+<p>
       The used region is further subdivided into two disjoint regions: the
       <span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>.
       The union of these two regions is the used region.
@@ -291,7 +246,7 @@ void
       buffer commands.
       Initially, the consumed region is empty.
     </p>
-    <p>
+<p>
       The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the
       remaining
       region.
@@ -301,7 +256,7 @@ void
       If the current offset advances beyond the chosen offset,
       the active region will also be empty.
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
    /------------entire length---------------\\
    /----- used region -----\\/-- available --\\
    +----------------------------------------+
@@ -311,7 +266,7 @@ void
       </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
   a == base of buffer.
   b == current pointer.  Can be anywhere between a and d.
   c == active pointer.  Meaningful between b and d.
@@ -320,7 +275,7 @@ void
       </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
   a-e == entire length of buffer.
   a-d == used region.
   a-b == consumed region.
@@ -329,21 +284,21 @@ void
 </pre>
 <p>
     </p>
-    <p><code class="function">lwres_buffer_init()</code>
+<p><code class="function">lwres_buffer_init()</code>
       initializes the
       <span class="type">lwres_buffer_t</span>
       <em class="parameter"><code>*b</code></em>
-      and assocates it with the memory region of size
+      and associates it with the memory region of size
       <em class="parameter"><code>length</code></em>
       bytes starting at location
       <em class="parameter"><code>base.</code></em>
     </p>
-    <p><code class="function">lwres_buffer_invalidate()</code>
+<p><code class="function">lwres_buffer_invalidate()</code>
       marks the buffer <em class="parameter"><code>*b</code></em>
       as invalid.  Invalidating a buffer after use is not required,
       but makes it possible to catch its possible accidental use.
     </p>
-    <p>
+<p>
       The functions
       <code class="function">lwres_buffer_add()</code>
       and
@@ -362,7 +317,7 @@ void
       They just change the value of
       <code class="varname">used</code>.
     </p>
-    <p>
+<p>
       A buffer is re-initialised by
       <code class="function">lwres_buffer_clear()</code>.
       The function sets
@@ -372,14 +327,14 @@ void
       <code class="varname">active</code>
       to zero.
     </p>
-    <p><code class="function">lwres_buffer_first</code>
+<p><code class="function">lwres_buffer_first</code>
       makes the consumed region of buffer
       <em class="parameter"><code>*p</code></em>
       empty by setting
       <code class="varname">current</code>
       to zero (the start of the buffer).
     </p>
-    <p><code class="function">lwres_buffer_forward()</code>
+<p><code class="function">lwres_buffer_forward()</code>
       increases the consumed region of buffer
       <em class="parameter"><code>*b</code></em>
       by
@@ -393,7 +348,7 @@ void
       <em class="parameter"><code>n</code></em>
       bytes and checks for underflow.
     </p>
-    <p><code class="function">lwres_buffer_getuint8()</code>
+<p><code class="function">lwres_buffer_getuint8()</code>
       reads an unsigned 8-bit integer from
       <em class="parameter"><code>*b</code></em>
       and returns it.
@@ -403,7 +358,7 @@ void
       to buffer
       <em class="parameter"><code>*b</code></em>.
     </p>
-    <p><code class="function">lwres_buffer_getuint16()</code>
+<p><code class="function">lwres_buffer_getuint16()</code>
       and
       <code class="function">lwres_buffer_getuint32()</code>
       are identical to
@@ -421,7 +376,7 @@ void
       <em class="parameter"><code>b</code></em>,
       in network byte order.
     </p>
-    <p>
+<p>
       Arbitrary amounts of data are read or written from a lightweight
       resolver buffer with
       <code class="function">lwres_buffer_getmem()</code>
@@ -444,6 +399,6 @@ void
       to
       <em class="parameter"><code>base</code></em>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_config.3 b/bind/bind9/lib/lwres/man/lwres_config.3
index e1763c6c..4f93c71c 100644
--- a/bind/bind9/lib/lwres/man/lwres_config.3
+++ b/bind/bind9/lib/lwres/man/lwres_config.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_config
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -82,7 +82,8 @@ prints the
 structure for resolver context
 \fIctx\fR
 to the
-\fBFILE\fR\fIfp\fR\&.
+\fBFILE\fR
+\fIfp\fR\&.
 .SH "RETURN VALUES"
 .PP
 \fBlwres_conf_parse()\fR
@@ -112,5 +113,5 @@ unless an error occurred when converting the network addresses to a numeric host
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_config.docbook b/bind/bind9/lib/lwres/man/lwres_config.docbook
index ab1eec75..9dd04cec 100644
--- a/bind/bind9/lib/lwres/man/lwres_config.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_config.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_config.html b/bind/bind9/lib/lwres/man/lwres_config.html
index 6809512d..85dd181c 100644
--- a/bind/bind9/lib/lwres/man/lwres_config.html
+++ b/bind/bind9/lib/lwres/man/lwres_config.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,32 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_config</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_conf_init, 
-    lwres_conf_clear, 
-    lwres_conf_parse, 
-    lwres_conf_print, 
-    lwres_conf_get
-     &#8212; lightweight resolver configuration
-  </p>
+<p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get &#8212; lightweight resolver configuration</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
@@ -85,28 +70,23 @@ lwres_conf_t *
 </tr></table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><code class="function">lwres_conf_init()</code>
+<p><code class="function">lwres_conf_init()</code>
       creates an empty
       <span class="type">lwres_conf_t</span>
       structure for lightweight resolver context
       <em class="parameter"><code>ctx</code></em>.
     </p>
-
-    <p><code class="function">lwres_conf_clear()</code>
+<p><code class="function">lwres_conf_clear()</code>
       frees up all the internal memory used by
       that
       <span class="type">lwres_conf_t</span>
       structure in resolver context
       <em class="parameter"><code>ctx</code></em>.
     </p>
-
-    <p><code class="function">lwres_conf_parse()</code>
+<p><code class="function">lwres_conf_parse()</code>
       opens the file
       <em class="parameter"><code>filename</code></em>
       and parses it to initialise the resolver context
@@ -114,8 +94,7 @@ lwres_conf_t *
       <span class="type">lwres_conf_t</span>
       structure.
     </p>
-
-    <p><code class="function">lwres_conf_print()</code>
+<p><code class="function">lwres_conf_print()</code>
       prints the
       <span class="type">lwres_conf_t</span>
       structure for resolver context
@@ -124,13 +103,10 @@ lwres_conf_t *
       <span class="type">FILE</span>
       <em class="parameter"><code>fp</code></em>.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-
-
-    <p><code class="function">lwres_conf_parse()</code>
+<p><code class="function">lwres_conf_parse()</code>
       returns <span class="errorcode">LWRES_R_SUCCESS</span>
       if it successfully read and parsed
       <em class="parameter"><code>filename</code></em>.
@@ -139,31 +115,24 @@ lwres_conf_t *
       could not be opened or contained incorrect
       resolver statements.
     </p>
-
-    <p><code class="function">lwres_conf_print()</code>
+<p><code class="function">lwres_conf_print()</code>
       returns <span class="errorcode">LWRES_R_SUCCESS</span>
       unless an error occurred when converting the network addresses to a
       numeric host address string.
       If this happens, the function returns
       <span class="errorcode">LWRES_R_FAILURE</span>.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">stdio</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">resolver</span>(5)
-      </span>.
+<p><span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>FILES</h2>
-
-    <p><code class="filename">/etc/resolv.conf</code>
+<p><code class="filename">/etc/resolv.conf</code>
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_context.3 b/bind/bind9/lib/lwres/man/lwres_context.3
index 67f85f94..9ff314bc 100644
--- a/bind/bind9/lib/lwres/man/lwres_context.3
+++ b/bind/bind9/lib/lwres/man/lwres_context.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_context
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -177,5 +177,5 @@ times out waiting for a response\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_context.docbook b/bind/bind9/lib/lwres/man/lwres_context.docbook
index 261f8c6e..9c66d7d7 100644
--- a/bind/bind9/lib/lwres/man/lwres_context.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_context.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -41,6 +41,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_context.html b/bind/bind9/lib/lwres/man/lwres_context.html
index 528a4aad..ccf8c641 100644
--- a/bind/bind9/lib/lwres/man/lwres_context.html
+++ b/bind/bind9/lib/lwres/man/lwres_context.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,33 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_context</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_context_create, 
-    lwres_context_destroy, 
-    lwres_context_nextserial, 
-    lwres_context_initserial, 
-    lwres_context_freemem, 
-    lwres_context_allocmem, 
-    lwres_context_sendrecv
-     &#8212; lightweight resolver context management
-  </p>
+<p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv &#8212; lightweight resolver context management</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -146,12 +130,10 @@ void *
 </table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><code class="function">lwres_context_create()</code>
+<p><code class="function">lwres_context_create()</code>
       creates a <span class="type">lwres_context_t</span> structure for use in
       lightweight resolver operations.  It holds a socket and other
       data needed for communicating with a resolver daemon.  The new
@@ -162,7 +144,7 @@ void *
       is modified to point to the newly created
       <span class="type">lwres_context_t</span>.
     </p>
-    <p>
+<p>
       When the lightweight resolver needs to perform dynamic memory
       allocation, it will call
       <em class="parameter"><code>malloc_function</code></em>
@@ -173,13 +155,9 @@ void *
       and
       <em class="parameter"><code>free_function</code></em>
       are NULL, memory is allocated using
-      <span class="citerefentry">
-        <span class="refentrytitle">malloc</span>(3)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>.
       and
-      <span class="citerefentry">
-        <span class="refentrytitle">free</span>(3)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
 
       It is not permitted to have a NULL
       <em class="parameter"><code>malloc_function</code></em> and a non-NULL
@@ -191,24 +169,19 @@ void *
       <em class="parameter"><code>arg</code></em> is unused and should be passed as
       NULL.
     </p>
-
-    <p>
+<p>
       Once memory for the structure has been allocated,
       it is initialized using
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_conf_init</span>(3)
-      </span>
+      <span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>
       and returned via <em class="parameter"><code>*contextp</code></em>.
     </p>
-
-    <p><code class="function">lwres_context_destroy()</code>
+<p><code class="function">lwres_context_destroy()</code>
       destroys a <span class="type">lwres_context_t</span>, closing its socket.
       <em class="parameter"><code>contextp</code></em> is a pointer to a pointer to the
       context that is to be destroyed.  The pointer will be set to
       NULL when the context has been destroyed.
     </p>
-
-    <p>
+<p>
       The context holds a serial number that is used to identify
       resolver request packets and associate responses with the
       corresponding requests.  This serial number is controlled using
@@ -220,8 +193,7 @@ void *
       <code class="function">lwres_context_nextserial()</code> increments the
       serial number and returns the previous value.
     </p>
-
-    <p>
+<p>
       Memory for a lightweight resolver context is allocated and freed
       using <code class="function">lwres_context_allocmem()</code> and
       <code class="function">lwres_context_freemem()</code>.  These use
@@ -234,8 +206,7 @@ void *
       <em class="parameter"><code>len</code></em> bytes of space starting at location
       <em class="parameter"><code>mem</code></em>.
     </p>
-
-    <p><code class="function">lwres_context_sendrecv()</code>
+<p><code class="function">lwres_context_sendrecv()</code>
       performs I/O for the context <em class="parameter"><code>ctx</code></em>.  Data
       are read and written from the context's socket.  It writes data
       from <em class="parameter"><code>sendbase</code></em> &#8212; typically a
@@ -245,24 +216,21 @@ void *
       written to this receive buffer is returned in
       <em class="parameter"><code>*recvd_len</code></em>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-
-    <p><code class="function">lwres_context_create()</code>
+<p><code class="function">lwres_context_create()</code>
       returns <span class="errorcode">LWRES_R_NOMEMORY</span> if memory for
       the <span class="type">struct lwres_context</span> could not be allocated,
       <span class="errorcode">LWRES_R_SUCCESS</span> otherwise.
     </p>
-    <p>
+<p>
       Successful calls to the memory allocator
       <code class="function">lwres_context_allocmem()</code>
       return a pointer to the start of the allocated space.
       It returns NULL if memory could not be allocated.
     </p>
-    <p><span class="errorcode">LWRES_R_SUCCESS</span>
+<p><span class="errorcode">LWRES_R_SUCCESS</span>
       is returned when
       <code class="function">lwres_context_sendrecv()</code>
       completes successfully.
@@ -273,22 +241,15 @@ void *
       <code class="function">lwres_context_sendrecv()</code>
       times out waiting for a response.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
 
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres_conf_init</span>(3)
-      </span>,
-
-      <span class="citerefentry">
-        <span class="refentrytitle">malloc</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">free</span>(3)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_gabn.3 b/bind/bind9/lib/lwres/man/lwres_gabn.3
index 4413a9de..bfa99e0a 100644
--- a/bind/bind9/lib/lwres/man/lwres_gabn.3
+++ b/bind/bind9/lib/lwres/man/lwres_gabn.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_gabn
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -177,7 +177,8 @@ structures referenced via
 .PP
 The getaddrbyname opcode functions
 \fBlwres_gabnrequest_render()\fR,
-\fBlwres_gabnresponse_render()\fR\fBlwres_gabnrequest_parse()\fR
+\fBlwres_gabnresponse_render()\fR
+\fBlwres_gabnrequest_parse()\fR
 and
 \fBlwres_gabnresponse_parse()\fR
 all return
@@ -213,5 +214,5 @@ indicate that the packet is not a response to an earlier query\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_gabn.docbook b/bind/bind9/lib/lwres/man/lwres_gabn.docbook
index 6f4be427..65dd59de 100644
--- a/bind/bind9/lib/lwres/man/lwres_gabn.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_gabn.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_gabn.html b/bind/bind9/lib/lwres/man/lwres_gabn.html
index ed29049c..c194b146 100644
--- a/bind/bind9/lib/lwres/man/lwres_gabn.html
+++ b/bind/bind9/lib/lwres/man/lwres_gabn.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,32 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gabn</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_gabnrequest_render, 
-    lwres_gabnresponse_render, 
-    lwres_gabnrequest_parse, 
-    lwres_gabnresponse_parse, 
-    lwres_gabnresponse_free, 
-    lwres_gabnrequest_free
-     &#8212; lightweight resolver getaddrbyname message handling
-  </p>
+<p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -148,16 +133,15 @@ void
 </table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       These are low-level routines for creating and parsing
       lightweight resolver name-to-address lookup request and
       response messages.
     </p>
-    <p>
+<p>
       There are four main functions for the getaddrbyname opcode.
       One render function converts a getaddrbyname request structure &#8212;
       <span class="type">lwres_gabnrequest_t</span> &#8212;
@@ -170,23 +154,23 @@ void
       This is complemented by a parse function which converts a packet in
       canonical format to a getaddrbyname response structure.
     </p>
-    <p>
+<p>
       These structures are defined in
       <code class="filename">&lt;lwres/lwres.h&gt;</code>.
       They are shown below.
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 typedef struct lwres_addr lwres_addr_t;
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 typedef struct {
         uint32_t  flags;
         uint32_t  addrtypes;
@@ -196,7 +180,7 @@ typedef struct {
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 typedef struct {
         uint32_t          flags;
         uint16_t          naliases;
@@ -212,8 +196,7 @@ typedef struct {
 </pre>
 <p>
     </p>
-
-    <p><code class="function">lwres_gabnrequest_render()</code>
+<p><code class="function">lwres_gabnrequest_render()</code>
       uses resolver context <em class="parameter"><code>ctx</code></em> to convert
       getaddrbyname request structure <em class="parameter"><code>req</code></em> to
       canonical format.  The packet header structure
@@ -227,8 +210,7 @@ typedef struct {
       <span class="type">lwres_gabnresponse_t</span> to the lightweight resolver's
       canonical format.
     </p>
-
-    <p><code class="function">lwres_gabnrequest_parse()</code>
+<p><code class="function">lwres_gabnrequest_parse()</code>
       uses context <em class="parameter"><code>ctx</code></em> to convert the contents
       of packet <em class="parameter"><code>pkt</code></em> to a
       <span class="type">lwres_gabnrequest_t</span> structure.  Buffer
@@ -241,8 +223,7 @@ typedef struct {
       semantics as <code class="function">lwres_gabnrequest_parse()</code>
       except it yields a <span class="type">lwres_gabnresponse_t</span> structure.
     </p>
-
-    <p><code class="function">lwres_gabnresponse_free()</code>
+<p><code class="function">lwres_gabnresponse_free()</code>
       and <code class="function">lwres_gabnrequest_free()</code> release the
       memory in resolver context <em class="parameter"><code>ctx</code></em> that was
       allocated to the <span class="type">lwres_gabnresponse_t</span> or
@@ -252,11 +233,10 @@ typedef struct {
       Any memory associated with ancillary buffers and strings for
       those structures is also discarded.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p>
+<p>
       The getaddrbyname opcode functions
       <code class="function">lwres_gabnrequest_render()</code>,
       <code class="function">lwres_gabnresponse_render()</code>
@@ -291,14 +271,11 @@ typedef struct {
       <span class="type">lwres_lwpacket_t</span>
       indicate that the packet is not a response to an earlier query.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres_packet</span>(3)
-      </span>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_gai_strerror.3 b/bind/bind9/lib/lwres/man/lwres_gai_strerror.3
index 3e43c602..1cc85889 100644
--- a/bind/bind9/lib/lwres/man/lwres_gai_strerror.3
+++ b/bind/bind9/lib/lwres/man/lwres_gai_strerror.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_gai_strerror
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -136,5 +136,5 @@ used by
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_gai_strerror.docbook b/bind/bind9/lib/lwres/man/lwres_gai_strerror.docbook
index 764e3769..ca560b7f 100644
--- a/bind/bind9/lib/lwres/man/lwres_gai_strerror.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_gai_strerror.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_gai_strerror.html b/bind/bind9/lib/lwres/man/lwres_gai_strerror.html
index c4dd483a..33ee29e6 100644
--- a/bind/bind9/lib/lwres/man/lwres_gai_strerror.html
+++ b/bind/bind9/lib/lwres/man/lwres_gai_strerror.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,28 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gai_strerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_gai_strerror
-     &#8212; print suitable error string
-  </p>
+<p>lwres_gai_strerror &#8212; print suitable error string</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
@@ -41,13 +30,10 @@ char *
 </tr></table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><code class="function">lwres_gai_strerror()</code>
+<p><code class="function">lwres_gai_strerror()</code>
       returns an error message corresponding to an error code returned by
       <code class="function">getaddrinfo()</code>.
       The following error codes and their meaning are defined in
@@ -55,77 +41,55 @@ char *
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="errorcode">EAI_ADDRFAMILY</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               address family for hostname not supported
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_AGAIN</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               temporary failure in name resolution
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_BADFLAGS</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               invalid value for
               <code class="constant">ai_flags</code>
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_FAIL</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               non-recoverable failure in name resolution
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_FAMILY</span></span></dt>
-<dd>
-            <p><code class="constant">ai_family</code> not supported
-            </p>
-          </dd>
+<dd><p><code class="constant">ai_family</code> not supported
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_MEMORY</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               memory allocation failure
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_NODATA</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               no address associated with hostname
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_NONAME</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               hostname or servname not provided, or not known
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SERVICE</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               servname not supported for <code class="constant">ai_socktype</code>
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SOCKTYPE</span></span></dt>
-<dd>
-            <p><code class="constant">ai_socktype</code> not supported
-            </p>
-          </dd>
+<dd><p><code class="constant">ai_socktype</code> not supported
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SYSTEM</span></span></dt>
-<dd>
-            <p>
+<dd><p>
               system error returned in errno
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
       The message <span class="errorname">invalid error code</span> is returned if
       <em class="parameter"><code>ecode</code></em>
       is out of range.
     </p>
-    <p><code class="constant">ai_flags</code>,
+<p><code class="constant">ai_flags</code>,
       <code class="constant">ai_family</code>
       and
       <code class="constant">ai_socktype</code>
@@ -134,27 +98,17 @@ char *
       used by
       <code class="function">lwres_getaddrinfo()</code>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
 
-    <p><span class="citerefentry">
-        <span class="refentrytitle">strerror</span>(3)
-      </span>,
-
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getaddrinfo</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">getaddrinfo</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">getaddrinfo</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">RFC2133</span>
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_getaddrinfo.3 b/bind/bind9/lib/lwres/man/lwres_getaddrinfo.3
index 252a3bc6..c8f71fee 100644
--- a/bind/bind9/lib/lwres/man/lwres_getaddrinfo.3
+++ b/bind/bind9/lib/lwres/man/lwres_getaddrinfo.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_getaddrinfo
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -229,7 +229,8 @@ if an error occurs\&. If both
 and
 \fIservname\fR
 are
-\fBNULL\fR\fBlwres_getaddrinfo()\fR
+\fBNULL\fR
+\fBlwres_getaddrinfo()\fR
 returns
 \fBEAI_NONAME\fR\&.
 .SH "SEE ALSO"
@@ -250,5 +251,5 @@ returns
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_getaddrinfo.docbook b/bind/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
index 99ffafc3..a26f5e93 100644
--- a/bind/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -41,6 +41,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_getaddrinfo.html b/bind/bind9/lib/lwres/man/lwres_getaddrinfo.html
index 7fa723f3..8cb9e7cc 100644
--- a/bind/bind9/lib/lwres/man/lwres_getaddrinfo.html
+++ b/bind/bind9/lib/lwres/man/lwres_getaddrinfo.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,28 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getaddrinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_getaddrinfo, 
-    lwres_freeaddrinfo
-     &#8212; socket address structure to host and service name
-  </p>
+<p>lwres_getaddrinfo, lwres_freeaddrinfo &#8212; socket address structure to host and service name</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -62,13 +51,12 @@ void
 </tr></table>
 <div class="funcprototype-spacer"> </div>
 </div>
-
-    <p>
+<p>
       If the operating system does not provide a
       <span class="type">struct addrinfo</span>,
       the following structure is used:
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
         int             ai_family;      /* PF_xxx */
@@ -82,14 +70,10 @@ struct  addrinfo {
 </pre>
 <p>
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><code class="function">lwres_getaddrinfo()</code>
+<p><code class="function">lwres_getaddrinfo()</code>
       is used to get a list of IP addresses and port numbers for host
       <em class="parameter"><code>hostname</code></em> and service
       <em class="parameter"><code>servname</code></em>.
@@ -106,8 +90,7 @@ struct  addrinfo {
       decimal port number or a service name as listed in
       <code class="filename">/etc/services</code>.
     </p>
-
-    <p><em class="parameter"><code>hints</code></em>
+<p><em class="parameter"><code>hints</code></em>
       is an optional pointer to a
       <span class="type">struct addrinfo</span>.
       This structure can be used to provide hints concerning the type of
@@ -119,8 +102,7 @@ struct  addrinfo {
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">ai_family</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The protocol family that should be used.
               When
               <code class="constant">ai_family</code>
@@ -129,11 +111,9 @@ struct  addrinfo {
               it means the caller will accept any protocol family supported by
               the
               operating system.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">ai_socktype</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               denotes the type of socket &#8212;
               <span class="type">SOCK_STREAM</span>,
               <span class="type">SOCK_DGRAM</span>
@@ -143,21 +123,18 @@ struct  addrinfo {
               When
               <code class="constant">ai_socktype</code>
               is zero the caller will accept any socket type.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">ai_protocol</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               indicates which transport protocol is wanted: IPPROTO_UDP or
               IPPROTO_TCP.
               If
               <code class="constant">ai_protocol</code>
               is zero the caller will accept any protocol.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">ai_flags</code></span></dt>
 <dd>
-            <p>
+<p>
               Flag bits.
               If the
               <span class="type">AI_CANONNAME</span>
@@ -175,9 +152,7 @@ struct  addrinfo {
               bit indicates that the returned socket address structure is
               intended
               for used in a call to
-              <span class="citerefentry">
-                <span class="refentrytitle">bind</span>(2)
-              </span>.
+              <span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>.
 
               In this case, if the hostname argument is a
               <span class="type">NULL</span>
@@ -188,29 +163,21 @@ struct  addrinfo {
               <span class="type">IN6ADDR_ANY_INIT</span>
               for an IPv6 address.
             </p>
-            <p>
+<p>
               When
               <code class="constant">ai_flags</code>
               does not set the
               <span class="type">AI_PASSIVE</span>
               bit, the returned socket address structure will be ready
               for use in a call to
-              <span class="citerefentry">
-                <span class="refentrytitle">connect</span>(2)
-              </span>
+              <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>
               for a connection-oriented protocol or
-              <span class="citerefentry">
-                <span class="refentrytitle">connect</span>(2)
-              </span>,
+              <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
 
-              <span class="citerefentry">
-                <span class="refentrytitle">sendto</span>(2)
-              </span>,
+              <span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
 
               or
-              <span class="citerefentry">
-                <span class="refentrytitle">sendmsg</span>(2)
-              </span>
+              <span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>
               if a connectionless protocol was chosen.
               The IP address portion of the socket address structure will be
               set to the loopback address if
@@ -222,7 +189,7 @@ struct  addrinfo {
               is not set in
               <code class="constant">ai_flags</code>.
             </p>
-            <p>
+<p>
               If
               <code class="constant">ai_flags</code>
               is set to
@@ -233,25 +200,22 @@ struct  addrinfo {
               address
               and no name resolution should be attempted.
             </p>
-          </dd>
+</dd>
 </dl></div>
 <p>
     </p>
-
-    <p>
+<p>
       All other elements of the <span class="type">struct addrinfo</span> passed
       via <em class="parameter"><code>hints</code></em> must be zero.
     </p>
-
-    <p>
+<p>
       A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is
       treated as if
       the caller provided a <span class="type">struct addrinfo</span> initialized to zero
       with <code class="constant">ai_family</code>set to
       <code class="constant">PF_UNSPEC</code>.
     </p>
-
-    <p>
+<p>
       After a successful call to
       <code class="function">lwres_getaddrinfo()</code>,
       <em class="parameter"><code>*res</code></em>
@@ -275,9 +239,7 @@ struct  addrinfo {
       returned
       <span class="type">addrinfo</span>
       structure contain the corresponding arguments for a call to
-      <span class="citerefentry">
-        <span class="refentrytitle">socket</span>(2)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
       For each
       <span class="type">addrinfo</span>
       structure in the list, the
@@ -285,8 +247,7 @@ struct  addrinfo {
       member points to a filled-in socket address structure of length
       <code class="constant">ai_addrlen</code>.
     </p>
-
-    <p>
+<p>
       All of the information returned by
       <code class="function">lwres_getaddrinfo()</code>
       is dynamically allocated: the addrinfo structures, and the socket
@@ -303,72 +264,42 @@ struct  addrinfo {
       created by a call to
       <code class="function">lwres_getaddrinfo()</code>.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-
-    <p><code class="function">lwres_getaddrinfo()</code>
+<p><code class="function">lwres_getaddrinfo()</code>
       returns zero on success or one of the error codes listed in
-      <span class="citerefentry">
-        <span class="refentrytitle">gai_strerror</span>(3)
-      </span>
+      <span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3)</span>
       if an error occurs.  If both <em class="parameter"><code>hostname</code></em> and
       <em class="parameter"><code>servname</code></em> are <span class="type">NULL</span>
       <code class="function">lwres_getaddrinfo()</code> returns
       <span class="errorcode">EAI_NONAME</span>.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
 
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres</span>(3)
-      </span>,
-
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getaddrinfo</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_freeaddrinfo</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_freeaddrinfo</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_gai_strerror</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_gai_strerror</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">RFC2133</span>
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">getservbyname</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">getservbyname</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">bind</span>(2)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">connect</span>(2)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">sendto</span>(2)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">sendmsg</span>(2)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">socket</span>(2)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
     </p>
-
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_gethostent.3 b/bind/bind9/lib/lwres/man/lwres_gethostent.3
index c0e47092..757e3e06 100644
--- a/bind/bind9/lib/lwres/man/lwres_gethostent.3
+++ b/bind/bind9/lib/lwres/man/lwres_gethostent.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_gethostent
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -325,5 +325,5 @@ or
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_gethostent.docbook b/bind/bind9/lib/lwres/man/lwres_gethostent.docbook
index b5c6d05f..c56ec28e 100644
--- a/bind/bind9/lib/lwres/man/lwres_gethostent.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_gethostent.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -39,6 +39,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_gethostent.html b/bind/bind9/lib/lwres/man/lwres_gethostent.html
index 701c7745..8baeef40 100644
--- a/bind/bind9/lib/lwres/man/lwres_gethostent.html
+++ b/bind/bind9/lib/lwres/man/lwres_gethostent.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,37 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gethostent</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_gethostbyname, 
-    lwres_gethostbyname2, 
-    lwres_gethostbyaddr, 
-    lwres_gethostent, 
-    lwres_sethostent, 
-    lwres_endhostent, 
-    lwres_gethostbyname_r, 
-    lwres_gethostbyaddr_r, 
-    lwres_gethostent_r, 
-    lwres_sethostent_r, 
-    lwres_endhostent_r
-     &#8212; lightweight resolver get network host entry
-  </p>
+<p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r &#8212; lightweight resolver get network host entry</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
@@ -194,25 +174,21 @@ void
 </tr></table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       These functions provide hostname-to-address and
       address-to-hostname lookups by means of the lightweight resolver.
       They are similar to the standard
-      <span class="citerefentry">
-        <span class="refentrytitle">gethostent</span>(3)
-      </span>
+      <span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>
       functions provided by most operating systems.
       They use a
       <span class="type">struct hostent</span>
       which is usually defined in
       <code class="filename">&lt;namedb.h&gt;</code>.
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
@@ -224,56 +200,46 @@ struct  hostent {
 </pre>
 <p>
     </p>
-    <p>
+<p>
       The members of this structure are:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">h_name</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The official (canonical) name of the host.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_aliases</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A NULL-terminated array of alternate names (nicknames) for the
               host.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The type of address being returned &#8212;
               <span class="type">PF_INET</span>
               or
               <span class="type">PF_INET6</span>.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_length</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The length of the address in bytes.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A <span class="type">NULL</span>
               terminated array of network addresses for the host.
               Host addresses are returned in network byte order.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-    <p>
+<p>
       For backward compatibility with very old software,
       <code class="constant">h_addr</code>
       is the first address in
       <code class="constant">h_addr_list.</code>
     </p>
-    <p><code class="function">lwres_gethostent()</code>,
+<p><code class="function">lwres_gethostent()</code>,
       <code class="function">lwres_sethostent()</code>,
       <code class="function">lwres_endhostent()</code>,
       <code class="function">lwres_gethostent_r()</code>,
@@ -287,8 +253,7 @@ struct  hostent {
       these functions; it only provides them as stub functions that always
       return failure.
     </p>
-
-    <p><code class="function">lwres_gethostbyname()</code>
+<p><code class="function">lwres_gethostbyname()</code>
       and <code class="function">lwres_gethostbyname2()</code> look up the
       hostname <em class="parameter"><code>name</code></em>.
       <code class="function">lwres_gethostbyname()</code> always looks for an
@@ -302,8 +267,7 @@ struct  hostent {
       <code class="function">lwres_gethostbyname()</code> or
       <code class="function">lwres_gethostbyname2()</code> fail.
     </p>
-
-    <p>
+<p>
       Reverse lookups of addresses are performed by
       <code class="function">lwres_gethostbyaddr()</code>.
       <em class="parameter"><code>addr</code></em> is an address of length
@@ -326,8 +290,7 @@ struct  hostent {
       return <em class="parameter"><code>resbuf</code></em>,
       which is a pointer to the <span class="type">struct hostent</span> it created.
     </p>
-
-    <p><code class="function">lwres_gethostbyaddr_r()</code>
+<p><code class="function">lwres_gethostbyaddr_r()</code>
       is a thread-safe function
       that performs a reverse lookup of address <em class="parameter"><code>addr</code></em>
       which is <em class="parameter"><code>len</code></em> bytes long and is of
@@ -349,13 +312,10 @@ struct  hostent {
       <em class="parameter"><code>resbuf</code></em>, which is a pointer to the
       <code class="function">struct hostent()</code> it created.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p>
+<p>
       The functions
       <code class="function">lwres_gethostbyname()</code>,
       <code class="function">lwres_gethostbyname2()</code>,
@@ -370,50 +330,37 @@ struct  hostent {
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The host or address was not found.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A recoverable error occurred, e.g., a timeout.
               Retrying the lookup may succeed.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A non-recoverable error occurred.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">NO_DATA</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The name exists, but has no address information
               associated with it (or vice versa in the case
               of a reverse lookup).  The code NO_ADDRESS
               is accepted as a synonym for NO_DATA for backwards
               compatibility.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres_hstrerror</span>(3)
-      </span>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
       translates these error codes to suitable error messages.
     </p>
-
-    <p><code class="function">lwres_gethostent()</code>
+<p><code class="function">lwres_gethostent()</code>
       and <code class="function">lwres_gethostent_r()</code>
       always return <span class="type">NULL</span>.
     </p>
-
-    <p>
+<p>
       Successful calls to <code class="function">lwres_gethostbyname_r()</code> and
       <code class="function">lwres_gethostbyaddr_r()</code> return
       <em class="parameter"><code>resbuf</code></em>, a pointer to the
@@ -429,29 +376,19 @@ struct  hostent {
       variable
       <span class="type">errno</span> to <span class="errorcode">ERANGE</span>.
     </p>
-
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
 
-    <p><span class="citerefentry">
-        <span class="refentrytitle">gethostent</span>(3)
-      </span>,
-
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getipnode</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_hstrerror</span>(3)
-      </span>
+      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>BUGS</h2>
-
-    <p><code class="function">lwres_gethostbyname()</code>,
+<p><code class="function">lwres_gethostbyname()</code>,
       <code class="function">lwres_gethostbyname2()</code>,
       <code class="function">lwres_gethostbyaddr()</code>
       and
@@ -464,7 +401,7 @@ struct  hostent {
       <code class="function">lwres_gethostbyaddr_r()</code>
       respectively.
     </p>
-    <p>
+<p>
       The resolver daemon does not currently support any non-DNS
       name services such as
       <code class="filename">/etc/hosts</code>
@@ -472,6 +409,6 @@ struct  hostent {
       <span class="type">NIS</span>,
       consequently the above functions don't, either.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_getipnode.3 b/bind/bind9/lib/lwres/man/lwres_getipnode.3
index 7fd138b7..20563a57 100644
--- a/bind/bind9/lib/lwres/man/lwres_getipnode.3
+++ b/bind/bind9/lib/lwres/man/lwres_getipnode.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_getipnode
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -216,5 +216,5 @@ translates these error codes to suitable error messages\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_getipnode.docbook b/bind/bind9/lib/lwres/man/lwres_getipnode.docbook
index 81219a26..459e7a51 100644
--- a/bind/bind9/lib/lwres/man/lwres_getipnode.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_getipnode.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -39,6 +39,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_getipnode.html b/bind/bind9/lib/lwres/man/lwres_getipnode.html
index a0fad684..603c9239 100644
--- a/bind/bind9/lib/lwres/man/lwres_getipnode.html
+++ b/bind/bind9/lib/lwres/man/lwres_getipnode.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,29 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getipnode</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_getipnodebyname, 
-    lwres_getipnodebyaddr, 
-    lwres_freehostent
-     &#8212; lightweight resolver nodename / address translation API
-  </p>
+<p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent &#8212; lightweight resolver nodename / address translation API</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -84,25 +72,21 @@ void
 </tr></table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p>
+<p>
       These functions perform thread safe, protocol independent
       nodename-to-address and address-to-nodename
       translation as defined in RFC2553.
     </p>
-
-    <p>
+<p>
       They use a
       <span class="type">struct hostent</span>
       which is defined in
       <code class="filename">namedb.h</code>:
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
@@ -114,54 +98,42 @@ struct  hostent {
 </pre>
 <p>
     </p>
-
-    <p>
+<p>
       The members of this structure are:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">h_name</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The official (canonical) name of the host.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_aliases</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A NULL-terminated array of alternate names (nicknames) for the
               host.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The type of address being returned - usually
               <span class="type">PF_INET</span>
               or
               <span class="type">PF_INET6</span>.
 
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_length</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The length of the address in bytes.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A
               <span class="type">NULL</span>
               terminated array of network addresses for the host.
               Host addresses are returned in network byte order.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-
-    <p><code class="function">lwres_getipnodebyname()</code>
+<p><code class="function">lwres_getipnodebyname()</code>
       looks up addresses of protocol family <em class="parameter"><code>af</code></em>
       for the hostname <em class="parameter"><code>name</code></em>.  The
       <em class="parameter"><code>flags</code></em> parameter contains ORed flag bits
@@ -171,18 +143,15 @@ struct  hostent {
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">AI_V4MAPPED</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               This is used with an
               <em class="parameter"><code>af</code></em>
               of AF_INET6, and causes IPv4 addresses to be returned as
               IPv4-mapped
               IPv6 addresses.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">AI_ALL</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               This is used with an
               <em class="parameter"><code>af</code></em>
               of AF_INET6, and causes all known addresses (IPv6 and IPv4) to
@@ -190,37 +159,31 @@ struct  hostent {
               If AI_V4MAPPED is also set, the IPv4 addresses are return as
               mapped
               IPv6 addresses.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">AI_ADDRCONFIG</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Only return an IPv6 or IPv4 address if here is an active network
               interface of that type.  This is not currently implemented
               in the BIND 9 lightweight resolver, and the flag is ignored.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">AI_DEFAULT</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               This default sets the
               <code class="constant">AI_V4MAPPED</code>
               and
               <code class="constant">AI_ADDRCONFIG</code>
               flag bits.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-
-    <p><code class="function">lwres_getipnodebyaddr()</code>
+<p><code class="function">lwres_getipnodebyaddr()</code>
       performs a reverse lookup of address <em class="parameter"><code>src</code></em>
       which is <em class="parameter"><code>len</code></em> bytes long.
       <em class="parameter"><code>af</code></em> denotes the protocol family, typically
       <span class="type">PF_INET</span> or <span class="type">PF_INET6</span>.
     </p>
-    <p><code class="function">lwres_freehostent()</code>
+<p><code class="function">lwres_freehostent()</code>
       releases all the memory associated with the <span class="type">struct
       hostent</span> pointer <em class="parameter"><code>he</code></em>.  Any memory
       allocated for the <code class="constant">h_name</code>,
@@ -228,11 +191,10 @@ struct  hostent {
       <code class="constant">h_aliases</code> is freed, as is the memory for
       the <span class="type">hostent</span> structure itself.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p>
+<p>
       If an error occurs,
       <code class="function">lwres_getipnodebyname()</code>
       and
@@ -247,70 +209,47 @@ struct  hostent {
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               No such host is known.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">NO_ADDRESS</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The server recognised the request and the name but no address is
               available.  Another type of request to the name server for the
               domain might return an answer.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A temporary and possibly transient error occurred, such as a
               failure of a server to respond.  The request may succeed if
               retried.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               An unexpected failure occurred, and retrying the request
               is pointless.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres_hstrerror</span>(3)
-      </span>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
       translates these error codes to suitable error messages.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
 
-    <p><span class="citerefentry">
-        <span class="refentrytitle">RFC2553</span>
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_gethostent</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getaddrinfo</span>(3)
-      </span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
 
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getnameinfo</span>(3)
-      </span>,
-
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_hstrerror</span>(3)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_getnameinfo.3 b/bind/bind9/lib/lwres/man/lwres_getnameinfo.3
index f29c200a..45eb6f80 100644
--- a/bind/bind9/lib/lwres/man/lwres_getnameinfo.3
+++ b/bind/bind9/lib/lwres/man/lwres_getnameinfo.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_getnameinfo
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -53,7 +53,8 @@ This function is equivalent to the
 function defined in RFC2133\&.
 \fBlwres_getnameinfo()\fR
 returns the hostname for the
-\fBstruct sockaddr\fR\fIsa\fR
+\fBstruct sockaddr\fR
+\fIsa\fR
 which is
 \fIsalen\fR
 bytes long\&. The hostname is of length
@@ -123,5 +124,5 @@ are\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_getnameinfo.docbook b/bind/bind9/lib/lwres/man/lwres_getnameinfo.docbook
index 9c0dc03a..5a592708 100644
--- a/bind/bind9/lib/lwres/man/lwres_getnameinfo.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_getnameinfo.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_getnameinfo.html b/bind/bind9/lib/lwres/man/lwres_getnameinfo.html
index cf0ee712..72121357 100644
--- a/bind/bind9/lib/lwres/man/lwres_getnameinfo.html
+++ b/bind/bind9/lib/lwres/man/lwres_getnameinfo.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,29 +10,19 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getnameinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_getnameinfo
-     &#8212; lightweight resolver socket address structure to hostname and
+<p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and
       service name
-    
-  </p>
+    </p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -68,17 +58,12 @@ int
 </table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p>
+<p>
        This function is equivalent to the
-      <span class="citerefentry">
-        <span class="refentrytitle">getnameinfo</span>(3)
-      </span> function defined in RFC2133.
+      <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
       <code class="function">lwres_getnameinfo()</code> returns the
       hostname for the
       <span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which
@@ -90,56 +75,45 @@ int
       hostname is
       1025 bytes: <code class="constant">NI_MAXHOST</code>.
     </p>
-
-    <p> The name of the service associated with the port number in
+<p> The name of the service associated with the port number in
       <em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em>
       It is <em class="parameter"><code>servlen</code></em> bytes long.  The
       maximum length
       of the service name is <code class="constant">NI_MAXSERV</code> - 32
       bytes.
     </p>
-
-    <p>
+<p>
        The <em class="parameter"><code>flags</code></em> argument sets the
       following
       bits:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">NI_NOFQDN</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A fully qualified domain name is not required for local hosts.
               The local part of the fully qualified domain name is returned
               instead.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">NI_NUMERICHOST</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Return the address in numeric form, as if calling inet_ntop(),
               instead of a host name.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">NI_NAMEREQD</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               A name is required. If the hostname cannot be found in the DNS
               and
               this flag is set, a non-zero error code is returned.
               If the hostname is not found and the flag is not set, the
               address is returned in numeric form.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">NI_NUMERICSERV</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               The service name is returned as a digit string representing the
               port number.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">NI_DGRAM</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Specifies that the service being looked up is a datagram
               service,  and causes getservbyport() to be called with a second
               argument of "udp" instead of its default of "tcp".  This is
@@ -147,53 +121,34 @@ int
               for the few ports (512-514) that have different services for UDP
               and
               TCP.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p><code class="function">lwres_getnameinfo()</code>
+<p><code class="function">lwres_getnameinfo()</code>
       returns 0 on success or a non-zero error code if an error occurs.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">RFC2133</span>
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">getservbyport</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getnameinfo</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_getnamebyaddr</span>(3)
-      </span>.
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_net_ntop</span>(3)
-      </span>.
+<p><span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getnamebyaddr</span>(3)</span>.
+      <span class="citerefentry"><span class="refentrytitle">lwres_net_ntop</span>(3)</span>.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.10"></a><h2>BUGS</h2>
-
-    <p>
+<p>
       RFC2133 fails to define what the nonzero return values of
-      <span class="citerefentry">
-        <span class="refentrytitle">getnameinfo</span>(3)
-      </span>
+      <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
       are.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.3 b/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.3
index 91cbcaf6..e4bc8a52 100644
--- a/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_getrrsetbyname
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -166,5 +166,5 @@ other failure
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook b/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
index 7c8940f8..e23f4ee5 100644
--- a/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.html b/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.html
index 37028b5b..0bf7545a 100644
--- a/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/bind/bind9/lib/lwres/man/lwres_getrrsetbyname.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,28 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getrrsetbyname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_getrrsetbyname, 
-    lwres_freerrset
-     &#8212; retrieve DNS records
-  </p>
+<p>lwres_getrrsetbyname, lwres_freerrset &#8212; retrieve DNS records</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -66,11 +55,10 @@ void
 </tr></table>
 <div class="funcprototype-spacer"> </div>
 </div>
-
-    <p>
+<p>
       The following structures are used:
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
         unsigned char           *rdi_data;      /* record data */
@@ -78,7 +66,7 @@ struct  rdatainfo {
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 struct  rrsetinfo {
         unsigned int            rri_flags;      /* RRSET_VALIDATED... */
         unsigned int            rri_rdclass;    /* class number */
@@ -93,12 +81,10 @@ struct  rrsetinfo {
 </pre>
 <p>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p><code class="function">lwres_getrrsetbyname()</code>
+<p><code class="function">lwres_getrrsetbyname()</code>
       gets a set of resource records associated with a
       <em class="parameter"><code>hostname</code></em>, <em class="parameter"><code>class</code></em>,
       and <em class="parameter"><code>type</code></em>.
@@ -106,7 +92,7 @@ struct  rrsetinfo {
       null-terminated string.  The <em class="parameter"><code>flags</code></em> field
       is currently unused and must be zero.
     </p>
-    <p>
+<p>
       After a successful call to
       <code class="function">lwres_getrrsetbyname()</code>,
       <em class="parameter"><code>*res</code></em> is a pointer to an
@@ -125,7 +111,7 @@ struct  rrsetinfo {
       bit is set, the data has been DNSSEC validated and the
       signatures verified.
     </p>
-    <p>
+<p>
       All of the information returned by
       <code class="function">lwres_getrrsetbyname()</code> is dynamically
       allocated: the <code class="constant">rrsetinfo</code> and
@@ -142,63 +128,46 @@ struct  rrsetinfo {
       rrset</span> created by a call to
       <code class="function">lwres_getrrsetbyname()</code>.
     </p>
-    <p></p>
-  </div>
-  <div class="refsection">
+<p></p>
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p><code class="function">lwres_getrrsetbyname()</code>
+<p><code class="function">lwres_getrrsetbyname()</code>
       returns zero on success, and one of the following error codes if
       an error occurred:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">ERRSET_NONAME</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               the name does not exist
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_NODATA</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               the name exists, but does not have data of the desired type
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_NOMEMORY</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               memory could not be allocated
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_INVAL</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               a parameter is invalid
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_FAIL</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               other failure
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant"></code></span></dt>
-<dd>
-            <p></p>
-          </dd>
+<dd><p></p></dd>
 </dl></div>
 <p>
 
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres</span>(3)
-      </span>.
+<p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
     </p>
-
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_gnba.3 b/bind/bind9/lib/lwres/man/lwres_gnba.3
index ce6561ad..ff342de6 100644
--- a/bind/bind9/lib/lwres/man/lwres_gnba.3
+++ b/bind/bind9/lib/lwres/man/lwres_gnba.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_gnba
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -162,7 +162,8 @@ structures referenced via
 .PP
 The getnamebyaddr opcode functions
 \fBlwres_gnbarequest_render()\fR,
-\fBlwres_gnbaresponse_render()\fR\fBlwres_gnbarequest_parse()\fR
+\fBlwres_gnbaresponse_render()\fR
+\fBlwres_gnbarequest_parse()\fR
 and
 \fBlwres_gnbaresponse_parse()\fR
 all return
@@ -198,5 +199,5 @@ indicate that the packet is not a response to an earlier query\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_gnba.docbook b/bind/bind9/lib/lwres/man/lwres_gnba.docbook
index 9707ec6f..7cb89887 100644
--- a/bind/bind9/lib/lwres/man/lwres_gnba.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_gnba.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_gnba.html b/bind/bind9/lib/lwres/man/lwres_gnba.html
index f1e12408..f22e1387 100644
--- a/bind/bind9/lib/lwres/man/lwres_gnba.html
+++ b/bind/bind9/lib/lwres/man/lwres_gnba.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,38 +10,20 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gnba</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_gnbarequest_render, 
-    lwres_gnbaresponse_render, 
-    lwres_gnbarequest_parse, 
-    lwres_gnbaresponse_parse, 
-    lwres_gnbaresponse_free, 
-    lwres_gnbarequest_free
-     &#8212; lightweight resolver getnamebyaddress message handling
-  </p>
+<p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
 </div>
-
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">
 #include &lt;lwres/lwres.h&gt;
 </pre>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -64,7 +46,6 @@ lwres_result_t
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -129,7 +110,6 @@ lwres_result_t
 </tr>
 </table>
 <div class="funcprototype-spacer"> </div>
-
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
 <td><code class="funcdef">
@@ -158,18 +138,15 @@ void
 </table>
 <div class="funcprototype-spacer"> </div>
 </div>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       These are low-level routines for creating and parsing
       lightweight resolver address-to-name lookup request and
       response messages.
     </p>
-    <p>
+<p>
       There are four main functions for the getnamebyaddr opcode.
       One render function converts a getnamebyaddr request structure &#8212;
       <span class="type">lwres_gnbarequest_t</span> &#8212;
@@ -183,17 +160,17 @@ void
       This is complemented by a parse function which converts a packet in
       canonical format to a getnamebyaddr response structure.
     </p>
-    <p>
+<p>
       These structures are defined in
       <code class="filename">lwres/lwres.h</code>.
       They are shown below.
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 typedef struct {
         uint32_t  flags;
         lwres_addr_t    addr;
@@ -201,7 +178,7 @@ typedef struct {
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 typedef struct {
         uint32_t  flags;
         uint16_t  naliases;
@@ -215,8 +192,7 @@ typedef struct {
 </pre>
 <p>
     </p>
-
-    <p><code class="function">lwres_gnbarequest_render()</code>
+<p><code class="function">lwres_gnbarequest_render()</code>
       uses resolver context <code class="varname">ctx</code> to convert
       getnamebyaddr request structure <code class="varname">req</code> to
       canonical format.  The packet header structure
@@ -228,8 +204,7 @@ typedef struct {
       <span class="type">lwres_gnbaresponse_t</span> to the lightweight resolver's
       canonical format.
     </p>
-
-    <p><code class="function">lwres_gnbarequest_parse()</code>
+<p><code class="function">lwres_gnbarequest_parse()</code>
       uses context <code class="varname">ctx</code> to convert the contents of
       packet <code class="varname">pkt</code> to a
       <span class="type">lwres_gnbarequest_t</span> structure.  Buffer
@@ -241,8 +216,7 @@ typedef struct {
       semantics as <code class="function">lwres_gnbarequest_parse()</code>
       except it yields a <span class="type">lwres_gnbaresponse_t</span> structure.
     </p>
-
-    <p><code class="function">lwres_gnbaresponse_free()</code>
+<p><code class="function">lwres_gnbaresponse_free()</code>
       and <code class="function">lwres_gnbarequest_free()</code> release the
       memory in resolver context <code class="varname">ctx</code> that was
       allocated to the <span class="type">lwres_gnbaresponse_t</span> or
@@ -251,12 +225,10 @@ typedef struct {
       ancillary buffers and strings for those structures is also
       discarded.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p>
+<p>
       The getnamebyaddr opcode functions
       <code class="function">lwres_gnbarequest_render()</code>,
       <code class="function">lwres_gnbaresponse_render()</code>
@@ -291,14 +263,11 @@ typedef struct {
       <span class="type">lwres_lwpacket_t</span>
       indicate that the packet is not a response to an earlier query.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres_packet</span>(3)
-      </span>.
+<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_hstrerror.3 b/bind/bind9/lib/lwres/man/lwres_hstrerror.3
index 3b919a14..f3d89b4f 100644
--- a/bind/bind9/lib/lwres/man/lwres_hstrerror.3
+++ b/bind/bind9/lib/lwres/man/lwres_hstrerror.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_hstrerror
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -106,5 +106,5 @@ is not a valid error code\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_hstrerror.docbook b/bind/bind9/lib/lwres/man/lwres_hstrerror.docbook
index 56ad864f..82d2b8ad 100644
--- a/bind/bind9/lib/lwres/man/lwres_hstrerror.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_hstrerror.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_hstrerror.html b/bind/bind9/lib/lwres/man/lwres_hstrerror.html
index d358fbc5..6e294cd0 100644
--- a/bind/bind9/lib/lwres/man/lwres_hstrerror.html
+++ b/bind/bind9/lib/lwres/man/lwres_hstrerror.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,28 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_hstrerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_herror, 
-    lwres_hstrerror
-     &#8212; lightweight resolver error message generation
-  </p>
+<p>lwres_herror, lwres_hstrerror &#8212; lightweight resolver error message generation</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
 <td><code class="funcdef">
@@ -48,20 +37,16 @@ const char *
 </tr></table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><code class="function">lwres_herror()</code>
+<p><code class="function">lwres_herror()</code>
       prints the string <em class="parameter"><code>s</code></em> on
       <span class="type">stderr</span> followed by the string generated by
       <code class="function">lwres_hstrerror()</code> for the error code stored
       in the global variable <code class="constant">lwres_h_errno</code>.
     </p>
-
-    <p><code class="function">lwres_hstrerror()</code>
+<p><code class="function">lwres_hstrerror()</code>
       returns an appropriate string for the error code gievn by
       <em class="parameter"><code>err</code></em>.  The values of the error codes and
       messages are as follows:
@@ -69,58 +54,40 @@ const char *
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="errorcode">NETDB_SUCCESS</span></span></dt>
-<dd>
-            <p><span class="errorname">Resolver Error 0 (no error)</span>
-            </p>
-          </dd>
+<dd><p><span class="errorname">Resolver Error 0 (no error)</span>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">HOST_NOT_FOUND</span></span></dt>
-<dd>
-            <p><span class="errorname">Unknown host</span>
-            </p>
-          </dd>
+<dd><p><span class="errorname">Unknown host</span>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">TRY_AGAIN</span></span></dt>
-<dd>
-            <p><span class="errorname">Host name lookup failure</span>
-            </p>
-          </dd>
+<dd><p><span class="errorname">Host name lookup failure</span>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">NO_RECOVERY</span></span></dt>
-<dd>
-            <p><span class="errorname">Unknown server error</span>
-            </p>
-          </dd>
+<dd><p><span class="errorname">Unknown server error</span>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">NO_DATA</span></span></dt>
-<dd>
-            <p><span class="errorname">No address associated with name</span>
-            </p>
-          </dd>
+<dd><p><span class="errorname">No address associated with name</span>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p>
+<p>
       The string <span class="errorname">Unknown resolver error</span> is returned by
       <code class="function">lwres_hstrerror()</code>
       when the value of
       <code class="constant">lwres_h_errno</code>
       is not a valid error code.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
 
-    <p><span class="citerefentry">
-        <span class="refentrytitle">herror</span>(3)
-      </span>,
-
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_hstrerror</span>(3)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
     </p>
-
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_inetntop.3 b/bind/bind9/lib/lwres/man/lwres_inetntop.3
index bc9745ef..3d24e84f 100644
--- a/bind/bind9/lib/lwres/man/lwres_inetntop.3
+++ b/bind/bind9/lib/lwres/man/lwres_inetntop.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_inetntop
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -84,5 +84,5 @@ is not supported\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_inetntop.docbook b/bind/bind9/lib/lwres/man/lwres_inetntop.docbook
index abc7e180..c9974aa3 100644
--- a/bind/bind9/lib/lwres/man/lwres_inetntop.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_inetntop.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_inetntop.html b/bind/bind9/lib/lwres/man/lwres_inetntop.html
index 313ba347..cd393aea 100644
--- a/bind/bind9/lib/lwres/man/lwres_inetntop.html
+++ b/bind/bind9/lib/lwres/man/lwres_inetntop.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,27 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_inetntop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_net_ntop
-     &#8212; lightweight resolver IP address presentation
-  </p>
+<p>lwres_net_ntop &#8212; lightweight resolver IP address presentation</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/net.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -54,13 +44,10 @@ const char *
 </table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><code class="function">lwres_net_ntop()</code>
+<p><code class="function">lwres_net_ntop()</code>
       converts an IP address of protocol family
       <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212; at
       location <em class="parameter"><code>src</code></em> from network format to its
@@ -68,21 +55,17 @@ const char *
       that string would be a dotted-decimal.  An IPv6 address would be
       represented in colon notation as described in RFC1884.
     </p>
-
-    <p>
+<p>
       The generated string is copied to <em class="parameter"><code>dst</code></em>
       provided
       <em class="parameter"><code>size</code></em> indicates it is long enough to
       store the
       ASCII representation of the address.
     </p>
-
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-
-    <p>
+<p>
       If successful, the function returns <em class="parameter"><code>dst</code></em>:
       a pointer to a string containing the presentation format of the
       address.  <code class="function">lwres_net_ntop()</code> returns
@@ -92,21 +75,13 @@ const char *
       not
       supported.
     </p>
-
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">RFC1884</span>
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">inet_ntop</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">errno</span>(3)
-      </span>.
+<p><span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_noop.3 b/bind/bind9/lib/lwres/man/lwres_noop.3
index 85ed16d6..d07efd22 100644
--- a/bind/bind9/lib/lwres/man/lwres_noop.3
+++ b/bind/bind9/lib/lwres/man/lwres_noop.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_noop
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -162,7 +162,8 @@ structures referenced via
 .PP
 The no\-op opcode functions
 \fBlwres_nooprequest_render()\fR,
-\fBlwres_noopresponse_render()\fR\fBlwres_nooprequest_parse()\fR
+\fBlwres_noopresponse_render()\fR
+\fBlwres_nooprequest_parse()\fR
 and
 \fBlwres_noopresponse_parse()\fR
 all return
@@ -198,5 +199,5 @@ indicate that the packet is not a response to an earlier query\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_noop.docbook b/bind/bind9/lib/lwres/man/lwres_noop.docbook
index fc882f9c..69992ca6 100644
--- a/bind/bind9/lib/lwres/man/lwres_noop.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_noop.docbook
@@ -5,14 +5,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -40,6 +40,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_noop.html b/bind/bind9/lib/lwres/man/lwres_noop.html
index 64482ed5..5f045931 100644
--- a/bind/bind9/lib/lwres/man/lwres_noop.html
+++ b/bind/bind9/lib/lwres/man/lwres_noop.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,32 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_noop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_nooprequest_render, 
-    lwres_noopresponse_render, 
-    lwres_nooprequest_parse, 
-    lwres_noopresponse_parse, 
-    lwres_noopresponse_free, 
-    lwres_nooprequest_free
-     &#8212; lightweight resolver no-op message handling
-  </p>
+<p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">
 #include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
@@ -149,22 +134,21 @@ void
 </table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       These are low-level routines for creating and parsing
       lightweight resolver no-op request and response messages.
     </p>
-    <p>
+<p>
       The no-op message is analogous to a <span class="command"><strong>ping</strong></span>
       packet:
       a packet is sent to the resolver daemon and is simply echoed back.
       The opcode is intended to allow a client to determine if the server is
       operational or not.
     </p>
-    <p>
+<p>
       There are four main functions for the no-op opcode.
       One render function converts a no-op request structure &#8212;
       <span class="type">lwres_nooprequest_t</span> &#8212;
@@ -177,18 +161,18 @@ void
       This is complemented by a parse function which converts a packet in
       canonical format to a no-op response structure.
     </p>
-    <p>
+<p>
       These structures are defined in
       <code class="filename">lwres/lwres.h</code>.
 
       They are shown below.
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 #define LWRES_OPCODE_NOOP       0x00000000U
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 typedef struct {
         uint16_t  datalength;
         unsigned char   *data;
@@ -196,7 +180,7 @@ typedef struct {
 </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 typedef struct {
         uint16_t  datalength;
         unsigned char   *data;
@@ -204,13 +188,12 @@ typedef struct {
 </pre>
 <p>
     </p>
-    <p>
+<p>
       Although the structures have different types, they are identical.
       This is because the no-op opcode simply echos whatever data was sent:
       the response is therefore identical to the request.
     </p>
-
-    <p><code class="function">lwres_nooprequest_render()</code>
+<p><code class="function">lwres_nooprequest_render()</code>
       uses resolver context <em class="parameter"><code>ctx</code></em> to convert
       no-op request structure <em class="parameter"><code>req</code></em> to canonical
       format.  The packet header structure <em class="parameter"><code>pkt</code></em>
@@ -223,8 +206,7 @@ typedef struct {
       <span class="type">lwres_noopresponse_t</span> to the lightweight resolver's
       canonical format.
     </p>
-
-    <p><code class="function">lwres_nooprequest_parse()</code>
+<p><code class="function">lwres_nooprequest_parse()</code>
       uses context <em class="parameter"><code>ctx</code></em> to convert the contents
       of packet <em class="parameter"><code>pkt</code></em> to a
       <span class="type">lwres_nooprequest_t</span> structure.  Buffer
@@ -236,20 +218,17 @@ typedef struct {
       semantics as <code class="function">lwres_nooprequest_parse()</code>
       except it yields a <span class="type">lwres_noopresponse_t</span> structure.
     </p>
-
-    <p><code class="function">lwres_noopresponse_free()</code>
+<p><code class="function">lwres_noopresponse_free()</code>
       and <code class="function">lwres_nooprequest_free()</code> release the
       memory in resolver context <em class="parameter"><code>ctx</code></em> that was
       allocated to the <span class="type">lwres_noopresponse_t</span> or
       <span class="type">lwres_nooprequest_t</span> structures referenced via
       <em class="parameter"><code>structp</code></em>.
     </p>
-
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p>
+<p>
       The no-op opcode functions
       <code class="function">lwres_nooprequest_render()</code>,
 
@@ -285,14 +264,11 @@ typedef struct {
       <span class="type">lwres_lwpacket_t</span>
       indicate that the packet is not a response to an earlier query.
     </p>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres_packet</span>(3)
-      </span>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
     </p>
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_packet.3 b/bind/bind9/lib/lwres/man/lwres_packet.3
index 37d2302c..88170cb6 100644
--- a/bind/bind9/lib/lwres/man/lwres_packet.3
+++ b/bind/bind9/lib/lwres/man/lwres_packet.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_packet
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -100,7 +100,7 @@ the header format\&. There is currently only one format,
 .PP
 \fBpktflags\fR
 .RS 4
-library\-defined flags for this packet: for instance whether the packet is a request or a reply\&. Flag values can be set, but not defined by the caller\&. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls\&.
+library\-defined flags for this packet: for instance whether the packet is a request or a reply\&. Flag values can be set, but not defined by the caller\&. This field is filled in by the application with the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls\&.
 .RE
 .PP
 \fBserial\fR
@@ -152,7 +152,8 @@ return the hostname for the given address\&. The lwres_gnba_*() functions should
 .PP
 \fBlwres_lwpacket_renderheader()\fR
 transfers the contents of lightweight resolver packet structure
-\fBlwres_lwpacket_t\fR\fI*pkt\fR
+\fBlwres_lwpacket_t\fR
+\fI*pkt\fR
 in network byte order to the lightweight resolver buffer,
 \fI*b\fR\&.
 .PP
@@ -182,5 +183,5 @@ both functions return
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_packet.docbook b/bind/bind9/lib/lwres/man/lwres_packet.docbook
index 6df91f8d..8eaa5364 100644
--- a/bind/bind9/lib/lwres/man/lwres_packet.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_packet.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -128,7 +129,7 @@ struct lwres_lwpacket {
               is a request or a reply. Flag values can be set, but not defined
               by
               the caller.
-              This field is filled in by the application wit the exception of
+              This field is filled in by the application with the exception of
               the
               LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
               the
diff --git a/bind/bind9/lib/lwres/man/lwres_packet.html b/bind/bind9/lib/lwres/man/lwres_packet.html
index 4ebbccb6..18450e7a 100644
--- a/bind/bind9/lib/lwres/man/lwres_packet.html
+++ b/bind/bind9/lib/lwres/man/lwres_packet.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,28 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_packet</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_lwpacket_renderheader, 
-    lwres_lwpacket_parseheader
-     &#8212; lightweight resolver packet handling functions
-  </p>
+<p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader &#8212; lightweight resolver packet handling functions</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwpacket.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -60,23 +49,21 @@ lwres_result_t
 </table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
+<p>
       These functions rely on a
       <span class="type">struct lwres_lwpacket</span>
       which is defined in
       <code class="filename">lwres/lwpacket.h</code>.
     </p>
-
-    <pre class="programlisting">
+<pre class="programlisting">
 typedef struct lwres_lwpacket lwres_lwpacket_t;
       </pre>
 <p>
     </p>
-    <pre class="programlisting">
+<pre class="programlisting">
 struct lwres_lwpacket {
         uint32_t          length;
         uint16_t          version;
@@ -91,47 +78,39 @@ struct lwres_lwpacket {
 </pre>
 <p>
     </p>
-
-    <p>
+<p>
       The elements of this structure are:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">length</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               the overall packet length, including the entire packet header.
               This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
               calls.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">version</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               the header format. There is currently only one format,
               <span class="type">LWRES_LWPACKETVERSION_0</span>.
 
               This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
               calls.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">pktflags</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               library-defined flags for this packet: for instance whether the
               packet
               is a request or a reply. Flag values can be set, but not defined
               by
               the caller.
-              This field is filled in by the application wit the exception of
+              This field is filled in by the application with the exception of
               the
               LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
               the
               lwres_gabn_*() and lwres_gnba_*() calls.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">serial</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               is set by the requestor and is returned in all replies. If two
               or more
               packets from the same source have the same serial number and are
@@ -140,11 +119,9 @@ struct lwres_lwpacket {
               latter ones
               may be dropped.
               This field must be set by the application.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">opcode</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               indicates the operation.
               Opcodes between 0x00000000 and 0x03ffffff are
               reserved for use by the lightweight resolver library. Opcodes
@@ -152,11 +129,9 @@ struct lwres_lwpacket {
               0x04000000 and 0xffffffff are application defined.
               This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
               calls.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">result</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               is only valid for replies.
               Results between 0x04000000 and 0xffffffff are application
               defined.
@@ -164,91 +139,73 @@ struct lwres_lwpacket {
               library use.
               This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
               calls.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">recvlength</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               is the maximum buffer size that the receiver can handle on
               requests
               and the size of the buffer needed to satisfy a request when the
               buffer
               is too large for replies.
               This field is supplied by the application.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">authtype</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               defines the packet level authentication that is used.
               Authorisation types between 0x1000 and 0xffff are application
               defined
               and types between 0x0000 and 0x0fff are reserved for library
               use.
               Currently these are not used and must be zero.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">authlen</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               gives the length of the authentication data.
               Since packet authentication is currently not used, this must be
               zero.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-    <p>
+<p>
       The following opcodes are currently defined:
       </p>
 <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><code class="constant">NOOP</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               Success is always returned and the packet contents are echoed.
               The lwres_noop_*() functions should be used for this type.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">GETADDRSBYNAME</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               returns all known addresses for a given name.
               The lwres_gabn_*() functions should be used for this type.
-            </p>
-          </dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">GETNAMEBYADDR</code></span></dt>
-<dd>
-            <p>
+<dd><p>
               return the hostname for the given address.
               The lwres_gnba_*() functions should be used for this type.
-            </p>
-          </dd>
+            </p></dd>
 </dl></div>
 <p>
     </p>
-
-    <p><code class="function">lwres_lwpacket_renderheader()</code>
+<p><code class="function">lwres_lwpacket_renderheader()</code>
       transfers the contents of lightweight resolver packet structure
       <span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in
       network byte order to the lightweight resolver buffer,
       <em class="parameter"><code>*b</code></em>.
     </p>
-
-    <p><code class="function">lwres_lwpacket_parseheader()</code>
+<p><code class="function">lwres_lwpacket_parseheader()</code>
       performs the converse operation.  It transfers data in network
       byte order from buffer <em class="parameter"><code>*b</code></em> to resolver
       packet <em class="parameter"><code>*pkt</code></em>.  The contents of the buffer
       <em class="parameter"><code>b</code></em> should correspond to a
       <span class="type">lwres_lwpacket_t</span>.
     </p>
-
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p>
+<p>
       Successful calls to
       <code class="function">lwres_lwpacket_renderheader()</code> and
       <code class="function">lwres_lwpacket_parseheader()</code> return
@@ -258,7 +215,6 @@ struct lwres_lwpacket {
       functions
       return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>.
     </p>
-
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/lwres_resutil.3 b/bind/bind9/lib/lwres/man/lwres_resutil.3
index 4263c180..c34c94c9 100644
--- a/bind/bind9/lib/lwres/man/lwres_resutil.3
+++ b/bind/bind9/lib/lwres/man/lwres_resutil.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: lwres_resutil
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
 .\"      Date: 2007-06-18
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -181,5 +181,5 @@ if the buffers used for sending queries and receiving replies are too small\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bind/bind9/lib/lwres/man/lwres_resutil.docbook b/bind/bind9/lib/lwres/man/lwres_resutil.docbook
index 641d9071..df366c46 100644
--- a/bind/bind9/lib/lwres/man/lwres_resutil.docbook
+++ b/bind/bind9/lib/lwres/man/lwres_resutil.docbook
@@ -3,14 +3,14 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
 -->
 
 <!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
   <info>
     <date>2007-06-18</date>
   </info>
@@ -38,6 +38,7 @@
       <year>2018</year>
       <year>2019</year>
       <year>2020</year>
+      <year>2021</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/bind/bind9/lib/lwres/man/lwres_resutil.html b/bind/bind9/lib/lwres/man/lwres_resutil.html
index 74685483..961c5d27 100644
--- a/bind/bind9/lib/lwres/man/lwres_resutil.html
+++ b/bind/bind9/lib/lwres/man/lwres_resutil.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -10,30 +10,17 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_resutil</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="id-1"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  
-
-  <div class="refnamediv">
+<div class="refnamediv">
 <h2>Name</h2>
-<p>
-    lwres_string_parse, 
-    lwres_addr_parse, 
-    lwres_getaddrsbyname, 
-    lwres_getnamebyaddr
-     &#8212; lightweight resolver utility functions
-  </p>
+<p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr &#8212; lightweight resolver utility functions</p>
 </div>
-  <div class="refsynopsisdiv">
+<div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-    <div class="funcsynopsis">
+<div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
 <tr>
@@ -112,13 +99,10 @@ lwres_result_t
 </table>
 <div class="funcprototype-spacer"> </div>
 </div>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-
-    <p><code class="function">lwres_string_parse()</code>
+<p><code class="function">lwres_string_parse()</code>
       retrieves a DNS-encoded string starting the current pointer of
       lightweight resolver buffer <em class="parameter"><code>b</code></em>: i.e.
       <code class="constant">b-&gt;current</code>.  When the function returns,
@@ -129,8 +113,7 @@ lwres_result_t
       string length, the encoded string, and the trailing
       <span class="type">NULL</span> character.
     </p>
-
-    <p><code class="function">lwres_addr_parse()</code>
+<p><code class="function">lwres_addr_parse()</code>
       extracts an address from the buffer <em class="parameter"><code>b</code></em>.
       The buffer's current pointer <code class="constant">b-&gt;current</code>
       is presumed to point at an encoded address: the address preceded
@@ -143,12 +126,10 @@ lwres_result_t
       next byte of available data in the buffer following the encoded
       address.
     </p>
-
-    <p><code class="function">lwres_getaddrsbyname()</code>
+<p><code class="function">lwres_getaddrsbyname()</code>
       and <code class="function">lwres_getnamebyaddr()</code> use the
       <span class="type">lwres_gnbaresponse_t</span> structure defined below:
     </p>
-
 <pre class="programlisting">
 typedef struct {
         uint32_t          flags;
@@ -163,17 +144,13 @@ typedef struct {
         size_t                  baselen;
 } lwres_gabnresponse_t;
 </pre>
-
-    <p>
+<p>
       The contents of this structure are not manipulated directly but
       they are controlled through the
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_gabn</span>(3)
-      </span>
+      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>
       functions.
     </p>
-
-    <p>
+<p>
       The lightweight resolver uses
       <code class="function">lwres_getaddrsbyname()</code> to perform
       forward lookups.
@@ -187,8 +164,7 @@ typedef struct {
       <span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses.  Results of the
       lookup are returned in <em class="parameter"><code>*structp</code></em>.
     </p>
-
-    <p><code class="function">lwres_getnamebyaddr()</code>
+<p><code class="function">lwres_getnamebyaddr()</code>
       performs reverse lookups.  Resolver context
       <em class="parameter"><code>ctx</code></em> is used for memory allocation.  The
       address type is indicated by <em class="parameter"><code>addrtype</code></em>:
@@ -199,12 +175,10 @@ typedef struct {
       function call is made available through
       <em class="parameter"><code>*structp</code></em>.
     </p>
-  </div>
-
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.8"></a><h2>RETURN VALUES</h2>
-
-    <p>
+<p>
       Successful calls to
       <code class="function">lwres_string_parse()</code>
       and
@@ -218,18 +192,16 @@ typedef struct {
       if the buffer has less space than expected for the components of the
       encoded string or address.
     </p>
-
-    <p><code class="function">lwres_getaddrsbyname()</code>
+<p><code class="function">lwres_getaddrsbyname()</code>
       returns <span class="errorcode">LWRES_R_SUCCESS</span> on success and it
       returns <span class="errorcode">LWRES_R_NOTFOUND</span> if the hostname
       <em class="parameter"><code>name</code></em> could not be found.
     </p>
-    <p><span class="errorcode">LWRES_R_SUCCESS</span>
+<p><span class="errorcode">LWRES_R_SUCCESS</span>
       is returned by a successful call to
       <code class="function">lwres_getnamebyaddr()</code>.
     </p>
-
-    <p>
+<p>
       Both
       <code class="function">lwres_getaddrsbyname()</code>
       and
@@ -241,20 +213,13 @@ typedef struct {
       if the buffers used for sending queries and receiving replies are too
       small.
     </p>
-
-  </div>
-  <div class="refsection">
+</div>
+<div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
 
-    <p><span class="citerefentry">
-        <span class="refentrytitle">lwres_buffer</span>(3)
-      </span>,
-
-      <span class="citerefentry">
-        <span class="refentrytitle">lwres_gabn</span>(3)
-      </span>.
+      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
     </p>
-
-  </div>
+</div>
 </div></body>
 </html>
diff --git a/bind/bind9/lib/lwres/man/resolver.5 b/bind/bind9/lib/lwres/man/resolver.5
index 8de3d080..79329e06 100644
--- a/bind/bind9/lib/lwres/man/resolver.5
+++ b/bind/bind9/lib/lwres/man/resolver.5
@@ -2,13 +2,11 @@
 .\"
 .\" This Source Code Form is subject to the terms of the Mozilla Public
 .\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\" file, you can obtain one at https://mozilla.org/MPL/2.0/.
 .\"
 .\" See the COPYRIGHT file distributed with this work for additional
 .\" information regarding copyright ownership.
 .\"
-.\" $Id: resolver.5,v 1.8 2007/06/19 23:47:23 tbox Exp $
-.\"
 .Dd Jun 30, 2000
 .Dt RESOLVER 5
 .Os BIND9 9
@@ -55,7 +53,7 @@ The available configuration directives are:
 .It Li nameserver
 Internet address of a name server that the resolver should query.
 The IP address of the server can be supplied in the usual notation:
-either in dotted-decimal form for an IPv4 addess or in double colon
+either in dotted-decimal form for an IPv4 address or in double colon
 form described in RFC1884 for an IPv6 address.
 Up to three nameserver directives can be listed.
 See
diff --git a/bind/bind9/lib/lwres/print.c b/bind/bind9/lib/lwres/print.c
index a936519e..96fec0d6 100644
--- a/bind/bind9/lib/lwres/print.c
+++ b/bind/bind9/lib/lwres/print.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/print_p.h b/bind/bind9/lib/lwres/print_p.h
index 0a86b192..8a764fa2 100644
--- a/bind/bind9/lib/lwres/print_p.h
+++ b/bind/bind9/lib/lwres/print_p.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: print_p.h,v 1.6 2010/08/16 23:46:52 tbox Exp $ */
-
 #ifndef LWRES_PRINT_P_H
 #define LWRES_PRINT_P_H 1
 
diff --git a/bind/bind9/lib/lwres/tests/Makefile.in b/bind/bind9/lib/lwres/tests/Makefile.in
index 6df3e736..4ee55b83 100644
--- a/bind/bind9/lib/lwres/tests/Makefile.in
+++ b/bind/bind9/lib/lwres/tests/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/tests/config_test.c b/bind/bind9/lib/lwres/tests/config_test.c
index c50883c0..05bbd011 100644
--- a/bind/bind9/lib/lwres/tests/config_test.c
+++ b/bind/bind9/lib/lwres/tests/config_test.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/unix/Makefile.in b/bind/bind9/lib/lwres/unix/Makefile.in
index 93e2bdca..8d1b6f1c 100644
--- a/bind/bind9/lib/lwres/unix/Makefile.in
+++ b/bind/bind9/lib/lwres/unix/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/unix/include/Makefile.in b/bind/bind9/lib/lwres/unix/include/Makefile.in
index d9a3044f..db74bea5 100644
--- a/bind/bind9/lib/lwres/unix/include/Makefile.in
+++ b/bind/bind9/lib/lwres/unix/include/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/unix/include/lwres/Makefile.in b/bind/bind9/lib/lwres/unix/include/lwres/Makefile.in
index aff3bee3..38f126d9 100644
--- a/bind/bind9/lib/lwres/unix/include/lwres/Makefile.in
+++ b/bind/bind9/lib/lwres/unix/include/lwres/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/unix/include/lwres/net.h b/bind/bind9/lib/lwres/unix/include/lwres/net.h
index 674b39fe..baf9a0f3 100644
--- a/bind/bind9/lib/lwres/unix/include/lwres/net.h
+++ b/bind/bind9/lib/lwres/unix/include/lwres/net.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: net.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_NET_H
 #define LWRES_NET_H 1
 
diff --git a/bind/bind9/lib/lwres/unreachable_p.h b/bind/bind9/lib/lwres/unreachable_p.h
index 525fe6d3..45c03fd5 100644
--- a/bind/bind9/lib/lwres/unreachable_p.h
+++ b/bind/bind9/lib/lwres/unreachable_p.h
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/version.c b/bind/bind9/lib/lwres/version.c
index 3683f123..b6c28881 100644
--- a/bind/bind9/lib/lwres/version.c
+++ b/bind/bind9/lib/lwres/version.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: version.c,v 1.12 2007/06/19 23:47:22 tbox Exp $ */
-
 /*! \file */
 
 #include <lwres/version.h>
diff --git a/bind/bind9/lib/lwres/win32/DLLMain.c b/bind/bind9/lib/lwres/win32/DLLMain.c
index 46ca8aca..ff53d5bb 100644
--- a/bind/bind9/lib/lwres/win32/DLLMain.c
+++ b/bind/bind9/lib/lwres/win32/DLLMain.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/lwres/win32/Makefile.in b/bind/bind9/lib/lwres/win32/Makefile.in
index 93e2bdca..8d1b6f1c 100644
--- a/bind/bind9/lib/lwres/win32/Makefile.in
+++ b/bind/bind9/lib/lwres/win32/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/win32/include/Makefile.in b/bind/bind9/lib/lwres/win32/include/Makefile.in
index d9a3044f..db74bea5 100644
--- a/bind/bind9/lib/lwres/win32/include/Makefile.in
+++ b/bind/bind9/lib/lwres/win32/include/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/win32/include/lwres/Makefile.in b/bind/bind9/lib/lwres/win32/include/lwres/Makefile.in
index 9d388de9..b82062f1 100644
--- a/bind/bind9/lib/lwres/win32/include/lwres/Makefile.in
+++ b/bind/bind9/lib/lwres/win32/include/lwres/Makefile.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/bind/bind9/lib/lwres/win32/include/lwres/net.h b/bind/bind9/lib/lwres/win32/include/lwres/net.h
index 41ffca41..a8d63fc4 100644
--- a/bind/bind9/lib/lwres/win32/include/lwres/net.h
+++ b/bind/bind9/lib/lwres/win32/include/lwres/net.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: net.h,v 1.6 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_NET_H
 #define LWRES_NET_H 1
 
diff --git a/bind/bind9/lib/lwres/win32/include/lwres/netdb.h b/bind/bind9/lib/lwres/win32/include/lwres/netdb.h
index f0d8a865..ee5f2579 100644
--- a/bind/bind9/lib/lwres/win32/include/lwres/netdb.h
+++ b/bind/bind9/lib/lwres/win32/include/lwres/netdb.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: netdb.h,v 1.7 2007/06/19 23:47:23 tbox Exp $ */
-
 #ifndef LWRES_NETDB_H
 #define LWRES_NETDB_H 1
 
diff --git a/bind/bind9/lib/lwres/win32/include/lwres/platform.h b/bind/bind9/lib/lwres/win32/include/lwres/platform.h
index 1484e47b..480179fb 100644
--- a/bind/bind9/lib/lwres/win32/include/lwres/platform.h
+++ b/bind/bind9/lib/lwres/win32/include/lwres/platform.h
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: platform.h,v 1.7 2007/06/18 23:47:52 tbox Exp $ */
-
 #ifndef LWRES_PLATFORM_H
 #define LWRES_PLATFORM_H 1
 
@@ -57,7 +55,7 @@
 /*@LWRES_PLATFORM_HAVEINADDR6@ */
 
 /*
- * Defined if unistd.h does not cause fd_set to be delared.
+ * Defined if unistd.h does not cause fd_set to be declared.
  */
 /*@LWRES_PLATFORM_NEEDSYSSELECTH@ */
 
diff --git a/bind/bind9/lib/lwres/win32/liblwres.vcxproj.in b/bind/bind9/lib/lwres/win32/liblwres.vcxproj.in
index ee91c46f..6b83266c 100644
--- a/bind/bind9/lib/lwres/win32/liblwres.vcxproj.in
+++ b/bind/bind9/lib/lwres/win32/liblwres.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>.\;..\..\lwres\win32\include;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -77,7 +80,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/lwres/win32/lwconfig.c b/bind/bind9/lib/lwres/win32/lwconfig.c
index 9a6c426b..eca49a83 100644
--- a/bind/bind9/lib/lwres/win32/lwconfig.c
+++ b/bind/bind9/lib/lwres/win32/lwconfig.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: lwconfig.c,v 1.7 2007/12/14 01:40:42 marka Exp $ */
-
 /*
  * We do this so that we may incorporate everything in the main routines
  * so that we can take advantage of the fixes and changes made there
diff --git a/bind/bind9/lib/lwres/win32/socket.c b/bind/bind9/lib/lwres/win32/socket.c
index c6453dd3..93cd207d 100644
--- a/bind/bind9/lib/lwres/win32/socket.c
+++ b/bind/bind9/lib/lwres/win32/socket.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: socket.c,v 1.3 2007/06/18 23:47:51 tbox Exp $ */
-
 #include <stdio.h>
 #include <isc/print.h>
 #include <lwres/platform.h>
diff --git a/bind/bind9/lib/lwres/win32/version.c b/bind/bind9/lib/lwres/win32/version.c
index f213b33d..5cfd47fd 100644
--- a/bind/bind9/lib/lwres/win32/version.c
+++ b/bind/bind9/lib/lwres/win32/version.c
@@ -3,14 +3,12 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
 
-/* $Id: version.c,v 1.6 2007/06/19 23:47:23 tbox Exp $ */
-
 #include <versions.h>
 
 #include <lwres/version.h>
diff --git a/bind/bind9/lib/samples/Makefile-postinstall.in b/bind/bind9/lib/samples/Makefile-postinstall.in
index aa512f17..8b8feb99 100644
--- a/bind/bind9/lib/samples/Makefile-postinstall.in
+++ b/bind/bind9/lib/samples/Makefile-postinstall.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: Makefile-postinstall.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
 srcdir =	@srcdir@
 #prefix =	@prefix@
 #exec_prefix =	@exec_prefix@
diff --git a/bind/bind9/lib/samples/Makefile.in b/bind/bind9/lib/samples/Makefile.in
index 6abe81c2..cb732572 100644
--- a/bind/bind9/lib/samples/Makefile.in
+++ b/bind/bind9/lib/samples/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/samples/nsprobe.c b/bind/bind9/lib/samples/nsprobe.c
index 2ebb19a1..9bf0e65e 100644
--- a/bind/bind9/lib/samples/nsprobe.c
+++ b/bind/bind9/lib/samples/nsprobe.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -1203,8 +1203,8 @@ main(int argc, char *argv[]) {
 
 	/* Cleanup */
 	for (i = 0; i < MAX_PROBES; i++) {
-		dns_message_destroy(&probes[i].qmessage);
-		dns_message_destroy(&probes[i].rmessage);
+		dns_message_detach(&probes[i].qmessage);
+		dns_message_detach(&probes[i].rmessage);
 	}
 	isc_task_detach(&probe_task);
 	dns_client_destroy(&client);
diff --git a/bind/bind9/lib/samples/resolve.c b/bind/bind9/lib/samples/resolve.c
index 30389fcf..23cffc7c 100644
--- a/bind/bind9/lib/samples/resolve.c
+++ b/bind/bind9/lib/samples/resolve.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/samples/rootkey.sh b/bind/bind9/lib/samples/rootkey.sh
index 3dbfafdb..5fddbca1 100644
--- a/bind/bind9/lib/samples/rootkey.sh
+++ b/bind/bind9/lib/samples/rootkey.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/lib/samples/sample-async.c b/bind/bind9/lib/samples/sample-async.c
index 28c6573c..cbfb5e72 100644
--- a/bind/bind9/lib/samples/sample-async.c
+++ b/bind/bind9/lib/samples/sample-async.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/samples/sample-gai.c b/bind/bind9/lib/samples/sample-gai.c
index 8b56ab9c..9a8de246 100644
--- a/bind/bind9/lib/samples/sample-gai.c
+++ b/bind/bind9/lib/samples/sample-gai.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/samples/sample-request.c b/bind/bind9/lib/samples/sample-request.c
index e60a6df8..3a4123e2 100644
--- a/bind/bind9/lib/samples/sample-request.c
+++ b/bind/bind9/lib/samples/sample-request.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
@@ -115,7 +115,7 @@ make_querymessage(dns_message_t *message, const char *namestr,
 		dns_message_puttempname(message, &qname);
 	if (qrdataset != NULL)
 		dns_message_puttemprdataset(message, &qrdataset);
-	dns_message_destroy(&message);
+	dns_message_detach(&message);
 	return (result);
 }
 
@@ -255,8 +255,8 @@ main(int argc, char *argv[]) {
 	isc_buffer_free(&outputbuf);
 
 	/* Cleanup */
-	dns_message_destroy(&qmessage);
-	dns_message_destroy(&rmessage);
+	dns_message_detach(&qmessage);
+	dns_message_detach(&rmessage);
 	isc_mem_destroy(&mctx);
 	dns_client_destroy(&client);
 	dns_lib_shutdown();
diff --git a/bind/bind9/lib/samples/sample-update.c b/bind/bind9/lib/samples/sample-update.c
index 83f963d0..58d68759 100644
--- a/bind/bind9/lib/samples/sample-update.c
+++ b/bind/bind9/lib/samples/sample-update.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/samples/win32/async.vcxproj.in b/bind/bind9/lib/samples/win32/async.vcxproj.in
index 8d88df73..0a80e25e 100644
--- a/bind/bind9/lib/samples/win32/async.vcxproj.in
+++ b/bind/bind9/lib/samples/win32/async.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/samples/win32/gai.vcxproj.in b/bind/bind9/lib/samples/win32/gai.vcxproj.in
index efdae415..da9650e4 100644
--- a/bind/bind9/lib/samples/win32/gai.vcxproj.in
+++ b/bind/bind9/lib/samples/win32/gai.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/samples/win32/nsprobe.vcxproj.in b/bind/bind9/lib/samples/win32/nsprobe.vcxproj.in
index 8769fac9..9f2070d0 100644
--- a/bind/bind9/lib/samples/win32/nsprobe.vcxproj.in
+++ b/bind/bind9/lib/samples/win32/nsprobe.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/samples/win32/request.vcxproj.in b/bind/bind9/lib/samples/win32/request.vcxproj.in
index df4f000f..d7218615 100644
--- a/bind/bind9/lib/samples/win32/request.vcxproj.in
+++ b/bind/bind9/lib/samples/win32/request.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/samples/win32/resolve.vcxproj.in b/bind/bind9/lib/samples/win32/resolve.vcxproj.in
index ab377570..41b7d31b 100644
--- a/bind/bind9/lib/samples/win32/resolve.vcxproj.in
+++ b/bind/bind9/lib/samples/win32/resolve.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/samples/win32/update.vcxproj.in b/bind/bind9/lib/samples/win32/update.vcxproj.in
index a7dd0a90..eae201ad 100644
--- a/bind/bind9/lib/samples/win32/update.vcxproj.in
+++ b/bind/bind9/lib/samples/win32/update.vcxproj.in
@@ -44,17 +44,20 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -76,7 +79,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/lib/win32/bindevt/bindevt.c b/bind/bind9/lib/win32/bindevt/bindevt.c
index d74a2f1c..1b94db30 100644
--- a/bind/bind9/lib/win32/bindevt/bindevt.c
+++ b/bind/bind9/lib/win32/bindevt/bindevt.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/lib/win32/bindevt/bindevt.mc b/bind/bind9/lib/win32/bindevt/bindevt.mc
index 7d345472..ba9fb848 100644
--- a/bind/bind9/lib/win32/bindevt/bindevt.mc
+++ b/bind/bind9/lib/win32/bindevt/bindevt.mc
@@ -2,7 +2,7 @@
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
diff --git a/bind/bind9/lib/win32/bindevt/bindevt.vcxproj.in b/bind/bind9/lib/win32/bindevt/bindevt.vcxproj.in
index e1dedada..cb153363 100644
--- a/bind/bind9/lib/win32/bindevt/bindevt.vcxproj.in
+++ b/bind/bind9/lib/win32/bindevt/bindevt.vcxproj.in
@@ -44,6 +44,7 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <CustomBuildBeforeTargets>ResourceCompile</CustomBuildBeforeTargets>
     <IgnoreImportLibrary>true</IgnoreImportLibrary>
   </PropertyGroup>
@@ -51,6 +52,7 @@
     <LinkIncremental>false</LinkIncremental>
     <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
     <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
     <CustomBuildBeforeTargets>ResourceCompile</CustomBuildBeforeTargets>
     <IgnoreImportLibrary>true</IgnoreImportLibrary>
   </PropertyGroup>
@@ -58,7 +60,8 @@
     <ClCompile>
       <PrecompiledHeader>
       </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;BINDEVT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>..\include;..\..\..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
@@ -85,7 +88,8 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
     <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>
       </PrecompiledHeader>
       <Optimization>MaxSpeed</Optimization>
diff --git a/bind/bind9/libtool.m4/libtool.m4 b/bind/bind9/libtool.m4/libtool.m4
index a3bc337b..c81e6692 100644
--- a/bind/bind9/libtool.m4/libtool.m4
+++ b/bind/bind9/libtool.m4/libtool.m4
@@ -728,7 +728,6 @@ _LT_CONFIG_SAVE_COMMANDS([
     cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 
 # Provide generalized library-building support services.
@@ -2887,6 +2886,18 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -3546,7 +3557,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-netbsd*)
+netbsd* | netbsdelf*-gnu)
   if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
   else
@@ -4052,7 +4063,8 @@ _LT_EOF
   if AC_TRY_EVAL(ac_compile); then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
+    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD
+    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@@ -4424,7 +4436,7 @@ m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      netbsd*)
+      netbsd* | netbsdelf*-gnu)
 	;;
       *qnx* | *nto*)
         # QNX uses GNU C++, but need to define -shared option too, otherwise
@@ -4936,6 +4948,9 @@ m4_if([$1], [CXX], [
       ;;
     esac
     ;;
+  linux* | k*bsd*-gnu | gnu*)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
   *)
     _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
     ;;
@@ -4998,6 +5013,9 @@ dnl Note also adjust exclude_expsyms for C++ above.
   openbsd* | bitrig*)
     with_gnu_ld=no
     ;;
+  linux* | k*bsd*-gnu | gnu*)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
   esac
 
   _LT_TAGVAR(ld_shlibs, $1)=yes
@@ -5252,7 +5270,7 @@ _LT_EOF
       fi
       ;;
 
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@@ -5773,6 +5791,7 @@ _LT_EOF
 	if test yes = "$lt_cv_irix_exported_symbol"; then
           _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
+	_LT_TAGVAR(link_all_deplibs, $1)=no
       else
 	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@@ -5794,7 +5813,7 @@ _LT_EOF
       esac
       ;;
 
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
       else
@@ -6420,7 +6439,7 @@ if test yes != "$_lt_caught_CXX_error"; then
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
       # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 
     else
       GXX=no
@@ -6795,7 +6814,7 @@ if test yes != "$_lt_caught_CXX_error"; then
             # explicitly linking system object files so we need to strip them
             # from the output so that they don't get included in the library
             # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
             ;;
           *)
             if test yes = "$GXX"; then
@@ -6860,7 +6879,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
           *)
 	    if test yes = "$GXX"; then
@@ -7199,7 +7218,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	      # Commands to make compiler produce verbose output that lists
 	      # what "hidden" libraries, object files and flags are used when
 	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 
 	    else
 	      # FIXME: insert proper C++ library support
@@ -7283,7 +7302,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	      else
 	        # g++ 2.7 appears to require '-G' NOT '-shared' on this
 	        # platform.
@@ -7294,7 +7313,7 @@ if test yes != "$_lt_caught_CXX_error"; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	      fi
 
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
diff --git a/bind/bind9/make/Makefile.in b/bind/bind9/make/Makefile.in
index 1c2b35ee..839d9cba 100644
--- a/bind/bind9/make/Makefile.in
+++ b/bind/bind9/make/Makefile.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/make/includes.in b/bind/bind9/make/includes.in
index fa86ad1e..66efe688 100644
--- a/bind/bind9/make/includes.in
+++ b/bind/bind9/make/includes.in
@@ -2,13 +2,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id: includes.in,v 1.21 2007/06/19 23:47:24 tbox Exp $
-
 # Search for machine-generated header files in the build tree,
 # and for normal headers in the source tree (${top_srcdir}).
 # We only need to look in OS-specific subdirectories for the
diff --git a/bind/bind9/make/rules.in b/bind/bind9/make/rules.in
index 30605a09..c0b5899b 100644
--- a/bind/bind9/make/rules.in
+++ b/bind/bind9/make/rules.in
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/tsan-suppressions.txt b/bind/bind9/tsan-suppressions.txt
new file mode 100644
index 00000000..b12e0389
--- /dev/null
+++ b/bind/bind9/tsan-suppressions.txt
@@ -0,0 +1,2 @@
+# Uninstrumented library.
+called_from_lib:libfstrm.so
diff --git a/bind/bind9/unit/unittest.sh.in b/bind/bind9/unit/unittest.sh.in
index b7b5ca06..35df5777 100755
--- a/bind/bind9/unit/unittest.sh.in
+++ b/bind/bind9/unit/unittest.sh.in
@@ -3,7 +3,6 @@
 # Find the top of the BIND9 tree.
 export TOP=@abs_top_builddir@
 KYUA=@KYUA@
-UNITTESTS=@UNITTESTS@
 CMOCKA_MESSAGE_OUTPUT=TAP
 export CMOCKA_MESSAGE_OUTPUT
 GDB="$(command -v gdb)"
@@ -12,60 +11,75 @@ kyua_report() {
 	${KYUA} --logfile /dev/null report --results-file "${KYUA_RESULT:-LATEST}"
 }
 
-status=0
-if [ -n "${UNITTESTS}" ] && [ -f Kyuafile ]
-then
-	echo "S:unit:$(date)"
-	echo "T:unit:1:A"
-	echo "I: unit tests (using kyua)"
-	${KYUA} -v parallelism="${TEST_PARALLEL_JOBS:-1}" --logfile kyua.log --loglevel debug test --results-file "${KYUA_RESULT:-NEW}"
-	status=$?
+clear_kyua_work_dir() {
+	KYUA_WORK_DIR="$(grep -i -m1 "failed" "${1}" | sed -n 's|.*\(/tmp/kyua\.[A-Za-z0-9]*\).*|\1|p')"
+	if [ -n "${CI}" ] && [ -d "${KYUA_WORK_DIR}" ]; then
+		find "${KYUA_WORK_DIR}" \( -name 'core*' -o -name '*.core' \) -exec mv -v {} . \;
+		rm -rf "${KYUA_WORK_DIR}"
+	fi
+}
+
+if [ -z "${KYUA}" ]; then
+	exit 0
+fi
 
-	kyua_report
+echo "S:unit:$(date)"
+echo "T:unit:1:A"
+echo "I:unit tests (using kyua)"
 
-	if command -v sysctl >/dev/null; then
-		if [ "$(uname -s)" = "Linux" ] && [ "$(sysctl -n kernel.core_uses_pid)" -ne 1 ]; then
-			echo "kernel.core_uses_pid is not set on the Linux host"
-			echo "kyua may not find core file of broken tests"
-		fi
-	else
-		echo "sysctl command is not present, can't check kernel.core_uses_pid."
-		echo "kyua may not find core file of broken tests"
-	fi
+${KYUA} -v parallelism="${TEST_PARALLEL_JOBS:-1}" --logfile kyua.log --loglevel debug test --results-file "${KYUA_RESULT:-NEW}"
+status=$?
 
-	# Use kyua-debug(1) facility to gather additional data on failed tests.
-	# Some runs will just show verbose information from the run, some will
-	# show backtrace via gdb(1).
-	broken_tests="$(kyua_report | awk '/Broken tests/ { flag=1; next } /Summary/ { flag=0 } flag' | awk '{ print $1 }')"
-	if [ -n "${CI}" ] && [ "$(id -u)" -eq 0 ] && [ -n "${broken_tests}" ] && [ -n "${GDB}" ]; then
-		if grep '^#define USE_LIBTOOL 1$' "${TOP}/config.h" >/dev/null; then
-			# kyua debug command misidentifies broken binary when libtool is used
-			# to configure BIND (see https://github.com/jmmv/kyua/issues/207).
-			# Here we try "trick" kyua use our custom gdb script instead
-			# of using gdb(1) directly. That's why this part needs to be run as root
-			# and, for safety reasons, only in the CI.
-			mv "${GDB}" "${GDB}.orig"
-			cp "${TOP}/unit/gdb" "${GDB}"
-			for test in ${broken_tests}; do
-				echo
-				${KYUA} debug "${test}"
-			done
-			mv "${GDB}.orig" "${GDB}"
-		else
-			for test in ${broken_tests}; do
-				echo
-				${KYUA} debug "${test}"
-			done
-		fi
-	fi
+kyua_report
+
+clear_kyua_work_dir kyua.log
 
-	if [ "${status}" -eq 0 ]
-	then
-		rm -f kyua.log
-		echo "R:PASS"
-	else
-		echo "R:FAIL:status:${status}"
+# Use kyua-debug(1) facility to gather additional data on failed tests.
+# Some runs will just show verbose information from the run, some will
+# show backtrace via gdb(1).
+USER_ID=$(id -u)
+BROKEN_TESTS=$(kyua_report | awk '$2 == "->" && ( $3 == "broken:" || $3 == "failed:" ) { print $1 }')
+# Conditions for getting kyua debug info and GDB backtrace: runs under CI
+# (safety), GDB present, root privileges, failed tests.
+if [ -n "${CI}" ] && [ -n "${GDB}" ] && [ "${USER_ID:-1}" -eq 0 ] && [ -n "${BROKEN_TESTS}" ]; then
+	if [ "$(uname -s)" = "Linux" ] && ! sysctl -n "kernel.core_pattern" | grep -xq "core.%p"; then
+		echo "I:*** kernel.core_pattern is not set to 'core.%p'"
+		echo "I:*** kyua may not be able to find core dumps for broken tests"
+	fi
+	if [ "$(uname -s)" = "FreeBSD" ] && ! sysctl -n "kern.corefile" | grep -xq "core.%P"; then
+		echo "I:*** kern.corefile is not set to 'core.%P'"
+		echo "I:*** kyua may not be able to find core dumps for broken tests"
+	fi
+	if grep '^#define USE_LIBTOOL 1$' "${TOP}/config.h" >/dev/null; then
+		# kyua debug command misidentifies broken binaries when libtool
+		# is used (see https://github.com/jmmv/kyua/issues/207).
+		# Here we try to "trick" kyua to use our custom gdb script instead
+		# of using gdb(1) directly. Hence this part needs to be run as root
+		# and, for safety reasons, only in the CI.
+		mv "${GDB}" "${GDB}.orig"
+		cp "${TOP}/unit/gdb" "${GDB}"
+	fi
+	i=1
+	for test in ${BROKEN_TESTS}; do
+		echo
+		echo "----- $test -----"
+		KYUA_DEBUG_LOG="kyua.debug.log.${i}"
+		${KYUA} debug "${test}" 2>&1 | tee "${KYUA_DEBUG_LOG}"
+		clear_kyua_work_dir "${KYUA_DEBUG_LOG}"
+		i=$((i + 1))
+	done
+	if grep '^#define USE_LIBTOOL 1$' "${TOP}/config.h" >/dev/null; then
+		mv "${GDB}.orig" "${GDB}"
 	fi
-	echo "E:unit:$(date)"
 fi
+
+if [ "${status}" -eq 0 ]
+then
+	rm -f kyua.log
+	echo "R:PASS"
+else
+	echo "R:FAIL:status:${status}"
+fi
+echo "E:unit:$(date)"
+
 exit ${status}
diff --git a/bind/bind9/util/COPYRIGHT b/bind/bind9/util/COPYRIGHT
index e0a6aa6a..db2b6767 100644
--- a/bind/bind9/util/COPYRIGHT
+++ b/bind/bind9/util/COPYRIGHT
@@ -2,7 +2,7 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at http://mozilla.org/MPL/2.0/.
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
 
 See the COPYRIGHT file distributed with this work for additional
 information regarding copyright ownership.
diff --git a/bind/bind9/util/COPYRIGHT.BRIEF b/bind/bind9/util/COPYRIGHT.BRIEF
index d8a4983d..bb4b74b3 100644
--- a/bind/bind9/util/COPYRIGHT.BRIEF
+++ b/bind/bind9/util/COPYRIGHT.BRIEF
@@ -1,3 +1,3 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
diff --git a/bind/bind9/util/COPYRIGHT.BSDI b/bind/bind9/util/COPYRIGHT.BSDI
index 94c472d7..3f7baea2 100644
--- a/bind/bind9/util/COPYRIGHT.BSDI
+++ b/bind/bind9/util/COPYRIGHT.BSDI
@@ -2,7 +2,7 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at http://mozilla.org/MPL/2.0/.
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
 
 See the COPYRIGHT file distributed with this work for additional
 information regarding copyright ownership.
diff --git a/bind/bind9/util/COPYRIGHT.NAI b/bind/bind9/util/COPYRIGHT.NAI
index 30337954..70045889 100644
--- a/bind/bind9/util/COPYRIGHT.NAI
+++ b/bind/bind9/util/COPYRIGHT.NAI
@@ -2,7 +2,7 @@ Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at http://mozilla.org/MPL/2.0/.
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
 
 See the COPYRIGHT file distributed with this work for additional
 information regarding copyright ownership.
diff --git a/bind/bind9/util/COPYRIGHT.NOM b/bind/bind9/util/COPYRIGHT.NOM
index e23c9ce9..703af597 100644
--- a/bind/bind9/util/COPYRIGHT.NOM
+++ b/bind/bind9/util/COPYRIGHT.NOM
@@ -2,7 +2,7 @@ Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at http://mozilla.org/MPL/2.0/.
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
 
 See the COPYRIGHT file distributed with this work for additional
 information regarding copyright ownership.
diff --git a/bind/bind9/util/COPYRIGHT.PORTION b/bind/bind9/util/COPYRIGHT.PORTION
index 574248d0..e61c2b99 100644
--- a/bind/bind9/util/COPYRIGHT.PORTION
+++ b/bind/bind9/util/COPYRIGHT.PORTION
@@ -2,7 +2,7 @@ Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at http://mozilla.org/MPL/2.0/.
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
 
 See the COPYRIGHT file distributed with this work for additional
 information regarding copyright ownership.
diff --git a/bind/bind9/util/COPYRIGHT.TOP b/bind/bind9/util/COPYRIGHT.TOP
index 36fd94a4..d46a5596 100644
--- a/bind/bind9/util/COPYRIGHT.TOP
+++ b/bind/bind9/util/COPYRIGHT.TOP
@@ -2,4 +2,4 @@ Copyright (C) @SYSYEARS@  Internet Systems Consortium, Inc. ("ISC")
 
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at http://mozilla.org/MPL/2.0/.
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
diff --git a/bind/bind9/util/altbuild.sh b/bind/bind9/util/altbuild.sh
index 4d9cef9f..5853ca03 100644
--- a/bind/bind9/util/altbuild.sh
+++ b/bind/bind9/util/altbuild.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/api-checker.sh b/bind/bind9/util/api-checker.sh
new file mode 100755
index 00000000..d87fc688
--- /dev/null
+++ b/bind/bind9/util/api-checker.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# Exit if program $1 is not found in PATH.
+check_program() {
+	if ! command -v "${1}" > /dev/null 2>&1; then
+		echo "'${1}' not found in PATH" >&2
+		exit 1
+	fi
+}
+
+# Check that we were spawned with two arguments and that these arguments are two
+# different directories.
+check_args() {
+	if [ ${#} -ne 2 ] || [ ! -d "${1}" ] || [ ! -d "${2}" ] || [ "${1}" = "${2}" ]; then
+		echo "Usage:"
+		echo ""
+		echo "  ${0} <TESTDIR> <REFDIR>"
+		echo ""
+		echo "Generate API compatibility reports for BIND libraries."
+		echo ""
+		echo "  <TESTDIR> is a directory with current (new) BIND version"
+		echo "  <REFDIR> is a directory with reference (old) BIND version"
+		exit 1
+	fi
+}
+
+check_args "${@}"
+TESTBIND="${1}"
+REFBIND="${2}"
+
+# Ensure the required tools are available in PATH.
+check_program abi-dumper
+check_program abi-compliance-checker
+check_program git
+check_program w3m
+
+# Find all libraries which have designated 'api' file and
+# generate ABI dump file for them.
+while read -r SO; do
+	APIFILE="$(dirname "${SO}")/../api"
+	APIFILE_DIR=$(dirname "${APIFILE}")
+	GIT_HEAD_REV=$(git -C "${APIFILE_DIR}" rev-parse HEAD | cut -c 1-10)
+	GIT_HEAD_UNIX_TIME=$(git -C "${APIFILE_DIR}" log -1 --format=%ct HEAD)
+	# Get LIBINTERFACE, LIBREVISION, LIBAGE from the 'api' file.
+	eval "$(grep -v "^#" "${APIFILE}" | tr -d " ")"
+	VERSION="${LIBINTERFACE}.${LIBREVISION}.${LIBAGE}-${GIT_HEAD_UNIX_TIME}-${GIT_HEAD_REV}"
+	abi-dumper "${SO}" -o abi-"$(basename "${SO}" .so)-${VERSION}".dump -lver "${VERSION}"
+done < <(find "${TESTBIND}"/lib/*/.libs/ "${REFBIND}"/lib/*/.libs/ -name '*.so')
+
+# Generate HTML API compatibility reports for all libraries.
+find . -maxdepth 1 -name 'abi-*.dump' | sort | while read -r OLD; read -r NEW; do
+	SONAME=${OLD/.\/abi-/}
+	SONAME=${SONAME/-*/}
+	if abi-compliance-checker -l "${SONAME}" -old "${OLD}" -new "${NEW}"; then
+		REPORT_PREFIX="PASS"
+	else
+		echo "***** Compatibility problems detected"
+		REPORT_PREFIX="WARN"
+	fi
+	OLD_REPORT_PATH="$(find "compat_reports/${SONAME}" -name '*.html')"
+	NEW_REPORT_PATH="${REPORT_PREFIX}-${SONAME}.html"
+	mv "${OLD_REPORT_PATH}" "${NEW_REPORT_PATH}"
+	echo
+done
+
+# Generate TXT API compatibility reports from HTML reports for all BIND libraries.
+echo "Generate TXT API compatibility reports from HTML reports for all BIND libraries:"
+while read -r HTMLREPORT; do
+	TXTREPORT="${HTMLREPORT/.html/.txt}"
+	echo "  w3m: ${HTMLREPORT} -> ${TXTREPORT}"
+	w3m -dump -cols 75 -O ascii -T text/html "${HTMLREPORT}" > "${TXTREPORT}"
+done < <(find . -maxdepth 1 -name '*-lib*.html')
diff --git a/bind/bind9/util/bindkeys.pl b/bind/bind9/util/bindkeys.pl
index 0fd58560..1bd04bf0 100755
--- a/bind/bind9/util/bindkeys.pl
+++ b/bind/bind9/util/bindkeys.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/branchsync.sh b/bind/bind9/util/branchsync.sh
index aa2baf7a..0a385538 100644
--- a/bind/bind9/util/branchsync.sh
+++ b/bind/bind9/util/branchsync.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/check-ans-prereq.sh b/bind/bind9/util/check-ans-prereq.sh
index 6c21d5c5..cb2b752d 100644
--- a/bind/bind9/util/check-ans-prereq.sh
+++ b/bind/bind9/util/check-ans-prereq.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/check-categories.sh b/bind/bind9/util/check-categories.sh
index dff06679..4c01b705 100644
--- a/bind/bind9/util/check-categories.sh
+++ b/bind/bind9/util/check-categories.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -13,6 +13,7 @@ sed -e 's/.*LOGCATEGORY_\([A-Z_]*\).*/\1/' -e 's/^RRL$/rate-limit/' |
 tr '[A-Z]' '[a-z]' |
 tr _ - | sed 's/^tat$/trust-anchor-telemetry/' | sort -u`
 list2=`sed -n 's;.*<para><command>\(.*\)</command></para>;\1;p' doc/arm/logging-categories.xml | tr '[A-Z]' '[a-z]' | sort -u`
+status=0
 for i in $list1
 do
 	ok=no
@@ -26,6 +27,7 @@ do
 	if test $ok = no
 	then
 		echo "$i missing from documentation."
+		status=1
 	fi
 done
 for i in $list2
@@ -41,5 +43,7 @@ do
 	if test $ok = no
 	then
 		echo "$i not in code."
+		status=1
 	fi
 done
+exit $status
diff --git a/bind/bind9/util/check-changes b/bind/bind9/util/check-changes
index 85eec0e6..94d442fb 100644
--- a/bind/bind9/util/check-changes
+++ b/bind/bind9/util/check-changes
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/check-includes.pl b/bind/bind9/util/check-includes.pl
index 1bf9d4eb..30a1a369 100644
--- a/bind/bind9/util/check-includes.pl
+++ b/bind/bind9/util/check-includes.pl
@@ -4,13 +4,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id$
-
 # Rudimentary, primarily for use by the developers.
 # This just evolved with no serious attempt at making it
 # bulletproof or foolproof.  Or pretty even.  Probably would
diff --git a/bind/bind9/util/check-instincludes.sh b/bind/bind9/util/check-instincludes.sh
index b84f3f8b..bafec40c 100644
--- a/bind/bind9/util/check-instincludes.sh
+++ b/bind/bind9/util/check-instincludes.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/check-line-length.sh b/bind/bind9/util/check-line-length.sh
new file mode 100644
index 00000000..3114dba8
--- /dev/null
+++ b/bind/bind9/util/check-line-length.sh
@@ -0,0 +1,22 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+expand "$1" |
+awk -v file="$1" 'length > 80 {
+    if (logged == 0) {
+        print file ": Line Too Long"
+        logged = 1
+    }
+    print
+}
+END {
+    if (logged == 1) {
+        exit(1)
+    }
+}'
diff --git a/bind/bind9/util/check-make-install.in b/bind/bind9/util/check-make-install.in
new file mode 100644
index 00000000..024f7f2a
--- /dev/null
+++ b/bind/bind9/util/check-make-install.in
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+abs_top_srcdir=@abs_top_srcdir@
+abs_builddir=@abs_builddir@
+prefix=@prefix@
+includedir=@includedir@
+install_dir="${DESTDIR}@prefix@"
+
+headers_to_install() {
+	find "${abs_top_srcdir}/lib" -name "*.h" -or -name "*.h.in" |
+		grep -v -F /win32/ |
+		grep -v -F include/isc/ipv6.h |
+		sed -n \
+		    -e "s|\.h\.in$|\.h|" \
+		    -e "s|.*include/|${DESTDIR}${includedir}/|p" |
+		sort -u
+}
+
+status=0
+
+for header in $(headers_to_install); do
+	if [ ! -f "${header}" ]; then
+		echo "Missing $header"
+		status=1
+	fi
+done
+
+named_binary_path="${install_dir}/sbin/named"
+if [ ! -x "${named_binary_path}" ]; then
+	echo "ERROR: ${named_binary_path} does not exist or is not executable"
+	status=1
+fi
+
+named_man_page_path="${install_dir}/share/man/man8/named.8"
+if [ ! -f "${named_man_page_path}" ]; then
+	echo "ERROR: ${named_man_page_path} does not exist"
+	status=1
+fi
+
+if [ -n "${DESTDIR}" ]; then
+	for expected_subdir in bin etc include lib sbin share var; do
+		echo "${install_dir}/${expected_subdir}" >> "${abs_builddir}/expected_dirs"
+	done
+	find "${install_dir}" -maxdepth 1 -mindepth 1 -type d | sort > "${abs_builddir}/existing_dirs"
+	if ! diff -u "${abs_builddir}/expected_dirs" "${abs_builddir}/existing_dirs"; then
+		echo "ERROR: Contents of DESTDIR do not match expectations"
+		status=1
+	fi
+	rm -f "${abs_builddir}/expected_dirs" "${abs_builddir}/existing_dirs"
+fi
+
+exit $status
diff --git a/bind/bind9/util/check-pullups.pl b/bind/bind9/util/check-pullups.pl
index 66a878c3..15923d78 100644
--- a/bind/bind9/util/check-pullups.pl
+++ b/bind/bind9/util/check-pullups.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/check-sources.pl b/bind/bind9/util/check-sources.pl
index b18e575b..596a58a0 100644
--- a/bind/bind9/util/check-sources.pl
+++ b/bind/bind9/util/check-sources.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/check-win32util-configure b/bind/bind9/util/check-win32util-configure
index bc07b58d..f592f263 100644
--- a/bind/bind9/util/check-win32util-configure
+++ b/bind/bind9/util/check-win32util-configure
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/checklibs.sh b/bind/bind9/util/checklibs.sh
index c16cc3eb..82dadf0e 100755
--- a/bind/bind9/util/checklibs.sh
+++ b/bind/bind9/util/checklibs.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/commit-arm.sh b/bind/bind9/util/commit-arm.sh
index 14288711..c049682e 100644
--- a/bind/bind9/util/commit-arm.sh
+++ b/bind/bind9/util/commit-arm.sh
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/copyrights b/bind/bind9/util/copyrights
index 01fd3152..28b6ef0e 100644
--- a/bind/bind9/util/copyrights
+++ b/bind/bind9/util/copyrights
@@ -1,4609 +1,4669 @@
-./.dir-locals.el				X	2019,2020
-./.gitattributes				X	2015,2017,2018,2019,2020
-./.gitlab-ci.yml				X	2018,2019,2020
-./CHANGES					X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./CONTRIBUTING					X	2018,2019,2020
-./CONTRIBUTING.md				MKD	2018,2019,2020
-./COPYRIGHT					TXT.TOP	1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./EXCLUDED					X	2017,2018,2019,2020
-./HISTORY					X	2010,2013,2016,2017,2018,2019,2020
-./HISTORY.md					MKD	2017,2018,2019,2020
-./Kyuafile					X	2017,2018,2019,2020
-./LICENSE					X	2016,2018,2019,2020
-./Makefile.in					MAKE	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./OPTIONS					X	2017,2018,2019,2020
-./OPTIONS.md					MKD	2017,2018,2019,2020
-./README					X	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./README.md					MKD	2017,2018,2019,2020
-./acconfig.h					C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2012,2014,2016,2018,2019,2020
-./aclocal.m4					X	1999,2000,2001,2012,2014,2018,2019,2020
-./autogen.sh					SH	2015,2016,2018,2019,2020
-./bin/Makefile.in				MAKE	1998,1999,2000,2001,2004,2007,2009,2012,2013,2014,2016,2018,2019,2020
-./bin/check/Makefile.in				MAKE	2000,2001,2002,2003,2004,2005,2006,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./bin/check/check-tool.c			C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/check/check-tool.h			C	2000,2001,2002,2004,2005,2007,2010,2011,2013,2014,2016,2018,2019,2020
+./CHANGES					X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./CONTRIBUTING					X	2018,2019,2020,2021
+./CONTRIBUTING.md				MKD	2018,2019,2020,2021
+./COPYRIGHT					TXT.TOP	1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./EXCLUDED					X	2017,2018,2019,2020,2021
+./HISTORY					X	2010,2013,2016,2017,2018,2019,2020,2021
+./HISTORY.md					MKD	2017,2018,2019,2020,2021
+./Kyuafile					X	2017,2018,2019,2020,2021
+./LICENSE					X	2016,2018,2019,2020,2021
+./Makefile.in					MAKE	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./OPTIONS					X	2017,2018,2019,2020,2021
+./OPTIONS.md					MKD	2017,2018,2019,2020,2021
+./README					X	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./README.md					MKD	2017,2018,2019,2020,2021
+./acconfig.h					C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2012,2014,2016,2018,2019,2020,2021
+./aclocal.m4					X	1999,2000,2001,2012,2014,2018,2019,2020,2021
+./autogen.sh					SH	2015,2016,2018,2019,2020,2021
+./bin/Makefile.in				MAKE	1998,1999,2000,2001,2004,2007,2009,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/check/Makefile.in				MAKE	2000,2001,2002,2003,2004,2005,2006,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/check/check-tool.c			C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/check/check-tool.h			C	2000,2001,2002,2004,2005,2007,2010,2011,2013,2014,2016,2018,2019,2020,2021
 ./bin/check/named-checkconf.8			MAN	DOCBOOK
-./bin/check/named-checkconf.c			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/check/named-checkconf.docbook		SGML	2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020
+./bin/check/named-checkconf.c			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/check/named-checkconf.docbook		SGML	2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020,2021
 ./bin/check/named-checkconf.html		HTML	DOCBOOK
 ./bin/check/named-checkzone.8			MAN	DOCBOOK
-./bin/check/named-checkzone.c			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/check/named-checkzone.docbook		SGML	2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
+./bin/check/named-checkzone.c			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/check/named-checkzone.docbook		SGML	2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/check/named-checkzone.html		HTML	DOCBOOK
-./bin/check/win32/checkconf.dsp.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/check/win32/checkconf.dsw			X	2001,2013,2018,2019,2020
-./bin/check/win32/checkconf.mak.in		X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/check/win32/checkconf.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/check/win32/checkconf.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/check/win32/checkconf.vcxproj.user	X	2013,2018,2019,2020
-./bin/check/win32/checktool.dsp.in		X	2006,2009,2013,2014,2016,2018,2019,2020
-./bin/check/win32/checktool.dsw			X	2006,2018,2019,2020
-./bin/check/win32/checktool.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/check/win32/checktool.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/check/win32/checktool.vcxproj.user	X	2013,2018,2019,2020
-./bin/check/win32/checkzone.dsp.in		X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/check/win32/checkzone.dsw			X	2001,2013,2018,2019,2020
-./bin/check/win32/checkzone.mak.in		X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/check/win32/checkzone.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/check/win32/checkzone.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/check/win32/checkzone.vcxproj.user	X	2013,2018,2019,2020
-./bin/confgen/Makefile.in			MAKE	2009,2012,2014,2015,2016,2017,2018,2019,2020
+./bin/check/win32/checkconf.dsp.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/check/win32/checkconf.dsw			X	2001,2013,2018,2019,2020,2021
+./bin/check/win32/checkconf.mak.in		X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/check/win32/checkconf.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/check/win32/checkconf.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/check/win32/checkconf.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/check/win32/checktool.dsp.in		X	2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/check/win32/checktool.dsw			X	2006,2018,2019,2020,2021
+./bin/check/win32/checktool.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/check/win32/checktool.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/check/win32/checktool.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/check/win32/checkzone.dsp.in		X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/check/win32/checkzone.dsw			X	2001,2013,2018,2019,2020,2021
+./bin/check/win32/checkzone.mak.in		X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/check/win32/checkzone.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/check/win32/checkzone.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/check/win32/checkzone.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/confgen/Makefile.in			MAKE	2009,2012,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/confgen/ddns-confgen.8			MAN	DOCBOOK
-./bin/confgen/ddns-confgen.c			C	2009,2011,2014,2016,2018,2019,2020
-./bin/confgen/ddns-confgen.docbook		SGML	2009,2014,2015,2016,2018,2019,2020
+./bin/confgen/ddns-confgen.c			C	2009,2011,2014,2016,2018,2019,2020,2021
+./bin/confgen/ddns-confgen.docbook		SGML	2009,2014,2015,2016,2018,2019,2020,2021
 ./bin/confgen/ddns-confgen.html			HTML	DOCBOOK
-./bin/confgen/include/confgen/os.h		C	2009,2016,2018,2019,2020
-./bin/confgen/keygen.c				C	2009,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/confgen/keygen.h				C	2009,2016,2018,2019,2020
+./bin/confgen/include/confgen/os.h		C	2009,2016,2018,2019,2020,2021
+./bin/confgen/keygen.c				C	2009,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/confgen/keygen.h				C	2009,2016,2018,2019,2020,2021
 ./bin/confgen/rndc-confgen.8			MAN	DOCBOOK
-./bin/confgen/rndc-confgen.c			C	2001,2003,2004,2005,2007,2008,2009,2011,2013,2014,2016,2018,2019,2020
-./bin/confgen/rndc-confgen.docbook		SGML	2001,2003,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020
+./bin/confgen/rndc-confgen.c			C	2001,2003,2004,2005,2007,2008,2009,2011,2013,2014,2016,2018,2019,2020,2021
+./bin/confgen/rndc-confgen.docbook		SGML	2001,2003,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/confgen/rndc-confgen.html			HTML	DOCBOOK
-./bin/confgen/unix/Makefile.in			MAKE	2009,2012,2016,2018,2019,2020
-./bin/confgen/unix/os.c				C	2009,2016,2018,2019,2020
-./bin/confgen/util.c				C	2009,2015,2016,2018,2019,2020
-./bin/confgen/util.h				C	2009,2016,2018,2019,2020
-./bin/confgen/win32/confgentool.dsp.in		X	2009,2013,2018,2019,2020
-./bin/confgen/win32/confgentool.dsw		X	2009,2018,2019,2020
-./bin/confgen/win32/confgentool.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/confgen/win32/confgentool.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020
-./bin/confgen/win32/confgentool.vcxproj.user	X	2013,2018,2019,2020
-./bin/confgen/win32/ddnsconfgen.dsp.in		X	2009,2013,2018,2019,2020
-./bin/confgen/win32/ddnsconfgen.dsw		X	2009,2018,2019,2020
-./bin/confgen/win32/ddnsconfgen.mak.in		X	2009,2013,2018,2019,2020
-./bin/confgen/win32/ddnsconfgen.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/confgen/win32/ddnsconfgen.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/confgen/win32/ddnsconfgen.vcxproj.user	X	2013,2018,2019,2020
-./bin/confgen/win32/os.c			C	2009,2016,2018,2019,2020
-./bin/confgen/win32/rndcconfgen.dsp.in		X	2001,2009,2013,2018,2019,2020
-./bin/confgen/win32/rndcconfgen.dsw		X	2001,2004,2005,2006,2009,2018,2019,2020
-./bin/confgen/win32/rndcconfgen.mak.in		X	2001,2004,2005,2006,2009,2013,2018,2019,2020
-./bin/confgen/win32/rndcconfgen.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/confgen/win32/rndcconfgen.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020
-./bin/confgen/win32/rndcconfgen.vcxproj.user	X	2013,2018,2019,2020
-./bin/delv/Makefile.in				MAKE	2014,2015,2016,2017,2018,2019,2020
+./bin/confgen/unix/Makefile.in			MAKE	2009,2012,2016,2018,2019,2020,2021
+./bin/confgen/unix/os.c				C	2009,2016,2018,2019,2020,2021
+./bin/confgen/util.c				C	2009,2015,2016,2018,2019,2020,2021
+./bin/confgen/util.h				C	2009,2016,2018,2019,2020,2021
+./bin/confgen/win32/confgentool.dsp.in		X	2009,2013,2018,2019,2020,2021
+./bin/confgen/win32/confgentool.dsw		X	2009,2018,2019,2020,2021
+./bin/confgen/win32/confgentool.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/confgen/win32/confgentool.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/confgen/win32/confgentool.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/confgen/win32/ddnsconfgen.dsp.in		X	2009,2013,2018,2019,2020,2021
+./bin/confgen/win32/ddnsconfgen.dsw		X	2009,2018,2019,2020,2021
+./bin/confgen/win32/ddnsconfgen.mak.in		X	2009,2013,2018,2019,2020,2021
+./bin/confgen/win32/ddnsconfgen.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/confgen/win32/ddnsconfgen.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/confgen/win32/ddnsconfgen.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/confgen/win32/os.c			C	2009,2016,2018,2019,2020,2021
+./bin/confgen/win32/rndcconfgen.dsp.in		X	2001,2009,2013,2018,2019,2020,2021
+./bin/confgen/win32/rndcconfgen.dsw		X	2001,2004,2005,2006,2009,2018,2019,2020,2021
+./bin/confgen/win32/rndcconfgen.mak.in		X	2001,2004,2005,2006,2009,2013,2018,2019,2020,2021
+./bin/confgen/win32/rndcconfgen.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/confgen/win32/rndcconfgen.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/confgen/win32/rndcconfgen.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/delv/Makefile.in				MAKE	2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/delv/delv.1				MAN	DOCBOOK
-./bin/delv/delv.c				C	2014,2015,2016,2017,2018,2019,2020
-./bin/delv/delv.docbook				SGML	2014,2015,2016,2017,2018,2019,2020
+./bin/delv/delv.c				C	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/delv/delv.docbook				SGML	2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/delv/delv.html				HTML	DOCBOOK
-./bin/delv/win32/delv.dsp.in			X	2014,2016,2018,2019,2020
-./bin/delv/win32/delv.dsw			X	2014,2018,2019,2020
-./bin/delv/win32/delv.mak.in			X	2014,2016,2018,2019,2020
-./bin/delv/win32/delv.vcxproj.filters.in	X	2014,2015,2018,2019,2020
-./bin/delv/win32/delv.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020
-./bin/delv/win32/delv.vcxproj.user		X	2014,2018,2019,2020
-./bin/dig/Makefile.in				MAKE	2000,2001,2002,2004,2005,2007,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/delv/win32/delv.dsp.in			X	2014,2016,2018,2019,2020,2021
+./bin/delv/win32/delv.dsw			X	2014,2018,2019,2020,2021
+./bin/delv/win32/delv.mak.in			X	2014,2016,2018,2019,2020,2021
+./bin/delv/win32/delv.vcxproj.filters.in	X	2014,2015,2018,2019,2020,2021
+./bin/delv/win32/delv.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/delv/win32/delv.vcxproj.user		X	2014,2018,2019,2020,2021
+./bin/dig/Makefile.in				MAKE	2000,2001,2002,2004,2005,2007,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dig/dig.1					MAN	DOCBOOK
-./bin/dig/dig.c					C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dig/dig.docbook				SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/dig/dig.c					C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dig/dig.docbook				SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dig/dig.html				HTML	DOCBOOK
-./bin/dig/dighost.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/dig/dighost.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dig/host.1				MAN	DOCBOOK
-./bin/dig/host.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dig/host.docbook				SGML	2000,2001,2002,2004,2005,2007,2008,2009,2014,2015,2016,2017,2018,2019,2020
+./bin/dig/host.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dig/host.docbook				SGML	2000,2001,2002,2004,2005,2007,2008,2009,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dig/host.html				HTML	DOCBOOK
-./bin/dig/include/dig/dig.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/dig/include/dig/dig.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dig/nslookup.1				MAN	DOCBOOK
-./bin/dig/nslookup.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dig/nslookup.docbook			SGML	2004,2005,2006,2007,2010,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/dig/nslookup.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dig/nslookup.docbook			SGML	2004,2005,2006,2007,2010,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dig/nslookup.html				HTML	DOCBOOK
-./bin/dig/win32/dig.dsp.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dig/win32/dig.dsw				X	2001,2018,2019,2020
-./bin/dig/win32/dig.mak.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dig/win32/dig.vcxproj.filters.in		X	2013,2015,2018,2019,2020
-./bin/dig/win32/dig.vcxproj.in			X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dig/win32/dig.vcxproj.user		X	2013,2018,2019,2020
-./bin/dig/win32/dighost.dsp.in			X	2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dig/win32/dighost.dsw			X	2006,2018,2019,2020
-./bin/dig/win32/dighost.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dig/win32/dighost.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dig/win32/dighost.vcxproj.user		X	2013,2018,2019,2020
-./bin/dig/win32/host.dsp.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dig/win32/host.dsw			X	2001,2018,2019,2020
-./bin/dig/win32/host.mak.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dig/win32/host.vcxproj.filters.in		X	2013,2015,2018,2019,2020
-./bin/dig/win32/host.vcxproj.in			X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dig/win32/host.vcxproj.user		X	2013,2018,2019,2020
-./bin/dig/win32/nslookup.dsp.in			X	2001,2002,2004,2005,2009,2013,2014,2016,2018,2019,2020
-./bin/dig/win32/nslookup.dsw			X	2001,2018,2019,2020
-./bin/dig/win32/nslookup.mak.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dig/win32/nslookup.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dig/win32/nslookup.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dig/win32/nslookup.vcxproj.user		X	2013,2018,2019,2020
-./bin/dnssec/Makefile.in			MAKE	2000,2001,2002,2004,2005,2007,2008,2009,2012,2013,2014,2015,2016,2018,2019,2020
+./bin/dig/win32/dig.dsp.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dig/win32/dig.dsw				X	2001,2018,2019,2020,2021
+./bin/dig/win32/dig.mak.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dig/win32/dig.vcxproj.filters.in		X	2013,2015,2018,2019,2020,2021
+./bin/dig/win32/dig.vcxproj.in			X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dig/win32/dig.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/dig/win32/dighost.dsp.in			X	2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dig/win32/dighost.dsw			X	2006,2018,2019,2020,2021
+./bin/dig/win32/dighost.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dig/win32/dighost.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dig/win32/dighost.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/dig/win32/host.dsp.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dig/win32/host.dsw			X	2001,2018,2019,2020,2021
+./bin/dig/win32/host.mak.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dig/win32/host.vcxproj.filters.in		X	2013,2015,2018,2019,2020,2021
+./bin/dig/win32/host.vcxproj.in			X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dig/win32/host.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/dig/win32/nslookup.dsp.in			X	2001,2002,2004,2005,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dig/win32/nslookup.dsw			X	2001,2018,2019,2020,2021
+./bin/dig/win32/nslookup.mak.in			X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dig/win32/nslookup.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dig/win32/nslookup.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dig/win32/nslookup.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/dnssec/Makefile.in			MAKE	2000,2001,2002,2004,2005,2007,2008,2009,2012,2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/dnssec/dnssec-dsfromkey.8			MAN	DOCBOOK
-./bin/dnssec/dnssec-dsfromkey.c			C	2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/dnssec-dsfromkey.docbook		SGML	2008,2009,2010,2011,2012,2014,2015,2016,2018,2019,2020
+./bin/dnssec/dnssec-dsfromkey.c			C	2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/dnssec-dsfromkey.docbook		SGML	2008,2009,2010,2011,2012,2014,2015,2016,2018,2019,2020,2021
 ./bin/dnssec/dnssec-dsfromkey.html		HTML	DOCBOOK
 ./bin/dnssec/dnssec-importkey.8			MAN	DOCBOOK
-./bin/dnssec/dnssec-importkey.c			C	2013,2014,2015,2016,2018,2019,2020
-./bin/dnssec/dnssec-importkey.docbook		SGML	2013,2014,2015,2016,2018,2019,2020
+./bin/dnssec/dnssec-importkey.c			C	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/dnssec/dnssec-importkey.docbook		SGML	2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/dnssec/dnssec-importkey.html		HTML	DOCBOOK
 ./bin/dnssec/dnssec-keyfromlabel.8		MAN	DOCBOOK
-./bin/dnssec/dnssec-keyfromlabel.c		C	2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/dnssec-keyfromlabel.docbook	SGML	2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
+./bin/dnssec/dnssec-keyfromlabel.c		C	2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/dnssec-keyfromlabel.docbook	SGML	2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dnssec/dnssec-keyfromlabel.html		HTML	DOCBOOK
 ./bin/dnssec/dnssec-keygen.8			MAN	DOCBOOK
-./bin/dnssec/dnssec-keygen.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/dnssec-keygen.docbook		SGML	2000,2001,2002,2003,2004,2005,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
+./bin/dnssec/dnssec-keygen.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/dnssec-keygen.docbook		SGML	2000,2001,2002,2003,2004,2005,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dnssec/dnssec-keygen.html			HTML	DOCBOOK
 ./bin/dnssec/dnssec-revoke.8			MAN	DOCBOOK
-./bin/dnssec/dnssec-revoke.c			C	2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/dnssec-revoke.docbook		SGML	2009,2011,2014,2015,2016,2018,2019,2020
+./bin/dnssec/dnssec-revoke.c			C	2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/dnssec-revoke.docbook		SGML	2009,2011,2014,2015,2016,2018,2019,2020,2021
 ./bin/dnssec/dnssec-revoke.html			HTML	DOCBOOK
 ./bin/dnssec/dnssec-settime.8			MAN	DOCBOOK
-./bin/dnssec/dnssec-settime.c			C	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/dnssec-settime.docbook		SGML	2009,2010,2011,2014,2015,2016,2017,2018,2019,2020
+./bin/dnssec/dnssec-settime.c			C	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/dnssec-settime.docbook		SGML	2009,2010,2011,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dnssec/dnssec-settime.html		HTML	DOCBOOK
 ./bin/dnssec/dnssec-signzone.8			MAN	DOCBOOK
-./bin/dnssec/dnssec-signzone.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/dnssec-signzone.docbook		SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/dnssec/dnssec-signzone.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/dnssec-signzone.docbook		SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/dnssec/dnssec-signzone.html		HTML	DOCBOOK
 ./bin/dnssec/dnssec-verify.8			MAN	DOCBOOK
-./bin/dnssec/dnssec-verify.c			C	2012,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/dnssec-verify.docbook		SGML	2012,2014,2015,2016,2018,2019,2020
+./bin/dnssec/dnssec-verify.c			C	2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/dnssec-verify.docbook		SGML	2012,2014,2015,2016,2018,2019,2020,2021
 ./bin/dnssec/dnssec-verify.html			HTML	DOCBOOK
-./bin/dnssec/dnssectool.c			C	2000,2001,2003,2004,2005,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/dnssectool.h			C	2000,2001,2003,2004,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/dnssectool.dsp.in		X	2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/dnssectool.dsw		X	2006,2009,2018,2019,2020
-./bin/dnssec/win32/dnssectool.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/dnssectool.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/dnssectool.vcxproj.user	X	2013,2018,2019,2020
-./bin/dnssec/win32/dsfromkey.dsp.in		X	2008,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/dsfromkey.dsw		X	2008,2018,2019,2020
-./bin/dnssec/win32/dsfromkey.mak.in		X	2008,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/dsfromkey.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/dsfromkey.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/dsfromkey.vcxproj.user	X	2013,2018,2019,2020
-./bin/dnssec/win32/importkey.dsp.in		X	2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/importkey.dsw		X	2013,2018,2019,2020
-./bin/dnssec/win32/importkey.mak.in		X	2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/importkey.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/importkey.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/importkey.vcxproj.user	X	2013,2018,2019,2020
-./bin/dnssec/win32/keyfromlabel.dsp.in		X	2008,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/keyfromlabel.dsw		X	2008,2018,2019,2020
-./bin/dnssec/win32/keyfromlabel.mak.in		X	2008,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/keyfromlabel.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/keyfromlabel.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/keyfromlabel.vcxproj.user	X	2013,2018,2019,2020
-./bin/dnssec/win32/keygen.dsp.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/keygen.dsw			X	2001,2018,2019,2020
-./bin/dnssec/win32/keygen.mak.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/keygen.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/keygen.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/keygen.vcxproj.user		X	2013,2018,2019,2020
-./bin/dnssec/win32/revoke.dsp.in		X	2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/revoke.dsw			X	2009,2018,2019,2020
-./bin/dnssec/win32/revoke.mak.in		X	2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/revoke.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/revoke.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/revoke.vcxproj.user		X	2013,2018,2019,2020
-./bin/dnssec/win32/settime.dsp.in		X	2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/settime.dsw			X	2009,2018,2019,2020
-./bin/dnssec/win32/settime.mak.in		X	2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/settime.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/settime.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/settime.vcxproj.user		X	2013,2018,2019,2020
-./bin/dnssec/win32/signzone.dsp.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/signzone.dsw			X	2001,2018,2019,2020
-./bin/dnssec/win32/signzone.mak.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/signzone.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/signzone.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/signzone.vcxproj.user	X	2013,2018,2019,2020
-./bin/dnssec/win32/verify.dsp.in		X	2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/verify.dsw			X	2013,2018,2019,2020
-./bin/dnssec/win32/verify.mak.in		X	2013,2014,2016,2018,2019,2020
-./bin/dnssec/win32/verify.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/dnssec/win32/verify.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/dnssec/win32/verify.vcxproj.user		X	2013,2018,2019,2020
-./bin/named/Makefile.in				MAKE	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/bind9.xsl				SGML	2006,2007,2008,2009,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/named/bind9.xsl.h				X	2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/named/builtin.c				C	2001,2002,2003,2004,2005,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/named/client.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/config.c				C	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/control.c				C	2001,2002,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/named/controlconf.c			C	2001,2002,2003,2004,2005,2006,2007,2008,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/named/convertxsl.pl			PERL	2006,2007,2008,2012,2014,2016,2018,2019,2020
-./bin/named/fuzz.c				C	2016,2018,2019,2020
-./bin/named/geoip.c				C	2013,2014,2016,2018,2019,2020
-./bin/named/include/dlz/dlz_dlopen_driver.h	C	2011,2016,2018,2019,2020
-./bin/named/include/named/builtin.h		C	2001,2004,2005,2007,2016,2018,2019,2020
-./bin/named/include/named/client.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/include/named/config.h		C	2001,2002,2004,2005,2006,2007,2009,2013,2016,2018,2019,2020
-./bin/named/include/named/control.h		C	2001,2002,2003,2004,2005,2006,2007,2009,2010,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/named/include/named/fuzz.h		C	2016,2018,2019,2020
-./bin/named/include/named/geoip.h		C	2013,2016,2018,2019,2020
-./bin/named/include/named/globals.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/include/named/interfacemgr.h	C	1999,2000,2001,2002,2004,2005,2007,2011,2013,2014,2016,2018,2019,2020
-./bin/named/include/named/listenlist.h		C	2000,2001,2004,2005,2007,2013,2016,2018,2019,2020
-./bin/named/include/named/log.h			C	1999,2000,2001,2002,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020
-./bin/named/include/named/logconf.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./bin/named/include/named/lwaddr.h		C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./bin/named/include/named/lwdclient.h		C	2000,2001,2004,2005,2007,2009,2015,2016,2018,2019,2020
-./bin/named/include/named/lwresd.h		C	2000,2001,2004,2005,2006,2007,2014,2016,2018,2019,2020
-./bin/named/include/named/lwsearch.h		C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./bin/named/include/named/main.h		C	1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2018,2019,2020
-./bin/named/include/named/notify.h		C	1999,2000,2001,2004,2005,2007,2009,2016,2018,2019,2020
-./bin/named/include/named/ns_smf_globals.h	C	2005,2007,2014,2016,2018,2019,2020
-./bin/named/include/named/query.h		C	1999,2000,2001,2002,2004,2005,2007,2010,2011,2013,2014,2015,2016,2018,2019,2020
-./bin/named/include/named/seccomp.h		C	2014,2016,2017,2018,2019,2020
-./bin/named/include/named/server.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/include/named/sortlist.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./bin/named/include/named/statschannel.h	C	2008,2016,2018,2019,2020
-./bin/named/include/named/tkeyconf.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./bin/named/include/named/tsigconf.h		C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./bin/named/include/named/types.h		C	1999,2000,2001,2004,2005,2006,2007,2008,2009,2015,2016,2018,2019,2020
-./bin/named/include/named/update.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./bin/named/include/named/xfrout.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./bin/named/include/named/zoneconf.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2010,2011,2015,2016,2018,2019,2020
-./bin/named/interfacemgr.c			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/listenlist.c			C	2000,2001,2004,2005,2007,2013,2016,2018,2019,2020
-./bin/named/log.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2013,2014,2016,2017,2018,2019,2020
-./bin/named/logconf.c				C	1999,2000,2001,2004,2005,2006,2007,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/lwaddr.c				C	2000,2001,2004,2005,2007,2008,2014,2016,2018,2019,2020
-./bin/named/lwdclient.c				C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/named/lwderror.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./bin/named/lwdgabn.c				C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./bin/named/lwdgnba.c				C	2000,2001,2002,2004,2005,2007,2008,2014,2016,2018,2019,2020
-./bin/named/lwdgrbn.c				C	2000,2001,2003,2004,2005,2006,2007,2009,2013,2014,2015,2016,2018,2019,2020
-./bin/named/lwdnoop.c				C	2000,2001,2004,2005,2007,2008,2016,2018,2019,2020
+./bin/dnssec/dnssectool.c			C	2000,2001,2003,2004,2005,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/dnssectool.h			C	2000,2001,2003,2004,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/dnssectool.dsp.in		X	2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/dnssectool.dsw		X	2006,2009,2018,2019,2020,2021
+./bin/dnssec/win32/dnssectool.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/dnssectool.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/dnssectool.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/dsfromkey.dsp.in		X	2008,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/dsfromkey.dsw		X	2008,2018,2019,2020,2021
+./bin/dnssec/win32/dsfromkey.mak.in		X	2008,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/dsfromkey.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/dsfromkey.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/dsfromkey.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/importkey.dsp.in		X	2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/importkey.dsw		X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/importkey.mak.in		X	2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/importkey.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/importkey.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/importkey.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/keyfromlabel.dsp.in		X	2008,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/keyfromlabel.dsw		X	2008,2018,2019,2020,2021
+./bin/dnssec/win32/keyfromlabel.mak.in		X	2008,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/keyfromlabel.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/keyfromlabel.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/keyfromlabel.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/keygen.dsp.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/keygen.dsw			X	2001,2018,2019,2020,2021
+./bin/dnssec/win32/keygen.mak.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/keygen.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/keygen.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/keygen.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/revoke.dsp.in		X	2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/revoke.dsw			X	2009,2018,2019,2020,2021
+./bin/dnssec/win32/revoke.mak.in		X	2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/revoke.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/revoke.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/revoke.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/settime.dsp.in		X	2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/settime.dsw			X	2009,2018,2019,2020,2021
+./bin/dnssec/win32/settime.mak.in		X	2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/settime.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/settime.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/settime.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/signzone.dsp.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/signzone.dsw			X	2001,2018,2019,2020,2021
+./bin/dnssec/win32/signzone.mak.in		X	2001,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/signzone.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/signzone.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/signzone.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/verify.dsp.in		X	2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/verify.dsw			X	2013,2018,2019,2020,2021
+./bin/dnssec/win32/verify.mak.in		X	2013,2014,2016,2018,2019,2020,2021
+./bin/dnssec/win32/verify.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/dnssec/win32/verify.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/dnssec/win32/verify.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/named/Makefile.in				MAKE	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/bind9.xsl				SGML	2006,2007,2008,2009,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/bind9.xsl.h				X	2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/builtin.c				C	2001,2002,2003,2004,2005,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/client.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/config.c				C	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/control.c				C	2001,2002,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/controlconf.c			C	2001,2002,2003,2004,2005,2006,2007,2008,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/convertxsl.pl			PERL	2006,2007,2008,2012,2014,2016,2018,2019,2020,2021
+./bin/named/fuzz.c				C	2016,2018,2019,2020,2021
+./bin/named/geoip.c				C	2013,2014,2016,2018,2019,2020,2021
+./bin/named/include/dlz/dlz_dlopen_driver.h	C	2011,2016,2018,2019,2020,2021
+./bin/named/include/named/builtin.h		C	2001,2004,2005,2007,2016,2018,2019,2020,2021
+./bin/named/include/named/client.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/include/named/config.h		C	2001,2002,2004,2005,2006,2007,2009,2013,2016,2018,2019,2020,2021
+./bin/named/include/named/control.h		C	2001,2002,2003,2004,2005,2006,2007,2009,2010,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/named/include/named/fuzz.h		C	2016,2018,2019,2020,2021
+./bin/named/include/named/geoip.h		C	2013,2016,2018,2019,2020,2021
+./bin/named/include/named/globals.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/include/named/interfacemgr.h	C	1999,2000,2001,2002,2004,2005,2007,2011,2013,2014,2016,2018,2019,2020,2021
+./bin/named/include/named/listenlist.h		C	2000,2001,2004,2005,2007,2013,2016,2018,2019,2020,2021
+./bin/named/include/named/log.h			C	1999,2000,2001,2002,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./bin/named/include/named/logconf.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./bin/named/include/named/lwaddr.h		C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./bin/named/include/named/lwdclient.h		C	2000,2001,2004,2005,2007,2009,2015,2016,2018,2019,2020,2021
+./bin/named/include/named/lwresd.h		C	2000,2001,2004,2005,2006,2007,2014,2016,2018,2019,2020,2021
+./bin/named/include/named/lwsearch.h		C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./bin/named/include/named/main.h		C	1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2018,2019,2020,2021
+./bin/named/include/named/notify.h		C	1999,2000,2001,2004,2005,2007,2009,2016,2018,2019,2020,2021
+./bin/named/include/named/ns_smf_globals.h	C	2005,2007,2014,2016,2018,2019,2020,2021
+./bin/named/include/named/query.h		C	1999,2000,2001,2002,2004,2005,2007,2010,2011,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/include/named/seccomp.h		C	2014,2016,2017,2018,2019,2020,2021
+./bin/named/include/named/server.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/include/named/sortlist.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./bin/named/include/named/statschannel.h	C	2008,2016,2018,2019,2020,2021
+./bin/named/include/named/tkeyconf.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./bin/named/include/named/tsigconf.h		C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./bin/named/include/named/types.h		C	1999,2000,2001,2004,2005,2006,2007,2008,2009,2015,2016,2018,2019,2020,2021
+./bin/named/include/named/update.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./bin/named/include/named/xfrout.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./bin/named/include/named/zoneconf.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2010,2011,2015,2016,2018,2019,2020,2021
+./bin/named/interfacemgr.c			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/listenlist.c			C	2000,2001,2004,2005,2007,2013,2016,2018,2019,2020,2021
+./bin/named/log.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/named/logconf.c				C	1999,2000,2001,2004,2005,2006,2007,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/lwaddr.c				C	2000,2001,2004,2005,2007,2008,2014,2016,2018,2019,2020,2021
+./bin/named/lwdclient.c				C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/named/lwderror.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./bin/named/lwdgabn.c				C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./bin/named/lwdgnba.c				C	2000,2001,2002,2004,2005,2007,2008,2014,2016,2018,2019,2020,2021
+./bin/named/lwdgrbn.c				C	2000,2001,2003,2004,2005,2006,2007,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/lwdnoop.c				C	2000,2001,2004,2005,2007,2008,2016,2018,2019,2020,2021
 ./bin/named/lwresd.8				MAN	DOCBOOK
-./bin/named/lwresd.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/named/lwresd.docbook			SGML	2000,2001,2004,2005,2007,2008,2009,2014,2015,2016,2017,2018,2019,2020
+./bin/named/lwresd.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/lwresd.docbook			SGML	2000,2001,2004,2005,2007,2008,2009,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/named/lwresd.html				HTML	DOCBOOK
-./bin/named/lwsearch.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./bin/named/main.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/named/lwsearch.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./bin/named/main.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/named/named.8				MAN	DOCBOOK
 ./bin/named/named.conf.5			MAN	DOCBOOK
-./bin/named/named.conf.docbook			SGML	2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/named/named.conf.docbook			SGML	2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/named/named.conf.html			HTML	DOCBOOK
-./bin/named/named.docbook			SGML	2000,2001,2003,2004,2005,2006,2007,2008,2009,2011,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/named/named.docbook			SGML	2000,2001,2003,2004,2005,2006,2007,2008,2009,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/named/named.html				HTML	DOCBOOK
-./bin/named/notify.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2016,2018,2019,2020
-./bin/named/query.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/server.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/sortlist.c				C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./bin/named/statschannel.c			C	2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/tkeyconf.c				C	1999,2000,2001,2004,2005,2006,2007,2009,2010,2012,2014,2016,2018,2019,2020
-./bin/named/tsigconf.c				C	1999,2000,2001,2004,2005,2006,2007,2009,2011,2012,2016,2017,2018,2019,2020
-./bin/named/unix/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009,2011,2012,2016,2018,2019,2020
-./bin/named/unix/dlz_dlopen_driver.c		C	2011,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/named/unix/include/named/os.h		C	1999,2000,2001,2002,2004,2005,2007,2008,2009,2014,2016,2017,2018,2019,2020
-./bin/named/unix/os.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/update.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/win32/dlz_dlopen_driver.c		C	2011,2012,2013,2014,2016,2018,2019,2020
-./bin/named/win32/include/named/ntservice.h	C	1999,2000,2001,2002,2003,2004,2007,2016,2018,2019,2020
-./bin/named/win32/include/named/os.h		C	1999,2000,2001,2002,2004,2007,2008,2009,2014,2016,2017,2018,2019,2020
-./bin/named/win32/named.dsp.in			X	2001,2004,2005,2008,2009,2010,2011,2013,2014,2015,2016,2018,2019,2020
-./bin/named/win32/named.dsw			X	2001,2018,2019,2020
-./bin/named/win32/named.mak.in			X	2001,2002,2004,2005,2006,2008,2009,2010,2011,2013,2014,2015,2016,2018,2019,2020
-./bin/named/win32/named.vcxproj.filters.in	X	2013,2015,2016,2018,2019,2020
-./bin/named/win32/named.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/win32/named.vcxproj.user		X	2013,2018,2019,2020
-./bin/named/win32/ntservice.c			C	1999,2000,2001,2002,2004,2006,2007,2009,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/win32/os.c				C	1999,2000,2001,2002,2004,2005,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/xfrout.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/named/zoneconf.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/nsupdate/Makefile.in			MAKE	2000,2001,2002,2004,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/named/notify.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./bin/named/query.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/server.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/sortlist.c				C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./bin/named/statschannel.c			C	2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/tkeyconf.c				C	1999,2000,2001,2004,2005,2006,2007,2009,2010,2012,2014,2016,2018,2019,2020,2021
+./bin/named/tsigconf.c				C	1999,2000,2001,2004,2005,2006,2007,2009,2011,2012,2016,2017,2018,2019,2020,2021
+./bin/named/unix/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009,2011,2012,2016,2018,2019,2020,2021
+./bin/named/unix/dlz_dlopen_driver.c		C	2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/named/unix/include/named/os.h		C	1999,2000,2001,2002,2004,2005,2007,2008,2009,2014,2016,2017,2018,2019,2020,2021
+./bin/named/unix/os.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/update.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/win32/dlz_dlopen_driver.c		C	2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/named/win32/include/named/ntservice.h	C	1999,2000,2001,2002,2003,2004,2007,2016,2018,2019,2020,2021
+./bin/named/win32/include/named/os.h		C	1999,2000,2001,2002,2004,2007,2008,2009,2014,2016,2017,2018,2019,2020,2021
+./bin/named/win32/named.dsp.in			X	2001,2004,2005,2008,2009,2010,2011,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/win32/named.dsw			X	2001,2018,2019,2020,2021
+./bin/named/win32/named.mak.in			X	2001,2002,2004,2005,2006,2008,2009,2010,2011,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/named/win32/named.vcxproj.filters.in	X	2013,2015,2016,2018,2019,2020,2021
+./bin/named/win32/named.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/win32/named.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/named/win32/ntservice.c			C	1999,2000,2001,2002,2004,2006,2007,2009,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/win32/os.c				C	1999,2000,2001,2002,2004,2005,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/xfrout.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/named/zoneconf.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/nsupdate/Makefile.in			MAKE	2000,2001,2002,2004,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/nsupdate/nsupdate.1			MAN	DOCBOOK
-./bin/nsupdate/nsupdate.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/nsupdate/nsupdate.docbook			SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
+./bin/nsupdate/nsupdate.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/nsupdate/nsupdate.docbook			SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/nsupdate/nsupdate.html			HTML	DOCBOOK
-./bin/nsupdate/win32/nsupdate.dsp.in		X	2001,2004,2005,2009,2013,2014,2016,2018,2019,2020
-./bin/nsupdate/win32/nsupdate.dsw		X	2001,2018,2019,2020
-./bin/nsupdate/win32/nsupdate.mak.in		X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020
-./bin/nsupdate/win32/nsupdate.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/nsupdate/win32/nsupdate.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/nsupdate/win32/nsupdate.vcxproj.user	X	2013,2018,2019,2020
-./bin/pkcs11/Makefile.in			MAKE	2009,2012,2014,2015,2016,2018,2019,2020
-./bin/pkcs11/OLD-PKCS11-NOTES			X	2009,2018,2019,2020
-./bin/pkcs11/openssl-0.9.8zh-patch		X	2015,2018,2019,2020
-./bin/pkcs11/openssl-1.0.0t-patch		X	2015,2018,2019,2020
-./bin/pkcs11/openssl-1.0.1t-patch		X	2016,2018,2019,2020
-./bin/pkcs11/openssl-1.0.2h-patch		X	2016,2018,2019,2020
+./bin/nsupdate/win32/nsupdate.dsp.in		X	2001,2004,2005,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/nsupdate/win32/nsupdate.dsw		X	2001,2018,2019,2020,2021
+./bin/nsupdate/win32/nsupdate.mak.in		X	2001,2002,2004,2005,2006,2009,2013,2014,2016,2018,2019,2020,2021
+./bin/nsupdate/win32/nsupdate.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/nsupdate/win32/nsupdate.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/nsupdate/win32/nsupdate.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/pkcs11/Makefile.in			MAKE	2009,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/pkcs11/OLD-PKCS11-NOTES			X	2009,2018,2019,2020,2021
+./bin/pkcs11/openssl-0.9.8zh-patch		X	2015,2018,2019,2020,2021
+./bin/pkcs11/openssl-1.0.0t-patch		X	2015,2018,2019,2020,2021
+./bin/pkcs11/openssl-1.0.1t-patch		X	2016,2018,2019,2020,2021
+./bin/pkcs11/openssl-1.0.2h-patch		X	2016,2018,2019,2020,2021
 ./bin/pkcs11/pkcs11-destroy.8			MAN	DOCBOOK
-./bin/pkcs11/pkcs11-destroy.c			X	2009,2010,2014,2015,2018,2019,2020
-./bin/pkcs11/pkcs11-destroy.docbook		SGML	2009,2014,2015,2016,2018,2019,2020
+./bin/pkcs11/pkcs11-destroy.c			X	2009,2010,2014,2015,2018,2019,2020,2021
+./bin/pkcs11/pkcs11-destroy.docbook		SGML	2009,2014,2015,2016,2018,2019,2020,2021
 ./bin/pkcs11/pkcs11-destroy.html		HTML	DOCBOOK
 ./bin/pkcs11/pkcs11-keygen.8			MAN	DOCBOOK
-./bin/pkcs11/pkcs11-keygen.c			X	2009,2014,2015,2017,2018,2019,2020
-./bin/pkcs11/pkcs11-keygen.docbook		SGML	2009,2014,2015,2016,2017,2018,2019,2020
+./bin/pkcs11/pkcs11-keygen.c			X	2009,2014,2015,2017,2018,2019,2020,2021
+./bin/pkcs11/pkcs11-keygen.docbook		SGML	2009,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/pkcs11/pkcs11-keygen.html			HTML	DOCBOOK
 ./bin/pkcs11/pkcs11-list.8			MAN	DOCBOOK
-./bin/pkcs11/pkcs11-list.c			C	2009,2014,2015,2016,2018,2019,2020
-./bin/pkcs11/pkcs11-list.docbook		SGML	2009,2014,2015,2016,2018,2019,2020
+./bin/pkcs11/pkcs11-list.c			C	2009,2014,2015,2016,2018,2019,2020,2021
+./bin/pkcs11/pkcs11-list.docbook		SGML	2009,2014,2015,2016,2018,2019,2020,2021
 ./bin/pkcs11/pkcs11-list.html			HTML	DOCBOOK
 ./bin/pkcs11/pkcs11-tokens.8			MAN	DOCBOOK
-./bin/pkcs11/pkcs11-tokens.c			C	2014,2015,2016,2018,2019,2020
-./bin/pkcs11/pkcs11-tokens.docbook		SGML	2014,2015,2016,2018,2019,2020
+./bin/pkcs11/pkcs11-tokens.c			C	2014,2015,2016,2018,2019,2020,2021
+./bin/pkcs11/pkcs11-tokens.docbook		SGML	2014,2015,2016,2018,2019,2020,2021
 ./bin/pkcs11/pkcs11-tokens.html			HTML	DOCBOOK
-./bin/pkcs11/win32/pk11destroy.dsp.in		X	2009,2013,2014,2018,2019,2020
-./bin/pkcs11/win32/pk11destroy.dsw		X	2009,2018,2019,2020
-./bin/pkcs11/win32/pk11destroy.mak.in		X	2009,2013,2014,2018,2019,2020
-./bin/pkcs11/win32/pk11destroy.vcxproj.filters.in	X	2013,2014,2015,2018,2019,2020
-./bin/pkcs11/win32/pk11destroy.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/pkcs11/win32/pk11destroy.vcxproj.user	X	2013,2018,2019,2020
-./bin/pkcs11/win32/pk11keygen.dsp.in		X	2009,2013,2014,2018,2019,2020
-./bin/pkcs11/win32/pk11keygen.dsw		X	2009,2018,2019,2020
-./bin/pkcs11/win32/pk11keygen.mak.in		X	2009,2013,2014,2018,2019,2020
-./bin/pkcs11/win32/pk11keygen.vcxproj.filters.in	X	2013,2014,2015,2018,2019,2020
-./bin/pkcs11/win32/pk11keygen.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/pkcs11/win32/pk11keygen.vcxproj.user	X	2013,2018,2019,2020
-./bin/pkcs11/win32/pk11list.dsp.in		X	2009,2013,2014,2018,2019,2020
-./bin/pkcs11/win32/pk11list.dsw			X	2009,2018,2019,2020
-./bin/pkcs11/win32/pk11list.mak.in		X	2009,2013,2014,2018,2019,2020
-./bin/pkcs11/win32/pk11list.vcxproj.filters.in	X	2013,2014,2015,2018,2019,2020
-./bin/pkcs11/win32/pk11list.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/pkcs11/win32/pk11list.vcxproj.user	X	2013,2018,2019,2020
-./bin/pkcs11/win32/pk11tokens.dsp.in		X	2014,2018,2019,2020
-./bin/pkcs11/win32/pk11tokens.dsw		X	2014,2018,2019,2020
-./bin/pkcs11/win32/pk11tokens.mak.in		X	2014,2018,2019,2020
-./bin/pkcs11/win32/pk11tokens.vcxproj.filters.in	X	2014,2015,2018,2019,2020
-./bin/pkcs11/win32/pk11tokens.vcxproj.in	X	2014,2015,2016,2017,2018,2019,2020
-./bin/pkcs11/win32/pk11tokens.vcxproj.user	X	2014,2018,2019,2020
-./bin/python/Makefile.in			MAKE	2012,2013,2014,2016,2017,2018,2019,2020
+./bin/pkcs11/win32/pk11destroy.dsp.in		X	2009,2013,2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11destroy.dsw		X	2009,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11destroy.mak.in		X	2009,2013,2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11destroy.vcxproj.filters.in	X	2013,2014,2015,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11destroy.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11destroy.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11keygen.dsp.in		X	2009,2013,2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11keygen.dsw		X	2009,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11keygen.mak.in		X	2009,2013,2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11keygen.vcxproj.filters.in	X	2013,2014,2015,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11keygen.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11keygen.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11list.dsp.in		X	2009,2013,2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11list.dsw			X	2009,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11list.mak.in		X	2009,2013,2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11list.vcxproj.filters.in	X	2013,2014,2015,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11list.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11list.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11tokens.dsp.in		X	2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11tokens.dsw		X	2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11tokens.mak.in		X	2014,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11tokens.vcxproj.filters.in	X	2014,2015,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11tokens.vcxproj.in	X	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/pkcs11/win32/pk11tokens.vcxproj.user	X	2014,2018,2019,2020,2021
+./bin/python/Makefile.in			MAKE	2012,2013,2014,2016,2017,2018,2019,2020,2021
 ./bin/python/dnssec-checkds.8			MAN	DOCBOOK
-./bin/python/dnssec-checkds.docbook		SGML	2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/python/dnssec-checkds.docbook		SGML	2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/python/dnssec-checkds.html		HTML	DOCBOOK
-./bin/python/dnssec-checkds.py.in		PYTHON-BIN	2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/python/dnssec-checkds.py.in		PYTHON-BIN	2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/python/dnssec-coverage.8			MAN	DOCBOOK
-./bin/python/dnssec-coverage.docbook		SGML	2013,2014,2015,2016,2018,2019,2020
+./bin/python/dnssec-coverage.docbook		SGML	2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/python/dnssec-coverage.html		HTML	DOCBOOK
-./bin/python/dnssec-coverage.py.in		PYTHON-BIN	2013,2014,2015,2016,2017,2018,2019,2020
+./bin/python/dnssec-coverage.py.in		PYTHON-BIN	2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/python/dnssec-keymgr.8			MAN	DOCBOOK
-./bin/python/dnssec-keymgr.docbook		SGML	2016,2017,2018,2019,2020
+./bin/python/dnssec-keymgr.docbook		SGML	2016,2017,2018,2019,2020,2021
 ./bin/python/dnssec-keymgr.html			HTML	DOCBOOK
-./bin/python/dnssec-keymgr.py.in		PYTHON-BIN	2016,2017,2018,2019,2020
-./bin/python/isc/Makefile.in			MAKE	2016,2018,2019,2020
-./bin/python/isc/__init__.py.in			PYTHON	2016,2018,2019,2020
-./bin/python/isc/checkds.py.in			PYTHON	2012,2013,2014,2015,2016,2018,2019,2020
-./bin/python/isc/coverage.py.in			PYTHON	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/python/isc/dnskey.py.in			PYTHON	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/python/isc/eventlist.py.in		PYTHON	2015,2016,2018,2019,2020
-./bin/python/isc/keydict.py.in			PYTHON	2016,2018,2019,2020
-./bin/python/isc/keyevent.py.in			PYTHON	2013,2014,2015,2016,2018,2019,2020
-./bin/python/isc/keymgr.py.in			PYTHON	2016,2018,2019,2020
-./bin/python/isc/keyseries.py.in		PYTHON	2016,2018,2019,2020
-./bin/python/isc/keyzone.py.in			PYTHON	2013,2014,2015,2016,2018,2019,2020
-./bin/python/isc/policy.py.in			PYTHON	2016,2017,2018,2019,2020
-./bin/python/isc/rndc.py.in			PYTHON	2016,2018,2019,2020
-./bin/python/isc/tests/Makefile.in		MAKE	2016,2018,2019,2020
-./bin/python/isc/tests/dnskey_test.py.in	PYTHON	2016,2018,2019,2020
-./bin/python/isc/tests/policy_test.py.in	PYTHON	2016,2017,2018,2019,2020
-./bin/python/isc/tests/test-policies/01-keysize.pol	CONF-C	2016,2018,2019,2020
-./bin/python/isc/tests/test-policies/02-prepublish.pol	CONF-C	2016,2018,2019,2020
-./bin/python/isc/tests/test-policies/03-postpublish.pol	CONF-C	2016,2018,2019,2020
-./bin/python/isc/tests/test-policies/04-combined-pre-post.pol	CONF-C	2016,2018,2019,2020
-./bin/python/isc/tests/test-policies/05-numeric-zone.pol	CONF-C	2017,2018,2019,2020
-./bin/python/isc/tests/testdata/Kexample.com.+007+35529.key	X	2016,2018,2019,2020
-./bin/python/isc/tests/testdata/Kexample.com.+007+35529.private	X	2016,2018,2019,2020
-./bin/python/isc/utils.py.in			PYTHON	2016,2018,2019,2020
-./bin/python/setup.py				PYTHON	2016,2018,2019,2020
-./bin/rndc/Makefile.in				MAKE	2000,2001,2002,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./bin/rndc/include/rndc/os.h			C	2001,2004,2005,2007,2009,2016,2018,2019,2020
+./bin/python/dnssec-keymgr.py.in		PYTHON-BIN	2016,2017,2018,2019,2020,2021
+./bin/python/isc/Makefile.in			MAKE	2016,2018,2019,2020,2021
+./bin/python/isc/__init__.py.in			PYTHON	2016,2018,2019,2020,2021
+./bin/python/isc/checkds.py.in			PYTHON	2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/python/isc/coverage.py.in			PYTHON	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/python/isc/dnskey.py.in			PYTHON	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/python/isc/eventlist.py.in		PYTHON	2015,2016,2018,2019,2020,2021
+./bin/python/isc/keydict.py.in			PYTHON	2016,2018,2019,2020,2021
+./bin/python/isc/keyevent.py.in			PYTHON	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/python/isc/keymgr.py.in			PYTHON	2016,2018,2019,2020,2021
+./bin/python/isc/keyseries.py.in		PYTHON	2016,2018,2019,2020,2021
+./bin/python/isc/keyzone.py.in			PYTHON	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/python/isc/policy.py.in			PYTHON	2016,2017,2018,2019,2020,2021
+./bin/python/isc/rndc.py.in			PYTHON	2016,2018,2019,2020,2021
+./bin/python/isc/tests/Makefile.in		MAKE	2016,2018,2019,2020,2021
+./bin/python/isc/tests/dnskey_test.py.in	PYTHON	2016,2018,2019,2020,2021
+./bin/python/isc/tests/policy_test.py.in	PYTHON	2016,2017,2018,2019,2020,2021
+./bin/python/isc/tests/test-policies/01-keysize.pol	CONF-C	2016,2018,2019,2020,2021
+./bin/python/isc/tests/test-policies/02-prepublish.pol	CONF-C	2016,2018,2019,2020,2021
+./bin/python/isc/tests/test-policies/03-postpublish.pol	CONF-C	2016,2018,2019,2020,2021
+./bin/python/isc/tests/test-policies/04-combined-pre-post.pol	CONF-C	2016,2018,2019,2020,2021
+./bin/python/isc/tests/test-policies/05-numeric-zone.pol	CONF-C	2017,2018,2019,2020,2021
+./bin/python/isc/tests/testdata/Kexample.com.+007+35529.key	X	2016,2018,2019,2020,2021
+./bin/python/isc/tests/testdata/Kexample.com.+007+35529.private	X	2016,2018,2019,2020,2021
+./bin/python/isc/utils.py.in			PYTHON	2016,2018,2019,2020,2021
+./bin/python/setup.py				PYTHON	2016,2018,2019,2020,2021
+./bin/rndc/Makefile.in				MAKE	2000,2001,2002,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/rndc/include/rndc/os.h			C	2001,2004,2005,2007,2009,2016,2018,2019,2020,2021
 ./bin/rndc/rndc.8				MAN	DOCBOOK
-./bin/rndc/rndc.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/rndc/rndc.conf				CONF-C	2000,2001,2004,2007,2013,2014,2016,2018,2019,2020
+./bin/rndc/rndc.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/rndc/rndc.conf				CONF-C	2000,2001,2004,2007,2013,2014,2016,2018,2019,2020,2021
 ./bin/rndc/rndc.conf.5				MAN	DOCBOOK
-./bin/rndc/rndc.conf.docbook			SGML	2000,2001,2004,2005,2007,2013,2014,2015,2016,2018,2019,2020
+./bin/rndc/rndc.conf.docbook			SGML	2000,2001,2004,2005,2007,2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/rndc/rndc.conf.html			HTML	DOCBOOK
-./bin/rndc/rndc.docbook				SGML	2000,2001,2004,2005,2007,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/rndc/rndc.docbook				SGML	2000,2001,2004,2005,2007,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/rndc/rndc.html				HTML	DOCBOOK
-./bin/rndc/util.c				C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/rndc/util.h				C	2000,2001,2004,2005,2007,2009,2016,2018,2019,2020
-./bin/rndc/win32/rndc.dsp.in			X	2001,2004,2005,2006,2009,2013,2018,2019,2020
-./bin/rndc/win32/rndc.dsw			X	2001,2018,2019,2020
-./bin/rndc/win32/rndc.mak.in			X	2001,2002,2004,2005,2006,2009,2013,2018,2019,2020
-./bin/rndc/win32/rndc.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/rndc/win32/rndc.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020
-./bin/rndc/win32/rndc.vcxproj.user		X	2013,2018,2019,2020
-./bin/rndc/win32/rndcutil.dsp.in		X	2006,2013,2018,2019,2020
-./bin/rndc/win32/rndcutil.dsw			X	2006,2018,2019,2020
-./bin/rndc/win32/rndcutil.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/rndc/win32/rndcutil.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020
-./bin/rndc/win32/rndcutil.vcxproj.user		X	2013,2018,2019,2020
-./bin/tests/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/bigtest/README			TXT.BRIEF	2013,2016,2018,2019,2020
-./bin/tests/bigtest/buildzones.sh		SH	2013,2016,2018,2019,2020
-./bin/tests/bigtest/rndc.key			X	2013,2018,2019,2020
-./bin/tests/bigtest/tests.sh			SH	2013,2016,2018,2019,2020
-./bin/tests/bigtest/zones			X	2013,2018,2019,2020
-./bin/tests/cfg_test.c				C	2018,2019,2020
-./bin/tests/fromhex.pl				PERL	2015,2016,2018,2019,2020
-./bin/tests/headerdep_test.sh.in		SH	2018,2019,2020
-./bin/tests/makejournal.c			C	2013,2015,2016,2017,2018,2019,2020
-./bin/tests/named.conf				CONF-C	1999,2000,2001,2004,2007,2011,2015,2016,2018,2019,2020
-./bin/tests/optional/Kchild.example.+003+04017.key	X	2018,2019,2020
-./bin/tests/optional/Kchild.example.+003+04017.private	X	2000,2001,2018,2019,2020
-./bin/tests/optional/Makefile.in		MAKE	2018,2019,2020
-./bin/tests/optional/adb_test.c			C	1999,2000,2001,2004,2005,2007,2009,2011,2012,2013,2015,2016,2018,2019,2020
-./bin/tests/optional/backtrace_test.c		C	2009,2013,2015,2016,2018,2019,2020
-./bin/tests/optional/byaddr_test.c		C	2000,2001,2002,2004,2005,2007,2012,2015,2016,2018,2019,2020
-./bin/tests/optional/byname_test.c		C	2000,2001,2004,2005,2007,2009,2012,2015,2016,2017,2018,2019,2020
-./bin/tests/optional/db_test.c			C	1999,2000,2001,2004,2005,2007,2008,2009,2011,2012,2013,2015,2016,2017,2018,2019,2020
-./bin/tests/optional/dst_test.c			C	2018,2019,2020
-./bin/tests/optional/entropy2_test.c		C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/tests/optional/entropy_test.c		C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/tests/optional/fsaccess_test.c		C	2000,2001,2004,2005,2007,2012,2015,2016,2018,2019,2020
-./bin/tests/optional/gsstest.c			C	2018,2019,2020
-./bin/tests/optional/gxba_test.c		C	2018,2019,2020
-./bin/tests/optional/gxbn_test.c		C	2018,2019,2020
-./bin/tests/optional/hash_test.c		C	2000,2001,2004,2005,2006,2007,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/optional/inter_test.c		C	2000,2001,2003,2004,2005,2007,2008,2015,2016,2018,2019,2020
-./bin/tests/optional/keyboard_test.c		C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/tests/optional/lex_test.c			C	1998,1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/tests/optional/lfsr_test.c		C	1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/tests/optional/log_test.c			C	1999,2000,2001,2004,2007,2011,2014,2015,2016,2018,2019,2020
-./bin/tests/optional/lwres_test.c		C	2018,2019,2020
-./bin/tests/optional/lwresconf_test.c		C	2018,2019,2020
-./bin/tests/optional/master_test.c		C	1999,2000,2001,2004,2007,2009,2015,2016,2017,2018,2019,2020
-./bin/tests/optional/mempool_test.c		C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/optional/name_test.c		C	1998,1999,2000,2001,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020
-./bin/tests/optional/nsecify.c			C	1999,2000,2001,2003,2004,2007,2008,2009,2011,2015,2016,2017,2018,2019,2020
-./bin/tests/optional/ratelimiter_test.c		C	1999,2000,2001,2004,2007,2015,2016,2018,2019,2020
-./bin/tests/optional/rbt_test.c			C	1999,2000,2001,2004,2005,2007,2009,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/optional/rbt_test.out		X	1999,2000,2001,2018,2019,2020
+./bin/rndc/util.c				C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/rndc/util.h				C	2000,2001,2004,2005,2007,2009,2016,2018,2019,2020,2021
+./bin/rndc/win32/rndc.dsp.in			X	2001,2004,2005,2006,2009,2013,2018,2019,2020,2021
+./bin/rndc/win32/rndc.dsw			X	2001,2018,2019,2020,2021
+./bin/rndc/win32/rndc.mak.in			X	2001,2002,2004,2005,2006,2009,2013,2018,2019,2020,2021
+./bin/rndc/win32/rndc.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/rndc/win32/rndc.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/rndc/win32/rndc.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/rndc/win32/rndcutil.dsp.in		X	2006,2013,2018,2019,2020,2021
+./bin/rndc/win32/rndcutil.dsw			X	2006,2018,2019,2020,2021
+./bin/rndc/win32/rndcutil.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/rndc/win32/rndcutil.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/rndc/win32/rndcutil.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/tests/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/bigtest/README			TXT.BRIEF	2013,2016,2018,2019,2020,2021
+./bin/tests/bigtest/buildzones.sh		SH	2013,2016,2018,2019,2020,2021
+./bin/tests/bigtest/rndc.key			X	2013,2018,2019,2020,2021
+./bin/tests/bigtest/tests.sh			SH	2013,2016,2018,2019,2020,2021
+./bin/tests/bigtest/zones			X	2013,2018,2019,2020,2021
+./bin/tests/cfg_test.c				C	2018,2019,2020,2021
+./bin/tests/fromhex.pl				PERL	2015,2016,2018,2019,2020,2021
+./bin/tests/headerdep_test.sh.in		SH	2018,2019,2020,2021
+./bin/tests/makejournal.c			C	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/named.conf				CONF-C	1999,2000,2001,2004,2007,2011,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/Kchild.example.+003+04017.key	X	2018,2019,2020,2021
+./bin/tests/optional/Kchild.example.+003+04017.private	X	2000,2001,2018,2019,2020,2021
+./bin/tests/optional/Makefile.in		MAKE	2018,2019,2020,2021
+./bin/tests/optional/adb_test.c			C	1999,2000,2001,2004,2005,2007,2009,2011,2012,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/backtrace_test.c		C	2009,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/byaddr_test.c		C	2000,2001,2002,2004,2005,2007,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/byname_test.c		C	2000,2001,2004,2005,2007,2009,2012,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/db_test.c			C	1999,2000,2001,2004,2005,2007,2008,2009,2011,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/dst_test.c			C	2018,2019,2020,2021
+./bin/tests/optional/entropy2_test.c		C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/entropy_test.c		C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/fsaccess_test.c		C	2000,2001,2004,2005,2007,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/gsstest.c			C	2018,2019,2020,2021
+./bin/tests/optional/gxba_test.c		C	2018,2019,2020,2021
+./bin/tests/optional/gxbn_test.c		C	2018,2019,2020,2021
+./bin/tests/optional/hash_test.c		C	2000,2001,2004,2005,2006,2007,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/inter_test.c		C	2000,2001,2003,2004,2005,2007,2008,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/keyboard_test.c		C	2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/lex_test.c			C	1998,1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/lfsr_test.c		C	1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/log_test.c			C	1999,2000,2001,2004,2007,2011,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/lwres_test.c		C	2018,2019,2020,2021
+./bin/tests/optional/lwresconf_test.c		C	2018,2019,2020,2021
+./bin/tests/optional/master_test.c		C	1999,2000,2001,2004,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/mempool_test.c		C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/optional/name_test.c		C	1998,1999,2000,2001,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/nsecify.c			C	1999,2000,2001,2003,2004,2007,2008,2009,2011,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/ratelimiter_test.c		C	1999,2000,2001,2004,2007,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/rbt_test.c			C	1999,2000,2001,2004,2005,2007,2009,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/rbt_test.out		X	1999,2000,2001,2018,2019,2020,2021
 ./bin/tests/optional/rbt_test.txt		SH	1999,2000,2001,2004,2007,2012,2016,2018,2019
-./bin/tests/optional/rwlock_test.c		C	1998,1999,2000,2001,2004,2005,2007,2013,2016,2017,2018,2019,2020
-./bin/tests/optional/serial_test.c		C	1999,2000,2001,2003,2004,2007,2015,2016,2018,2019,2020
-./bin/tests/optional/shutdown_test.c		C	1998,1999,2000,2001,2004,2007,2011,2013,2016,2017,2018,2019,2020
-./bin/tests/optional/sig0_test.c		C	2000,2001,2004,2005,2007,2008,2009,2012,2015,2016,2018,2019,2020
-./bin/tests/optional/sock_test.c		C	1998,1999,2000,2001,2004,2007,2008,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/optional/sym_test.c			C	1998,1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/tests/optional/task_test.c		C	1998,1999,2000,2001,2004,2007,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/optional/timer_test.c		C	1998,1999,2000,2001,2004,2007,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/optional/zone_test.c		C	1999,2000,2001,2002,2004,2005,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/Makefile.in			MAKE	2014,2016,2018,2019,2020
-./bin/tests/pkcs11/README			X	2014,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/Makefile.in	MAKE	2014,2016,2017,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/create.c		C	2014,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/find.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/genrsa.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/login.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/privrsa.c		C	2014,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/pubrsa.c		C	2014,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/random.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/session.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/sha1.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/sign.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/benchmarks/verify.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/pkcs11-hmacmd5.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/pkcs11/pkcs11-md5sum.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/prepare-softhsm2.sh			X	2018,2019,2020
-./bin/tests/startperf/README			X	2011,2018,2019,2020
-./bin/tests/startperf/clean.sh			SH	2011,2012,2016,2018,2019,2020
-./bin/tests/startperf/makenames.pl		PERL	2011,2012,2016,2018,2019,2020
-./bin/tests/startperf/mkzonefile.pl		PERL	2011,2012,2016,2018,2019,2020
-./bin/tests/startperf/setup.sh			SH	2011,2012,2016,2018,2019,2020
-./bin/tests/startperf/smallzone.db		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/Makefile.in			MAKE	2000,2001,2004,2007,2008,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/README			TXT.BRIEF	2000,2001,2004,2010,2011,2013,2015,2016,2018,2019,2020
-./bin/tests/system/acl/clean.sh			SH	2008,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/acl/ns2/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/ns2/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/ns2/named3.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/ns2/named4.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/ns2/named5.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/ns2/named6.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/ns2/named7.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/ns3/example.db		ZONE	2017,2018,2019,2020
-./bin/tests/system/acl/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/ns4/example.db		ZONE	2017,2018,2019,2020
-./bin/tests/system/acl/ns4/existing.db		ZONE	2017,2018,2019,2020
-./bin/tests/system/acl/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/acl/setup.sh			SH	2008,2012,2014,2016,2018,2019,2020
-./bin/tests/system/acl/tests.sh			SH	2008,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/additional/clean.sh		SH	2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/additional/ns1/mx.db		ZONE	2016,2018,2019,2020
-./bin/tests/system/additional/ns1/named.args	X	2013,2014,2018,2019,2020
-./bin/tests/system/additional/ns1/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/additional/ns1/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/additional/ns1/named3.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/additional/ns1/named4.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/additional/ns1/naptr.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/additional/ns1/naptr2.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/additional/ns1/nid.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/additional/ns1/root.db	ZONE	2019,2020
-./bin/tests/system/additional/ns1/rt.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/additional/ns1/rt2.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/additional/ns1/srv.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/additional/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/additional/ns3/root.hint	ZONE	2017,2018,2019,2020
-./bin/tests/system/additional/setup.sh		SH	2013,2016,2018,2019,2020
-./bin/tests/system/additional/tests.sh		SH	2013,2016,2017,2018,2019,2020
-./bin/tests/system/addzone/clean.sh		SH	2010,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/addzone/ns1/inlineslave.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/addzone/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/addzone/ns2/added.db		ZONE	2010,2013,2016,2018,2019,2020
-./bin/tests/system/addzone/ns2/default.nzf.in	X	2010,2018,2019,2020
-./bin/tests/system/addzone/ns2/hints.db		ZONE	2016,2018,2019,2020
-./bin/tests/system/addzone/ns2/inline.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/addzone/ns2/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/addzone/ns2/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/addzone/ns2/normal.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/addzone/ns2/previous.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/addzone/ns2/redirect.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/addzone/ns3/e.db		ZONE	2017,2018,2019,2020
-./bin/tests/system/addzone/ns3/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/addzone/ns3/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/addzone/setup.sh		SH	2010,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/addzone/tests.sh		SH	2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/allow-query/clean.sh		SH	2018,2019,2020
-./bin/tests/system/allow-query/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns1/root.db	ZONE	2018,2019,2020
-./bin/tests/system/allow-query/ns2/generic.db	ZONE	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named01.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named02.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named03.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named04.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named05.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named06.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named07.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named08.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named09.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named10.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named11.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named12.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named21.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named22.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named23.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named24.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named25.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named26.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named27.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named28.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named29.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named30.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named31.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named32.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named33.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named34.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named40.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named53.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named54.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named55.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named56.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns2/named57.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/ns3/named.args	X	2018,2019,2020
-./bin/tests/system/allow-query/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/allow-query/setup.sh		SH	2018,2019,2020
-./bin/tests/system/allow-query/tests.sh		SH	2018,2019,2020
-./bin/tests/system/ans.pl			PERL	2011,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/autosign/clean.sh		SH	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/autosign/ns1/keygen.sh	SH	2009,2010,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/autosign/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/autosign/ns1/root.db.in	ZONE	2009,2010,2016,2018,2019,2020
-./bin/tests/system/autosign/ns2/Xbar.+005+30676.key	X	2010,2018,2019,2020
-./bin/tests/system/autosign/ns2/Xbar.+005+30676.private	X	2010,2018,2019,2020
-./bin/tests/system/autosign/ns2/Xbar.+005+30804.key	X	2010,2018,2019,2020
-./bin/tests/system/autosign/ns2/Xbar.+005+30804.private	X	2010,2018,2019,2020
-./bin/tests/system/autosign/ns2/bar.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/autosign/ns2/child.nsec3.example.db	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns2/child.optout.example.db	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns2/dst.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns2/example.db.in	ZONE	2009,2010,2016,2018,2019,2020
-./bin/tests/system/autosign/ns2/insecure.secure.example.db	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns2/keygen.sh	SH	2009,2010,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/autosign/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/autosign/ns2/private.secure.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/autonsec3.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/delay.example.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/delzsk.example.db.in	ZONE	2018,2019,2020
-./bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in	ZONE	2018,2019,2020
-./bin/tests/system/autosign/ns3/inacksk2.example.db.in	ZONE	2017,2018,2019,2020
-./bin/tests/system/autosign/ns3/inacksk3.example.db.in	ZONE	2017,2018,2019,2020
-./bin/tests/system/autosign/ns3/inaczsk.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/inaczsk2.example.db.in	ZONE	2017,2018,2019,2020
-./bin/tests/system/autosign/ns3/inaczsk3.example.db.in	ZONE	2017,2018,2019,2020
-./bin/tests/system/autosign/ns3/insecure.example.db	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in	ZONE	2019,2020
-./bin/tests/system/autosign/ns3/keygen.sh	SH	2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/autosign/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/autosign/ns3/nozsk.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/nsec.example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/nsec3.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/nsec3.optout.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/oldsigs.example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/optout.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/optout.nsec3.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/optout.optout.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/rsasha256.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/rsasha512.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/secure.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/secure.nsec3.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/secure.optout.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/sync.example.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/ttl1.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/ttl2.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/ttl3.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/autosign/ns3/ttl4.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/autosign/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/autosign/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/autosign/prereq.sh		SH	2009,2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/autosign/setup.sh		SH	2009,2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/autosign/tests.sh		SH	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/builtin/clean.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/builtin/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/builtin/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/builtin/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/builtin/setup.sh		SH	2018,2019,2020
-./bin/tests/system/builtin/tests.sh		SH	2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/cacheclean/clean.sh		SH	2001,2004,2007,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/cacheclean/dig.batch		X	2001,2018,2019,2020
-./bin/tests/system/cacheclean/knowngood.dig.out	X	2001,2018,2019,2020
-./bin/tests/system/cacheclean/ns1/example.db	ZONE	2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/cacheclean/ns1/expire-test.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/cacheclean/ns1/flushtest.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/cacheclean/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cacheclean/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cacheclean/setup.sh		SH	2018,2019,2020
-./bin/tests/system/cacheclean/tests.sh		SH	2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/case/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/case/dynamic.good		X	2015,2018,2019,2020
-./bin/tests/system/case/ns1/dynamic.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/case/ns1/example.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/case/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/case/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/case/postns1.good		X	2015,2018,2019,2020
-./bin/tests/system/case/postupdate.good		X	2015,2018,2019,2020
-./bin/tests/system/case/setup.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/case/tests.sh		SH	2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/catz/clean.sh		SH	2016,2018,2019,2020
-./bin/tests/system/catz/ns1/catalog.example.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/catz/ns1/named.conf.in	CONF-C	2016,2017,2018,2019,2020
-./bin/tests/system/catz/ns2/named.conf.in	CONF-C	2016,2017,2018,2019,2020
-./bin/tests/system/catz/ns3/dom5.example.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/catz/ns3/dom6.example.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/catz/ns3/named.conf.in	CONF-C	2016,2018,2019,2020
-./bin/tests/system/catz/setup.sh		SH	2016,2018,2019,2020
-./bin/tests/system/catz/tests.sh		SH	2016,2017,2018,2019,2020
-./bin/tests/system/chain/README			TXT.BRIEF	2017,2018,2019,2020
-./bin/tests/system/chain/ans3/ans.pl		PERL	2017,2018,2019,2020
-./bin/tests/system/chain/ans4/README.anspy	TXT.BRIEF	2017,2018,2019,2020
-./bin/tests/system/chain/ans4/ans.py		PYTHON	2017,2018,2019,2020
-./bin/tests/system/chain/clean.sh		SH	2011,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/chain/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/chain/ns1/root.db		ZONE	2011,2016,2017,2018,2019,2020
-./bin/tests/system/chain/ns2/example.db		ZONE	2011,2016,2017,2018,2019,2020
-./bin/tests/system/chain/ns2/generic.db		ZONE	2017,2018,2019,2020
-./bin/tests/system/chain/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/chain/ns2/sign.sh		SH	2017,2018,2019,2020
-./bin/tests/system/chain/ns2/sub.db		ZONE	2017,2018,2019,2020
-./bin/tests/system/chain/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/chain/ns5/sub.db		ZONE	2017,2018,2019,2020
-./bin/tests/system/chain/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/chain/ns7/root.hint		ZONE	2017,2018,2019,2020
-./bin/tests/system/chain/prereq.sh		SH	2017,2018,2019,2020
-./bin/tests/system/chain/setup.sh		SH	2017,2018,2019,2020
-./bin/tests/system/chain/tests.sh		SH	2011,2012,2016,2017,2018,2019,2020
-./bin/tests/system/checkconf/altdb.conf		CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/altdlz.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-also-notify.conf	CONF-C	2012,2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-catz-zone.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-dnssec.conf	CONF-C	2012,2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-hint.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-in-view-dup.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-inline-slave.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf	CONF-C	2019,2020
-./bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf	CONF-C	2019,2020
-./bin/tests/system/checkconf/bad-ipv4-prefix2.conf	CONF-C	2019,2020
-./bin/tests/system/checkconf/bad-keep-response-order.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-lifetime.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/bad-many.conf	CONF-C	2005,2012,2015,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-master-request-ixfr.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-maxttlmap.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-noddns.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-options-also-notify.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-acl.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-slip.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rate-limit-window.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-rpz-zone.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-sharedwritable1.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-sharedwritable2.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-sharedzone1.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-sharedzone2.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-sharedzone3.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-stub-masters-dialup.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-tsig.conf	CONF-C	2012,2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy1.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy10.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy11.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy12.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy13.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy14.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy15.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy2.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy3.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy4.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy5.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy6.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy7.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy8.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-update-policy9.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/bad-view-also-notify.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/check-dlv-ksk-key.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/check-dup-records-fail.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-dup-records.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-mx-cname-fail.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-mx-cname.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-mx-fail.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-mx.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-names-fail.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-names.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-root-ksk-2010.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/check-root-ksk-2017.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/check-root-ksk-both.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/check-srv-cname-fail.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/check-srv-cname.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/clean.sh		SH	2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/dlz-bad.conf	CONF-C	2012,2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/dnssec.1		CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/checkconf/dnssec.2		CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/checkconf/dnssec.3		CONF-C	2011,2016,2017,2018,2019,2020
-./bin/tests/system/checkconf/good-acl.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/good-class.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/checkconf/good-dlv-dlv.example.com.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/good-dup-managed-key.conf	CONF-C	2019,2020
-./bin/tests/system/checkconf/good-dup-trusted-key.conf	CONF-C	2019,2020
-./bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/good-nested.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/checkconf/good-options-also-notify.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/good-response-dot.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy1.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy10.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy11.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy12.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy2.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy3.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy4.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy5.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy6.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy7.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy8.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-update-policy9.conf	CONF-C	2018,2019,2020
-./bin/tests/system/checkconf/good-view-also-notify.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/good.conf		CONF-C	2005,2007,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/checkconf/hint-nofile.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/in-view-good.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/checkconf/inline-bad.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/inline-good.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/inline-no.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/max-cache-size-good.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/checkconf/max-ttl.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/maxttl-bad.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/maxttl-bad.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/maxttl.db		ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/notify.conf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/checkconf/portrange-good.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/checkconf/range.conf		CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/shared.example.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkconf/tests.sh		SH	2005,2007,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/checkconf/view-class-any1.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/view-class-any2.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/view-class-in1.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/view-class-in2.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/checkconf/warn-dlv-auto.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/checkconf/warn-duplicate-key.conf	CONF-C	2019,2020
-./bin/tests/system/checkconf/warn-duplicate-root-key.conf	CONF-C	2019,2020
-./bin/tests/system/checkconf/warn-keydir.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/checkconf/warn-validation-auto-key.conf	CONF-C	2019,2020
-./bin/tests/system/checkds/clean.sh		SH	2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/checkds/dig.bat		BAT	2016,2018,2019,2020
-./bin/tests/system/checkds/dig.pl		PERL	2014,2016,2018,2019,2020
-./bin/tests/system/checkds/dig.sh		SH	2012,2013,2016,2018,2019,2020
-./bin/tests/system/checkds/missing.example.dlv.example.dlv.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/missing.example.dnskey.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/missing.example.ds.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/none.example.dlv.example.dlv.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/none.example.dnskey.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/none.example.ds.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/ok.example.dlv.example.dlv.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/ok.example.dnskey.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/ok.example.ds.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/tests.sh		SH	2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/wrong.example.dnskey.db	X	2012,2018,2019,2020
-./bin/tests/system/checkds/wrong.example.ds.db	X	2012,2018,2019,2020
-./bin/tests/system/checknames/clean.sh		SH	2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/checknames/ns1/fail.example.db.in	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns1/fail.update.db.in	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns1/ignore.example.db.in	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns1/ignore.update.db.in	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/checknames/ns1/root.db	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns1/warn.example.db.in	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns1/warn.update.db.in	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/checknames/ns2/root.hints	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/checknames/ns3/root.hints	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/checknames/ns4/master-ignore.update.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checknames/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/checknames/ns4/root.hints	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checknames/setup.sh		SH	2004,2007,2012,2014,2016,2018,2019,2020
-./bin/tests/system/checknames/tests.sh		SH	2004,2007,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/clean.sh		SH	2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/setup.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/tests.sh		SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/checkzone/zones/.gitattributes	X	2015,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-badclass.raw	X	2015,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-caa-rr.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-cdnskey.db	ZONE	2019,2020
-./bin/tests/system/checkzone/zones/bad-cds.db	ZONE	2019,2020
-./bin/tests/system/checkzone/zones/bad-dhcid.db	ZONE	2019,2020
-./bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-eid.db	ZONE	2019,2020
-./bin/tests/system/checkzone/zones/bad-generate-tkey.db	ZONE	2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-nimloc.db	ZONE	2019,2020
-./bin/tests/system/checkzone/zones/bad-nsap-empty.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-nsec3-padded.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-tkey.db	ZONE	2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-tsig.db	ZONE	2018,2019,2020
-./bin/tests/system/checkzone/zones/bad-unspec.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad1.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad2.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad3.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/bad4.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/badttl.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/crashzone.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db	ZONE	2017,2018,2019,2020
-./bin/tests/system/checkzone/zones/good-cdnskey.db	ZONE	2019,2020
-./bin/tests/system/checkzone/zones/good-cds.db	ZONE	2019,2020
-./bin/tests/system/checkzone/zones/good-dns-sd-reverse.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/good-gc-msdcs.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/good-nsap.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db	ZONE	2017,2018,2019,2020
-./bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db	ZONE	2017,2018,2019,2020
-./bin/tests/system/checkzone/zones/good1.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/inherit.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/nowarn.inherited.owner.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/ns-address-below-dname.db	ZONE	2017,2018,2019,2020
-./bin/tests/system/checkzone/zones/spf.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/test1.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/test2.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/warn.inherit.origin.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/checkzone/zones/warn.inherited.owner.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/cleanall.sh			SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/cleanpkcs11.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/common/controls.conf		CONF-C	2000,2001,2004,2007,2013,2016,2018,2019,2020
-./bin/tests/system/common/controls.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/common/rndc.conf		CONF-C	2000,2001,2004,2007,2013,2016,2018,2019,2020
-./bin/tests/system/common/rndc.key		CONF-C	2011,2013,2016,2018,2019,2020
-./bin/tests/system/common/root.hint		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/conf.sh.in			SH	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/conf.sh.win32		SH	2016,2017,2018,2019,2020
-./bin/tests/system/cookie/bad-cookie-badaes.conf.in	X	2019,2020
-./bin/tests/system/cookie/bad-cookie-badhex.conf	CONF-C	2014,2015,2016,2018,2019,2020
-./bin/tests/system/cookie/bad-cookie-badsha1.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/cookie/bad-cookie-badsha256.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/cookie/bad-cookie-badsiphash24.conf	X	2019,2020
-./bin/tests/system/cookie/bad-cookie-toolong.conf	CONF-C	2014,2015,2016,2018,2019,2020
-./bin/tests/system/cookie/clean.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/cookie/good-cookie-aes.conf.in	X	2019,2020
-./bin/tests/system/cookie/good-cookie-sha1.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/cookie/good-cookie-sha256.conf	CONF-C	2017,2018,2019,2020
-./bin/tests/system/cookie/good-cookie-siphash24.conf	X	2019,2020
-./bin/tests/system/cookie/ns1/example.db	ZONE	2014,2015,2016,2018,2019,2020
-./bin/tests/system/cookie/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cookie/ns1/root.hint		ZONE	2014,2015,2016,2018,2019,2020
-./bin/tests/system/cookie/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cookie/ns2/root.db		ZONE	2014,2015,2016,2018,2019,2020
-./bin/tests/system/cookie/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cookie/ns3/root.hint		ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/cookie/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cookie/ns4/root.hint		ZONE	2018,2019,2020
-./bin/tests/system/cookie/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cookie/ns5/root.hint		ZONE	2018,2019,2020
-./bin/tests/system/cookie/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cookie/ns6/root.hint		ZONE	2018,2019,2020
-./bin/tests/system/cookie/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cookie/ns7/root.db		ZONE	2018,2019,2020
-./bin/tests/system/cookie/ns8/example.db	ZONE	2018,2019,2020
-./bin/tests/system/cookie/ns8/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/cookie/setup.sh		SH	2018,2019,2020
-./bin/tests/system/cookie/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/coverage/01-ksk-inactive/README	X	2013,2018,2019,2020
-./bin/tests/system/coverage/01-ksk-inactive/expect	X	2013,2018,2019,2020
-./bin/tests/system/coverage/02-zsk-inactive/README	X	2013,2018,2019,2020
-./bin/tests/system/coverage/02-zsk-inactive/expect	X	2013,2018,2019,2020
-./bin/tests/system/coverage/03-ksk-unpublished/README	X	2013,2018,2019,2020
-./bin/tests/system/coverage/03-ksk-unpublished/expect	X	2013,2016,2018,2019,2020
-./bin/tests/system/coverage/04-zsk-unpublished/README	X	2013,2018,2019,2020
-./bin/tests/system/coverage/04-zsk-unpublished/expect	X	2013,2016,2018,2019,2020
-./bin/tests/system/coverage/05-ksk-unpub-active/README	X	2013,2018,2019,2020
-./bin/tests/system/coverage/05-ksk-unpub-active/expect	X	2013,2016,2018,2019,2020
-./bin/tests/system/coverage/06-zsk-unpub-active/README	X	2013,2018,2019,2020
-./bin/tests/system/coverage/06-zsk-unpub-active/expect	X	2013,2016,2018,2019,2020
-./bin/tests/system/coverage/07-ksk-ttl/README	X	2013,2018,2019,2020
-./bin/tests/system/coverage/07-ksk-ttl/expect	X	2013,2016,2018,2019,2020
-./bin/tests/system/coverage/08-zsk-ttl/README	X	2013,2018,2019,2020
-./bin/tests/system/coverage/08-zsk-ttl/expect	X	2013,2016,2018,2019,2020
-./bin/tests/system/coverage/09-check-zsk/README	X	2014,2018,2019,2020
-./bin/tests/system/coverage/09-check-zsk/expect	X	2014,2018,2019,2020
-./bin/tests/system/coverage/10-check-ksk/README	X	2014,2018,2019,2020
-./bin/tests/system/coverage/10-check-ksk/expect	X	2014,2018,2019,2020
-./bin/tests/system/coverage/11-cutoff/README	X	2014,2018,2019,2020
-./bin/tests/system/coverage/11-cutoff/expect	X	2014,2018,2019,2020
-./bin/tests/system/coverage/12-ksk-deletion/expect	X	2018,2019,2020
-./bin/tests/system/coverage/13-dotted-dotless/expect	X	2019,2020
-./bin/tests/system/coverage/clean.sh		SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/coverage/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/coverage/setup.sh		SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/coverage/tests.sh		SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/database/clean.sh		SH	2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/database/ns1/named1.conf.in	CONF-C	2011,2013,2018,2019,2020
-./bin/tests/system/database/ns1/named2.conf.in	CONF-C	2011,2013,2018,2019,2020
-./bin/tests/system/database/setup.sh		SH	2011,2012,2016,2018,2019,2020
-./bin/tests/system/database/tests.sh		SH	2011,2012,2016,2018,2019,2020
-./bin/tests/system/delzone/clean.sh		SH	2016,2018,2019,2020
-./bin/tests/system/delzone/ns1/inlineslave.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/delzone/ns1/named.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/delzone/ns2/added.db		ZONE	2016,2018,2019,2020
-./bin/tests/system/delzone/ns2/named.args	X	2016,2018,2019,2020
-./bin/tests/system/delzone/ns2/named.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/delzone/ns2/normal.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/delzone/tests.sh		SH	2016,2018,2019,2020
-./bin/tests/system/dialup/clean.sh		SH	2019,2020
-./bin/tests/system/dialup/ns1/example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dialup/ns1/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dialup/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dialup/ns2/hint.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dialup/ns2/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dialup/ns3/hint.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dialup/ns3/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dialup/tests.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/digcomp.pl			PERL	2000,2001,2004,2007,2012,2013,2016,2018,2019,2020
-./bin/tests/system/digdelv/ans4/startme		X	2017,2018,2019,2020
-./bin/tests/system/digdelv/clean.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/digdelv/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/digdelv/ns1/root.db		ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/digdelv/ns2/example.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/digdelv/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/digdelv/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/digdelv/prereq.sh		SH	2018,2019,2020
-./bin/tests/system/digdelv/setup.sh		SH	2018,2019,2020
-./bin/tests/system/digdelv/tests.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/ditch.pl			PERL	2015,2016,2018,2019,2020
-./bin/tests/system/dlv/clean.sh			SH	2004,2007,2010,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlv/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dlv/ns1/root.db.in		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dlv/ns1/rootservers.utld.db	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dlv/ns1/sign.sh		SH	2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlv/ns2/druz.db.in		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dlv/ns2/hints		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dlv/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dlv/ns2/sign.sh		SH	2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlv/ns2/utld.db		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dlv/ns3/child.db.in		ZONE	2004,2007,2010,2016,2018,2019,2020
-./bin/tests/system/dlv/ns3/dlv.db.in		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dlv/ns3/hints		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dlv/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dlv/ns3/sign.sh		SH	2004,2007,2009,2010,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlv/ns4/child.db		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dlv/ns4/hints		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dlv/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dlv/ns5/hints		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dlv/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dlv/ns5/rndc.conf		CONF-C	2004,2007,2013,2016,2018,2019,2020
-./bin/tests/system/dlv/ns6/child.db.in		ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dlv/ns6/hints		ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dlv/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dlv/ns6/sign.sh		SH	2010,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlv/ns7/hints		ZONE	2019,2020
-./bin/tests/system/dlv/ns7/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/dlv/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/dlv/setup.sh			SH	2004,2007,2009,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlv/tests.sh			SH	2004,2007,2010,2011,2012,2016,2018,2019,2020
-./bin/tests/system/dlz/clean.sh			SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.=	TXT.BRIEF	2015,2016,2018,2019,2020
-./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.=	TXT.BRIEF	2015,2016,2018,2019,2020
-./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=	TXT.BRIEF	2015,2016,2018,2019,2020
-./bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=	TXT.BRIEF	2010,2016,2018,2019,2020
-./bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=	TXT.BRIEF	2010,2016,2018,2019,2020
-./bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=	TXT.BRIEF	2010,2016,2018,2019,2020
-./bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1	TXT.BRIEF	2010,2016,2018,2019,2020
-./bin/tests/system/dlz/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dlz/prereq.sh		SH	2011,2012,2016,2018,2019,2020
-./bin/tests/system/dlz/setup.sh			SH	2018,2019,2020
-./bin/tests/system/dlz/tests.sh			SH	2010,2011,2012,2013,2015,2016,2018,2019,2020
-./bin/tests/system/dlzexternal/Makefile.in	MAKE	2011,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/dlzexternal/clean.sh		SH	2010,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/dlzexternal/driver.c		C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/dlzexternal/driver.h		C	2011,2016,2018,2019,2020
-./bin/tests/system/dlzexternal/ns1/dlzs.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dlzexternal/ns1/named.conf.in	CONF-C	2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/dlzexternal/ns1/root.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/dlzexternal/prereq.sh	SH	2010,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlzexternal/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dlzexternal/tests.sh		SH	2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/dns64/clean.sh		SH	2010,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad1.conf		CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad18.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/bad19.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/bad2.conf		CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad3.conf		CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad4.conf		CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad5.conf		CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad6.conf		CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad7.conf		CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad8.conf		CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/bad9.conf		CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/good1.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/good2.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/good3.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/good4.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/good5.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/conf/warn1.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/warn2.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/warn3.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/warn4.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/warn5.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/warn6.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/warn7.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/conf/warn8.conf	CONF-C	2019,2020
-./bin/tests/system/dns64/ns1/example.db		ZONE	2010,2011,2013,2016,2018,2019,2020
-./bin/tests/system/dns64/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dns64/ns1/root.db		ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dns64/ns1/sign.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dns64/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dns64/ns2/rpz.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/dns64/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/dns64/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/dns64/tests.sh		SH	2010,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/README		TXT.BRIEF	2000,2001,2002,2004,2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/clean.sh		SH	2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/dnssec/dnssec_update_test.pl	PERL	2002,2004,2007,2010,2012,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns1/root.db.in	ZONE	2000,2001,2004,2007,2010,2013,2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns1/sign.sh		SH	2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/algroll.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/badparam.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/cdnskey.secure.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/cds-auto.secure.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/cds-update.secure.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/cds.secure.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/child.nsec3.example.db	ZONE	2006,2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/child.optout.example.db	ZONE	2006,2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/dlv.db.in		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/dst.example.db.in	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/example.db.in	ZONE	2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/in-addr.arpa.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/insecure.secure.example.db	ZONE	2000,2001,2004,2007,2013,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/key.db.in		ZONE	2019,2020
-./bin/tests/system/dnssec/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns2/private.secure.example.db.in	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/rfc2335.example.db	X	2004,2018,2019,2020
-./bin/tests/system/dnssec/ns2/sign.sh		SH	2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/single-nsec3.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns2/template.secure.db.in	ZONE	2019,2020
-./bin/tests/system/dnssec/ns3/auto-nsec.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/bogus.example.db.in	ZONE	2000,2001,2004,2007,2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/ns3/dynamic.example.db.in	ZONE	2002,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/expired.example.db.in	ZONE	2011,2012,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/expiring.example.db.in	ZONE	2011,2012,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/future.example.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/generic.example.db.in	ZONE	2001,2002,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/inline.example.db	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/insecure.below-cname.example.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/insecure.example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/insecure.nsec3.example.db	ZONE	2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/insecure.optout.example.db	ZONE	2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/key.db.in		ZONE	2019,2020
-./bin/tests/system/dnssec/ns3/kskonly.example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/lower.example.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/managed-future.example.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/multiple.example.db.in	ZONE	2006,2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns3/nosign.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in	ZONE	2006,2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/nsec3.example.db.in	ZONE	2006,2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in	ZONE	2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in	ZONE	2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/occluded.example.db.in	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/ns3/optout-unknown.example.db.in	ZONE	2006,2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/optout.example.db.in	ZONE	2006,2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in	ZONE	2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/optout.optout.example.db.in	ZONE	2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/publish-inactive.example.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/rsasha256.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/rsasha512.example.db.in	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/secure.example.db.in	ZONE	2000,2001,2004,2007,2008,2010,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in	ZONE	2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/secure.optout.example.db.in	ZONE	2008,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/siginterval.example.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/siginterval1.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/siginterval2.conf	CONF-C	2013,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/sign.sh		SH	2000,2001,2002,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/split-dnssec.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/split-smart.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/ttlpatch.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/unsupported-algorithm.key	X	2018,2019,2020
-./bin/tests/system/dnssec/ns3/update-nsec3.example.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns3/upper.example.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns4/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns4/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns4/named3.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns4/named4.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns4/named5.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns5/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns5/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns5/sign.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns5/trusted.conf.bad	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns6/named.args	X	2013,2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns6/optout-tld.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns6/sign.sh		SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnssec/ns7/named.nosoa	TXT.BRIEF	2010,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns7/nosoa.secure.example.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns7/sign.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns7/split-rrsig.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/dnssec/ns8/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/dnssec/ns9/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/dnssec/ntadiff.pl		PERL	2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/prereq.sh		SH	2000,2001,2002,2004,2006,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/setup.sh		SH	2000,2001,2004,2007,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/dnssec/signer/example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key	X	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private	X	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key	X	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private	X	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/bogus-ksk.key	X	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/bogus-zsk.key	X	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/test1.zone	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/test2.zone	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/test3.zone	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/test4.zone	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/test5.zone	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/test6.zone	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/test7.zone	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/signer/general/test8.zone	ZONE	2018,2019,2020
-./bin/tests/system/dnssec/signer/remove.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/dnssec/signer/remove2.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/dnssec/tests.sh		SH	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/dnstap/README		TXT.BRIEF	2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf	CONF-C	2019,2020
-./bin/tests/system/dnstap/bad-missing-dnstap-output.conf	CONF-C	2019,2020
-./bin/tests/system/dnstap/clean.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/dnstap/good-dnstap-in-options.conf	CONF-C	2019,2020
-./bin/tests/system/dnstap/good-dnstap-in-view.conf	CONF-C	2019,2020
-./bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/dnstap/large-answer.fstrm	X	2019,2020
-./bin/tests/system/dnstap/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnstap/ns1/root.db		ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/dnstap/ns2/example.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/dnstap/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnstap/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnstap/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dnstap/setup.sh		SH	2018,2019,2020
-./bin/tests/system/dnstap/tests.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/dnstap/ydump.py		PYTHON	2016,2017,2018,2019,2020
-./bin/tests/system/dscp/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/dscp/ns1/named.args		X	2013,2014,2018,2019,2020
-./bin/tests/system/dscp/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dscp/ns1/root.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/dscp/ns2/named.args		X	2013,2014,2018,2019,2020
-./bin/tests/system/dscp/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dscp/ns3/hint.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/dscp/ns3/named.args		X	2013,2014,2018,2019,2020
-./bin/tests/system/dscp/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dscp/ns4/named.args		X	2013,2014,2018,2019,2020
-./bin/tests/system/dscp/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dscp/ns4/root.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/dscp/ns5/named.args		X	2013,2014,2018,2019,2020
-./bin/tests/system/dscp/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dscp/ns6/hint.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/dscp/ns6/named.args		X	2013,2014,2018,2019,2020
-./bin/tests/system/dscp/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dscp/ns7/named.args		X	2013,2014,2018,2019,2020
-./bin/tests/system/dscp/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dscp/setup.sh		SH	2018,2019,2020
-./bin/tests/system/dscp/tests.sh		SH	2013,2016,2018,2019,2020
-./bin/tests/system/dsdigest/clean.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/dsdigest/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dsdigest/ns1/root.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/dsdigest/ns1/sign.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/dsdigest/ns2/bad.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/dsdigest/ns2/good.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/dsdigest/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dsdigest/ns2/sign.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/dsdigest/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dsdigest/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dsdigest/prereq.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/dsdigest/setup.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/dsdigest/tests.sh		SH	2012,2016,2018,2019,2020
-./bin/tests/system/dupsigs/check_journal.pl	PERL	2018,2019,2020
-./bin/tests/system/dupsigs/clean.sh		SH	2018,2019,2020
-./bin/tests/system/dupsigs/ns1/named.args	X	2018,2019,2020
-./bin/tests/system/dupsigs/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dupsigs/ns1/reset_keys.sh	SH	2018,2019,2020
-./bin/tests/system/dupsigs/ns1/signing.test.db.in	ZONE	2018,2019,2020
-./bin/tests/system/dupsigs/prereq.sh		SH	2018,2019,2020
-./bin/tests/system/dupsigs/setup.sh		SH	2018,2019,2020
-./bin/tests/system/dupsigs/tests.sh		SH	2018,2019,2020
-./bin/tests/system/dyndb/Makefile.in		MAKE	2015,2016,2018,2019,2020
-./bin/tests/system/dyndb/clean.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/dyndb/driver/AUTHORS		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/COPYING		X	2015,2016,2018,2019,2020
-./bin/tests/system/dyndb/driver/Makefile.in	MAKE	2015,2016,2018,2019,2020
-./bin/tests/system/dyndb/driver/README		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/db.c		X	2015,2016,2017,2018,2019,2020
-./bin/tests/system/dyndb/driver/db.h		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/driver.c	X	2015,2016,2018,2019,2020
-./bin/tests/system/dyndb/driver/instance.c	X	2015,2016,2018,2019,2020
-./bin/tests/system/dyndb/driver/instance.h	X	2015,2016,2018,2019,2020
-./bin/tests/system/dyndb/driver/lock.c		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/lock.h		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/log.c		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/log.h		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/syncptr.c	X	2015,2017,2018,2019,2020
-./bin/tests/system/dyndb/driver/syncptr.h	X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/util.h		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/zone.c		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/driver/zone.h		X	2015,2018,2019,2020
-./bin/tests/system/dyndb/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/dyndb/prereq.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/dyndb/setup.sh		SH	2018,2019,2020
-./bin/tests/system/dyndb/tests.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/ecdsa/clean.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/ecdsa/ns1/named.conf		CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/ecdsa/ns1/root.db.in		ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/ecdsa/ns1/sign.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/ecdsa/ns2/named.conf		CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/ecdsa/prereq.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/ecdsa/setup.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/ecdsa/tests.sh		SH	2012,2013,2015,2016,2018,2019,2020
-./bin/tests/system/eddsa/clean.sh		SH	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns1/named.conf		CONF-C	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns1/root.db.in		ZONE	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns1/sign.sh		SH	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.key	X	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private	X	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key	X	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private	X	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key	X	2019,2020
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private	X	2019,2020
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key	X	2019,2020
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private	X	2019,2020
-./bin/tests/system/eddsa/ns2/example.com.db	ZONE	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns2/named.conf		CONF-C	2017,2018,2019,2020
-./bin/tests/system/eddsa/ns2/sign.sh		SH	2017,2018,2019,2020
-./bin/tests/system/eddsa/prereq.sh		SH	2017,2018,2019,2020
-./bin/tests/system/eddsa/setup.sh		SH	2017,2018,2019,2020
-./bin/tests/system/eddsa/tests.sh		SH	2017,2018,2019,2020
-./bin/tests/system/ednscompliance/clean.sh	SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/ednscompliance/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/ednscompliance/ns1/root.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/ednscompliance/setup.sh	SH	2018,2019,2020
-./bin/tests/system/ednscompliance/tests.sh	SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/emptyzones/clean.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/emptyzones/ns1/empty.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/emptyzones/ns1/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/emptyzones/ns1/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/emptyzones/ns1/rfc1918.zones	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/emptyzones/ns1/root.hint	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/emptyzones/setup.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/emptyzones/tests.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/feature-test.c		C	2016,2017,2018,2019,2020
-./bin/tests/system/fetchlimit/ans4/ans.pl	PERL	2015,2016,2018,2019,2020
-./bin/tests/system/fetchlimit/clean.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/fetchlimit/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/fetchlimit/ns1/root.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/fetchlimit/ns2/example.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/fetchlimit/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/fetchlimit/ns3/named.args	X	2015,2018,2019,2020
-./bin/tests/system/fetchlimit/ns3/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/fetchlimit/ns3/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/fetchlimit/ns3/named3.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/fetchlimit/ns3/root.hint	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/fetchlimit/prereq.sh		SH	2018,2019,2020
-./bin/tests/system/fetchlimit/setup.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/fetchlimit/tests.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/clean.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/bad1.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/bad2.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/bad3.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/bad4.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/bad5.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/bad6.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/good1.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/good2.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/good3.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/good4.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/good5.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/good6.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/good7.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/conf/good8.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns1/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns1/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns1/root.db	ZONE	2010,2012,2016,2017,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns1/sign.sh	SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns1/signed.db.in	ZONE	2010,2012,2016,2017,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns1/signed.db.presigned	X	2014,2017,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns1/unsigned.db	ZONE	2010,2012,2016,2017,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns2/hints	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns2/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns2/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns3/hints	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns3/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns3/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns4/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns4/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns4/root.db	ZONE	2010,2012,2016,2017,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns4/sign.sh	SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns4/signed.db.in	ZONE	2010,2012,2016,2017,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns4/signed.db.presigned	X	2014,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns4/unsigned.db	ZONE	2010,2012,2016,2017,2018,2019,2020
-./bin/tests/system/filter-aaaa/ns5/hints	ZONE	2018,2019,2020
-./bin/tests/system/filter-aaaa/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/filter-aaaa/prereq.sh	SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/filter-aaaa/tests.sh		SH	2010,2012,2015,2016,2017,2018,2019,2020
-./bin/tests/system/formerr/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/formerr/formerr.pl		PERL	2013,2014,2016,2018,2019,2020
-./bin/tests/system/formerr/nametoolong		X	2013,2018,2019,2020
-./bin/tests/system/formerr/noquestions		X	2013,2018,2019,2020
-./bin/tests/system/formerr/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/formerr/ns1/root.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/formerr/setup.sh		SH	2018,2019,2020
-./bin/tests/system/formerr/tests.sh		SH	2013,2015,2016,2018,2019,2020
-./bin/tests/system/formerr/twoquestions		X	2013,2018,2019,2020
-./bin/tests/system/forward/ans6/startme		X	2019,2020
-./bin/tests/system/forward/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/forward/ns1/example.db	X	2000,2001,2018,2019,2020
-./bin/tests/system/forward/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/forward/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/forward/ns2/example.db	X	2000,2001,2018,2019,2020
-./bin/tests/system/forward/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/forward/ns2/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/forward/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/forward/ns3/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/forward/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/forward/ns4/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/forward/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/forward/ns5/root.db		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/forward/ns7/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/forward/ns7/root.db		ZONE	2019,2020
-./bin/tests/system/forward/prereq.sh		SH	2019,2020
-./bin/tests/system/forward/rfc1918-inherited.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/forward/rfc1918-notinherited.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/forward/setup.sh		SH	2018,2019,2020
-./bin/tests/system/forward/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/forward/ula-inherited.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/forward/ula-notinherited.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/genzone.sh			SH	2001,2002,2003,2004,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/geoip/clean.sh		SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIP.csv		X	2013,2014,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIP.dat		X	2013,2014,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPASNum.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPASNum.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPASNumv6.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPASNumv6.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPCity.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPCity.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPCityv6.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPCityv6.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPDomain.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPDomain.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPISP.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPISP.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPNetSpeed.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPNetSpeed.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPOrg.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPOrg.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPRegion.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPRegion.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPv6.csv	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/GeoIPv6.dat	X	2013,2018,2019,2020
-./bin/tests/system/geoip/data/README		TXT.BRIEF	2013,2014,2016,2018,2019,2020
-./bin/tests/system/geoip/ns2/example.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/geoip/ns2/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named10.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named11.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named12.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named13.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named14.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named15.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named16.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip/ns2/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named3.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named4.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named5.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named6.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named7.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named8.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/ns2/named9.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/geoip/options.conf		CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/geoip/prereq.sh		SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/geoip/setup.sh		SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/geoip/tests.sh		SH	2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/geoip2/clean.sh		SH	2019,2020
-./bin/tests/system/geoip2/conf/bad-areacode.conf	CONF-C	2019,2020
-./bin/tests/system/geoip2/conf/bad-dbname.conf	CONF-C	2019,2020
-./bin/tests/system/geoip2/conf/bad-netspeed.conf	CONF-C	2019,2020
-./bin/tests/system/geoip2/conf/bad-regiondb.conf	CONF-C	2019,2020
-./bin/tests/system/geoip2/conf/bad-threeletter.conf	CONF-C	2019,2020
-./bin/tests/system/geoip2/conf/good-options.conf	CONF-C	2019,2020
-./bin/tests/system/geoip2/data/GeoIP2-City.json	X	2019,2020
-./bin/tests/system/geoip2/data/GeoIP2-City.mmdb	X	2019,2020
-./bin/tests/system/geoip2/data/GeoIP2-Country.json	X	2019,2020
-./bin/tests/system/geoip2/data/GeoIP2-Country.mmdb	X	2019,2020
-./bin/tests/system/geoip2/data/GeoIP2-Domain.json	X	2019,2020
-./bin/tests/system/geoip2/data/GeoIP2-Domain.mmdb	X	2019,2020
-./bin/tests/system/geoip2/data/GeoIP2-ISP.json	X	2019,2020
-./bin/tests/system/geoip2/data/GeoIP2-ISP.mmdb	X	2019,2020
-./bin/tests/system/geoip2/data/GeoLite2-ASN.json	X	2019,2020
-./bin/tests/system/geoip2/data/GeoLite2-ASN.mmdb	X	2019,2020
-./bin/tests/system/geoip2/data/README.md	MKD	2019,2020
-./bin/tests/system/geoip2/data/write-test-data.pl	PERL	2019,2020
-./bin/tests/system/geoip2/ns2/example.db.in	ZONE	2019,2020
-./bin/tests/system/geoip2/ns2/named1.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named10.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named11.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named12.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named13.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named14.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named2.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named3.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named4.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named5.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named6.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named7.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named8.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/ns2/named9.conf.in	CONF-C	2019,2020
-./bin/tests/system/geoip2/prereq.sh		SH	2019,2020
-./bin/tests/system/geoip2/setup.sh		SH	2019,2020
-./bin/tests/system/geoip2/tests.sh		SH	2019,2020
-./bin/tests/system/glue/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/glue/fi.good			X	2000,2001,2018,2019,2020
-./bin/tests/system/glue/noglue.good		X	2000,2001,2018,2019,2020
-./bin/tests/system/glue/ns1/cache.in		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/glue/ns1/mil.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/glue/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/glue/ns1/net.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/glue/ns1/root-servers.nil.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/glue/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/glue/setup.sh		SH	2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/glue/tests.sh		SH	2000,2001,2003,2004,2007,2012,2013,2016,2018,2019,2020
-./bin/tests/system/glue/xx.good			X	2000,2001,2018,2019,2020
-./bin/tests/system/glue/yy.good			X	2000,2001,2003,2018,2019,2020
-./bin/tests/system/gost/clean.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/gost/ns1/named.conf		CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/gost/ns1/root.db.in		ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/gost/ns1/sign.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/gost/ns2/named.conf		CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/gost/prereq.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/gost/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/gost/tests.sh		SH	2010,2012,2013,2016,2018,2019,2020
-./bin/tests/system/idna/clean.sh		SH	2018,2019,2020
-./bin/tests/system/idna/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/idna/ns1/root.db		ZONE	2018,2019,2020
-./bin/tests/system/idna/setup.sh		SH	2018,2019,2020
-./bin/tests/system/idna/tests.sh		SH	2018,2019,2020
-./bin/tests/system/ifconfig.bat			BAT	2016,2018,2019,2020
-./bin/tests/system/ifconfig.sh			SH	2000,2001,2002,2003,2004,2007,2008,2009,2010,2012,2013,2016,2018,2019,2020
-./bin/tests/system/inline/checkdsa.sh.in	SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/inline/clean.sh		SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/inline/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/inline/ns1/root.db.in	ZONE	2011,2012,2013,2016,2017,2018,2019,2020
-./bin/tests/system/inline/ns1/sign.sh		SH	2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/inline/ns2/bits.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/inline/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/inline/ns2/nsec3-loop.db.in	ZONE	2017,2018,2019,2020
-./bin/tests/system/inline/ns3/master.db.in	ZONE	2011,2012,2016,2018,2019,2020
-./bin/tests/system/inline/ns3/master2.db.in	ZONE	2011,2012,2016,2018,2019,2020
-./bin/tests/system/inline/ns3/master3.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/inline/ns3/master4.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/inline/ns3/master5.db.in	ZONE	2018,2019,2020
-./bin/tests/system/inline/ns3/master6.db.in	ZONE	2019,2020
-./bin/tests/system/inline/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/inline/ns3/sign.sh		SH	2011,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/inline/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/inline/ns4/noixfr.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/inline/ns5/named.conf.post	CONF-C	2011,2014,2016,2018,2019,2020
-./bin/tests/system/inline/ns5/named.conf.pre	CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/inline/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/inline/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/inline/ns7/sign.sh		SH	2017,2018,2019,2020
-./bin/tests/system/inline/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/inline/setup.sh		SH	2011,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/inline/tests.sh		SH	2011,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/integrity/clean.sh		SH	2017,2018,2019,2020
-./bin/tests/system/integrity/ns1/mx-cname.db	ZONE	2017,2018,2019,2020
-./bin/tests/system/integrity/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/integrity/ns1/srv-cname.db	ZONE	2017,2018,2019,2020
-./bin/tests/system/integrity/setup.sh		SH	2018,2019,2020
-./bin/tests/system/integrity/tests.sh		SH	2017,2018,2019,2020
-./bin/tests/system/ixfr/ans2/startme		X	2011,2018,2019,2020
-./bin/tests/system/ixfr/clean.sh		SH	2001,2004,2007,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/ixfr/ns1/startme		X	2012,2013,2018,2019,2020
-./bin/tests/system/ixfr/ns3/mytest0.db		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/ixfr/ns3/mytest1.db		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/ixfr/ns3/mytest2.db		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/ixfr/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/ixfr/ns3/subtest0.db		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/ixfr/ns3/subtest1.db		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/ixfr/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/ixfr/ns5/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/ixfr/prereq.sh		SH	2001,2004,2007,2012,2014,2016,2018,2019,2020
-./bin/tests/system/ixfr/setup.sh		SH	2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/ixfr/tests.sh		SH	2001,2004,2007,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/keymgr/01-ksk-inactive/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/01-ksk-inactive/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/02-zsk-inactive/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/02-zsk-inactive/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/03-ksk-unpublished/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/03-ksk-unpublished/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/04-zsk-unpublished/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/04-zsk-unpublished/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/05-ksk-unpub-active/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/05-ksk-unpub-active/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/06-zsk-unpub-active/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/06-zsk-unpub-active/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/07-ksk-ttl/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/07-ksk-ttl/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/08-zsk-ttl/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/08-zsk-ttl/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/09-no-keys/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/09-no-keys/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/10-change-roll/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/10-change-roll/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/11-many-simul/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/11-many-simul/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/12-many-active/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/12-many-active/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/13-noroll/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/13-noroll/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/14-wrongalg/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/14-wrongalg/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/15-unspec/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/15-unspec/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/16-wrongalg-unspec/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/16-wrongalg-unspec/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/17-noforce/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/17-noforce/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/18-nonstd-prepub/README	TXT.BRIEF	2016,2018,2019,2020
-./bin/tests/system/keymgr/18-nonstd-prepub/expect	X	2016,2018,2019,2020
-./bin/tests/system/keymgr/18-nonstd-prepub/policy.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/keymgr/19-old-keys/README	TXT.BRIEF	2019,2020
-./bin/tests/system/keymgr/19-old-keys/expect	X	2019,2020
-./bin/tests/system/keymgr/19-old-keys/extra.sh	SH	2019,2020
-./bin/tests/system/keymgr/19-old-keys/policy.conf	CONF-C	2019,2020
-./bin/tests/system/keymgr/clean.sh		SH	2016,2018,2019,2020
-./bin/tests/system/keymgr/policy.conf		CONF-C	2016,2018,2019,2020
-./bin/tests/system/keymgr/policy.good		X	2016,2018,2019,2020
-./bin/tests/system/keymgr/policy.sample		CONF-C	2016,2017,2018,2019,2020
-./bin/tests/system/keymgr/prereq.sh		SH	2016,2018,2019,2020
-./bin/tests/system/keymgr/setup.sh		SH	2016,2018,2019,2020
-./bin/tests/system/keymgr/testpolicy.py		PYTHON	2016,2018,2019,2020
-./bin/tests/system/keymgr/tests.sh		SH	2016,2018,2019,2020
-./bin/tests/system/legacy/build.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/clean.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns1/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns1/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns1/root.db		ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns1/trusted.conf	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns10/ednsrefused.db	ZONE	2018,2019,2020
-./bin/tests/system/legacy/ns10/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns10/named.ednsrefused	X	2018,2019,2020
-./bin/tests/system/legacy/ns2/dropedns.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns2/named.dropedns	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns3/dropedns-notcp.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns3/named.dropedns	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns3/named.notcp	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns4/named.args	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns4/plain.db		ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns5/named.args	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns5/named.notcp	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns5/plain-notcp.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns6/edns512.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns6/edns512.db.signed	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns6/named.args	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns6/sign.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns7/edns512-notcp.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns7/edns512-notcp.db.signed	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns7/named.args	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns7/named.notcp	X	2014,2018,2019,2020
-./bin/tests/system/legacy/ns7/sign.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/ns8/ednsformerr.db	ZONE	2018,2019,2020
-./bin/tests/system/legacy/ns8/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns8/named.ednsformerr	X	2018,2019,2020
-./bin/tests/system/legacy/ns9/ednsnotimp.db	ZONE	2018,2019,2020
-./bin/tests/system/legacy/ns9/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/legacy/ns9/named.ednsnotimp	X	2018,2019,2020
-./bin/tests/system/legacy/setup.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/legacy/tests.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/limits/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/limits/knowngood.dig.out.1000	X	2000,2001,2018,2019,2020
-./bin/tests/system/limits/knowngood.dig.out.2000	X	2000,2001,2018,2019,2020
-./bin/tests/system/limits/knowngood.dig.out.3000	X	2000,2001,2018,2019,2020
-./bin/tests/system/limits/knowngood.dig.out.4000	X	2000,2001,2018,2019,2020
-./bin/tests/system/limits/knowngood.dig.out.a-maximum-rrset	X	2000,2001,2018,2019,2020
-./bin/tests/system/limits/ns1/example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/limits/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/limits/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/limits/setup.sh		SH	2018,2019,2020
-./bin/tests/system/limits/tests.sh		SH	2000,2001,2004,2007,2011,2012,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/clean.sh	SH	2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/controls.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/named.dirconf	CONF-C	2011,2013,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/named.pipeconf	CONF-C	2011,2013,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/named.plain	CONF-C	2011,2013,2014,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/named.plainconf	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/named.symconf	CONF-C	2011,2013,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/named.unlimited	CONF-C	2016,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/named.versconf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/rndc.conf.in	CONF-C	2011,2013,2016,2017,2018,2019,2020
-./bin/tests/system/logfileconfig/ns1/root.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/setup.sh	SH	2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/logfileconfig/tests.sh	SH	2011,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/lwresd/Makefile.in		MAKE	2000,2001,2002,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/lwresd/clean.sh		SH	2008,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/lwresd/lwresd1/lwresd.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/lwresd/lwresd1/nosearch.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/lwresd/lwresd1/resolv.conf	CONF-SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/lwresd/lwtest.c		C	2000,2001,2002,2004,2007,2008,2012,2013,2015,2016,2018,2019,2020
-./bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/lwresd/ns1/e.example1.db	X	2008,2018,2019,2020
-./bin/tests/system/lwresd/ns1/example1.db	ZONE	2000,2001,2002,2003,2004,2007,2008,2016,2018,2019,2020
-./bin/tests/system/lwresd/ns1/example2.db	ZONE	2000,2001,2002,2004,2007,2016,2018,2019,2020
-./bin/tests/system/lwresd/ns1/ip6.arpa.db	ZONE	2000,2001,2002,2004,2007,2016,2018,2019,2020
-./bin/tests/system/lwresd/ns1/ip6.int.db	ZONE	2000,2001,2002,2004,2007,2016,2018,2019,2020
-./bin/tests/system/lwresd/ns1/named.conf	CONF-C	2000,2001,2004,2006,2007,2008,2016,2018,2019,2020
-./bin/tests/system/lwresd/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/lwresd/resolv.conf		CONF-SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/lwresd/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/masterfile/clean.sh		SH	2001,2004,2007,2010,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/masterfile/knowngood.dig.out	X	2001,2004,2012,2018,2019,2020
-./bin/tests/system/masterfile/ns1/include.db	ZONE	2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/masterfile/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/masterfile/ns1/sub.db	ZONE	2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/masterfile/ns1/ttl1.db	ZONE	2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/masterfile/ns1/ttl2.db	ZONE	2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/masterfile/ns2/example.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/masterfile/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/masterfile/setup.sh		SH	2018,2019,2020
-./bin/tests/system/masterfile/tests.sh		SH	2001,2004,2007,2010,2012,2015,2016,2018,2019,2020
-./bin/tests/system/masterfile/zone/inheritownerafterinclude.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/masterfile/zone/inheritownerafterinclude.good	X	2015,2018,2019,2020
-./bin/tests/system/masterfile/zone/nameservers.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/masterformat/clean.sh	SH	2005,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/masterformat/ns1/compile.sh	SH	2005,2006,2007,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/masterformat/ns1/example.db	ZONE	2005,2007,2014,2016,2018,2019,2020
-./bin/tests/system/masterformat/ns1/large.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/masterformat/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/masterformat/ns1/signed.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/masterformat/ns2/formerly-text.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/masterformat/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/masterformat/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/masterformat/prereq.sh	SH	2014,2016,2018,2019,2020
-./bin/tests/system/masterformat/setup.sh	SH	2005,2006,2007,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/masterformat/tests.sh	SH	2005,2007,2011,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/metadata/child.db		ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/metadata/clean.sh		SH	2009,2011,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/metadata/parent.db		ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/metadata/prereq.sh		SH	2009,2012,2014,2016,2018,2019,2020
-./bin/tests/system/metadata/setup.sh		SH	2009,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/metadata/tests.sh		SH	2009,2011,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/mkeys/README			TXT.BRIEF	2015,2016,2017,2018,2019,2020
-./bin/tests/system/mkeys/clean.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/mkeys/ns1/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/mkeys/ns1/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/mkeys/ns1/named3.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/mkeys/ns1/root.db		ZONE	2015,2016,2017,2018,2019,2020
-./bin/tests/system/mkeys/ns1/sign.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/mkeys/ns1/unsupported.key	X	2019,2020
-./bin/tests/system/mkeys/ns2/named.args		X	2015,2016,2017,2018,2019,2020
-./bin/tests/system/mkeys/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/mkeys/ns3/named.args		X	2015,2016,2017,2018,2019,2020
-./bin/tests/system/mkeys/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/mkeys/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/mkeys/ns5/named1.args	X	2017,2018,2019,2020
-./bin/tests/system/mkeys/ns5/named2.args	X	2017,2018,2019,2020
-./bin/tests/system/mkeys/ns6/named.args		X	2019,2020
-./bin/tests/system/mkeys/ns6/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/mkeys/ns6/setup.sh		SH	2019,2020
-./bin/tests/system/mkeys/ns6/unsupported-managed.key	X	2019,2020
-./bin/tests/system/mkeys/ns7/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/mkeys/prereq.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/mkeys/setup.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/mkeys/tests.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/names/clean.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/names/ns1/example.db		ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/names/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/names/setup.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/names/tests.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/notify/clean.sh		SH	2000,2001,2004,2007,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/notify/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/notify/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/notify/ns2/example1.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020
-./bin/tests/system/notify/ns2/example2.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020
-./bin/tests/system/notify/ns2/example3.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020
-./bin/tests/system/notify/ns2/example4.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020
-./bin/tests/system/notify/ns2/generic.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/notify/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/notify/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/notify/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/notify/ns4/named.port.in	X	2018,2019,2020
-./bin/tests/system/notify/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/notify/ns5/x21.db		ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/notify/setup.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./bin/tests/system/notify/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/nslookup/clean.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/nslookup/ns1/example.net.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/nslookup/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nslookup/setup.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/nslookup/tests.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/nsupdate/ans4/ans.pl		PERL	2017,2018,2019,2020
-./bin/tests/system/nsupdate/clean.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/nsupdate/commandlist		X	2012,2018,2019,2020
-./bin/tests/system/nsupdate/knowngood.ns1.after	X	2000,2001,2003,2004,2009,2018,2019,2020
-./bin/tests/system/nsupdate/knowngood.ns1.afterstop	X	2001,2004,2018,2019,2020
-./bin/tests/system/nsupdate/knowngood.ns1.before	X	2000,2001,2003,2004,2009,2018,2019,2020
-./bin/tests/system/nsupdate/krb/setup.sh	SH	2018,2019,2020
-./bin/tests/system/nsupdate/ns1/example1.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns1/many.test.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns1/max-ttl.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nsupdate/ns1/sample.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns10/dns.keytab	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns10/example.com.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns10/in-addr.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns10/machine.ccache	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns10/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nsupdate/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nsupdate/ns2/sample.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns3/delegation.test.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns3/dnskey.test.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns3/example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nsupdate/ns3/nsec3param.test.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns3/sign.sh		SH	2010,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns3/too-big.test.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/nsupdate/ns5/local.db.in	ZONE	2017,2018,2019,2020
-./bin/tests/system/nsupdate/ns5/named.args	X	2017,2018,2019,2020
-./bin/tests/system/nsupdate/ns5/named.conf.in	CONF-C	2017,2018,2019,2020
-./bin/tests/system/nsupdate/ns6/in-addr.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns6/named.args	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nsupdate/ns7/dns.keytab	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns7/example.com.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns7/in-addr.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns7/machine.ccache	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nsupdate/ns8/dns.keytab	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns8/example.com.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns8/in-addr.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns8/machine.ccache	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns8/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nsupdate/ns9/dns.keytab	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns9/example.com.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns9/in-addr.db.in	ZONE	2018,2019,2020
-./bin/tests/system/nsupdate/ns9/machine.ccache	X	2018,2019,2020
-./bin/tests/system/nsupdate/ns9/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nsupdate/prereq.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/nsupdate/setup.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/nsupdate/tests.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/nsupdate/update_test.pl	PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/nsupdate/verylarge.in	X	2013,2018,2019,2020
-./bin/tests/system/nzd2nzf/clean.sh		SH	2016,2018,2019,2020
-./bin/tests/system/nzd2nzf/ns1/added.db		ZONE	2016,2018,2019,2020
-./bin/tests/system/nzd2nzf/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/nzd2nzf/prereq.sh		SH	2016,2018,2019,2020
-./bin/tests/system/nzd2nzf/setup.sh		SH	2016,2018,2019,2020
-./bin/tests/system/nzd2nzf/tests.sh		SH	2016,2018,2019,2020
-./bin/tests/system/org.isc.bind.system		SH	2010,2012,2013,2016,2018,2019,2020
-./bin/tests/system/org.isc.bind.system.plist	X	2010,2018,2019,2020
-./bin/tests/system/packet.pl			PERL	2011,2012,2016,2018,2019,2020
-./bin/tests/system/parallel.sh			SH	2019,2020
-./bin/tests/system/pending/clean.sh		SH	2009,2012,2014,2016,2018,2019,2020
-./bin/tests/system/pending/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/pending/ns1/root.db.in	ZONE	2009,2010,2016,2018,2019,2020
-./bin/tests/system/pending/ns1/sign.sh		SH	2009,2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/pending/ns2/example.com.db.in	ZONE	2009,2010,2016,2018,2019,2020
-./bin/tests/system/pending/ns2/example.db.in	ZONE	2009,2010,2016,2018,2019,2020
-./bin/tests/system/pending/ns2/forgery.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/pending/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/pending/ns2/sign.sh		SH	2009,2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/pending/ns3/hostile.db	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/pending/ns3/mail.example.db	ZONE	2009,2016,2018,2019,2020
-./bin/tests/system/pending/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/pending/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/pending/prereq.sh		SH	2009,2012,2014,2016,2018,2019,2020
-./bin/tests/system/pending/setup.sh		SH	2009,2012,2014,2016,2018,2019,2020
-./bin/tests/system/pending/tests.sh		SH	2009,2010,2012,2015,2016,2018,2019,2020
-./bin/tests/system/pipelined/Makefile.in	MAKE	2014,2015,2016,2018,2019,2020
-./bin/tests/system/pipelined/clean.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/pipelined/input		X	2014,2015,2018,2019,2020
-./bin/tests/system/pipelined/inputb		X	2014,2015,2018,2019,2020
-./bin/tests/system/pipelined/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/pipelined/ns1/root.db	ZONE	2014,2015,2016,2018,2019,2020
-./bin/tests/system/pipelined/ns2/examplea.db	ZONE	2014,2015,2016,2018,2019,2020
-./bin/tests/system/pipelined/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/pipelined/ns3/exampleb.db	ZONE	2014,2015,2016,2018,2019,2020
-./bin/tests/system/pipelined/ns3/named.args	X	2014,2015,2018,2019,2020
-./bin/tests/system/pipelined/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/pipelined/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/pipelined/pipequeries.c	C	2014,2015,2015,2016,2018,2019,2020
-./bin/tests/system/pipelined/ref		X	2014,2015,2018,2019,2020
-./bin/tests/system/pipelined/refb		X	2014,2015,2018,2019,2020
-./bin/tests/system/pipelined/setup.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/pipelined/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/pkcs11/clean.sh		SH	2010,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/pkcs11/ns1/example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/pkcs11/ns1/named.conf	CONF-C	2018,2019,2020
-./bin/tests/system/pkcs11/prereq.sh		SH	2010,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/pkcs11/setup.sh		SH	2010,2012,2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/pkcs11/tests.sh		SH	2010,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/pkcs11/usepkcs11		X	2010,2018,2019,2020
-./bin/tests/system/pkcs11ssl/clean.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/pkcs11ssl/ns1/example.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/pkcs11ssl/ns1/named.conf	CONF-C	2018,2019,2020
-./bin/tests/system/pkcs11ssl/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/pkcs11ssl/setup.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/pkcs11ssl/tests.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/pkcs11ssl/usepkcs11		X	2014,2018,2019,2020
-./bin/tests/system/reclimit/README		TXT.BRIEF	2014,2016,2017,2018,2019,2020
-./bin/tests/system/reclimit/ans2/ans.pl		PERL	2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/reclimit/ans4/ans.pl		PERL	2018,2019,2020
-./bin/tests/system/reclimit/ans7/ans.pl		PERL	2014,2016,2018,2019,2020
-./bin/tests/system/reclimit/clean.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/reclimit/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/reclimit/ns1/root.db		ZONE	2014,2016,2017,2018,2019,2020
-./bin/tests/system/reclimit/ns3/hints.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/reclimit/ns3/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/reclimit/ns3/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/reclimit/ns3/named3.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/reclimit/ns3/named4.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/reclimit/prereq.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/reclimit/setup.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/reclimit/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/redirect/clean.sh		SH	2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/redirect/conf/bad1.conf	CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/conf/bad2.conf	CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/conf/bad3.conf	CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/conf/good1.conf	CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/conf/good2.conf	CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/conf/good3.conf	CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/conf/good4.conf	CONF-C	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/ns1/example.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/redirect/ns1/redirect.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/ns1/root.db		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/redirect/ns1/sign.sh		SH	2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/redirect/ns2/example.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/redirect/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/redirect/ns2/redirect.db.in	ZONE	2011.2013,2013,2016,2018,2019,2020
-./bin/tests/system/redirect/ns3/example.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/redirect/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/redirect/ns3/redirect.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/redirect/ns3/root.db		ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/redirect/ns3/sign.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/redirect/ns4/example.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/redirect/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/redirect/ns4/root.hint	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/redirect/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/redirect/setup.sh		SH	2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/redirect/tests.sh		SH	2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/resolver/ans2/ans.pl		PERL	2000,2001,2004,2007,2009,2010,2012,2016,2018,2019,2020
-./bin/tests/system/resolver/ans3/ans.pl		PERL	2000,2001,2004,2007,2009,2012,2016,2018,2019,2020
-./bin/tests/system/resolver/ans8/ans.pl		PERL	2017,2018,2019,2020
-./bin/tests/system/resolver/clean.sh		SH	2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/resolver/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/resolver/ns1/root.hint	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/resolver/ns4/broken.db	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/resolver/ns4/child.server.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/resolver/ns4/moves.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/resolver/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/resolver/ns4/named.noaa	TXT.BRIEF	2010,2016,2018,2019,2020
-./bin/tests/system/resolver/ns4/root.db		ZONE	2010,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/resolver/ns4/tld1.db		ZONE	2012,2014,2016,2018,2019,2020
-./bin/tests/system/resolver/ns4/tld2.db		ZONE	2012,2014,2016,2018,2019,2020
-./bin/tests/system/resolver/ns5/child.server.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/resolver/ns5/moves.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/resolver/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/resolver/ns5/root.hint	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/resolver/ns6/broken.db	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/resolver/ns6/delegation-only.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/resolver/ns6/ds.example.net.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/resolver/ns6/example.net.db.in	ZONE	2010,2014,2016,2018,2019,2020
-./bin/tests/system/resolver/ns6/keygen.sh	SH	2010,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/resolver/ns6/moves.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/resolver/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/resolver/ns6/no-edns-version.tld.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/resolver/ns6/root.db		ZONE	2010,2011,2014,2016,2018,2019,2020
-./bin/tests/system/resolver/ns6/to-be-removed.tld.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/resolver/ns7/all-cnames.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/resolver/ns7/edns-version.tld.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/resolver/ns7/named.args	X	2011,2012,2014,2018,2019,2020
-./bin/tests/system/resolver/ns7/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/resolver/ns7/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/resolver/ns7/root.hint	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/resolver/ns7/server.db.in	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/resolver/prereq.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./bin/tests/system/resolver/setup.sh		SH	2010,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/resolver/tests.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/rndc/Makefile.in		MAKE	2014,2015,2016,2018,2019,2020
-./bin/tests/system/rndc/clean.sh		SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/rndc/gencheck.c		C	2014,2015,2016,2018,2019,2020
-./bin/tests/system/rndc/ns2/incl.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/rndc/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rndc/ns2/secondkey.conf	CONF-C	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rndc/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rndc/ns4/named.conf.in	CONF-C	2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/rndc/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rndc/ns6/named.args		X	2016,2018,2019,2020
-./bin/tests/system/rndc/ns6/named.conf.in	CONF-C	2016,2018,2019,2020
-./bin/tests/system/rndc/setup.sh		SH	2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/rndc/tests.sh		SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/rootkeysentinel/clean.sh	SH	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns1/root.db.in	ZONE	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns1/sign.sh	SH	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns2/example.db.in	ZONE	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns2/sign.sh	SH	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns3/hint.db	ZONE	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns4/hint.db	ZONE	2018,2019,2020
-./bin/tests/system/rootkeysentinel/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rootkeysentinel/prereq.sh	SH	2018,2019,2020
-./bin/tests/system/rootkeysentinel/setup.sh	SH	2018,2019,2020
-./bin/tests/system/rootkeysentinel/tests.sh	SH	2018,2019,2020
-./bin/tests/system/rpz/README			TXT.BRIEF	2019,2020
-./bin/tests/system/rpz/clean.sh			SH	2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/rpz/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rpz/ns1/root.db		ZONE	2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns2/base-tld2s.db	ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns2/bl.tld2.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns2/blv2.tld2.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns2/blv3.tld2.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns2/hints		ZONE	2011,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rpz/ns2/tld2.db		ZONE	2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns3/base.db		ZONE	2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns3/broken.db.in		ZONE	2019,2020
-./bin/tests/system/rpz/ns3/crash1		X	2011,2013,2018,2019,2020
-./bin/tests/system/rpz/ns3/crash2		X	2011,2012,2013,2018,2019,2020
-./bin/tests/system/rpz/ns3/hints		ZONE	2011,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in	ZONE	2019,2020
-./bin/tests/system/rpz/ns3/manual-update-rpz.db.in	ZONE	2019,2020
-./bin/tests/system/rpz/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rpz/ns4/hints		ZONE	2011,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rpz/ns4/tld4.db		ZONE	2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns5/empty.db.in		ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/rpz/ns5/hints		ZONE	2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns5/named.args		X	2013,2014,2018,2019,2020
-./bin/tests/system/rpz/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rpz/ns5/tld5.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/rpz/ns6/hints		ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/rpz/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rpz/ns7/hints		ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/rpz/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rpz/ns9/hints		ZONE	2019,2020
-./bin/tests/system/rpz/ns9/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/rpz/ns9/rpz.db		ZONE	2019,2020
-./bin/tests/system/rpz/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/rpz/qperf.sh			SH	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/setup.sh			SH	2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/rpz/test1			ZONE	2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/test2			ZONE	2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/test3			ZONE	2011,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/test4			ZONE	2011,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/test4a			ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/rpz/test5			ZONE	2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/rpz/test6			ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/rpz/tests.sh			SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/rpzrecurse/README		TXT.BRIEF	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ans5/ans.pl	PERL	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/clean.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns1/db.l0		ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns1/db.l1.l0	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns1/example.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rpzrecurse/ns1/root.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns1/test1.example.net.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns1/test2.example.net.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.clientip1	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.clientip2	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.clientip21	ZONE	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.log1	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.log2	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.log3	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.wildcard1	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.wildcard2a	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.wildcard2b	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/db.wildcard3	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/named.clientip.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/named.clientip2.conf	CONF-C	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/named.conf.header.in	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/named.default.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/named.log.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf	CONF-C	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns2/root.hint	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns3/example.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns3/named1.conf.in	CONF-C	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns3/named2.conf.in	CONF-C	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns3/policy.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns3/root.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns4/child.example.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/ns4/named.conf.in	CONF-C	2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/prereq.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/setup.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/testgen.pl	PERL	2015,2016,2018,2019,2020
-./bin/tests/system/rpzrecurse/tests.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/rrchecker/classlist.good	X	2013,2018,2019,2020
-./bin/tests/system/rrchecker/clean.sh		SH	2013,2014,2016,2017,2018,2019,2020
-./bin/tests/system/rrchecker/privatelist.good	X	2013,2018,2019,2020
-./bin/tests/system/rrchecker/tests.sh		SH	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/rrchecker/typelist.good	X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/rrl/broken.conf		CONF-C	2016,2018,2019,2020
-./bin/tests/system/rrl/clean.sh			SH	2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/rrl/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rrl/ns1/root.db		ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rrl/ns2/hints		ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rrl/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rrl/ns2/tld2.db		ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rrl/ns3/hints		ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rrl/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rrl/ns3/tld3.db		ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rrl/ns4/hints		ZONE	2016,2018,2019,2020
-./bin/tests/system/rrl/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rrl/ns4/tld4.db		ZONE	2016,2018,2019,2020
-./bin/tests/system/rrl/setup.sh			SH	2012,2013,2016,2018,2019,2020
-./bin/tests/system/rrl/tests.sh			SH	2012,2013,2015,2016,2018,2019,2020
-./bin/tests/system/rrsetorder/clean.sh		SH	2006,2007,2008,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.fixed.good	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good1	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good10	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good11	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good12	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good13	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good14	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good15	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good16	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good17	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good18	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good19	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good2	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good20	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good21	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good22	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good23	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good24	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good3	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good4	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good5	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good6	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good7	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good8	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/dig.out.random.good9	X	2006,2018,2019,2020
-./bin/tests/system/rrsetorder/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rrsetorder/ns1/root.db	ZONE	2006,2007,2012,2016,2018,2019,2020
-./bin/tests/system/rrsetorder/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rrsetorder/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rrsetorder/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rrsetorder/setup.sh		SH	2018,2019,2020
-./bin/tests/system/rrsetorder/tests.sh		SH	2006,2007,2008,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/Makefile.in	MAKE	2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/bigkey.c	C	2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/clean.sh	SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/conf/bad01.conf	CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/conf/bad02.conf	CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/conf/bad03.conf	CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/conf/good01.conf	CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/conf/good02.conf	CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/conf/good03.conf	CONF-C	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rsabigexponent/ns1/root.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns1/sign.sh	SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key	X	2012,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private	X	2012,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key	X	2012,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private	X	2012,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/dsset-example.in	X	2012,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/example.db.bad	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/example.db.in	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rsabigexponent/ns2/sign.sh	SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/rsabigexponent/prereq.sh	SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/setup.sh	SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/rsabigexponent/tests.sh	SH	2012,2016,2018,2019,2020
-./bin/tests/system/run.gdb			X	2019,2020
-./bin/tests/system/run.sh			SH	2000,2001,2004,2007,2010,2012,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/runall.sh			SH	2000,2001,2004,2007,2010,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/runsequential.sh		SH	2018,2019,2020
-./bin/tests/system/runtime/README		TXT.BRIEF	2014,2016,2018,2019,2020
-./bin/tests/system/runtime/clean.sh		SH	2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/ns2/named-alt1.conf.in	CONF-C	2014,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/ns2/named-alt2.conf.in	CONF-C	2014,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/ns2/named-alt3.conf.in	CONF-C	2014,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/ns2/named-alt4.conf.in	CONF-C	2014,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/ns2/named-alt5.conf.in	CONF-C	2014,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/ns2/named-alt6.conf.in	CONF-C	2014,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/ns2/named-alt9.conf.in	CONF-C	2019,2020
-./bin/tests/system/runtime/ns2/named1.conf.in	CONF-C	2014,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/setup.sh		SH	2015,2016,2017,2018,2019,2020
-./bin/tests/system/runtime/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/send.pl			PERL	2001,2004,2007,2011,2012,2016,2018,2019,2020
-./bin/tests/system/setup.sh			SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/README		TXT.BRIEF	2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/clean.sh		SH	2014,2015,2016,2018,2019,2020
-./bin/tests/system/sfcache/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/sfcache/ns1/root.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/ns1/sign.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/ns2/example.db.in	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/sfcache/ns2/sign.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/sfcache/ns5/trusted.conf.bad	CONF-C	2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/setup.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/sfcache/tests.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/smartsign/child.db		ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/smartsign/clean.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/smartsign/parent.db		ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/smartsign/prereq.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/smartsign/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/smartsign/tests.sh		SH	2010,2011,2012,2014,2016,2017,2018,2019,2020
-./bin/tests/system/sortlist/clean.sh		SH	2000,2001,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/sortlist/ns1/example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/sortlist/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/sortlist/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/sortlist/setup.sh		SH	2018,2019,2020
-./bin/tests/system/sortlist/tests.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/spf/clean.sh			SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/spf/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/spf/ns1/spf.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/spf/setup.sh			SH	2018,2019,2020
-./bin/tests/system/spf/tests.sh			SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/start.pl			SH	2001,2004,2005,2006,2007,2008,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/start.sh			SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/staticstub/clean.sh		SH	2010,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad01.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad02.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad03.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad04.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad05.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad06.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad07.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad08.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad09.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad10.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/bad11.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/good01.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/good02.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/good03.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/good04.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/conf/good05.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/knowngood.dig.out.rec	X	2010,2013,2018,2019,2020
-./bin/tests/system/staticstub/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/staticstub/ns1/root.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns2/named.conf.in	CONF-C	2010,2015,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns3/example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns3/example.org.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns3/named.conf.in	CONF-C	2010,2013,2015,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns3/sign.sh	SH	2010,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns3/undelegated.db.in	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns4/example.com.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns4/example.info.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns4/example.org.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/staticstub/ns4/sign.sh	SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/staticstub/ns4/sub.example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/system/staticstub/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/staticstub/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/staticstub/tests.sh		SH	2010,2011,2012,2013,2015,2016,2018,2019,2020
-./bin/tests/system/statistics/ans4/ans.pl	PERL	2012,2016,2018,2019,2020
-./bin/tests/system/statistics/clean.sh		SH	2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/statistics/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/statistics/ns1/root.db	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/statistics/ns1/zone.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/statistics/ns2/example.db	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/statistics/ns2/internal.db	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/statistics/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/statistics/ns3/internal.db	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/statistics/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/statistics/ns3/root.hint	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/statistics/prereq.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/statistics/setup.sh		SH	2018,2019,2020
-./bin/tests/system/statistics/tests.sh		SH	2012,2015,2016,2018,2019,2020
-./bin/tests/system/statschannel/clean.sh	SH	2015,2016,2018,2019,2020
-./bin/tests/system/statschannel/fetch.pl	PERL	2015,2016,2018,2019,2020
-./bin/tests/system/statschannel/ns2/example.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/statschannel/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/statschannel/prereq.sh	SH	2015,2016,2018,2019,2020
-./bin/tests/system/statschannel/server-json.pl	PERL	2015,2016,2017,2018,2019,2020
-./bin/tests/system/statschannel/server-xml.pl	PERL	2015,2016,2017,2018,2019,2020
-./bin/tests/system/statschannel/setup.sh	SH	2018,2019,2020
-./bin/tests/system/statschannel/tests.sh	SH	2015,2016,2018,2019,2020
-./bin/tests/system/statschannel/traffic-json.pl	PERL	2015,2016,2017,2018,2019,2020
-./bin/tests/system/statschannel/traffic-xml.pl	PERL	2015,2016,2017,2018,2019,2020
-./bin/tests/system/statschannel/traffic.expect.1	X	2015,2018,2019,2020
-./bin/tests/system/statschannel/traffic.expect.2	X	2015,2018,2019,2020
-./bin/tests/system/statschannel/traffic.expect.4	X	2015,2018,2019,2020
-./bin/tests/system/statschannel/traffic.expect.5	X	2015,2016,2018,2019,2020
-./bin/tests/system/statschannel/traffic.expect.6	X	2015,2016,2018,2019,2020
-./bin/tests/system/stop.pl			SH	2001,2004,2005,2006,2007,2012,2016,2018,2019,2020
-./bin/tests/system/stop.sh			SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/stopall.sh			SH	2018,2019,2020
-./bin/tests/system/stress/clean.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./bin/tests/system/stress/ns1/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/stress/ns2/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/stress/ns3/named.conf	CONF-C	2000,2001,2004,2007,2013,2016,2018,2019,2020
-./bin/tests/system/stress/ns4/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/stress/prereq.sh		SH	2015,2016,2018,2019,2020
-./bin/tests/system/stress/setup.pl		PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/stress/setup.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/stress/tests.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/stress/update.pl		PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/stub/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/stub/knowngood.dig.out.norec	X	2000,2001,2018,2019,2020
-./bin/tests/system/stub/knowngood.dig.out.rec	X	2000,2001,2013,2018,2019,2020
-./bin/tests/system/stub/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/stub/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/stub/ns2/child.example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/stub/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/stub/ns3/example.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/stub/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/stub/setup.sh		SH	2018,2019,2020
-./bin/tests/system/stub/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/tcp/ans6/ans.py		PYTHON	2019,2020
-./bin/tests/system/tcp/clean.sh			SH	2014,2016,2018,2019,2020
-./bin/tests/system/tcp/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/tcp/ns1/root.db		ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/tcp/ns2/example.db		ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/tcp/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/tcp/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/tcp/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/tcp/ns5/named.conf.in	CONF-C	2019,2020
-./bin/tests/system/tcp/prereq.sh		SH	2019,2020
-./bin/tests/system/tcp/setup.sh			SH	2018,2019,2020
-./bin/tests/system/tcp/tests.sh			SH	2014,2016,2018,2019,2020
-./bin/tests/system/testcrypto.sh		SH	2014,2016,2017,2018,2019,2020
-./bin/tests/system/testsock.pl			PERL	2000,2001,2004,2007,2010,2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/testsock6.pl			PERL	2010,2012,2014,2016,2018,2019,2020
-./bin/tests/system/testsummary.sh		SH	2018,2019,2020
-./bin/tests/system/tkey/Makefile.in		MAKE	2001,2002,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/tkey/clean.sh		SH	2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/tkey/keycreate.c		C	2001,2004,2005,2007,2009,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/tkey/keydelete.c		C	2001,2004,2005,2007,2009,2010,2011,2014,2015,2016,2018,2019,2020
-./bin/tests/system/tkey/ns1/example.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/tkey/ns1/named.conf.in	CONF-C	2001,2004,2007,2009,2011,2013,2014,2016,2018,2019,2020
-./bin/tests/system/tkey/ns1/setup.sh		SH	2001,2004,2007,2009,2012,2014,2016,2018,2019,2020
-./bin/tests/system/tkey/prereq.sh		SH	2001,2004,2006,2007,2009,2012,2014,2016,2018,2019,2020
-./bin/tests/system/tkey/setup.sh		SH	2001,2004,2007,2009,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/tkey/tests.sh		SH	2001,2004,2007,2009,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/tsig/clean.sh		SH	2005,2006,2007,2012,2014,2016,2018,2019,2020
-./bin/tests/system/tsig/ns1/example.db		ZONE	2005,2006,2007,2009,2012,2016,2018,2019,2020
-./bin/tests/system/tsig/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/tsig/setup.sh		SH	2016,2018,2019,2020
-./bin/tests/system/tsig/tests.sh		SH	2005,2006,2007,2011,2012,2016,2018,2019,2020
-./bin/tests/system/tsiggss/authsock.pl		PERL	2011,2012,2016,2018,2019,2020
-./bin/tests/system/tsiggss/clean.sh		SH	2010,2011,2014,2015,2016,2018,2019,2020
-./bin/tests/system/tsiggss/ns1/administrator.ccache	X	2010,2018,2019,2020
-./bin/tests/system/tsiggss/ns1/dns.keytab	X	2010,2018,2019,2020
-./bin/tests/system/tsiggss/ns1/example.nil.db.in	X	2011,2018,2019,2020
-./bin/tests/system/tsiggss/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/tsiggss/ns1/testdenied.ccache	X	2010,2018,2019,2020
-./bin/tests/system/tsiggss/prereq.sh		SH	2010,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/tsiggss/setup.sh		SH	2010,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/tsiggss/tests.sh		SH	2010,2011,2014,2016,2017,2018,2019,2020
-./bin/tests/system/unknown/clean.sh		SH	2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/unknown/large.out		X	2012,2018,2019,2020
-./bin/tests/system/unknown/ns1/broken1.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/broken2.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/broken3.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/broken4.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/broken5.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/class10.hints	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/example-class10.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/example-in.db	ZONE	2000,2001,2004,2007,2011,2012,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/large.db		ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/unknown/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/unknown/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/unknown/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/unknown/ns3/sign.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/unknown/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/unknown/setup.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/unknown/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2016,2018,2019,2020
-./bin/tests/system/unknown/zones/nan.bad	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/upforwd/ans4/ans.pl		PERL	2011,2012,2016,2018,2019,2020
-./bin/tests/system/upforwd/clean.sh		SH	2000,2001,2004,2007,2011,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/upforwd/knowngood.after1	X	2000,2001,2018,2019,2020
-./bin/tests/system/upforwd/knowngood.after2	X	2000,2001,2018,2019,2020
-./bin/tests/system/upforwd/knowngood.before	X	2000,2001,2018,2019,2020
-./bin/tests/system/upforwd/knowngood.ns2.before	X	2000,2001,2018,2019,2020
-./bin/tests/system/upforwd/ns1/example1.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/upforwd/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/upforwd/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/upforwd/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/upforwd/ns3/nomaster.db	ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/upforwd/prereq.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/upforwd/setup.sh		SH	2000,2001,2004,2007,2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/upforwd/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/verify/clean.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/verify/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/verify/setup.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/verify/tests.sh		SH	2012,2013,2016,2017,2018,2019,2020
-./bin/tests/system/verify/zones/genzones.sh	SH	2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/verify/zones/unsigned.db	ZONE	2012,2016,2018,2019,2020
-./bin/tests/system/views/clean.sh		SH	2000,2001,2004,2005,2007,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/views/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/views/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/views/ns2/1.10.in-addr.arpa.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/views/ns2/clone.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/views/ns2/example1.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/views/ns2/example2.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/views/ns2/external/inline.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/views/ns2/internal.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/views/ns2/internal/inline.db	ZONE	2014,2016,2018,2019,2020
-./bin/tests/system/views/ns2/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/views/ns2/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/views/ns3/child.clone.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/views/ns3/internal.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/views/ns3/named1.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/views/ns3/named2.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/views/ns5/child.clone.db	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/views/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/views/setup.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./bin/tests/system/views/tests.sh		SH	2000,2001,2004,2007,2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/wildcard/clean.sh		SH	2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns1/dlv.db.in	ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns1/named.conf.in	CONF-C	2012,2013,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns1/nsec.db.in	ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns1/nsec3.db.in	ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns1/private.nsec.db.in	ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns1/private.nsec3.db.in	ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns1/root.db.in	ZONE	2012,2013,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns1/sign.sh		SH	2012,2013,2014,2016,2018,2019,2020
-./bin/tests/system/wildcard/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/wildcard/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/wildcard/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/wildcard/ns5/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/wildcard/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/wildcard/setup.sh		SH	2012,2014,2016,2018,2019,2020
-./bin/tests/system/wildcard/tests.sh		SH	2012,2013,2016,2018,2019,2020
-./bin/tests/system/win32/bigkey.dsp.in		X	2016,2018,2019,2020
-./bin/tests/system/win32/bigkey.dsw		X	2016,2018,2019,2020
-./bin/tests/system/win32/bigkey.mak.in		X	2016,2018,2019,2020
-./bin/tests/system/win32/bigkey.vcxproj.filters.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/bigkey.vcxproj.in	X	2016,2017,2018,2019,2020
-./bin/tests/system/win32/bigkey.vcxproj.user	X	2016,2018,2019,2020
-./bin/tests/system/win32/feature-test.dsp.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/feature-test.dsw	X	2016,2018,2019,2020
-./bin/tests/system/win32/feature-test.mak.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/feature-test.vcxproj.filters.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/feature-test.vcxproj.in	X	2016,2017,2018,2019,2020
-./bin/tests/system/win32/feature-test.vcxproj.user	X	2016,2018,2019,2020
-./bin/tests/system/win32/gencheck.dsp.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/gencheck.dsw		X	2016,2018,2019,2020
-./bin/tests/system/win32/gencheck.mak.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/gencheck.vcxproj.filters.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/gencheck.vcxproj.in	X	2016,2017,2018,2019,2020
-./bin/tests/system/win32/gencheck.vcxproj.user	X	2016,2018,2019,2020
-./bin/tests/system/win32/keycreate.dsp.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/keycreate.dsw		X	2016,2018,2019,2020
-./bin/tests/system/win32/keycreate.mak.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/keycreate.vcxproj.filters.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/keycreate.vcxproj.in	X	2016,2017,2018,2019,2020
-./bin/tests/system/win32/keycreate.vcxproj.user	X	2016,2018,2019,2020
-./bin/tests/system/win32/keydelete.dsp.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/keydelete.dsw		X	2016,2018,2019,2020
-./bin/tests/system/win32/keydelete.mak.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/keydelete.vcxproj.filters.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/keydelete.vcxproj.in	X	2016,2017,2018,2019,2020
-./bin/tests/system/win32/keydelete.vcxproj.user	X	2016,2018,2019,2020
-./bin/tests/system/win32/lwtest.dsp.in		X	2016,2018,2019,2020
-./bin/tests/system/win32/lwtest.dsw		X	2016,2018,2019,2020
-./bin/tests/system/win32/lwtest.mak.in		X	2016,2018,2019,2020
-./bin/tests/system/win32/lwtest.vcxproj.filters.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/lwtest.vcxproj.in	X	2016,2017,2018,2019,2020
-./bin/tests/system/win32/lwtest.vcxproj.user	X	2016,2018,2019,2020
-./bin/tests/system/win32/pipequeries.dsp.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/pipequeries.dsw	X	2016,2018,2019,2020
-./bin/tests/system/win32/pipequeries.mak.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/pipequeries.vcxproj.filters.in	X	2016,2018,2019,2020
-./bin/tests/system/win32/pipequeries.vcxproj.in	X	2016,2017,2018,2019,2020
-./bin/tests/system/win32/pipequeries.vcxproj.user	X	2016,2018,2019,2020
-./bin/tests/system/xfer/ans5/badkeydata		X	2011,2018,2019,2020
-./bin/tests/system/xfer/ans5/goodaxfr		X	2011,2018,2019,2020
-./bin/tests/system/xfer/ans5/partial		X	2011,2018,2019,2020
-./bin/tests/system/xfer/ans5/unknownkey		X	2011,2018,2019,2020
-./bin/tests/system/xfer/ans5/unsigned		X	2011,2018,2019,2020
-./bin/tests/system/xfer/ans5/wrongkey		X	2011,2018,2019,2020
-./bin/tests/system/xfer/clean.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/xfer/dig1.good		X	2000,2001,2003,2004,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/xfer/dig2.good		X	2000,2001,2003,2004,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tests/system/xfer/knowngood.mapped	X	2016,2018,2019,2020
-./bin/tests/system/xfer/ns1/axfr-too-big.db	ZONE	2016,2018,2019,2020
-./bin/tests/system/xfer/ns1/ixfr-too-big.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/xfer/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/xfer/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/xfer/ns2/mapped.db.in	ZONE	2016,2018,2019,2020
-./bin/tests/system/xfer/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/xfer/ns2/slave.db.in		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/xfer/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/xfer/ns4/named.conf.base	CONF-C	2011,2013,2016,2018,2019,2020
-./bin/tests/system/xfer/ns4/root.db.in		ZONE	2011,2016,2018,2019,2020
-./bin/tests/system/xfer/ns6/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/xfer/ns7/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/xfer/ns8/example.db		ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/xfer/ns8/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/xfer/prereq.sh		SH	2011,2012,2014,2016,2018,2019,2020
-./bin/tests/system/xfer/setup.sh		SH	2001,2002,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/xfer/tests.sh		SH	2000,2001,2004,2005,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/xferquota/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/xferquota/ns1/changing1.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/xferquota/ns1/changing2.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/xferquota/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/xferquota/ns1/root.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020
-./bin/tests/system/xferquota/ns2/example.db	ZONE	2000,2001,2002,2003,2004,2007,2009,2016,2018,2019,2020
-./bin/tests/system/xferquota/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/xferquota/setup.pl		PERL	2000,2001,2004,2007,2011,2012,2016,2018,2019,2020
-./bin/tests/system/xferquota/setup.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/xferquota/tests.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./bin/tests/system/zero/ans5/ans.pl		PERL	2016,2018,2019,2020
-./bin/tests/system/zero/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/zero/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/zero/ns1/root.db		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/zero/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/zero/ns2/tld.db		ZONE	2016,2018,2019,2020
-./bin/tests/system/zero/ns3/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/zero/ns3/root.hint		ZONE	2013,2016,2018,2019,2020
-./bin/tests/system/zero/ns4/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/zero/ns4/one.tld.db		ZONE	2016,2018,2019,2020
-./bin/tests/system/zero/prereq.sh		SH	2018,2019,2020
-./bin/tests/system/zero/setup.sh		SH	2013,2014,2016,2018,2019,2020
-./bin/tests/system/zero/tests.sh		SH	2013,2016,2017,2018,2019,2020
-./bin/tests/system/zonechecks/a.db		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/zonechecks/aaaa.db		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/zonechecks/bigserial.db	ZONE	2015,2016,2018,2019,2020
-./bin/tests/system/zonechecks/clean.sh		SH	2004,2007,2012,2014,2015,2016,2018,2019,2020
-./bin/tests/system/zonechecks/cname.db		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/zonechecks/dname.db		ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/zonechecks/noaddress.db	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/zonechecks/ns1/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/zonechecks/ns2/named.conf.in	CONF-C	2018,2019,2020
-./bin/tests/system/zonechecks/nxdomain.db	ZONE	2004,2007,2016,2018,2019,2020
-./bin/tests/system/zonechecks/prereq.sh		SH	2014,2016,2018,2019,2020
-./bin/tests/system/zonechecks/setup.sh		SH	2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/system/zonechecks/tests.sh		SH	2004,2007,2009,2012,2013,2014,2015,2016,2018,2019,2020
-./bin/tests/testdata/wire/wire_test.data	X	1999,2000,2001,2018,2019,2020
-./bin/tests/testdata/wire/wire_test.data2	X	1999,2000,2001,2018,2019,2020
-./bin/tests/testdata/wire/wire_test.data3	X	1999,2000,2001,2018,2019,2020
-./bin/tests/testdata/wire/wire_test.data4	X	1999,2000,2001,2018,2019,2020
-./bin/tests/virtual-time/Makefile.in		MAKE	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/README			TXT.BRIEF	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-ksk/clean.sh	SH	2010,2012,2015,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-ksk/ns1/example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-ksk/ns1/named.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-ksk/ns1/root.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-ksk/ns1/sign.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-ksk/setup.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-ksk/tests.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-zsk/clean.sh	SH	2010,2012,2015,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-zsk/ns1/example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-zsk/ns1/named.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-zsk/ns1/root.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-zsk/ns1/sign.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-zsk/setup.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/autosign-zsk/tests.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/cleanall.sh		SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/common/controls.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/common/rndc.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/common/root.hint	ZONE	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/conf.sh.in		SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/run.sh			SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/runall.sh		SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/setup.sh		SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/slave/clean.sh		SH	2010,2012,2015,2016,2018,2019,2020
-./bin/tests/virtual-time/slave/ns1/example.db.in	ZONE	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/slave/ns1/named.conf	CONF-C	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/slave/ns1/root.db	ZONE	2010,2016,2018,2019,2020
-./bin/tests/virtual-time/slave/ns1/wrap.sh	SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/slave/setup.sh		SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/slave/tests.sh		SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/start.pl		PERL	2010,2012,2015,2016,2018,2019,2020
-./bin/tests/virtual-time/start.sh		SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/stop.pl		PERL	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/stop.sh		SH	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/testsock.pl		PERL	2010,2012,2016,2018,2019,2020
-./bin/tests/virtual-time/vtwrapper.c		C	2010,2016,2018,2019,2020
-./bin/tests/win32/backtrace_test.dsp.in		X	2013,2018,2019,2020
-./bin/tests/win32/backtrace_test.dsw		X	2013,2018,2019,2020
-./bin/tests/win32/backtrace_test.mak.in		X	2013,2018,2019,2020
-./bin/tests/win32/backtrace_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tests/win32/backtrace_test.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020
-./bin/tests/win32/backtrace_test.vcxproj.user	X	2013,2018,2019,2020
-./bin/tests/win32/inter_test.dsp.in		X	2013,2018,2019,2020
-./bin/tests/win32/inter_test.dsw		X	2013,2018,2019,2020
-./bin/tests/win32/inter_test.mak.in		X	2013,2018,2019,2020
-./bin/tests/win32/inter_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tests/win32/inter_test.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020
-./bin/tests/win32/inter_test.vcxproj.user	X	2013,2018,2019,2020
-./bin/tests/win32/makejournal.dsp.in		X	2016,2018,2019,2020
-./bin/tests/win32/makejournal.dsw		X	2016,2018,2019,2020
-./bin/tests/win32/makejournal.mak.in		X	2016,2018,2019,2020
-./bin/tests/win32/makejournal.vcxproj.filters.in	X	2016,2018,2019,2020
-./bin/tests/win32/makejournal.vcxproj.in	X	2016,2017,2018,2019,2020
-./bin/tests/win32/makejournal.vcxproj.user	X	2016,2018,2019,2020
-./bin/tests/win32/rwlock_test.dsp.in		X	2013,2018,2019,2020
-./bin/tests/win32/rwlock_test.dsw		X	2013,2018,2019,2020
-./bin/tests/win32/rwlock_test.mak.in		X	2013,2018,2019,2020
-./bin/tests/win32/rwlock_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tests/win32/rwlock_test.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020
-./bin/tests/win32/rwlock_test.vcxproj.user	X	2013,2018,2019,2020
-./bin/tests/win32/shutdown_test.dsp.in		X	2013,2018,2019,2020
-./bin/tests/win32/shutdown_test.dsw		X	2013,2018,2019,2020
-./bin/tests/win32/shutdown_test.mak.in		X	2013,2018,2019,2020
-./bin/tests/win32/shutdown_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tests/win32/shutdown_test.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020
-./bin/tests/win32/shutdown_test.vcxproj.user	X	2013,2018,2019,2020
-./bin/tests/win32/sock_test.dsp.in		X	2013,2018,2019,2020
-./bin/tests/win32/sock_test.dsw			X	2013,2018,2019,2020
-./bin/tests/win32/sock_test.mak.in		X	2013,2018,2019,2020
-./bin/tests/win32/sock_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tests/win32/sock_test.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020
-./bin/tests/win32/sock_test.vcxproj.user	X	2013,2018,2019,2020
-./bin/tests/win32/task_test.dsp.in		X	2013,2018,2019,2020
-./bin/tests/win32/task_test.dsw			X	2013,2018,2019,2020
-./bin/tests/win32/task_test.mak.in		X	2013,2018,2019,2020
-./bin/tests/win32/task_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tests/win32/task_test.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020
-./bin/tests/win32/task_test.vcxproj.user	X	2013,2018,2019,2020
-./bin/tests/win32/timer_test.dsp.in		X	2013,2018,2019,2020
-./bin/tests/win32/timer_test.dsw		X	2013,2018,2019,2020
-./bin/tests/win32/timer_test.mak.in		X	2013,2018,2019,2020
-./bin/tests/win32/timer_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tests/win32/timer_test.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020
-./bin/tests/win32/timer_test.vcxproj.user	X	2013,2018,2019,2020
-./bin/tests/wire_test.c				C	1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./bin/tools/Makefile.in				MAKE	2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/tests/optional/rwlock_test.c		C	1998,1999,2000,2001,2004,2005,2007,2013,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/serial_test.c		C	1999,2000,2001,2003,2004,2007,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/shutdown_test.c		C	1998,1999,2000,2001,2004,2007,2011,2013,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/sig0_test.c		C	2000,2001,2004,2005,2007,2008,2009,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/sock_test.c		C	1998,1999,2000,2001,2004,2007,2008,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/optional/sym_test.c			C	1998,1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/task_test.c		C	1998,1999,2000,2001,2004,2007,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/timer_test.c		C	1998,1999,2000,2001,2004,2007,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/optional/zone_test.c		C	1999,2000,2001,2002,2004,2005,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/Makefile.in			MAKE	2014,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/README			X	2014,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/Makefile.in	MAKE	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/create.c		C	2014,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/find.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/genrsa.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/login.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/privrsa.c		C	2014,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/pubrsa.c		C	2014,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/random.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/session.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/sha1.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/sign.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/benchmarks/verify.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/pkcs11-hmacmd5.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/pkcs11/pkcs11-md5sum.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/prepare-softhsm2.sh			X	2018,2019,2020,2021
+./bin/tests/startperf/README			X	2011,2018,2019,2020,2021
+./bin/tests/startperf/clean.sh			SH	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/startperf/makenames.pl		PERL	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/startperf/mkzonefile.pl		PERL	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/startperf/setup.sh			SH	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/startperf/smallzone.db		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/Makefile.in			MAKE	2000,2001,2004,2007,2008,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/README			TXT.BRIEF	2000,2001,2004,2010,2011,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/system/acl/clean.sh			SH	2008,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/acl/ns2/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/ns2/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/ns2/named3.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/ns2/named4.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/ns2/named5.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/ns2/named6.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/ns2/named7.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/ns3/example.db		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/acl/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/ns4/example.db		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/acl/ns4/existing.db		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/acl/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/acl/setup.sh			SH	2008,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/acl/tests.sh			SH	2008,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/additional/clean.sh		SH	2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/additional/ns1/mx.db		ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/additional/ns1/named.args	X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/additional/ns1/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/additional/ns1/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/additional/ns1/named3.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/additional/ns1/named4.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/additional/ns1/naptr.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/additional/ns1/naptr2.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/additional/ns1/nid.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/additional/ns1/root.db	ZONE	2019,2020,2021
+./bin/tests/system/additional/ns1/rt.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/additional/ns1/rt2.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/additional/ns1/srv.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/additional/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/additional/ns3/root.hint	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/additional/setup.sh		SH	2013,2016,2018,2019,2020,2021
+./bin/tests/system/additional/tests.sh		SH	2013,2016,2017,2018,2019,2020,2021
+./bin/tests/system/addzone/clean.sh		SH	2010,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/addzone/ns1/inlineslave.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/addzone/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/added.db		ZONE	2010,2013,2016,2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/default.nzf.in	X	2010,2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/hints.db		ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/inline.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/normal.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/previous.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/addzone/ns2/redirect.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/addzone/ns3/e.db		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/addzone/ns3/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/addzone/ns3/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/addzone/setup.sh		SH	2010,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/addzone/tests.sh		SH	2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/allow-query/clean.sh		SH	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns1/root.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/generic.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named01.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named02.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named03.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named04.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named05.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named06.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named07.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named08.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named09.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named10.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named11.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named12.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named21.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named22.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named23.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named24.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named25.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named26.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named27.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named28.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named29.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named30.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named31.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named32.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named33.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named34.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named40.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named53.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named54.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named55.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named56.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns2/named57.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns3/named.args	X	2018,2019,2020,2021
+./bin/tests/system/allow-query/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/allow-query/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/allow-query/tests.sh		SH	2018,2019,2020,2021
+./bin/tests/system/ans.pl			PERL	2011,2012,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/auth/clean.sh		SH	2018,2019,2020,2021
+./bin/tests/system/auth/ns1/chaos.db		ZONE	2018,2019,2020,2021
+./bin/tests/system/auth/ns1/example.com.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/auth/ns1/example.net.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/auth/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/auth/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/auth/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/auth/tests.sh		SH	2018,2019,2020,2021
+./bin/tests/system/autosign/clean.sh		SH	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/autosign/ns1/keygen.sh	SH	2009,2010,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/autosign/ns1/root.db.in	ZONE	2009,2010,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/Xbar.+005+30676.key	X	2010,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/Xbar.+005+30676.private	X	2010,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/Xbar.+005+30804.key	X	2010,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/Xbar.+005+30804.private	X	2010,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/bar.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/child.nsec3.example.db	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/child.optout.example.db	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/dst.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/example.db.in	ZONE	2009,2010,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/insecure.secure.example.db	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/keygen.sh	SH	2009,2010,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/autosign/ns2/private.secure.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/autonsec3.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/delay.example.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/delzsk.example.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/inacksk2.example.db.in	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/inacksk3.example.db.in	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/inaczsk.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/inaczsk2.example.db.in	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/inaczsk3.example.db.in	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/insecure.example.db	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in	ZONE	2019,2020,2021
+./bin/tests/system/autosign/ns3/keygen.sh	SH	2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/nozsk.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/nsec.example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/nsec3.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/nsec3.optout.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/oldsigs.example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/optout.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/optout.nsec3.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/optout.optout.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/rsasha256.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/rsasha512.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/secure.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/secure.nsec3.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/secure.optout.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/sync.example.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/ttl1.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/ttl2.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/ttl3.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns3/ttl4.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/autosign/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/autosign/prereq.sh		SH	2009,2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/setup.sh		SH	2009,2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/autosign/tests.sh		SH	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/builtin/clean.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/builtin/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/builtin/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/builtin/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/builtin/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/builtin/tests.sh		SH	2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cacheclean/clean.sh		SH	2001,2004,2007,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cacheclean/dig.batch		X	2001,2018,2019,2020,2021
+./bin/tests/system/cacheclean/knowngood.dig.out	X	2001,2018,2019,2020,2021
+./bin/tests/system/cacheclean/ns1/example.db	ZONE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/cacheclean/ns1/expire-test.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/cacheclean/ns1/flushtest.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/cacheclean/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cacheclean/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cacheclean/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/cacheclean/tests.sh		SH	2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/case/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/case/dynamic.good		X	2015,2018,2019,2020,2021
+./bin/tests/system/case/ns1/dynamic.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/case/ns1/example.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/case/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/case/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/case/postns1.good		X	2015,2018,2019,2020,2021
+./bin/tests/system/case/postupdate.good		X	2015,2018,2019,2020,2021
+./bin/tests/system/case/setup.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/case/tests.sh		SH	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/catz/clean.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/catz/ns1/catalog.example.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/catz/ns1/named.conf.in	CONF-C	2016,2017,2018,2019,2020,2021
+./bin/tests/system/catz/ns2/named.conf.in	CONF-C	2016,2017,2018,2019,2020,2021
+./bin/tests/system/catz/ns3/dom5.example.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/catz/ns3/dom6.example.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/catz/ns3/named.conf.in	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/catz/setup.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/catz/tests.sh		SH	2016,2017,2018,2019,2020,2021
+./bin/tests/system/chain/README			TXT.BRIEF	2017,2018,2019,2020,2021
+./bin/tests/system/chain/ans3/ans.pl		PERL	2017,2018,2019,2020,2021
+./bin/tests/system/chain/ans4/README.anspy	TXT.BRIEF	2017,2018,2019,2020,2021
+./bin/tests/system/chain/ans4/ans.py		PYTHON	2017,2018,2019,2020,2021
+./bin/tests/system/chain/clean.sh		SH	2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/chain/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/chain/ns1/root.db		ZONE	2011,2016,2017,2018,2019,2020,2021
+./bin/tests/system/chain/ns2/example.db		ZONE	2011,2016,2017,2018,2019,2020,2021
+./bin/tests/system/chain/ns2/generic.db		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/chain/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/chain/ns2/sign.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/chain/ns2/sub.db		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/chain/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/chain/ns5/sub.db		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/chain/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/chain/ns7/root.hint		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/chain/prereq.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/chain/setup.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/chain/tests.sh		SH	2011,2012,2016,2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/altdb.conf		CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/altdlz.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-also-notify.conf	CONF-C	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-catz-zone.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-dnssec.conf	CONF-C	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-hint.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-in-view-dup.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-inline-slave.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf	CONF-C	2019,2020,2021
+./bin/tests/system/checkconf/bad-ipv4-prefix2.conf	CONF-C	2019,2020,2021
+./bin/tests/system/checkconf/bad-keep-response-order.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-lifetime.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-many.conf	CONF-C	2005,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-master-request-ixfr.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-maxttlmap.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-noddns.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-options-also-notify.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-acl.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-slip.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rate-limit-window.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-rpz-zone.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-sharedwritable1.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-sharedwritable2.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-sharedzone1.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-sharedzone2.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-sharedzone3.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-stub-masters-dialup.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-tsig.conf	CONF-C	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy1.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy10.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy11.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy12.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy13.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy14.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy15.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy2.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy3.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy4.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy5.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy6.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy7.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy8.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-update-policy9.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/bad-view-also-notify.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-dlv-ksk-key.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/check-dup-records-fail.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-dup-records.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-missing-zone.conf	CONF-C	2020,2021
+./bin/tests/system/checkconf/check-mx-cname-fail.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-mx-cname.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-mx-fail.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-mx.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-names-fail.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-names.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-root-ksk-2010.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/check-root-ksk-2017.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/check-root-ksk-both.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/check-srv-cname-fail.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/check-srv-cname.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/clean.sh		SH	2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/dlz-bad.conf	CONF-C	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/dnssec.1		CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/dnssec.2		CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/dnssec.3		CONF-C	2011,2016,2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-acl.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-class.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-dlv-dlv.example.com.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-dup-managed-key.conf	CONF-C	2019,2020,2021
+./bin/tests/system/checkconf/good-dup-trusted-key.conf	CONF-C	2019,2020,2021
+./bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-nested.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-options-also-notify.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-response-dot.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy1.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy10.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy11.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy12.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy2.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy3.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy4.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy5.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy6.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy7.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy8.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-update-policy9.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checkconf/good-view-also-notify.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/good.conf		CONF-C	2005,2007,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/hint-nofile.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/in-view-good.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/inline-bad.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/inline-good.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/inline-no.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/max-cache-size-good.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/max-ttl.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/maxttl-bad.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/maxttl-bad.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/maxttl.db		ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/notify.conf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/portrange-good.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/range.conf		CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/shared.example.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/tests.sh		SH	2005,2007,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/view-class-any1.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/view-class-any2.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/view-class-in1.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/view-class-in2.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf	CONF-C	2020,2021
+./bin/tests/system/checkconf/warn-dlv-auto.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/checkconf/warn-duplicate-key.conf	CONF-C	2019,2020,2021
+./bin/tests/system/checkconf/warn-duplicate-root-key.conf	CONF-C	2019,2020,2021
+./bin/tests/system/checkconf/warn-keydir.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkconf/warn-validation-auto-key.conf	CONF-C	2019,2020,2021
+./bin/tests/system/checkds/clean.sh		SH	2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkds/dig.bat		BAT	2016,2018,2019,2020,2021
+./bin/tests/system/checkds/dig.pl		PERL	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkds/dig.sh		SH	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkds/missing.example.dlv.example.dlv.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/missing.example.dnskey.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/missing.example.ds.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/none.example.dlv.example.dlv.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/none.example.dnskey.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/none.example.ds.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/ok.example.dlv.example.dlv.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/ok.example.dnskey.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/ok.example.ds.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/tests.sh		SH	2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/wrong.example.dnskey.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checkds/wrong.example.ds.db	X	2012,2018,2019,2020,2021
+./bin/tests/system/checknames/clean.sh		SH	2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns1/fail.example.db.in	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns1/fail.update.db.in	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns1/ignore.example.db.in	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns1/ignore.update.db.in	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checknames/ns1/root.db	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns1/warn.example.db.in	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns1/warn.update.db.in	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checknames/ns2/root.hints	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checknames/ns3/root.hints	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns4/master-ignore.update.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/checknames/ns4/root.hints	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/setup.sh		SH	2004,2007,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/checknames/tests.sh		SH	2004,2007,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/clean.sh		SH	2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/setup.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/tests.sh		SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-badclass.raw	X	2015,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-caa-rr.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-cdnskey.db	ZONE	2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-cds.db	ZONE	2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-dhcid.db	ZONE	2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-eid.db	ZONE	2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-generate-tkey.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-nimloc.db	ZONE	2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-nsap-empty.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-nsec3-padded.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-tkey.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-tsig.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad-unspec.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad1.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad2.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad3.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/bad4.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/badttl.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/crashzone.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/good-cdnskey.db	ZONE	2019,2020,2021
+./bin/tests/system/checkzone/zones/good-cds.db	ZONE	2019,2020,2021
+./bin/tests/system/checkzone/zones/good-dns-sd-reverse.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/good-gc-msdcs.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/good-nsap.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/good1.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/inherit.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/nowarn.inherited.owner.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/ns-address-below-dname.db	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/spf.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/test1.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/test2.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/warn.inherit.origin.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/checkzone/zones/warn.inherited.owner.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/cleanall.sh			SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cleanpkcs11.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/common/controls.conf		CONF-C	2000,2001,2004,2007,2013,2016,2018,2019,2020,2021
+./bin/tests/system/common/controls.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/common/rndc.conf		CONF-C	2000,2001,2004,2007,2013,2016,2018,2019,2020,2021
+./bin/tests/system/common/rndc.key		CONF-C	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/common/root.hint		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/conf.sh.in			SH	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/conf.sh.win32		SH	2016,2017,2018,2019,2020,2021
+./bin/tests/system/cookie/ans9/ans.py		PYTHON	2020,2021
+./bin/tests/system/cookie/bad-cookie-badaes.conf.in	X	2019,2020,2021
+./bin/tests/system/cookie/bad-cookie-badhex.conf	CONF-C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cookie/bad-cookie-badsha1.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/cookie/bad-cookie-badsha256.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/cookie/bad-cookie-badsiphash24.conf	X	2019,2020,2021
+./bin/tests/system/cookie/bad-cookie-toolong.conf	CONF-C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cookie/clean.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cookie/good-cookie-aes.conf.in	X	2019,2020,2021
+./bin/tests/system/cookie/good-cookie-sha1.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/cookie/good-cookie-sha256.conf	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/cookie/good-cookie-siphash24.conf	X	2019,2020,2021
+./bin/tests/system/cookie/ns1/example.db	ZONE	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cookie/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cookie/ns1/root.hint		ZONE	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cookie/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cookie/ns2/root.db		ZONE	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/cookie/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cookie/ns3/root.hint		ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/cookie/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cookie/ns4/root.hint		ZONE	2018,2019,2020,2021
+./bin/tests/system/cookie/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cookie/ns5/root.hint		ZONE	2018,2019,2020,2021
+./bin/tests/system/cookie/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cookie/ns6/root.hint		ZONE	2018,2019,2020,2021
+./bin/tests/system/cookie/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cookie/ns7/root.db		ZONE	2018,2019,2020,2021
+./bin/tests/system/cookie/ns8/example.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/cookie/ns8/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/cookie/prereq.sh		SH	2020,2021
+./bin/tests/system/cookie/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/cookie/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/coverage/01-ksk-inactive/README	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/01-ksk-inactive/expect	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/02-zsk-inactive/README	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/02-zsk-inactive/expect	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/03-ksk-unpublished/README	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/03-ksk-unpublished/expect	X	2013,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/04-zsk-unpublished/README	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/04-zsk-unpublished/expect	X	2013,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/05-ksk-unpub-active/README	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/05-ksk-unpub-active/expect	X	2013,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/06-zsk-unpub-active/README	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/06-zsk-unpub-active/expect	X	2013,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/07-ksk-ttl/README	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/07-ksk-ttl/expect	X	2013,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/08-zsk-ttl/README	X	2013,2018,2019,2020,2021
+./bin/tests/system/coverage/08-zsk-ttl/expect	X	2013,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/09-check-zsk/README	X	2014,2018,2019,2020,2021
+./bin/tests/system/coverage/09-check-zsk/expect	X	2014,2018,2019,2020,2021
+./bin/tests/system/coverage/10-check-ksk/README	X	2014,2018,2019,2020,2021
+./bin/tests/system/coverage/10-check-ksk/expect	X	2014,2018,2019,2020,2021
+./bin/tests/system/coverage/11-cutoff/README	X	2014,2018,2019,2020,2021
+./bin/tests/system/coverage/11-cutoff/expect	X	2014,2018,2019,2020,2021
+./bin/tests/system/coverage/12-ksk-deletion/expect	X	2018,2019,2020,2021
+./bin/tests/system/coverage/13-dotted-dotless/expect	X	2019,2020,2021
+./bin/tests/system/coverage/clean.sh		SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/setup.sh		SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/coverage/tests.sh		SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/database/clean.sh		SH	2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/database/ns1/named1.conf.in	CONF-C	2011,2013,2018,2019,2020,2021
+./bin/tests/system/database/ns1/named2.conf.in	CONF-C	2011,2013,2018,2019,2020,2021
+./bin/tests/system/database/setup.sh		SH	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/database/tests.sh		SH	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/delzone/clean.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/delzone/ns1/inlineslave.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/delzone/ns1/named.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/delzone/ns2/added.db		ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/delzone/ns2/named.args	X	2016,2018,2019,2020,2021
+./bin/tests/system/delzone/ns2/named.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/delzone/ns2/normal.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/delzone/tests.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/dialup/clean.sh		SH	2019,2020,2021
+./bin/tests/system/dialup/ns1/example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dialup/ns1/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dialup/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dialup/ns2/hint.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dialup/ns2/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dialup/ns3/hint.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dialup/ns3/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dialup/tests.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/digcomp.pl			PERL	2000,2001,2004,2007,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/digdelv/ans4/startme		X	2017,2018,2019,2020,2021
+./bin/tests/system/digdelv/ans7/ans.pl		PERL	2020,2021
+./bin/tests/system/digdelv/clean.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/digdelv/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/digdelv/ns1/root.db		ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/digdelv/ns2/example.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/digdelv/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/digdelv/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/digdelv/prereq.sh		SH	2018,2019,2020,2021
+./bin/tests/system/digdelv/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/digdelv/tests.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/ditch.pl			PERL	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/clean.sh			SH	2004,2007,2010,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dlv/ns1/root.db.in		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns1/rootservers.utld.db	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns1/sign.sh		SH	2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns2/druz.db.in		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns2/hints		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dlv/ns2/sign.sh		SH	2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns2/utld.db		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns3/child.db.in		ZONE	2004,2007,2010,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns3/dlv.db.in		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns3/hints		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dlv/ns3/sign.sh		SH	2004,2007,2009,2010,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns4/child.db		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns4/hints		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dlv/ns5/hints		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dlv/ns5/rndc.conf		CONF-C	2004,2007,2013,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns6/child.db.in		ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns6/hints		ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dlv/ns6/sign.sh		SH	2010,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/ns7/hints		ZONE	2019,2020,2021
+./bin/tests/system/dlv/ns7/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/dlv/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/setup.sh			SH	2004,2007,2009,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlv/tests.sh			SH	2004,2007,2010,2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/clean.sh			SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.=	TXT.BRIEF	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.=	TXT.BRIEF	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=	TXT.BRIEF	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=	TXT.BRIEF	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=	TXT.BRIEF	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=	TXT.BRIEF	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1	TXT.BRIEF	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dlz/prereq.sh		SH	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/dlz/setup.sh			SH	2018,2019,2020,2021
+./bin/tests/system/dlz/tests.sh			SH	2010,2011,2012,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/Makefile.in	MAKE	2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/clean.sh		SH	2010,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/driver.c		C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/driver.h		C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/ns1/dlzs.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dlzexternal/ns1/named.conf.in	CONF-C	2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/ns1/root.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/prereq.sh	SH	2010,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dlzexternal/tests.sh		SH	2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/clean.sh		SH	2010,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad1.conf		CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad18.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/bad19.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/bad2.conf		CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad3.conf		CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad4.conf		CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad5.conf		CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad6.conf		CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad7.conf		CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad8.conf		CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/bad9.conf		CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/good1.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/good2.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/good3.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/good4.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/good5.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/conf/warn1.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/warn2.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/warn3.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/warn4.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/warn5.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/warn6.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/warn7.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/conf/warn8.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dns64/ns1/example.db		ZONE	2010,2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dns64/ns1/root.db		ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/ns1/sign.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dns64/ns2/rpz.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dns64/tests.sh		SH	2010,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/README		TXT.BRIEF	2000,2001,2002,2004,2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ans10/ans.py		PYTHON	2020,2021
+./bin/tests/system/dnssec/clean.sh		SH	2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/dnssec/dnssec_update_test.pl	PERL	2002,2004,2007,2010,2012,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns1/root.db.in	ZONE	2000,2001,2004,2007,2010,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns1/sign.sh		SH	2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/algroll.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/badparam.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/cdnskey.secure.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/cds-auto.secure.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/cds-update.secure.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/cds.secure.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/child.nsec3.example.db	ZONE	2006,2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/child.optout.example.db	ZONE	2006,2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/dlv.db.in		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/dst.example.db.in	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/example.db.in	ZONE	2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/in-addr.arpa.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/insecure.secure.example.db	ZONE	2000,2001,2004,2007,2013,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/key.db.in		ZONE	2019,2020,2021
+./bin/tests/system/dnssec/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/private.secure.example.db.in	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/rfc2335.example.db	X	2004,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/sign.sh		SH	2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/single-nsec3.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns2/template.secure.db.in	ZONE	2019,2020,2021
+./bin/tests/system/dnssec/ns2/too-many-iterations.db.in	ZONE	2021
+./bin/tests/system/dnssec/ns3/auto-nsec.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/bogus.example.db.in	ZONE	2000,2001,2004,2007,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/dynamic.example.db.in	ZONE	2002,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/expired.example.db.in	ZONE	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/expiring.example.db.in	ZONE	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/future.example.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/generic.example.db.in	ZONE	2001,2002,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/inline.example.db	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/insecure.below-cname.example.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/insecure.example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/insecure.nsec3.example.db	ZONE	2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/insecure.optout.example.db	ZONE	2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/key.db.in		ZONE	2019,2020,2021
+./bin/tests/system/dnssec/ns3/kskonly.example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/lower.example.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/managed-future.example.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/multiple.example.db.in	ZONE	2006,2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/nosign.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in	ZONE	2006,2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/nsec3.example.db.in	ZONE	2006,2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in	ZONE	2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in	ZONE	2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/occluded.example.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/optout-unknown.example.db.in	ZONE	2006,2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/optout.example.db.in	ZONE	2006,2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in	ZONE	2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/optout.optout.example.db.in	ZONE	2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/publish-inactive.example.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/rsasha256.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/rsasha512.example.db.in	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/secure.example.db.in	ZONE	2000,2001,2004,2007,2008,2010,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in	ZONE	2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/secure.optout.example.db.in	ZONE	2008,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/siginterval.example.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/siginterval1.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/siginterval2.conf	CONF-C	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/sign.sh		SH	2000,2001,2002,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/split-dnssec.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/split-smart.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/ttlpatch.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/unsupported-algorithm.key	X	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/update-nsec3.example.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns3/upper.example.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns4/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns4/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns4/named3.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns4/named4.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns4/named5.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns5/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns5/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns5/sign.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns5/trusted.conf.bad	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns6/named.args	X	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns6/optout-tld.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns6/sign.sh		SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnssec/ns7/named.nosoa	TXT.BRIEF	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns7/nosoa.secure.example.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns7/sign.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns7/split-rrsig.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/ns8/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/dnssec/ns9/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/dnssec/ntadiff.pl		PERL	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/prereq.sh		SH	2000,2001,2002,2004,2006,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/setup.sh		SH	2000,2001,2004,2007,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key	X	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private	X	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key	X	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private	X	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key	X	2021
+./bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private	X	2021
+./bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key	X	2021
+./bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private	X	2021
+./bin/tests/system/dnssec/signer/general/bogus-ksk.key	X	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/bogus-zsk.key	X	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test1.zone	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test2.zone	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test3.zone	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test4.zone	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test5.zone	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test6.zone	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test7.zone	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test8.zone	ZONE	2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/general/test9.zone	ZONE	2021
+./bin/tests/system/dnssec/signer/remove.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/signer/remove2.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/dnssec/tests.sh		SH	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/dnstap/README		TXT.BRIEF	2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dnstap/bad-missing-dnstap-output.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dnstap/clean.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/dnstap/good-dnstap-in-options.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dnstap/good-dnstap-in-view.conf	CONF-C	2019,2020,2021
+./bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/large-answer.fstrm	X	2019,2020,2021
+./bin/tests/system/dnstap/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnstap/ns1/root.db		ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/ns2/example.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dnstap/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnstap/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnstap/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dnstap/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/dnstap/tests.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/dnstap/ydump.py		PYTHON	2016,2017,2018,2019,2020,2021
+./bin/tests/system/dscp/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/dscp/ns1/named.args		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/dscp/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dscp/ns1/root.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dscp/ns2/named.args		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/dscp/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dscp/ns3/hint.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dscp/ns3/named.args		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/dscp/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dscp/ns4/named.args		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/dscp/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dscp/ns4/root.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dscp/ns5/named.args		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/dscp/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dscp/ns6/hint.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dscp/ns6/named.args		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/dscp/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dscp/ns7/named.args		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/dscp/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dscp/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/dscp/tests.sh		SH	2013,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/clean.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns1/root.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns1/sign.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns2/bad.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns2/good.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns2/sign.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dsdigest/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dsdigest/prereq.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/setup.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/dsdigest/tests.sh		SH	2012,2016,2018,2019,2020,2021
+./bin/tests/system/dupsigs/check_journal.pl	PERL	2018,2019,2020,2021
+./bin/tests/system/dupsigs/clean.sh		SH	2018,2019,2020,2021
+./bin/tests/system/dupsigs/ns1/named.args	X	2018,2019,2020,2021
+./bin/tests/system/dupsigs/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dupsigs/ns1/reset_keys.sh	SH	2018,2019,2020,2021
+./bin/tests/system/dupsigs/ns1/signing.test.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/dupsigs/prereq.sh		SH	2018,2019,2020,2021
+./bin/tests/system/dupsigs/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/dupsigs/tests.sh		SH	2018,2019,2020,2021
+./bin/tests/system/dyndb/Makefile.in		MAKE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dyndb/clean.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/AUTHORS		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/COPYING		X	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/Makefile.in	MAKE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/README		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/db.c		X	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/db.h		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/driver.c	X	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/instance.c	X	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/instance.h	X	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/lock.c		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/lock.h		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/log.c		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/log.h		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/syncptr.c	X	2015,2017,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/syncptr.h	X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/util.h		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/zone.c		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/driver/zone.h		X	2015,2018,2019,2020,2021
+./bin/tests/system/dyndb/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/dyndb/prereq.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/dyndb/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/dyndb/tests.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/ecdsa/clean.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/ecdsa/ns1/named.conf		CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/ecdsa/ns1/root.db.in		ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/ecdsa/ns1/sign.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/ecdsa/ns2/named.conf		CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/ecdsa/prereq.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/ecdsa/setup.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/ecdsa/tests.sh		SH	2012,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/system/eddsa/clean.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns1/named.conf		CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns1/root.db.in		ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns1/sign.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.key	X	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private	X	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key	X	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private	X	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key	X	2019,2020,2021
+./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private	X	2019,2020,2021
+./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key	X	2019,2020,2021
+./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private	X	2019,2020,2021
+./bin/tests/system/eddsa/ns2/example.com.db	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns2/named.conf		CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns2/sign.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/prereq.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/setup.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/tests.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/ednscompliance/clean.sh	SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/ednscompliance/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/ednscompliance/ns1/root.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/ednscompliance/setup.sh	SH	2018,2019,2020,2021
+./bin/tests/system/ednscompliance/tests.sh	SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/emptyzones/clean.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/emptyzones/ns1/empty.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/emptyzones/ns1/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/emptyzones/ns1/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/emptyzones/ns1/rfc1918.zones	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/emptyzones/ns1/root.hint	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/emptyzones/setup.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/emptyzones/tests.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/feature-test.c		C	2016,2017,2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ans4/ans.pl	PERL	2015,2016,2018,2019,2020,2021
+./bin/tests/system/fetchlimit/clean.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns1/root.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns2/example.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns3/named.args	X	2015,2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns3/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns3/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns3/named3.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/fetchlimit/ns3/root.hint	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/fetchlimit/prereq.sh		SH	2018,2019,2020,2021
+./bin/tests/system/fetchlimit/setup.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/fetchlimit/tests.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/clean.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/bad1.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/bad2.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/bad3.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/bad4.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/bad5.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/bad6.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/good1.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/good2.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/good3.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/good4.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/good5.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/good6.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/good7.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/conf/good8.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns1/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns1/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns1/root.db	ZONE	2010,2012,2016,2017,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns1/sign.sh	SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns1/signed.db.in	ZONE	2010,2012,2016,2017,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns1/signed.db.presigned	X	2014,2017,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns1/unsigned.db	ZONE	2010,2012,2016,2017,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns2/hints	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns2/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns2/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns3/hints	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns3/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns3/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns4/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns4/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns4/root.db	ZONE	2010,2012,2016,2017,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns4/sign.sh	SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns4/signed.db.in	ZONE	2010,2012,2016,2017,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns4/signed.db.presigned	X	2014,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns4/unsigned.db	ZONE	2010,2012,2016,2017,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns5/hints	ZONE	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/prereq.sh	SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/filter-aaaa/tests.sh		SH	2010,2012,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/formerr/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/formerr/formerr.pl		PERL	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/formerr/nametoolong		X	2013,2018,2019,2020,2021
+./bin/tests/system/formerr/noquestions		X	2013,2018,2019,2020,2021
+./bin/tests/system/formerr/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/formerr/ns1/root.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/formerr/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/formerr/tests.sh		SH	2013,2015,2016,2018,2019,2020,2021
+./bin/tests/system/formerr/twoquestions		X	2013,2018,2019,2020,2021
+./bin/tests/system/forward/ans6/startme		X	2019,2020,2021
+./bin/tests/system/forward/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/forward/ns1/example.db	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/forward/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/forward/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/forward/ns2/example.db	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/forward/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/forward/ns2/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/forward/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/forward/ns3/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/forward/ns4/malicious.db	ZONE	2020,2021
+./bin/tests/system/forward/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/forward/ns4/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/forward/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/forward/ns5/rebind.db	ZONE	2020,2021
+./bin/tests/system/forward/ns5/root.db		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/forward/ns7/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/forward/ns7/root.db		ZONE	2019,2020,2021
+./bin/tests/system/forward/prereq.sh		SH	2019,2020,2021
+./bin/tests/system/forward/rfc1918-inherited.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/forward/rfc1918-notinherited.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/forward/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/forward/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/forward/ula-inherited.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/forward/ula-notinherited.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/genzone.sh			SH	2001,2002,2003,2004,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/geoip/clean.sh		SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIP.csv		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIP.dat		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPASNum.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPASNum.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPASNumv6.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPASNumv6.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPCity.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPCity.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPCityv6.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPCityv6.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPDomain.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPDomain.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPISP.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPISP.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPNetSpeed.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPNetSpeed.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPOrg.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPOrg.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPRegion.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPRegion.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPv6.csv	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/GeoIPv6.dat	X	2013,2018,2019,2020,2021
+./bin/tests/system/geoip/data/README		TXT.BRIEF	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/example.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named10.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named11.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named12.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named13.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named14.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named15.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named16.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip/ns2/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named3.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named4.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named5.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named6.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named7.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named8.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/ns2/named9.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/geoip/options.conf		CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/geoip/prereq.sh		SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/geoip/setup.sh		SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/geoip/tests.sh		SH	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/geoip2/clean.sh		SH	2019,2020,2021
+./bin/tests/system/geoip2/conf/bad-areacode.conf	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/conf/bad-dbname.conf	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/conf/bad-netspeed.conf	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/conf/bad-regiondb.conf	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/conf/bad-threeletter.conf	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/conf/good-options.conf	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoIP2-City.json	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoIP2-City.mmdb	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoIP2-Country.json	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoIP2-Country.mmdb	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoIP2-Domain.json	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoIP2-Domain.mmdb	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoIP2-ISP.json	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoIP2-ISP.mmdb	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoLite2-ASN.json	X	2019,2020,2021
+./bin/tests/system/geoip2/data/GeoLite2-ASN.mmdb	X	2019,2020,2021
+./bin/tests/system/geoip2/data/README.md	MKD	2019,2020,2021
+./bin/tests/system/geoip2/data/write-test-data.pl	PERL	2019,2020,2021
+./bin/tests/system/geoip2/ns2/example.db.in	ZONE	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named1.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named10.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named11.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named12.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named13.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named14.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named2.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named3.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named4.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named5.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named6.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named7.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named8.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/ns2/named9.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/geoip2/prereq.sh		SH	2019,2020,2021
+./bin/tests/system/geoip2/setup.sh		SH	2019,2020,2021
+./bin/tests/system/geoip2/tests.sh		SH	2019,2020,2021
+./bin/tests/system/glue/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/glue/fi.good			X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/glue/noglue.good		X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/glue/ns1/cache.in		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/glue/ns1/mil.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/glue/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/glue/ns1/net.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/glue/ns1/root-servers.nil.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/glue/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/glue/setup.sh		SH	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/glue/tests.sh		SH	2000,2001,2003,2004,2007,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/glue/xx.good			X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/glue/yy.good			X	2000,2001,2003,2018,2019,2020,2021
+./bin/tests/system/gost/clean.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/gost/ns1/named.conf		CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/gost/ns1/root.db.in		ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/gost/ns1/sign.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/gost/ns2/named.conf		CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/gost/prereq.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/gost/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/gost/tests.sh		SH	2010,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/idna/clean.sh		SH	2018,2019,2020,2021
+./bin/tests/system/idna/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/idna/ns1/root.db		ZONE	2018,2019,2020,2021
+./bin/tests/system/idna/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/idna/tests.sh		SH	2018,2019,2020,2021
+./bin/tests/system/ifconfig.bat			BAT	2016,2018,2019,2020,2021
+./bin/tests/system/ifconfig.sh			SH	2000,2001,2002,2003,2004,2007,2008,2009,2010,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/inline/checkdsa.sh.in	SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/inline/clean.sh		SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/inline/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/inline/ns1/root.db.in	ZONE	2011,2012,2013,2016,2017,2018,2019,2020,2021
+./bin/tests/system/inline/ns1/sign.sh		SH	2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns2/bits.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/inline/ns2/nsec3-loop.db.in	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/inline/ns3/master.db.in	ZONE	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns3/master2.db.in	ZONE	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns3/master3.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns3/master4.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns3/master5.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/inline/ns3/master6.db.in	ZONE	2019,2020,2021
+./bin/tests/system/inline/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/inline/ns3/sign.sh		SH	2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/inline/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/inline/ns4/noixfr.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns5/named.conf.post	CONF-C	2011,2014,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns5/named.conf.pre	CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/inline/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/inline/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/inline/ns7/sign.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/inline/ns8/example.com.db.in	ZONE	2020,2021
+./bin/tests/system/inline/ns8/named.conf.in	CONF-C	2020,2021
+./bin/tests/system/inline/ns8/sign.sh		SH	2020,2021
+./bin/tests/system/inline/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/inline/setup.sh		SH	2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/inline/tests.sh		SH	2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/integrity/clean.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/integrity/ns1/mx-cname.db	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/integrity/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/integrity/ns1/srv-cname.db	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/integrity/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/integrity/tests.sh		SH	2017,2018,2019,2020,2021
+./bin/tests/system/ixfr/ans2/startme		X	2011,2018,2019,2020,2021
+./bin/tests/system/ixfr/clean.sh		SH	2001,2004,2007,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/ixfr/ns1/startme		X	2012,2013,2018,2019,2020,2021
+./bin/tests/system/ixfr/ns3/mytest0.db		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/ixfr/ns3/mytest1.db		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/ixfr/ns3/mytest2.db		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/ixfr/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/ixfr/ns3/subtest0.db		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/ixfr/ns3/subtest1.db		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/ixfr/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/ixfr/ns5/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/ixfr/prereq.sh		SH	2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/ixfr/setup.sh		SH	2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/ixfr/tests.sh		SH	2001,2004,2007,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/01-ksk-inactive/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/01-ksk-inactive/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/02-zsk-inactive/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/02-zsk-inactive/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/03-ksk-unpublished/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/03-ksk-unpublished/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/04-zsk-unpublished/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/04-zsk-unpublished/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/05-ksk-unpub-active/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/05-ksk-unpub-active/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/06-zsk-unpub-active/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/06-zsk-unpub-active/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/07-ksk-ttl/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/07-ksk-ttl/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/08-zsk-ttl/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/08-zsk-ttl/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/09-no-keys/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/09-no-keys/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/10-change-roll/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/10-change-roll/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/11-many-simul/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/11-many-simul/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/12-many-active/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/12-many-active/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/13-noroll/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/13-noroll/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/14-wrongalg/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/14-wrongalg/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/15-unspec/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/15-unspec/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/16-wrongalg-unspec/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/16-wrongalg-unspec/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/17-noforce/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/17-noforce/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/18-nonstd-prepub/README	TXT.BRIEF	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/18-nonstd-prepub/expect	X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/18-nonstd-prepub/policy.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/19-old-keys/README	TXT.BRIEF	2019,2020,2021
+./bin/tests/system/keymgr/19-old-keys/expect	X	2019,2020,2021
+./bin/tests/system/keymgr/19-old-keys/extra.sh	SH	2019,2020,2021
+./bin/tests/system/keymgr/19-old-keys/policy.conf	CONF-C	2019,2020,2021
+./bin/tests/system/keymgr/clean.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/policy.conf		CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/policy.good		X	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/policy.sample		CONF-C	2016,2017,2018,2019,2020,2021
+./bin/tests/system/keymgr/prereq.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/setup.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/testpolicy.py		PYTHON	2016,2018,2019,2020,2021
+./bin/tests/system/keymgr/tests.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/legacy/build.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/clean.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns1/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns1/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns1/root.db		ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns1/trusted.conf	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns10/ednsrefused.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/legacy/ns10/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns10/named.ednsrefused	X	2018,2019,2020,2021
+./bin/tests/system/legacy/ns2/dropedns.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns2/named.dropedns	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns3/dropedns-notcp.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns3/named.dropedns	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns3/named.notcp	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns4/named.args	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns4/plain.db		ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns5/named.args	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns5/named.notcp	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns5/plain-notcp.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns6/edns512.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns6/edns512.db.signed	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns6/named.args	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns6/sign.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns7/edns512-notcp.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns7/edns512-notcp.db.signed	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns7/named.args	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns7/named.notcp	X	2014,2018,2019,2020,2021
+./bin/tests/system/legacy/ns7/sign.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/ns8/ednsformerr.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/legacy/ns8/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns8/named.ednsformerr	X	2018,2019,2020,2021
+./bin/tests/system/legacy/ns9/ednsnotimp.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/legacy/ns9/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/legacy/ns9/named.ednsnotimp	X	2018,2019,2020,2021
+./bin/tests/system/legacy/setup.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/legacy/tests.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/limits/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/limits/knowngood.dig.out.1000	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/limits/knowngood.dig.out.2000	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/limits/knowngood.dig.out.3000	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/limits/knowngood.dig.out.4000	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/limits/knowngood.dig.out.a-maximum-rrset	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/limits/ns1/example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/limits/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/limits/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/limits/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/limits/tests.sh		SH	2000,2001,2004,2007,2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/clean.sh	SH	2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/controls.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/named.dirconf	CONF-C	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/named.pipeconf	CONF-C	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/named.plain	CONF-C	2011,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/named.plainconf	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/named.symconf	CONF-C	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/named.unlimited	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/named.versconf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/rndc.conf.in	CONF-C	2011,2013,2016,2017,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/ns1/root.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/setup.sh	SH	2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/logfileconfig/tests.sh	SH	2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/lwresd/Makefile.in		MAKE	2000,2001,2002,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/clean.sh		SH	2008,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/lwresd1/lwresd.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/lwresd1/nosearch.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/lwresd1/resolv.conf	CONF-SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/lwtest.c		C	2000,2001,2002,2004,2007,2008,2012,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/ns1/e.example1.db	X	2008,2018,2019,2020,2021
+./bin/tests/system/lwresd/ns1/example1.db	ZONE	2000,2001,2002,2003,2004,2007,2008,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/ns1/example2.db	ZONE	2000,2001,2002,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/ns1/ip6.arpa.db	ZONE	2000,2001,2002,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/ns1/ip6.int.db	ZONE	2000,2001,2002,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/ns1/named.conf	CONF-C	2000,2001,2004,2006,2007,2008,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/resolv.conf		CONF-SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/lwresd/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/clean.sh		SH	2001,2004,2007,2010,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/knowngood.dig.out	X	2001,2004,2012,2018,2019,2020,2021
+./bin/tests/system/masterfile/ns1/include.db	ZONE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/masterfile/ns1/sub.db	ZONE	2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/ns1/ttl1.db	ZONE	2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/ns1/ttl2.db	ZONE	2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/ns2/example.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/masterfile/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/masterfile/tests.sh		SH	2001,2004,2007,2010,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/zone/inheritownerafterinclude.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/masterfile/zone/inheritownerafterinclude.good	X	2015,2018,2019,2020,2021
+./bin/tests/system/masterfile/zone/nameservers.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/clean.sh	SH	2005,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/ns1/compile.sh	SH	2005,2006,2007,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/ns1/example.db	ZONE	2005,2007,2014,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/ns1/large.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/masterformat/ns1/signed.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/ns2/formerly-text.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/masterformat/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/masterformat/prereq.sh	SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/setup.sh	SH	2005,2006,2007,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/masterformat/tests.sh	SH	2005,2007,2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/metadata/child.db		ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/metadata/clean.sh		SH	2009,2011,2012,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/metadata/parent.db		ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/metadata/prereq.sh		SH	2009,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/metadata/setup.sh		SH	2009,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/metadata/tests.sh		SH	2009,2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/README			TXT.BRIEF	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/clean.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/ns1/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/mkeys/ns1/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/mkeys/ns1/named3.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/mkeys/ns1/root.db		ZONE	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/ns1/sign.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/ns1/unsupported.key	X	2019,2020,2021
+./bin/tests/system/mkeys/ns2/named.args		X	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/mkeys/ns3/named.args		X	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/mkeys/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/mkeys/ns5/named1.args	X	2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/ns5/named2.args	X	2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/ns6/named.args		X	2019,2020,2021
+./bin/tests/system/mkeys/ns6/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/mkeys/ns6/setup.sh		SH	2019,2020,2021
+./bin/tests/system/mkeys/ns6/unsupported-managed.key	X	2019,2020,2021
+./bin/tests/system/mkeys/ns7/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/mkeys/prereq.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/mkeys/setup.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/mkeys/tests.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/names/clean.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/names/ns1/example.db		ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/names/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/names/setup.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/names/tests.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/notify/clean.sh		SH	2000,2001,2004,2007,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/notify/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/notify/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/notify/ns2/example1.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020,2021
+./bin/tests/system/notify/ns2/example2.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020,2021
+./bin/tests/system/notify/ns2/example3.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020,2021
+./bin/tests/system/notify/ns2/example4.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020,2021
+./bin/tests/system/notify/ns2/generic.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/notify/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/notify/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/notify/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/notify/ns4/named.port.in	X	2018,2019,2020,2021
+./bin/tests/system/notify/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/notify/ns5/x21.db		ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/notify/setup.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/notify/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/nslookup/clean.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/nslookup/ns1/example.net.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/nslookup/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nslookup/setup.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/nslookup/tests.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ans4/ans.pl		PERL	2017,2018,2019,2020,2021
+./bin/tests/system/nsupdate/clean.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/nsupdate/commandlist		X	2012,2018,2019,2020,2021
+./bin/tests/system/nsupdate/knowngood.ns1.after	X	2000,2001,2003,2004,2009,2018,2019,2020,2021
+./bin/tests/system/nsupdate/knowngood.ns1.afterstop	X	2001,2004,2018,2019,2020,2021
+./bin/tests/system/nsupdate/knowngood.ns1.before	X	2000,2001,2003,2004,2009,2018,2019,2020,2021
+./bin/tests/system/nsupdate/krb/setup.sh	SH	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns1/example1.db	ZONE	2000,2001,2002,2004,2007,2009,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns1/many.test.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns1/max-ttl.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns1/sample.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns10/dns.keytab	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns10/example.com.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns10/in-addr.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns10/machine.ccache	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns10/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns2/sample.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns3/delegation.test.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns3/dnskey.test.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns3/example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns3/nsec3param.test.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns3/sign.sh		SH	2010,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns3/too-big.test.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns5/local.db.in	ZONE	2017,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns5/named.args	X	2017,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns5/named.conf.in	CONF-C	2017,2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns6/in-addr.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns6/named.args	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns7/dns.keytab	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns7/example.com.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns7/in-addr.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns7/machine.ccache	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns8/example.com.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns8/in-addr.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns8/machine.ccache	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns8/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns9/dns.keytab	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns9/example.com.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns9/in-addr.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns9/machine.ccache	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns9/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nsupdate/prereq.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/setup.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/nsupdate/tests.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/nsupdate/update_test.pl	PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/nsupdate/verylarge.in	X	2013,2018,2019,2020,2021
+./bin/tests/system/nzd2nzf/clean.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/nzd2nzf/ns1/added.db		ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/nzd2nzf/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/nzd2nzf/prereq.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/nzd2nzf/setup.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/nzd2nzf/tests.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/org.isc.bind.system		SH	2010,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/org.isc.bind.system.plist	X	2010,2018,2019,2020,2021
+./bin/tests/system/packet.pl			PERL	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/parallel.sh			SH	2019,2020,2021
+./bin/tests/system/pending/clean.sh		SH	2009,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pending/ns1/root.db.in	ZONE	2009,2010,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns1/sign.sh		SH	2009,2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns2/example.com.db.in	ZONE	2009,2010,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns2/example.db.in	ZONE	2009,2010,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns2/forgery.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pending/ns2/sign.sh		SH	2009,2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns3/hostile.db	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns3/mail.example.db	ZONE	2009,2016,2018,2019,2020,2021
+./bin/tests/system/pending/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pending/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pending/prereq.sh		SH	2009,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/pending/setup.sh		SH	2009,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/pending/tests.sh		SH	2009,2010,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/system/pipelined/Makefile.in	MAKE	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/pipelined/clean.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/pipelined/input		X	2014,2015,2018,2019,2020,2021
+./bin/tests/system/pipelined/inputb		X	2014,2015,2018,2019,2020,2021
+./bin/tests/system/pipelined/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pipelined/ns1/root.db	ZONE	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/pipelined/ns2/examplea.db	ZONE	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/pipelined/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pipelined/ns3/exampleb.db	ZONE	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/pipelined/ns3/named.args	X	2014,2015,2018,2019,2020,2021
+./bin/tests/system/pipelined/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pipelined/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pipelined/pipequeries.c	C	2014,2015,2015,2016,2018,2019,2020,2021
+./bin/tests/system/pipelined/ref		X	2014,2015,2018,2019,2020,2021
+./bin/tests/system/pipelined/refb		X	2014,2015,2018,2019,2020,2021
+./bin/tests/system/pipelined/setup.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/pipelined/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt	X	2020,2021
+./bin/tests/system/pkcs11/clean.sh		SH	2010,2012,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/pkcs11/ns1/example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/pkcs11/ns1/named.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pkcs11/setup.sh		SH	2010,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/pkcs11/tests.sh		SH	2010,2012,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/pkcs11/usepkcs11		X	2010,2018,2019,2020,2021
+./bin/tests/system/pkcs11ssl/clean.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/pkcs11ssl/ns1/example.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/pkcs11ssl/ns1/named.conf	CONF-C	2018,2019,2020,2021
+./bin/tests/system/pkcs11ssl/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/pkcs11ssl/setup.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/pkcs11ssl/tests.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/pkcs11ssl/usepkcs11		X	2014,2018,2019,2020,2021
+./bin/tests/system/reclimit/README		TXT.BRIEF	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/reclimit/ans2/ans.pl		PERL	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/reclimit/ans4/ans.pl		PERL	2018,2019,2020,2021
+./bin/tests/system/reclimit/ans7/ans.pl		PERL	2014,2016,2018,2019,2020,2021
+./bin/tests/system/reclimit/clean.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/reclimit/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/reclimit/ns1/root.db		ZONE	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/reclimit/ns3/hints.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/reclimit/ns3/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/reclimit/ns3/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/reclimit/ns3/named3.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/reclimit/ns3/named4.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/reclimit/prereq.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/reclimit/setup.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/reclimit/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/redirect/clean.sh		SH	2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/conf/bad1.conf	CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/conf/bad2.conf	CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/conf/bad3.conf	CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/conf/good1.conf	CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/conf/good2.conf	CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/conf/good3.conf	CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/conf/good4.conf	CONF-C	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns1/example.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/redirect/ns1/redirect.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns1/root.db		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns1/sign.sh		SH	2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns2/example.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/redirect/ns2/redirect.db.in	ZONE	2011.2013,2013,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns3/example.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/redirect/ns3/redirect.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns3/root.db		ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns3/sign.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns4/example.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/redirect/ns4/root.hint	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/setup.sh		SH	2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/redirect/tests.sh		SH	2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ans2/ans.pl		PERL	2000,2001,2004,2007,2009,2010,2012,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ans3/ans.pl		PERL	2000,2001,2004,2007,2009,2012,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ans8/ans.pl		PERL	2017,2018,2019,2020,2021
+./bin/tests/system/resolver/clean.sh		SH	2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/resolver/ns1/root.hint	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns4/broken.db	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns4/child.server.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns4/moves.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/resolver/ns4/named.noaa	TXT.BRIEF	2010,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns4/root.db		ZONE	2010,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/resolver/ns4/sourcens.db	ZONE	2020,2021
+./bin/tests/system/resolver/ns4/tld1.db		ZONE	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns4/tld2.db		ZONE	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns5/child.server.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns5/moves.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/resolver/ns5/root.hint	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/broken.db	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/delegation-only.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/ds.example.net.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/example.net.db.in	ZONE	2010,2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/keygen.sh	SH	2010,2012,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/moves.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/no-edns-version.tld.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/root.db		ZONE	2010,2011,2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns6/targetns.db	ZONE	2020,2021
+./bin/tests/system/resolver/ns6/to-be-removed.tld.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns7/all-cnames.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns7/edns-version.tld.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns7/named.args	X	2011,2012,2014,2018,2019,2020,2021
+./bin/tests/system/resolver/ns7/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/resolver/ns7/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/resolver/ns7/root.hint	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/ns7/server.db.in	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/prereq.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/setup.sh		SH	2010,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/resolver/tests.sh		SH	2000,2001,2004,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/rndc/Makefile.in		MAKE	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/rndc/clean.sh		SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/rndc/gencheck.c		C	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/rndc/ns2/incl.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/rndc/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rndc/ns2/secondkey.conf	CONF-C	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rndc/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rndc/ns4/named.conf.in	CONF-C	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/rndc/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rndc/ns6/named.args		X	2016,2018,2019,2020,2021
+./bin/tests/system/rndc/ns6/named.conf.in	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/rndc/setup.sh		SH	2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rndc/tests.sh		SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/clean.sh	SH	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns1/root.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns1/sign.sh	SH	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns2/example.db.in	ZONE	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns2/sign.sh	SH	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns3/hint.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns4/hint.db	ZONE	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/prereq.sh	SH	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/setup.sh	SH	2018,2019,2020,2021
+./bin/tests/system/rootkeysentinel/tests.sh	SH	2018,2019,2020,2021
+./bin/tests/system/rpz/README			TXT.BRIEF	2019,2020,2021
+./bin/tests/system/rpz/clean.sh			SH	2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rpz/ns1/root.db		ZONE	2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns2/base-tld2s.db	ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns2/bl.tld2.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns2/blv2.tld2.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns2/blv3.tld2.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns2/hints		ZONE	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rpz/ns2/tld2.db		ZONE	2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns3/base.db		ZONE	2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns3/broken.db.in		ZONE	2019,2020,2021
+./bin/tests/system/rpz/ns3/crash1		X	2011,2013,2018,2019,2020,2021
+./bin/tests/system/rpz/ns3/crash2		X	2011,2012,2013,2018,2019,2020,2021
+./bin/tests/system/rpz/ns3/hints		ZONE	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in	ZONE	2019,2020,2021
+./bin/tests/system/rpz/ns3/manual-update-rpz.db.in	ZONE	2019,2020,2021
+./bin/tests/system/rpz/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rpz/ns4/hints		ZONE	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rpz/ns4/tld4.db		ZONE	2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns5/empty.db.in		ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns5/hints		ZONE	2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns5/named.args		X	2013,2014,2018,2019,2020,2021
+./bin/tests/system/rpz/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rpz/ns5/tld5.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns6/hints		ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rpz/ns7/hints		ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rpz/ns9/hints		ZONE	2019,2020,2021
+./bin/tests/system/rpz/ns9/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/rpz/ns9/rpz.db		ZONE	2019,2020,2021
+./bin/tests/system/rpz/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/qperf.sh			SH	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/setup.sh			SH	2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/test1			ZONE	2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/test2			ZONE	2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/test3			ZONE	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/test4			ZONE	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/test4a			ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/test5			ZONE	2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/test6			ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/rpz/tests.sh			SH	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/README		TXT.BRIEF	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ans5/ans.pl	PERL	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/clean.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns1/db.l0		ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns1/db.l1.l0	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns1/example.com.db	ZONE	2020,2021
+./bin/tests/system/rpzrecurse/ns1/example.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns1/root.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns1/test1.example.net.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns1/test2.example.net.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.clientip1	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.clientip2	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.clientip21	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.given	ZONE	2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.log1	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.log2	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.log3	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.passthru	ZONE	2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.wildcard1	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.wildcard2a	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.wildcard2b	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/db.wildcard3	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.clientip.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.clientip2.conf	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.conf.header.in	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.default.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.log.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf	CONF-C	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf	CONF-C	2020,2021
+./bin/tests/system/rpzrecurse/ns2/root.hint	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns3/example.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns3/named1.conf.in	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns3/named2.conf.in	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns3/policy.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns3/root.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns4/child.example.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/ns4/named.conf.in	CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/prereq.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/setup.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/testgen.pl	PERL	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rpzrecurse/tests.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/rrchecker/classlist.good	X	2013,2018,2019,2020,2021
+./bin/tests/system/rrchecker/clean.sh		SH	2013,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/rrchecker/privatelist.good	X	2013,2018,2019,2020,2021
+./bin/tests/system/rrchecker/tests.sh		SH	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/rrchecker/typelist.good	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/rrl/broken.conf		CONF-C	2016,2018,2019,2020,2021
+./bin/tests/system/rrl/clean.sh			SH	2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rrl/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rrl/ns1/root.db		ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rrl/ns2/hints		ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rrl/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rrl/ns2/tld2.db		ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rrl/ns3/hints		ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rrl/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rrl/ns3/tld3.db		ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rrl/ns4/hints		ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/rrl/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rrl/ns4/tld4.db		ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/rrl/setup.sh			SH	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/rrl/tests.sh			SH	2012,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/clean.sh		SH	2006,2007,2008,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.fixed.good	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good1	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good10	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good11	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good12	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good13	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good14	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good15	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good16	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good17	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good18	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good19	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good2	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good20	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good21	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good22	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good23	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good24	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good3	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good4	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good5	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good6	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good7	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good8	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/dig.out.random.good9	X	2006,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rrsetorder/ns1/root.db	ZONE	2006,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/rrsetorder/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rrsetorder/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rrsetorder/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rrsetorder/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/rrsetorder/tests.sh		SH	2006,2007,2008,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/Makefile.in	MAKE	2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/README.md	TXT.BRIEF	2021
+./bin/tests/system/rsabigexponent/bigkey.c	C	2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/clean.sh	SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/conf/bad01.conf	CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/conf/bad02.conf	CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/conf/bad03.conf	CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/conf/good01.conf	CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/conf/good02.conf	CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/conf/good03.conf	CONF-C	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns1/root.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns1/sign.sh	SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key	X	2012,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private	X	2012,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key	X	2012,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private	X	2012,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/dsset-example.in	X	2012,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/example.db.bad	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/example.db.in	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns2/sign.sh	SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/prereq.sh	SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/setup.sh	SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/rsabigexponent/tests.sh	SH	2012,2016,2018,2019,2020,2021
+./bin/tests/system/run.gdb			X	2019,2020,2021
+./bin/tests/system/run.sh			SH	2000,2001,2004,2007,2010,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runall.sh			SH	2000,2001,2004,2007,2010,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/runsequential.sh		SH	2018,2019,2020,2021
+./bin/tests/system/runtime/README		TXT.BRIEF	2014,2016,2018,2019,2020,2021
+./bin/tests/system/runtime/clean.sh		SH	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/ns2/named-alt1.conf.in	CONF-C	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/ns2/named-alt2.conf.in	CONF-C	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/ns2/named-alt3.conf.in	CONF-C	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/ns2/named-alt4.conf.in	CONF-C	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/ns2/named-alt5.conf.in	CONF-C	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/ns2/named-alt6.conf.in	CONF-C	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/ns2/named-alt9.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/runtime/ns2/named1.conf.in	CONF-C	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/setup.sh		SH	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/runtime/tests.sh		SH	2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/send.pl			PERL	2001,2004,2007,2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/setup.sh			SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/README		TXT.BRIEF	2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/clean.sh		SH	2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/sfcache/ns1/root.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/ns1/sign.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/ns2/example.db.in	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/sfcache/ns2/sign.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/sfcache/ns5/trusted.conf.bad	CONF-C	2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/setup.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/sfcache/tests.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/smartsign/child.db		ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/smartsign/clean.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/smartsign/parent.db		ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/smartsign/prereq.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/smartsign/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/smartsign/tests.sh		SH	2010,2011,2012,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/sortlist/clean.sh		SH	2000,2001,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/sortlist/ns1/example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/sortlist/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/sortlist/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/sortlist/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/sortlist/tests.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/spf/clean.sh			SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/spf/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/spf/ns1/spf.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/spf/setup.sh			SH	2018,2019,2020,2021
+./bin/tests/system/spf/tests.sh			SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/start.pl			SH	2001,2004,2005,2006,2007,2008,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/start.sh			SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/clean.sh		SH	2010,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad01.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad02.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad03.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad04.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad05.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad06.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad07.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad08.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad09.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad10.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/bad11.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/good01.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/good02.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/good03.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/good04.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/conf/good05.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/knowngood.dig.out.rec	X	2010,2013,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/staticstub/ns1/root.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns2/named.conf.in	CONF-C	2010,2015,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns3/example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns3/example.org.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns3/named.conf.in	CONF-C	2010,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns3/sign.sh	SH	2010,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns3/undelegated.db.in	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns4/example.com.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns4/example.info.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns4/example.org.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/staticstub/ns4/sign.sh	SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/ns4/sub.example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/setup.sh		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/staticstub/tests.sh		SH	2010,2011,2012,2013,2015,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/ans4/ans.pl	PERL	2012,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/clean.sh		SH	2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/statistics/ns1/root.db	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/ns1/zone.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/ns2/example.db	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/ns2/internal.db	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/statistics/ns3/internal.db	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/statistics/ns3/root.hint	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/prereq.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/statistics/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/statistics/tests.sh		SH	2012,2015,2016,2018,2019,2020,2021
+./bin/tests/system/statschannel/clean.sh	SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/statschannel/fetch.pl	PERL	2015,2016,2018,2019,2020,2021
+./bin/tests/system/statschannel/ns2/example.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/statschannel/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/statschannel/prereq.sh	SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/statschannel/server-json.pl	PERL	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/statschannel/server-xml.pl	PERL	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/statschannel/setup.sh	SH	2018,2019,2020,2021
+./bin/tests/system/statschannel/tests.sh	SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/statschannel/traffic-json.pl	PERL	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/statschannel/traffic-xml.pl	PERL	2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/statschannel/traffic.expect.1	X	2015,2018,2019,2020,2021
+./bin/tests/system/statschannel/traffic.expect.2	X	2015,2018,2019,2020,2021
+./bin/tests/system/statschannel/traffic.expect.4	X	2015,2018,2019,2020,2021
+./bin/tests/system/statschannel/traffic.expect.5	X	2015,2016,2018,2019,2020,2021
+./bin/tests/system/statschannel/traffic.expect.6	X	2015,2016,2018,2019,2020,2021
+./bin/tests/system/stop.pl			SH	2001,2004,2005,2006,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/stop.sh			SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/stopall.sh			SH	2018,2019,2020,2021
+./bin/tests/system/stress/clean.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/stress/ns1/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/stress/ns2/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/stress/ns3/named.conf	CONF-C	2000,2001,2004,2007,2013,2016,2018,2019,2020,2021
+./bin/tests/system/stress/ns4/named.conf	CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/stress/prereq.sh		SH	2015,2016,2018,2019,2020,2021
+./bin/tests/system/stress/setup.pl		PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/stress/setup.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/stress/tests.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/stress/update.pl		PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/stub/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/stub/knowngood.dig.out.norec	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/stub/knowngood.dig.out.rec	X	2000,2001,2013,2018,2019,2020,2021
+./bin/tests/system/stub/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/stub/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/stub/ns2/child.example.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/stub/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/stub/ns3/example.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/stub/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/stub/ns4/example.db		ZONE	2020,2021
+./bin/tests/system/stub/ns4/named.conf.in	CONF-C	2020,2021
+./bin/tests/system/stub/ns5/named.conf.in	CONF-C	2020,2021
+./bin/tests/system/stub/setup.sh		SH	2018,2019,2020,2021
+./bin/tests/system/stub/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/tcp/ans6/ans.py		PYTHON	2019,2020,2021
+./bin/tests/system/tcp/clean.sh			SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/tcp/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/tcp/ns1/root.db		ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/tcp/ns2/example.db		ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/tcp/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/tcp/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/tcp/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/tcp/ns5/named.conf.in	CONF-C	2019,2020,2021
+./bin/tests/system/tcp/prereq.sh		SH	2019,2020,2021
+./bin/tests/system/tcp/setup.sh			SH	2018,2019,2020,2021
+./bin/tests/system/tcp/tests.sh			SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/testcrypto.sh		SH	2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/testsock.pl			PERL	2000,2001,2004,2007,2010,2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/testsock6.pl			PERL	2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/testsummary.sh		SH	2018,2019,2020,2021
+./bin/tests/system/tkey/Makefile.in		MAKE	2001,2002,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/clean.sh		SH	2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/keycreate.c		C	2001,2004,2005,2007,2009,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/keydelete.c		C	2001,2004,2005,2007,2009,2010,2011,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/ns1/example.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/ns1/named.conf.in	CONF-C	2001,2004,2007,2009,2011,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/ns1/setup.sh		SH	2001,2004,2007,2009,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/prereq.sh		SH	2001,2004,2006,2007,2009,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/setup.sh		SH	2001,2004,2007,2009,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/tkey/tests.sh		SH	2001,2004,2007,2009,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/tsig/ans2/ans.pl		PERL	2020,2021
+./bin/tests/system/tsig/badlocation		X	2020,2021
+./bin/tests/system/tsig/badtime			X	2020,2021
+./bin/tests/system/tsig/clean.sh		SH	2005,2006,2007,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/tsig/ns1/example.db		ZONE	2005,2006,2007,2009,2012,2016,2018,2019,2020,2021
+./bin/tests/system/tsig/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/tsig/prereq.sh		SH	2020,2021
+./bin/tests/system/tsig/setup.sh		SH	2016,2018,2019,2020,2021
+./bin/tests/system/tsig/tests.sh		SH	2005,2006,2007,2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/tsiggss/authsock.pl		PERL	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/tsiggss/clean.sh		SH	2010,2011,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/tsiggss/ns1/administrator.ccache	X	2010,2018,2019,2020,2021
+./bin/tests/system/tsiggss/ns1/dns.keytab	X	2010,2018,2019,2020,2021
+./bin/tests/system/tsiggss/ns1/example.nil.db.in	X	2011,2018,2019,2020,2021
+./bin/tests/system/tsiggss/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/tsiggss/ns1/testdenied.ccache	X	2010,2018,2019,2020,2021
+./bin/tests/system/tsiggss/prereq.sh		SH	2010,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/tsiggss/setup.sh		SH	2010,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/tsiggss/tests.sh		SH	2010,2011,2014,2016,2017,2018,2019,2020,2021
+./bin/tests/system/unknown/clean.sh		SH	2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/large.out		X	2012,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/broken1.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/broken2.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/broken3.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/broken4.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/broken5.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/class10.hints	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/example-class10.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/example-in.db	ZONE	2000,2001,2004,2007,2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/large.db		ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/unknown/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/unknown/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/unknown/ns3/sign.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/setup.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/unknown/zones/nan.bad	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/upforwd/ans4/ans.pl		PERL	2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/upforwd/clean.sh		SH	2000,2001,2004,2007,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/upforwd/knowngood.after1	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/upforwd/knowngood.after2	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/upforwd/knowngood.before	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/upforwd/knowngood.ns2.before	X	2000,2001,2018,2019,2020,2021
+./bin/tests/system/upforwd/ns1/example1.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/upforwd/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/upforwd/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/upforwd/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/upforwd/ns3/nomaster.db	ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/upforwd/prereq.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/upforwd/setup.sh		SH	2000,2001,2004,2007,2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/upforwd/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/verify/clean.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/verify/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/verify/setup.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/verify/tests.sh		SH	2012,2013,2016,2017,2018,2019,2020,2021
+./bin/tests/system/verify/zones/genzones.sh	SH	2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/verify/zones/unsigned.db	ZONE	2012,2016,2018,2019,2020,2021
+./bin/tests/system/views/clean.sh		SH	2000,2001,2004,2005,2007,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/views/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns2/1.10.in-addr.arpa.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns2/clone.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns2/example1.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns2/example2.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns2/external/inline.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns2/internal.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns2/internal/inline.db	ZONE	2014,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns2/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/views/ns2/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/views/ns3/child.clone.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns3/internal.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns3/named1.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/views/ns3/named2.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/views/ns5/child.clone.db	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/views/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/views/setup.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/views/tests.sh		SH	2000,2001,2004,2007,2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/clean.sh		SH	2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns1/dlv.db.in	ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns1/named.conf.in	CONF-C	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns1/nsec.db.in	ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns1/nsec3.db.in	ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns1/private.nsec.db.in	ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns1/private.nsec3.db.in	ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns1/root.db.in	ZONE	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns1/sign.sh		SH	2012,2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/wildcard/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/wildcard/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/wildcard/ns5/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/wildcard/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/setup.sh		SH	2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/wildcard/tests.sh		SH	2012,2013,2016,2018,2019,2020,2021
+./bin/tests/system/win32/bigkey.dsp.in		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/bigkey.dsw		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/bigkey.mak.in		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/bigkey.vcxproj.filters.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/bigkey.vcxproj.in	X	2016,2017,2018,2019,2020,2021
+./bin/tests/system/win32/bigkey.vcxproj.user	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/feature-test.dsp.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/feature-test.dsw	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/feature-test.mak.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/feature-test.vcxproj.filters.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/feature-test.vcxproj.in	X	2016,2017,2018,2019,2020,2021
+./bin/tests/system/win32/feature-test.vcxproj.user	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/gencheck.dsp.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/gencheck.dsw		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/gencheck.mak.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/gencheck.vcxproj.filters.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/gencheck.vcxproj.in	X	2016,2017,2018,2019,2020,2021
+./bin/tests/system/win32/gencheck.vcxproj.user	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keycreate.dsp.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keycreate.dsw		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keycreate.mak.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keycreate.vcxproj.filters.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keycreate.vcxproj.in	X	2016,2017,2018,2019,2020,2021
+./bin/tests/system/win32/keycreate.vcxproj.user	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keydelete.dsp.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keydelete.dsw		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keydelete.mak.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keydelete.vcxproj.filters.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/keydelete.vcxproj.in	X	2016,2017,2018,2019,2020,2021
+./bin/tests/system/win32/keydelete.vcxproj.user	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/lwtest.dsp.in		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/lwtest.dsw		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/lwtest.mak.in		X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/lwtest.vcxproj.filters.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/lwtest.vcxproj.in	X	2016,2017,2018,2019,2020,2021
+./bin/tests/system/win32/lwtest.vcxproj.user	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/pipequeries.dsp.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/pipequeries.dsw	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/pipequeries.mak.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/pipequeries.vcxproj.filters.in	X	2016,2018,2019,2020,2021
+./bin/tests/system/win32/pipequeries.vcxproj.in	X	2016,2017,2018,2019,2020,2021
+./bin/tests/system/win32/pipequeries.vcxproj.user	X	2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ans5/badkeydata		X	2011,2018,2019,2020,2021
+./bin/tests/system/xfer/ans5/badmessageid	X	2020,2021
+./bin/tests/system/xfer/ans5/goodaxfr		X	2011,2018,2019,2020,2021
+./bin/tests/system/xfer/ans5/partial		X	2011,2018,2019,2020,2021
+./bin/tests/system/xfer/ans5/unknownkey		X	2011,2018,2019,2020,2021
+./bin/tests/system/xfer/ans5/unsigned		X	2011,2018,2019,2020,2021
+./bin/tests/system/xfer/ans5/wrongkey		X	2011,2018,2019,2020,2021
+./bin/tests/system/xfer/clean.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/xfer/dig1.good		X	2000,2001,2003,2004,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/xfer/dig2.good		X	2000,2001,2003,2004,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/system/xfer/knowngood.mapped	X	2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns1/axfr-too-big.db	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns1/ixfr-too-big.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/xfer/ns1/root.db		ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns2/mapped.db.in	ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/xfer/ns2/slave.db.in		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/xfer/ns4/named.conf.base	CONF-C	2011,2013,2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns4/root.db.in		ZONE	2011,2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns6/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/xfer/ns7/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/xfer/ns8/example.db		ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/xfer/ns8/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/xfer/prereq.sh		SH	2011,2012,2014,2016,2018,2019,2020,2021
+./bin/tests/system/xfer/setup.sh		SH	2001,2002,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/xfer/tests.sh		SH	2000,2001,2004,2005,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/xferquota/clean.sh		SH	2000,2001,2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/xferquota/ns1/changing1.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/xferquota/ns1/changing2.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/xferquota/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/xferquota/ns1/root.db	ZONE	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/xferquota/ns2/example.db	ZONE	2000,2001,2002,2003,2004,2007,2009,2016,2018,2019,2020,2021
+./bin/tests/system/xferquota/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/xferquota/setup.pl		PERL	2000,2001,2004,2007,2011,2012,2016,2018,2019,2020,2021
+./bin/tests/system/xferquota/setup.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/xferquota/tests.sh		SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./bin/tests/system/zero/ans5/ans.pl		PERL	2016,2018,2019,2020,2021
+./bin/tests/system/zero/clean.sh		SH	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/zero/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/zero/ns1/root.db		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/zero/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/zero/ns2/tld.db		ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/zero/ns3/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/zero/ns3/root.hint		ZONE	2013,2016,2018,2019,2020,2021
+./bin/tests/system/zero/ns4/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/zero/ns4/one.tld.db		ZONE	2016,2018,2019,2020,2021
+./bin/tests/system/zero/prereq.sh		SH	2018,2019,2020,2021
+./bin/tests/system/zero/setup.sh		SH	2013,2014,2016,2018,2019,2020,2021
+./bin/tests/system/zero/tests.sh		SH	2013,2016,2017,2018,2019,2020,2021
+./bin/tests/system/zonechecks/a.db		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/aaaa.db		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/bigserial.db	ZONE	2015,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/clean.sh		SH	2004,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/cname.db		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/dname.db		ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/noaddress.db	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/ns1/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/zonechecks/ns2/named.conf.in	CONF-C	2018,2019,2020,2021
+./bin/tests/system/zonechecks/nxdomain.db	ZONE	2004,2007,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/prereq.sh		SH	2014,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/setup.sh		SH	2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/system/zonechecks/tests.sh		SH	2004,2007,2009,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./bin/tests/testdata/wire/wire_test.data	X	1999,2000,2001,2018,2019,2020,2021
+./bin/tests/testdata/wire/wire_test.data2	X	1999,2000,2001,2018,2019,2020,2021
+./bin/tests/testdata/wire/wire_test.data3	X	1999,2000,2001,2018,2019,2020,2021
+./bin/tests/testdata/wire/wire_test.data4	X	1999,2000,2001,2018,2019,2020,2021
+./bin/tests/virtual-time/Makefile.in		MAKE	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/README			TXT.BRIEF	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-ksk/clean.sh	SH	2010,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-ksk/ns1/example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-ksk/ns1/named.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-ksk/ns1/root.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-ksk/ns1/sign.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-ksk/setup.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-ksk/tests.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-zsk/clean.sh	SH	2010,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-zsk/ns1/example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-zsk/ns1/named.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-zsk/ns1/root.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-zsk/ns1/sign.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-zsk/setup.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/autosign-zsk/tests.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/cleanall.sh		SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/common/controls.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/common/rndc.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/common/root.hint	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/conf.sh.in		SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/run.sh			SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/runall.sh		SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/setup.sh		SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/slave/clean.sh		SH	2010,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/slave/ns1/example.db.in	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/slave/ns1/named.conf	CONF-C	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/slave/ns1/root.db	ZONE	2010,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/slave/ns1/wrap.sh	SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/slave/setup.sh		SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/slave/tests.sh		SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/start.pl		PERL	2010,2012,2015,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/start.sh		SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/stop.pl		PERL	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/stop.sh		SH	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/testsock.pl		PERL	2010,2012,2016,2018,2019,2020,2021
+./bin/tests/virtual-time/vtwrapper.c		C	2010,2016,2018,2019,2020,2021
+./bin/tests/win32/backtrace_test.dsp.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/backtrace_test.dsw		X	2013,2018,2019,2020,2021
+./bin/tests/win32/backtrace_test.mak.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/backtrace_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tests/win32/backtrace_test.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/win32/backtrace_test.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tests/win32/inter_test.dsp.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/inter_test.dsw		X	2013,2018,2019,2020,2021
+./bin/tests/win32/inter_test.mak.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/inter_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tests/win32/inter_test.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/win32/inter_test.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tests/win32/makejournal.dsp.in		X	2016,2018,2019,2020,2021
+./bin/tests/win32/makejournal.dsw		X	2016,2018,2019,2020,2021
+./bin/tests/win32/makejournal.mak.in		X	2016,2018,2019,2020,2021
+./bin/tests/win32/makejournal.vcxproj.filters.in	X	2016,2018,2019,2020,2021
+./bin/tests/win32/makejournal.vcxproj.in	X	2016,2017,2018,2019,2020,2021
+./bin/tests/win32/makejournal.vcxproj.user	X	2016,2018,2019,2020,2021
+./bin/tests/win32/rwlock_test.dsp.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/rwlock_test.dsw		X	2013,2018,2019,2020,2021
+./bin/tests/win32/rwlock_test.mak.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/rwlock_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tests/win32/rwlock_test.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/win32/rwlock_test.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tests/win32/shutdown_test.dsp.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/shutdown_test.dsw		X	2013,2018,2019,2020,2021
+./bin/tests/win32/shutdown_test.mak.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/shutdown_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tests/win32/shutdown_test.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/win32/shutdown_test.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tests/win32/sock_test.dsp.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/sock_test.dsw			X	2013,2018,2019,2020,2021
+./bin/tests/win32/sock_test.mak.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/sock_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tests/win32/sock_test.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/win32/sock_test.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tests/win32/task_test.dsp.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/task_test.dsw			X	2013,2018,2019,2020,2021
+./bin/tests/win32/task_test.mak.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/task_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tests/win32/task_test.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/win32/task_test.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tests/win32/timer_test.dsp.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/timer_test.dsw		X	2013,2018,2019,2020,2021
+./bin/tests/win32/timer_test.mak.in		X	2013,2018,2019,2020,2021
+./bin/tests/win32/timer_test.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tests/win32/timer_test.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tests/win32/timer_test.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tests/wire_test.c				C	1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./bin/tools/Makefile.in				MAKE	2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/tools/arpaname.1				MAN	DOCBOOK
-./bin/tools/arpaname.c				C	2009,2015,2016,2018,2019,2020
-./bin/tools/arpaname.docbook			SGML	2009,2014,2015,2016,2018,2019,2020
+./bin/tools/arpaname.c				C	2009,2015,2016,2018,2019,2020,2021
+./bin/tools/arpaname.docbook			SGML	2009,2014,2015,2016,2018,2019,2020,2021
 ./bin/tools/arpaname.html			HTML	DOCBOOK
 ./bin/tools/dnstap-read.1			MAN	DOCBOOK
-./bin/tools/dnstap-read.c			C	2015,2016,2018,2019,2020
-./bin/tools/dnstap-read.docbook			SGML	2015,2016,2018,2019,2020
+./bin/tools/dnstap-read.c			C	2015,2016,2018,2019,2020,2021
+./bin/tools/dnstap-read.docbook			SGML	2015,2016,2018,2019,2020,2021
 ./bin/tools/dnstap-read.html			HTML	DOCBOOK
 ./bin/tools/genrandom.8				MAN	DOCBOOK
-./bin/tools/genrandom.c				C	2000,2001,2002,2003,2004,2005,2007,2009,2010,2012,2014,2016,2018,2019,2020
-./bin/tools/genrandom.docbook			SGML	2009,2010,2011,2014,2015,2016,2018,2019,2020
+./bin/tools/genrandom.c				C	2000,2001,2002,2003,2004,2005,2007,2009,2010,2012,2014,2016,2018,2019,2020,2021
+./bin/tools/genrandom.docbook			SGML	2009,2010,2011,2014,2015,2016,2018,2019,2020,2021
 ./bin/tools/genrandom.html			HTML	DOCBOOK
 ./bin/tools/isc-hmac-fixup.8			MAN	DOCBOOK
-./bin/tools/isc-hmac-fixup.c			C	2010,2014,2015,2016,2018,2019,2020
-./bin/tools/isc-hmac-fixup.docbook		SGML	2010,2013,2014,2015,2016,2017,2018,2019,2020
+./bin/tools/isc-hmac-fixup.c			C	2010,2014,2015,2016,2018,2019,2020,2021
+./bin/tools/isc-hmac-fixup.docbook		SGML	2010,2013,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/tools/isc-hmac-fixup.html			HTML	DOCBOOK
 ./bin/tools/mdig.1				MAN	DOCBOOK
-./bin/tools/mdig.c				C	2015,2016,2017,2018,2019,2020
-./bin/tools/mdig.docbook			SGML	2015,2016,2017,2018,2019,2020
+./bin/tools/mdig.c				C	2015,2016,2017,2018,2019,2020,2021
+./bin/tools/mdig.docbook			SGML	2015,2016,2017,2018,2019,2020,2021
 ./bin/tools/mdig.html				HTML	DOCBOOK
 ./bin/tools/named-journalprint.8		MAN	DOCBOOK
-./bin/tools/named-journalprint.c		C	2000,2001,2004,2005,2006,2007,2008,2009,2015,2016,2018,2019,2020
-./bin/tools/named-journalprint.docbook		SGML	2009,2014,2015,2016,2017,2018,2019,2020
+./bin/tools/named-journalprint.c		C	2000,2001,2004,2005,2006,2007,2008,2009,2015,2016,2018,2019,2020,2021
+./bin/tools/named-journalprint.docbook		SGML	2009,2014,2015,2016,2017,2018,2019,2020,2021
 ./bin/tools/named-journalprint.html		HTML	DOCBOOK
 ./bin/tools/named-nzd2nzf.8			MAN	DOCBOOK
-./bin/tools/named-nzd2nzf.c			C	2016,2017,2018,2019,2020
-./bin/tools/named-nzd2nzf.docbook		SGML	2016,2018,2019,2020
+./bin/tools/named-nzd2nzf.c			C	2016,2017,2018,2019,2020,2021
+./bin/tools/named-nzd2nzf.docbook		SGML	2016,2018,2019,2020,2021
 ./bin/tools/named-nzd2nzf.html			HTML	DOCBOOK
 ./bin/tools/named-rrchecker.1			MAN	DOCBOOK
-./bin/tools/named-rrchecker.c			C	2013,2015,2016,2017,2018,2019,2020
-./bin/tools/named-rrchecker.docbook		SGML	2013,2014,2015,2016,2018,2019,2020
+./bin/tools/named-rrchecker.c			C	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tools/named-rrchecker.docbook		SGML	2013,2014,2015,2016,2018,2019,2020,2021
 ./bin/tools/named-rrchecker.html		HTML	DOCBOOK
 ./bin/tools/nsec3hash.8				MAN	DOCBOOK
-./bin/tools/nsec3hash.c				C	2006,2008,2009,2011,2014,2016,2018,2019,2020
-./bin/tools/nsec3hash.docbook			SGML	2009,2014,2015,2016,2018,2019,2020
+./bin/tools/nsec3hash.c				C	2006,2008,2009,2011,2014,2016,2018,2019,2020,2021
+./bin/tools/nsec3hash.docbook			SGML	2009,2014,2015,2016,2018,2019,2020,2021
 ./bin/tools/nsec3hash.html			HTML	DOCBOOK
-./bin/tools/win32/arpaname.dsp.in		X	2009,2013,2018,2019,2020
-./bin/tools/win32/arpaname.dsw			X	2009,2018,2019,2020
-./bin/tools/win32/arpaname.mak.in		X	2009,2013,2018,2019,2020
-./bin/tools/win32/arpaname.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tools/win32/arpaname.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020
-./bin/tools/win32/arpaname.vcxproj.user		X	2013,2018,2019,2020
-./bin/tools/win32/genrandom.dsp.in		X	2009,2013,2018,2019,2020
-./bin/tools/win32/genrandom.dsw			X	2009,2018,2019,2020
-./bin/tools/win32/genrandom.mak.in		X	2009,2013,2018,2019,2020
-./bin/tools/win32/genrandom.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tools/win32/genrandom.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020
-./bin/tools/win32/genrandom.vcxproj.user	X	2013,2018,2019,2020
-./bin/tools/win32/ischmacfixup.dsp.in		X	2010,2013,2014,2016,2018,2019,2020
-./bin/tools/win32/ischmacfixup.dsw		X	2010,2018,2019,2020
-./bin/tools/win32/ischmacfixup.mak.in		X	2010,2013,2014,2016,2018,2019,2020
-./bin/tools/win32/ischmacfixup.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tools/win32/ischmacfixup.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tools/win32/ischmacfixup.vcxproj.user	X	2013,2018,2019,2020
-./bin/tools/win32/journalprint.dsp.in		X	2009,2013,2018,2019,2020
-./bin/tools/win32/journalprint.dsw		X	2009,2018,2019,2020
-./bin/tools/win32/journalprint.mak.in		X	2009,2010,2013,2018,2019,2020
-./bin/tools/win32/journalprint.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tools/win32/journalprint.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020
-./bin/tools/win32/journalprint.vcxproj.user	X	2013,2018,2019,2020
-./bin/tools/win32/mdig.dsp.in			X	2015,2016,2018,2019,2020
-./bin/tools/win32/mdig.dsw			X	2015,2018,2019,2020
-./bin/tools/win32/mdig.mak.in			X	2015,2016,2018,2019,2020
-./bin/tools/win32/mdig.vcxproj.filters.in	X	2015,2018,2019,2020
-./bin/tools/win32/mdig.vcxproj.in		X	2015,2016,2017,2018,2019,2020
-./bin/tools/win32/mdig.vcxproj.user		X	2015,2018,2019,2020
-./bin/tools/win32/nsec3hash.dsp.in		X	2009,2013,2014,2016,2018,2019,2020
-./bin/tools/win32/nsec3hash.dsw			X	2009,2018,2019,2020
-./bin/tools/win32/nsec3hash.mak.in		X	2009,2013,2014,2016,2018,2019,2020
-./bin/tools/win32/nsec3hash.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tools/win32/nsec3hash.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tools/win32/nsec3hash.vcxproj.user	X	2013,2018,2019,2020
-./bin/tools/win32/rrchecker.dsp.in		X	2013,2018,2019,2020
-./bin/tools/win32/rrchecker.dsw			X	2013,2018,2019,2020
-./bin/tools/win32/rrchecker.mak.in		X	2013,2018,2019,2020
-./bin/tools/win32/rrchecker.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/tools/win32/rrchecker.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./bin/tools/win32/rrchecker.vcxproj.user	X	2013,2018,2019,2020
-./bin/win32/BINDInstall/AccountInfo.cpp		C.PORTION	2001,2002,2004,2007,2009,2013,2016,2017,2018,2019,2020
-./bin/win32/BINDInstall/AccountInfo.h		C	2001,2004,2007,2016,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.cpp		C.PORTION	2001,2004,2007,2009,2016,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.dsp.in	X	2001,2007,2009,2013,2014,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.dsw		X	2001,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.h		C.PORTION	2001,2004,2007,2016,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.mak.in	X	2001,2006,2007,2009,2013,2014,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.rc		X	2001,2005,2009,2014,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.vcxproj.in	X	2013,2014,2015,2016,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstall.vcxproj.user	X	2013,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstallDlg.cpp	C.PORTION	2001,2003,2004,2005,2006,2007,2008,2009,2010,2013,2014,2015,2016,2017,2018,2019,2020
-./bin/win32/BINDInstall/BINDInstallDlg.h	C.PORTION	2001,2004,2007,2009,2015,2016,2017,2018,2019,2020
-./bin/win32/BINDInstall/DirBrowse.cpp		C.PORTION	2001,2004,2007,2016,2018,2019,2020
-./bin/win32/BINDInstall/DirBrowse.h		C.PORTION	2001,2004,2007,2016,2018,2019,2020
-./bin/win32/BINDInstall/StdAfx.cpp		X	2001,2018,2019,2020
-./bin/win32/BINDInstall/StdAfx.h		X	2001,2006,2011,2013,2018,2019,2020
-./bin/win32/BINDInstall/VersionInfo.cpp		X	2001,2008,2015,2017,2018,2019,2020
-./bin/win32/BINDInstall/VersionInfo.h		X	2001,2018,2019,2020
-./bin/win32/BINDInstall/res/BINDInstall.ico	X	2001,2018,2019,2020
-./bin/win32/BINDInstall/res/BINDInstall.rc2	X	2001,2018,2019,2020
-./bin/win32/BINDInstall/resource.h		X	2001,2005,2009,2018,2019,2020
-./bind.keys					X	2009,2010,2011,2017,2018,2019,2020
-./bind.keys.h					X	2009,2010,2011,2012,2014,2017,2018,2019,2020
-./cocci/unreachable.spatch			X	2018,2019,2020
-./config.guess					X	1998,1999,2000,2001,2004,2009,2013,2018,2019,2020
-./config.h.in					X	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./config.h.win32				C	1999,2000,2001,2004,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./config.sub					X	1998,1999,2000,2001,2004,2013,2018,2019,2020
-./config.threads.in				X	2005,2006,2010,2011,2012,2013,2018,2019,2020
-./configure					X	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./configure.ac					SH	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./conftools/perllib/dnsconf/DNSConf-macros.h	C	2000,2001,2004,2007,2016,2018,2019,2020
-./conftools/perllib/dnsconf/DNSConf.i		C	2000,2001,2004,2007,2016,2018,2019,2020
-./conftools/perllib/dnsconf/Makefile.PL		PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./conftools/perllib/dnsconf/named1.conf		CONF-C	2000,2001,2004,2007,2016,2018,2019,2020
-./conftools/perllib/dnsconf/test.pl		PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./contrib/README				X	2014,2015,2016,2017,2018,2019,2020
-./contrib/dane/mkdane.sh			X	2012,2018,2019,2020
-./contrib/dane/tlsa6698.pem			X	2012,2018,2019,2020
-./contrib/dlz/bin/dlzbdb/Makefile.in		X	2005,2007,2009,2011,2012,2015,2016,2018,2019,2020
-./contrib/dlz/bin/dlzbdb/dlzbdb.c		X	2005,2016,2018,2019,2020
-./contrib/dlz/config.dlz.in			X	2005,2006,2008,2010,2011,2014,2016,2017,2018,2019,2020
-./contrib/dlz/drivers/dlz_bdb_driver.c		X	2005,2008,2010,2011,2012,2016,2018,2019,2020
-./contrib/dlz/drivers/dlz_bdbhpt_driver.c	X	2005,2010,2011,2012,2016,2018,2019,2020
-./contrib/dlz/drivers/dlz_dlopen_driver.c	X	2010,2011,2018,2019,2020
-./contrib/dlz/drivers/dlz_drivers.c		X	2005,2010,2011,2018,2019,2020
-./contrib/dlz/drivers/dlz_filesystem_driver.c	X	2005,2010,2011,2012,2016,2018,2019,2020
-./contrib/dlz/drivers/dlz_ldap_driver.c		X	2005,2010,2011,2012,2016,2018,2019,2020
-./contrib/dlz/drivers/dlz_mysql_driver.c	X	2005,2007,2009,2010,2011,2012,2016,2018,2019,2020
-./contrib/dlz/drivers/dlz_odbc_driver.c		X	2005,2010,2011,2012,2014,2016,2018,2019,2020
-./contrib/dlz/drivers/dlz_postgres_driver.c	X	2005,2007,2010,2011,2012,2014,2016,2018,2019,2020
-./contrib/dlz/drivers/dlz_stub_driver.c		X	2005,2010,2011,2012,2016,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_bdb_driver.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_bdbhpt_driver.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_dlopen_driver.h	X	2010,2011,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_drivers.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_filesystem_driver.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_ldap_driver.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_mysql_driver.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_odbc_driver.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_postgres_driver.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/dlz_stub_driver.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/include/dlz/sdlz_helper.h	X	2005,2018,2019,2020
-./contrib/dlz/drivers/rules.in			X	2005,2010,2018,2019,2020
-./contrib/dlz/drivers/sdlz_helper.c		X	2005,2010,2011,2012,2016,2018,2019,2020
-./contrib/dlz/example/Makefile			X	2010,2013,2018,2019,2020
-./contrib/dlz/example/README			X	2011,2012,2013,2014,2018,2019,2020
-./contrib/dlz/example/dlz_example.c		X	2010,2011,2012,2013,2014,2018,2019,2020
-./contrib/dlz/example/named.conf		X	2011,2014,2018,2019,2020
-./contrib/dlz/example/win32/DLLMain.c		X	2011,2016,2018,2019,2020
-./contrib/dlz/example/win32/dxdriver.def	X	2011,2018,2019,2020
-./contrib/dlz/example/win32/dxdriver.dsp	X	2018,2019,2020
-./contrib/dlz/example/win32/dxdriver.dsw	X	2011,2018,2019,2020
-./contrib/dlz/example/win32/dxdriver.mak	X	2018,2019,2020
-./contrib/dlz/modules/bdbhpt/Makefile		X	2013,2018,2019,2020
-./contrib/dlz/modules/bdbhpt/README.md		X	2013,2015,2018,2019,2020
-./contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c	X	2013,2015,2018,2019,2020
-./contrib/dlz/modules/bdbhpt/testing/README	X	2015,2018,2019,2020
-./contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl	X	2013,2018,2019,2020
+./bin/tools/win32/arpaname.dsp.in		X	2009,2013,2018,2019,2020,2021
+./bin/tools/win32/arpaname.dsw			X	2009,2018,2019,2020,2021
+./bin/tools/win32/arpaname.mak.in		X	2009,2013,2018,2019,2020,2021
+./bin/tools/win32/arpaname.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tools/win32/arpaname.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tools/win32/arpaname.vcxproj.user		X	2013,2018,2019,2020,2021
+./bin/tools/win32/genrandom.dsp.in		X	2009,2013,2018,2019,2020,2021
+./bin/tools/win32/genrandom.dsw			X	2009,2018,2019,2020,2021
+./bin/tools/win32/genrandom.mak.in		X	2009,2013,2018,2019,2020,2021
+./bin/tools/win32/genrandom.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tools/win32/genrandom.vcxproj.in		X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tools/win32/genrandom.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tools/win32/ischmacfixup.dsp.in		X	2010,2013,2014,2016,2018,2019,2020,2021
+./bin/tools/win32/ischmacfixup.dsw		X	2010,2018,2019,2020,2021
+./bin/tools/win32/ischmacfixup.mak.in		X	2010,2013,2014,2016,2018,2019,2020,2021
+./bin/tools/win32/ischmacfixup.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tools/win32/ischmacfixup.vcxproj.in	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tools/win32/ischmacfixup.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tools/win32/journalprint.dsp.in		X	2009,2013,2018,2019,2020,2021
+./bin/tools/win32/journalprint.dsw		X	2009,2018,2019,2020,2021
+./bin/tools/win32/journalprint.mak.in		X	2009,2010,2013,2018,2019,2020,2021
+./bin/tools/win32/journalprint.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tools/win32/journalprint.vcxproj.in	X	2013,2015,2016,2017,2018,2019,2020,2021
+./bin/tools/win32/journalprint.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tools/win32/mdig.dsp.in			X	2015,2016,2018,2019,2020,2021
+./bin/tools/win32/mdig.dsw			X	2015,2018,2019,2020,2021
+./bin/tools/win32/mdig.mak.in			X	2015,2016,2018,2019,2020,2021
+./bin/tools/win32/mdig.vcxproj.filters.in	X	2015,2018,2019,2020,2021
+./bin/tools/win32/mdig.vcxproj.in		X	2015,2016,2017,2018,2019,2020,2021
+./bin/tools/win32/mdig.vcxproj.user		X	2015,2018,2019,2020,2021
+./bin/tools/win32/nsec3hash.dsp.in		X	2009,2013,2014,2016,2018,2019,2020,2021
+./bin/tools/win32/nsec3hash.dsw			X	2009,2018,2019,2020,2021
+./bin/tools/win32/nsec3hash.mak.in		X	2009,2013,2014,2016,2018,2019,2020,2021
+./bin/tools/win32/nsec3hash.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tools/win32/nsec3hash.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tools/win32/nsec3hash.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/tools/win32/rrchecker.dsp.in		X	2013,2018,2019,2020,2021
+./bin/tools/win32/rrchecker.dsw			X	2013,2018,2019,2020,2021
+./bin/tools/win32/rrchecker.mak.in		X	2013,2018,2019,2020,2021
+./bin/tools/win32/rrchecker.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/tools/win32/rrchecker.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/tools/win32/rrchecker.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/win32/BINDInstall/AccountInfo.cpp		C.PORTION	2001,2002,2004,2007,2009,2013,2016,2017,2018,2019,2020,2021
+./bin/win32/BINDInstall/AccountInfo.h		C	2001,2004,2007,2016,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.cpp		C.PORTION	2001,2004,2007,2009,2016,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.dsp.in	X	2001,2007,2009,2013,2014,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.dsw		X	2001,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.h		C.PORTION	2001,2004,2007,2016,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.mak.in	X	2001,2006,2007,2009,2013,2014,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.rc		X	2001,2005,2009,2014,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.vcxproj.in	X	2013,2014,2015,2016,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstall.vcxproj.user	X	2013,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstallDlg.cpp	C.PORTION	2001,2003,2004,2005,2006,2007,2008,2009,2010,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./bin/win32/BINDInstall/BINDInstallDlg.h	C.PORTION	2001,2004,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./bin/win32/BINDInstall/DirBrowse.cpp		C.PORTION	2001,2004,2007,2016,2018,2019,2020,2021
+./bin/win32/BINDInstall/DirBrowse.h		C.PORTION	2001,2004,2007,2016,2018,2019,2020,2021
+./bin/win32/BINDInstall/StdAfx.cpp		X	2001,2018,2019,2020,2021
+./bin/win32/BINDInstall/StdAfx.h		X	2001,2006,2011,2013,2018,2019,2020,2021
+./bin/win32/BINDInstall/VersionInfo.cpp		X	2001,2008,2015,2017,2018,2019,2020,2021
+./bin/win32/BINDInstall/VersionInfo.h		X	2001,2018,2019,2020,2021
+./bin/win32/BINDInstall/res/BINDInstall.ico	X	2001,2018,2019,2020,2021
+./bin/win32/BINDInstall/res/BINDInstall.rc2	X	2001,2018,2019,2020,2021
+./bin/win32/BINDInstall/resource.h		X	2001,2005,2009,2018,2019,2020,2021
+./bind.keys					X	2009,2010,2011,2017,2018,2019,2020,2021
+./bind.keys.h					X	2009,2010,2011,2012,2014,2017,2018,2019,2020,2021
+./cocci/unreachable.spatch			X	2018,2019,2020,2021
+./config.guess					X	1998,1999,2000,2001,2004,2009,2013,2018,2019,2020,2021
+./config.h.in					X	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./config.h.win32				C	1999,2000,2001,2004,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./config.sub					X	1998,1999,2000,2001,2004,2013,2018,2019,2020,2021
+./config.threads.in				X	2005,2006,2010,2011,2012,2013,2018,2019,2020,2021
+./configure					X	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./configure.ac					SH	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./conftools/perllib/dnsconf/DNSConf-macros.h	C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./conftools/perllib/dnsconf/DNSConf.i		C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./conftools/perllib/dnsconf/Makefile.PL		PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./conftools/perllib/dnsconf/named1.conf		CONF-C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./conftools/perllib/dnsconf/test.pl		PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./contrib/README				X	2014,2015,2016,2017,2018,2019,2020,2021
+./contrib/dane/mkdane.sh			X	2012,2018,2019,2020,2021
+./contrib/dane/tlsa6698.pem			X	2012,2018,2019,2020,2021
+./contrib/dlz/bin/dlzbdb/Makefile.in		X	2005,2007,2009,2011,2012,2015,2016,2018,2019,2020,2021
+./contrib/dlz/bin/dlzbdb/dlzbdb.c		X	2005,2016,2018,2019,2020,2021
+./contrib/dlz/config.dlz.in			X	2005,2006,2008,2010,2011,2014,2016,2017,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_bdb_driver.c		X	2005,2008,2010,2011,2012,2016,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_bdbhpt_driver.c	X	2005,2010,2011,2012,2016,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_dlopen_driver.c	X	2010,2011,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_drivers.c		X	2005,2010,2011,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_filesystem_driver.c	X	2005,2010,2011,2012,2016,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_ldap_driver.c		X	2005,2010,2011,2012,2016,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_mysql_driver.c	X	2005,2007,2009,2010,2011,2012,2016,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_odbc_driver.c		X	2005,2010,2011,2012,2014,2016,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_postgres_driver.c	X	2005,2007,2010,2011,2012,2014,2016,2018,2019,2020,2021
+./contrib/dlz/drivers/dlz_stub_driver.c		X	2005,2010,2011,2012,2016,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_bdb_driver.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_bdbhpt_driver.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_dlopen_driver.h	X	2010,2011,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_drivers.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_filesystem_driver.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_ldap_driver.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_mysql_driver.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_odbc_driver.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_postgres_driver.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/dlz_stub_driver.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/include/dlz/sdlz_helper.h	X	2005,2018,2019,2020,2021
+./contrib/dlz/drivers/rules.in			X	2005,2010,2018,2019,2020,2021
+./contrib/dlz/drivers/sdlz_helper.c		X	2005,2010,2011,2012,2016,2018,2019,2020,2021
+./contrib/dlz/example/Makefile			X	2010,2013,2018,2019,2020,2021
+./contrib/dlz/example/README			X	2011,2012,2013,2014,2018,2019,2020,2021
+./contrib/dlz/example/dlz_example.c		X	2010,2011,2012,2013,2014,2018,2019,2020,2021
+./contrib/dlz/example/named.conf		X	2011,2014,2018,2019,2020,2021
+./contrib/dlz/example/win32/DLLMain.c		X	2011,2016,2018,2019,2020,2021
+./contrib/dlz/example/win32/dxdriver.def	X	2011,2018,2019,2020,2021
+./contrib/dlz/example/win32/dxdriver.dsp	X	2018,2019,2020,2021
+./contrib/dlz/example/win32/dxdriver.dsw	X	2011,2018,2019,2020,2021
+./contrib/dlz/example/win32/dxdriver.mak	X	2018,2019,2020,2021
+./contrib/dlz/modules/bdbhpt/Makefile		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/bdbhpt/README.md		X	2013,2015,2018,2019,2020,2021
+./contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c	X	2013,2015,2018,2019,2020,2021
+./contrib/dlz/modules/bdbhpt/testing/README	X	2015,2018,2019,2020,2021
+./contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl	X	2013,2018,2019,2020,2021
 ./contrib/dlz/modules/bdbhpt/testing/dns-data.txt	X	2013,2015,2018,2019
-./contrib/dlz/modules/bdbhpt/testing/named.conf	X	2015,2018,2019,2020
-./contrib/dlz/modules/common/dlz_dbi.c		X	2013,2014,2016,2018,2019,2020
-./contrib/dlz/modules/filesystem/Makefile	X	2013,2018,2019,2020
-./contrib/dlz/modules/filesystem/dir.c		X	2013,2018,2019,2020
-./contrib/dlz/modules/filesystem/dir.h		X	2013,2018,2019,2020
-./contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c	X	2013,2015,2016,2018,2019,2020
-./contrib/dlz/modules/include/dlz_dbi.h		X	2013,2018,2019,2020
-./contrib/dlz/modules/include/dlz_list.h	X	2013,2016,2018,2019,2020
-./contrib/dlz/modules/include/dlz_minimal.h	X	2013,2014,2018,2019,2020
-./contrib/dlz/modules/include/dlz_pthread.h	X	2013,2014,2015,2018,2019,2020
-./contrib/dlz/modules/ldap/Makefile		X	2013,2018,2019,2020
-./contrib/dlz/modules/ldap/dlz_ldap_dynamic.c	X	2013,2016,2018,2019,2020
-./contrib/dlz/modules/ldap/testing/README	X	2013,2018,2019,2020
-./contrib/dlz/modules/ldap/testing/dlz.schema	X	2013,2018,2019,2020
-./contrib/dlz/modules/ldap/testing/example.ldif	X	2013,2018,2019,2020
-./contrib/dlz/modules/ldap/testing/named.conf	X	2013,2018,2019,2020
-./contrib/dlz/modules/ldap/testing/slapd.conf	X	2013,2018,2019,2020
-./contrib/dlz/modules/mysql/Makefile.in		X	2013,2017,2018,2019,2020
-./contrib/dlz/modules/mysql/dlz_mysql_dynamic.c	X	2013,2016,2018,2019,2020
-./contrib/dlz/modules/mysql/testing/README	X	2013,2018,2019,2020
-./contrib/dlz/modules/mysql/testing/dlz.data	X	2013,2017,2018,2019,2020
-./contrib/dlz/modules/mysql/testing/dlz.schema	X	2013,2018,2019,2020
-./contrib/dlz/modules/mysql/testing/named.conf	X	2013,2018,2019,2020
-./contrib/dlz/modules/mysqldyn/Makefile.in	X	2014,2015,2017,2018,2019,2020
-./contrib/dlz/modules/mysqldyn/README		X	2014,2018,2019,2020
-./contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c	X	2014,2015,2018,2019,2020
-./contrib/dlz/modules/mysqldyn/testing/README	X	2014,2018,2019,2020
-./contrib/dlz/modules/mysqldyn/testing/dlz.data	X	2014,2018,2019,2020
-./contrib/dlz/modules/mysqldyn/testing/dlz.schema	X	2014,2018,2019,2020
-./contrib/dlz/modules/mysqldyn/testing/named.conf	X	2014,2018,2019,2020
-./contrib/dlz/modules/perl/Makefile		X	2013,2018,2019,2020
-./contrib/dlz/modules/perl/README		X	2013,2018,2019,2020
-./contrib/dlz/modules/perl/dlz_perl_callback.xs	X	2013,2018,2019,2020
-./contrib/dlz/modules/perl/dlz_perl_callback_clientinfo.xs	X	2013,2018,2019,2020
-./contrib/dlz/modules/perl/dlz_perl_driver.c	X	2013,2015,2016,2018,2019,2020
-./contrib/dlz/modules/perl/dlz_perl_driver.h	X	2013,2018,2019,2020
-./contrib/dlz/modules/perl/testing/dlz_perl_example.pm	X	2013,2018,2019,2020
-./contrib/dlz/modules/perl/testing/named.conf	X	2013,2018,2019,2020
-./contrib/dlz/modules/sqlite3/Makefile		X	2014,2018,2019,2020
-./contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c	X	2014,2016,2018,2019,2020
-./contrib/dlz/modules/sqlite3/testing/README	X	2014,2018,2019,2020
-./contrib/dlz/modules/sqlite3/testing/dlz.data	X	2014,2018,2019,2020
-./contrib/dlz/modules/sqlite3/testing/dlz.schema	X	2014,2018,2019,2020
-./contrib/dlz/modules/sqlite3/testing/named.conf	X	2014,2018,2019,2020
-./contrib/dlz/modules/wildcard/Makefile		X	2013,2018,2019,2020
-./contrib/dlz/modules/wildcard/README		X	2013,2018,2019,2020
-./contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c	X	2013,2015,2016,2018,2019,2020
-./contrib/dlz/modules/wildcard/testing/named.conf	X	2013,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/Makefile.in		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/README		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/RELEASE_NOTES	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/aclocal.m4		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/acx_pthread.m4	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/config.guess	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/config.sub		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/configure		X	2016,2017,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/configure.in	X	2016,2017,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/contrib/queryparse/INSTALL	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/contrib/queryparse/USAGE	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/contrib/queryparse/queryparse	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/contrib/queryparse/queryparse.1	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/datafile.c		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/datafile.h		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/dns.c		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/dns.h		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/dnsperf.1		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/dnsperf.c		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/doc/caching-dns-performance.pdf	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/doc/dnsperf.pdf	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/doc/resperf.pdf	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/install-sh		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/log.c		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/log.h		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/net.c		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/net.h		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/opt.c		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/opt.h		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/os.c		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/os.h		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/resperf-report	X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/resperf.1		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/resperf.c		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/util.h		X	2016,2018,2019,2020
-./contrib/dnsperf-2.1.0.0-1/version.h		X	2016,2018,2019,2020
-./contrib/dnspriv/README.md			MKD	2017,2018,2019,2020
-./contrib/dnspriv/named.conf			CONF-C	2017,2018,2019,2020
-./contrib/dnspriv/nginx.conf			SH	2017,2018,2019,2020
-./contrib/idn/README.idnkit			X	2005,2009,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/ChangeLog		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/DISTFILES		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/INSTALL		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/INSTALL.ja		X	2003,2018,2019,2020
+./contrib/dlz/modules/bdbhpt/testing/named.conf	X	2015,2018,2019,2020,2021
+./contrib/dlz/modules/common/dlz_dbi.c		X	2013,2014,2016,2018,2019,2020,2021
+./contrib/dlz/modules/filesystem/Makefile	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/filesystem/dir.c		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/filesystem/dir.h		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c	X	2013,2015,2016,2018,2019,2020,2021
+./contrib/dlz/modules/include/dlz_dbi.h		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/include/dlz_list.h	X	2013,2016,2018,2019,2020,2021
+./contrib/dlz/modules/include/dlz_minimal.h	X	2013,2014,2018,2019,2020,2021
+./contrib/dlz/modules/include/dlz_pthread.h	X	2013,2014,2015,2018,2019,2020,2021
+./contrib/dlz/modules/ldap/Makefile		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/ldap/dlz_ldap_dynamic.c	X	2013,2016,2018,2019,2020,2021
+./contrib/dlz/modules/ldap/testing/README	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/ldap/testing/dlz.schema	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/ldap/testing/example.ldif	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/ldap/testing/named.conf	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/ldap/testing/slapd.conf	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/mysql/Makefile.in		X	2013,2017,2018,2019,2020,2021
+./contrib/dlz/modules/mysql/dlz_mysql_dynamic.c	X	2013,2016,2018,2019,2020,2021
+./contrib/dlz/modules/mysql/testing/README	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/mysql/testing/dlz.data	X	2013,2017,2018,2019,2020,2021
+./contrib/dlz/modules/mysql/testing/dlz.schema	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/mysql/testing/named.conf	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/mysqldyn/Makefile.in	X	2014,2015,2017,2018,2019,2020,2021
+./contrib/dlz/modules/mysqldyn/README		X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c	X	2014,2015,2018,2019,2020,2021
+./contrib/dlz/modules/mysqldyn/testing/README	X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/mysqldyn/testing/dlz.data	X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/mysqldyn/testing/dlz.schema	X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/mysqldyn/testing/named.conf	X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/perl/Makefile		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/perl/README		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/perl/dlz_perl_callback.xs	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/perl/dlz_perl_callback_clientinfo.xs	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/perl/dlz_perl_driver.c	X	2013,2015,2016,2018,2019,2020,2021
+./contrib/dlz/modules/perl/dlz_perl_driver.h	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/perl/testing/dlz_perl_example.pm	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/perl/testing/named.conf	X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/sqlite3/Makefile		X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c	X	2014,2016,2018,2019,2020,2021
+./contrib/dlz/modules/sqlite3/testing/README	X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/sqlite3/testing/dlz.data	X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/sqlite3/testing/dlz.schema	X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/sqlite3/testing/named.conf	X	2014,2018,2019,2020,2021
+./contrib/dlz/modules/wildcard/Makefile		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/wildcard/README		X	2013,2018,2019,2020,2021
+./contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c	X	2013,2015,2016,2018,2019,2020,2021
+./contrib/dlz/modules/wildcard/testing/named.conf	X	2013,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/Makefile.in		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/README		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/RELEASE_NOTES	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/aclocal.m4		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/acx_pthread.m4	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/config.guess	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/config.sub		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/configure		X	2016,2017,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/configure.in	X	2016,2017,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/contrib/queryparse/INSTALL	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/contrib/queryparse/USAGE	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/contrib/queryparse/queryparse	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/contrib/queryparse/queryparse.1	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/datafile.c		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/datafile.h		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/dns.c		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/dns.h		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/dnsperf.1		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/dnsperf.c		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/doc/caching-dns-performance.pdf	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/doc/dnsperf.pdf	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/doc/resperf.pdf	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/install-sh		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/log.c		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/log.h		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/net.c		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/net.h		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/opt.c		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/opt.h		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/os.c		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/os.h		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/resperf-report	X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/resperf.1		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/resperf.c		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/util.h		X	2016,2018,2019,2020,2021
+./contrib/dnsperf-2.1.0.0-1/version.h		X	2016,2018,2019,2020,2021
+./contrib/dnspriv/README.md			MKD	2017,2018,2019,2020,2021
+./contrib/dnspriv/named.conf			CONF-C	2017,2018,2019,2020,2021
+./contrib/dnspriv/nginx.conf			SH	2017,2018,2019,2020,2021
+./contrib/idn/README.idnkit			X	2005,2009,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/ChangeLog		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/DISTFILES		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/INSTALL		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/INSTALL.ja		X	2003,2018,2019,2020,2021
 ./contrib/idn/idnkit-1.0-src/LICENSE.txt	X	2003,2018,2019
-./contrib/idn/idnkit-1.0-src/Makefile.in	X	2003,2004,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/NEWS		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/README		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/README.ja		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/acconfig.h		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/aclocal.m4		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/config.guess	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/config.sub		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/configure		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/configure.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/Makefile.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/config.h.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/config.h.win	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/Makefile.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/aliaslist.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/api.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/assert.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/checker.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/converter.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/debug.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/delimitermap.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/export.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/filechecker.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/filemapper.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/localencoding.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/log.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/logmacro.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/mapper.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/mapselector.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/nameprep.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/normalizer.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/punycode.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/race.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/res.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/resconf.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/result.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/strhash.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/ucs4.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/ucsmap.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/ucsset.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/unicode.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/unormalize.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/utf8.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/util.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/idn/version.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/Makefile.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/api.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/localencoding.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/log.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/res.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/resconf.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/result.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/utf8.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/include/mdn/version.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/install-sh		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/Makefile.in	X	2003,2004,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/aliaslist.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/aliaslist.sh	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/api.c		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/checker.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/converter.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/debug.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/delimitermap.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/filechecker.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/filemapper.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/idn.conf.sample.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/localencoding.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/log.c		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/make.wnt	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/mapper.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/mapselector.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/nameprep.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/nameprep_template.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/nameprepdata.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/normalizer.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/punycode.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/race.c		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/res.c		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/resconf.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/result.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/strhash.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in	X	2003,2004,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init1.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init2.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init3.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init4-1.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init4-2.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init4-3.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init5-1.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init5-2.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api-init5-3.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/api.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/checker.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/codeset.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/converter.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/delimitermap.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/iconvchk.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/mapper.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/mapselector.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/nameprep.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/normalizer.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/res.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/resconf.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/setenv.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/setenv.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/testsuite.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/testsuite.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/testutil.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/testutil.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/testygen	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/ucs4.tsy	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/tests/utffilter	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/ucs4.c		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/ucsmap.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/ucsset.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/unicode.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/unicode_template.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/unicodedata_320.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/unormalize.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/utf8.c		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/util.c		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/lib/version.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/ltconfig		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/ltmain.sh		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/make.wnt		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/man/Makefile.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/man/idn.conf.5.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/man/libidnkit.3.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/map/Makefile.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/map/jp.map		X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/mkinstalldirs	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.1-patch	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.2-patch	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/Makefile.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/idnconv.1	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/idnconv.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/idnslookup.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/make.wnt	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h	X	2003,2009,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/util.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/idnconv/util.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/make.wnt	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/rpm/idnkit.spec	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/runidn/Makefile.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/runidn/resolver.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/runidn/resolver.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/runidn/runidn.1	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/runidn/stub.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/tools/runidn/stub.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/util/Makefile	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/util/SparseMap.pm	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/util/UCD.pm	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/win/README.WIN	X	2003,2018,2019,2020
+./contrib/idn/idnkit-1.0-src/Makefile.in	X	2003,2004,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/NEWS		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/README		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/README.ja		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/acconfig.h		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/aclocal.m4		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/config.guess	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/config.sub		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/configure		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/configure.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/Makefile.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/config.h.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/config.h.win	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/Makefile.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/aliaslist.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/api.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/assert.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/checker.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/converter.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/debug.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/delimitermap.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/export.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/filechecker.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/filemapper.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/localencoding.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/log.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/logmacro.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/mapper.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/mapselector.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/nameprep.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/normalizer.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/punycode.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/race.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/res.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/resconf.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/result.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/strhash.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/ucs4.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/ucsmap.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/ucsset.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/unicode.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/unormalize.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/utf8.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/util.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/idn/version.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/Makefile.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/api.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/localencoding.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/log.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/res.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/resconf.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/result.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/utf8.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/include/mdn/version.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/install-sh		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/Makefile.in	X	2003,2004,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/aliaslist.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/aliaslist.sh	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/api.c		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/checker.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/converter.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/debug.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/delimitermap.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/filechecker.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/filemapper.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/idn.conf.sample.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/localencoding.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/log.c		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/make.wnt	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/mapper.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/mapselector.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/nameprep.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/nameprep_template.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/nameprepdata.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/normalizer.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/punycode.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/race.c		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/res.c		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/resconf.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/result.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/strhash.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in	X	2003,2004,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init1.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init2.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init3.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init4-1.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init4-2.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init4-3.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init5-1.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init5-2.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api-init5-3.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/api.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/checker.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/codeset.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/converter.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/delimitermap.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/iconvchk.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/mapper.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/mapselector.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/nameprep.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/normalizer.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/res.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/resconf.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/setenv.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/setenv.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/testsuite.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/testsuite.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/testutil.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/testutil.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/testygen	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/ucs4.tsy	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/tests/utffilter	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/ucs4.c		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/ucsmap.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/ucsset.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/unicode.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/unicode_template.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/unicodedata_320.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/unormalize.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/utf8.c		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/util.c		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/lib/version.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/ltconfig		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/ltmain.sh		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/make.wnt		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/man/Makefile.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/man/idn.conf.5.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/man/libidnkit.3.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/map/Makefile.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/map/jp.map		X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/mkinstalldirs	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.1-patch	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.2-patch	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/Makefile.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/idnconv.1	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/idnconv.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/idnslookup.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/make.wnt	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h	X	2003,2009,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/util.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/idnconv/util.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/make.wnt	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/rpm/idnkit.spec	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/runidn/Makefile.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/runidn/resolver.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/runidn/resolver.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/runidn/runidn.1	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/runidn/stub.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/tools/runidn/stub.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/util/Makefile	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/util/SparseMap.pm	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/util/UCD.pm	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/win/README.WIN	X	2003,2018,2019,2020,2021
 ./contrib/idn/idnkit-1.0-src/wsock/README.txt	X	2003,2018,2019
 ./contrib/idn/idnkit-1.0-src/wsock/README_j.txt	X	2003,2018,2019
-./contrib/idn/idnkit-1.0-src/wsock/common/checkdll.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/common/convert.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/common/dump.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/common/encoding.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/common/hook.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/common/make.wnt	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/common/printf.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/common/wrapcommon.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/config/idnconf.tcl	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/config/make.wnt	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/make.wnt	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock11/dlldef.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock11/dllfunc.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock11/dllload.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock11/dllmain.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock11/dllstub.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock11/make.wnt	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock11/wsock32.def	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock20/dlldef.h	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllfunc.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllload.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllmain.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllstub.c	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock20/make.wnt	X	2003,2018,2019,2020
-./contrib/idn/idnkit-1.0-src/wsock/wsock20/ws2_32.def	X	2003,2018,2019,2020
-./contrib/kasp/README				X	2016,2018,2019,2020
-./contrib/kasp/kasp.xml				X	2016,2018,2019,2020
-./contrib/kasp/kasp2policy.py			X	2016,2018,2019,2020
-./contrib/kasp/policy.good			X	2016,2018,2019,2020
-./contrib/perftcpdns/Makefile.in		MAKE	2014,2016,2018,2019,2020
-./contrib/perftcpdns/configure			X	2014,2018,2019,2020
-./contrib/perftcpdns/configure.in		SH	2014,2016,2018,2019,2020
-./contrib/perftcpdns/perftcpdns.c		C	2013,2014,2016,2018,2019,2020
-./contrib/queryperf/Makefile.in			X	2001,2004,2018,2019,2020
-./contrib/queryperf/README			X	2001,2018,2019,2020
-./contrib/queryperf/config.h.in			X	2007,2018,2019,2020
-./contrib/queryperf/configure			X	2001,2002,2004,2007,2012,2018,2019,2020
-./contrib/queryperf/configure.in		X	2001,2004,2007,2012,2018,2019,2020
-./contrib/queryperf/input/sample.0		X	2001,2018,2019,2020
-./contrib/queryperf/input/sample.1		X	2001,2018,2019,2020
-./contrib/queryperf/missing/addrinfo.h		X	2004,2018,2019,2020
-./contrib/queryperf/missing/getaddrinfo.c	X	2004,2018,2019,2020
-./contrib/queryperf/missing/getnameinfo.c	X	2004,2018,2019,2020
-./contrib/queryperf/queryperf.c			X	2001,2002,2003,2004,2005,2007,2012,2013,2014,2018,2019,2020
-./contrib/queryperf/utils/gen-data-queryperf.py	X	2003,2008,2016,2018,2019,2020
-./contrib/scripts/check-secure-delegation.pl.in	PERL	2010,2012,2014,2016,2018,2019,2020
-./contrib/scripts/check5011.pl			X	2013,2014,2017,2018,2019,2020
-./contrib/scripts/dnssec-keyset.sh		X	2015,2018,2019,2020
-./contrib/scripts/named-bootconf.sh		SH.PORTION	1999,2000,2001,2004,2006,2007,2012,2014,2016,2018,2019,2020
-./contrib/scripts/nanny.pl			PERL	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./contrib/scripts/zone-edit.sh.in		SH	2010,2012,2014,2016,2018,2019,2020
-./contrib/sdb/bdb/README			X	2002,2018,2019,2020
-./contrib/sdb/bdb/bdb.c				X	2002,2011,2014,2018,2019,2020
-./contrib/sdb/bdb/bdb.h				X	2002,2018,2019,2020
-./contrib/sdb/bdb/zone2bdb.c			X	2002,2008,2009,2018,2019,2020
-./contrib/sdb/dir/dirdb.c			C	2000,2001,2004,2007,2011,2014,2016,2018,2019,2020
-./contrib/sdb/dir/dirdb.h			C	2000,2001,2004,2007,2016,2018,2019,2020
-./contrib/sdb/ldap/INSTALL.ldap			X	2001,2002,2004,2018,2019,2020
-./contrib/sdb/ldap/README.ldap			X	2001,2002,2004,2018,2019,2020
-./contrib/sdb/ldap/README.zone2ldap		X	2001,2015,2018,2019,2020
-./contrib/sdb/ldap/ldapdb.c			X	2001,2002,2003,2004,2011,2014,2018,2019,2020
-./contrib/sdb/ldap/ldapdb.h			X	2001,2018,2019,2020
-./contrib/sdb/ldap/zone2ldap.1			X	2001,2018,2019,2020
-./contrib/sdb/ldap/zone2ldap.c			X	2001,2005,2008,2009,2011,2015,2016,2018,2019,2020
-./contrib/sdb/pgsql/pgsqldb.c			C	2000,2001,2004,2007,2011,2014,2016,2018,2019,2020
-./contrib/sdb/pgsql/pgsqldb.h			C	2000,2001,2004,2007,2016,2018,2019,2020
-./contrib/sdb/pgsql/zonetodb.c			C	2000,2001,2002,2004,2005,2007,2008,2009,2014,2016,2018,2019,2020
-./contrib/sdb/sqlite/README.sdb_sqlite		X	2007,2018,2019,2020
-./contrib/sdb/sqlite/sqlitedb.c			X	2007,2011,2014,2016,2018,2019,2020
-./contrib/sdb/sqlite/sqlitedb.h			X	2007,2016,2018,2019,2020
-./contrib/sdb/sqlite/zone2sqlite.c		X	2007,2008,2009,2010,2013,2014,2016,2018,2019,2020
-./contrib/sdb/tcl/lookup.tcl			TCL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./contrib/sdb/tcl/tcldb.c			C	2000,2001,2004,2007,2011,2014,2016,2018,2019,2020
-./contrib/sdb/tcl/tcldb.h			C	2000,2001,2004,2007,2016,2018,2019,2020
-./contrib/sdb/time/timedb.c			C	2000,2001,2004,2007,2011,2014,2016,2018,2019,2020
-./contrib/sdb/time/timedb.h			C	2000,2001,2004,2007,2016,2018,2019,2020
-./doc/Makefile.in				MAKE	2000,2001,2004,2005,2006,2007,2012,2015,2016,2018,2019,2020
-./doc/arm/Bv9ARM-book.xml			SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch01.html			X	2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch02.html			X	2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch03.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch04.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch05.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch06.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch07.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch08.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch09.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch10.html			X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch11.html			X	2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch12.html			X	2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.ch13.html			X	2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.conf				X	2015,2018,2019,2020
-./doc/arm/Bv9ARM.html				X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Bv9ARM.pdf				X	2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/Makefile.in				MAKE	2001,2002,2004,2005,2006,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./doc/arm/README-SGML				TXT.BRIEF	2000,2001,2004,2015,2016,2018,2019,2020
-./doc/arm/acl.grammar.xml			SGML	2018,2019,2020
-./doc/arm/catz.xml				SGML	2016,2017,2018,2019,2020
-./doc/arm/controls.grammar.xml			SGML	2018,2019,2020
-./doc/arm/delegation-only.zoneopt.xml		SGML	2018,2019,2020
-./doc/arm/dlz.xml				SGML	2012,2013,2014,2015,2016,2018,2019,2020
-./doc/arm/dnssec.xml				SGML	2010,2011,2015,2016,2017,2018,2019,2020
-./doc/arm/dyndb.xml				SGML	2015,2016,2018,2019,2020
-./doc/arm/forward.zoneopt.xml			SGML	2018,2019,2020
-./doc/arm/hint.zoneopt.xml			SGML	2018,2019,2020
-./doc/arm/in-view.zoneopt.xml			SGML	2018,2019,2020
-./doc/arm/isc-logo.pdf				X	2005,2010,2018,2019,2020
-./doc/arm/key.grammar.xml			SGML	2018,2019,2020
-./doc/arm/libdns.xml				SGML	2010,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/logging-categories.xml		SGML	2015,2016,2017,2018,2019,2020
-./doc/arm/logging.grammar.xml			SGML	2018,2019,2020
-./doc/arm/man.arpaname.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.ddns-confgen.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.delv.html				X	2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dig.html				X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-checkds.html		X	2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-coverage.html		X	2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-dsfromkey.html		X	2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-importkey.html		X	2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-keyfromlabel.html		X	2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-keygen.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-keymgr.html		X	2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-revoke.html		X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-settime.html		X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-signzone.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnssec-verify.html		X	2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.dnstap-read.html			X	2015,2016,2017,2018,2019,2020
-./doc/arm/man.genrandom.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.host.html				X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.isc-hmac-fixup.html		X	2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.lwresd.html			X	2015,2016,2017,2018,2019,2020
-./doc/arm/man.mdig.html				X	2016,2017,2018,2019,2020
-./doc/arm/man.named-checkconf.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.named-checkzone.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.named-journalprint.html		X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.named-nzd2nzf.html		X	2016,2017,2018,2019,2020
-./doc/arm/man.named-rrchecker.html		X	2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.named.conf.html			X	2015,2016,2017,2018,2019,2020
-./doc/arm/man.named.html			X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.nsec3hash.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.nslookup.html			X	2016,2017,2018,2019,2020
-./doc/arm/man.nsupdate.html			X	2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.pkcs11-destroy.html		X	2016,2017,2018,2019,2020
-./doc/arm/man.pkcs11-keygen.html		X	2016,2017,2018,2019,2020
-./doc/arm/man.pkcs11-list.html			X	2016,2017,2018,2019,2020
-./doc/arm/man.pkcs11-tokens.html		X	2016,2017,2018,2019,2020
-./doc/arm/man.rndc-confgen.html			X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.rndc.conf.html			X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/man.rndc.html				X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/managed-keys.grammar.xml		SGML	2018,2019,2020
-./doc/arm/managed-keys.xml			SGML	2010,2014,2015,2016,2017,2018,2019,2020
-./doc/arm/master.zoneopt.xml			SGML	2018,2019,2020
-./doc/arm/masters.grammar.xml			SGML	2018,2019,2020
-./doc/arm/notes-9.11.0.xml			SGML	2019,2020
-./doc/arm/notes-9.11.1.xml			SGML	2019,2020
-./doc/arm/notes-9.11.10.xml			SGML	2019,2020
-./doc/arm/notes-9.11.11.xml			SGML	2019,2020
-./doc/arm/notes-9.11.12.xml			SGML	2019,2020
-./doc/arm/notes-9.11.13.xml			SGML	2019,2020
-./doc/arm/notes-9.11.14.xml			SGML	2019,2020
-./doc/arm/notes-9.11.15.xml			SGML	2019,2020
-./doc/arm/notes-9.11.2.xml			SGML	2019,2020
-./doc/arm/notes-9.11.3.xml			SGML	2019,2020
-./doc/arm/notes-9.11.4.xml			SGML	2019,2020
-./doc/arm/notes-9.11.5.xml			SGML	2019,2020
-./doc/arm/notes-9.11.6.xml			SGML	2019,2020
-./doc/arm/notes-9.11.7.xml			SGML	2019,2020
-./doc/arm/notes-9.11.8.xml			SGML	2019,2020
-./doc/arm/notes-9.11.9.xml			SGML	2019,2020
-./doc/arm/notes-download.xml			SGML	2019,2020
-./doc/arm/notes-eol.xml				SGML	2019,2020
-./doc/arm/notes-intro.xml			SGML	2019,2020
-./doc/arm/notes-license.xml			SGML	2019,2020
-./doc/arm/notes-thankyou.xml			SGML	2019,2020
-./doc/arm/notes-wrapper.xml			SGML	2014,2015,2016,2018,2019,2020
-./doc/arm/notes.conf				X	2015,2018,2019,2020
-./doc/arm/notes.html				X	2014,2015,2016,2017,2018,2019,2020
-./doc/arm/notes.pdf				X	2014,2015,2016,2017,2018,2019,2020
-./doc/arm/notes.xml				SGML	2014,2015,2016,2017,2018,2019,2020
-./doc/arm/noteversion.xml.in			SGML	2015,2016,2018,2019,2020
-./doc/arm/options.grammar.xml			SGML	2018,2019,2020
-./doc/arm/pkcs11.xml				SGML	2010,2012,2013,2014,2015,2016,2018,2019,2020
-./doc/arm/pkgversion.xml.in			SGML	2015,2016,2018,2019,2020
-./doc/arm/redirect.zoneopt.xml			SGML	2018,2019,2020
-./doc/arm/releaseinfo.xml.in			SGML	2015,2016,2018,2019,2020
-./doc/arm/server.grammar.xml			SGML	2018,2019,2020
-./doc/arm/slave.zoneopt.xml			SGML	2018,2019,2020
-./doc/arm/static-stub.zoneopt.xml		SGML	2018,2019,2020
-./doc/arm/statistics-channels.grammar.xml	SGML	2018,2019,2020
-./doc/arm/stub.zoneopt.xml			SGML	2018,2019,2020
-./doc/arm/trusted-keys.grammar.xml		SGML	2018,2019,2020
-./doc/design/addressdb				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020
-./doc/design/cds-child				TXT.BRIEF	2015,2016,2018,2019,2020
-./doc/design/compression			TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/database				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/db_rules				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/decompression			TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/dispatch				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020
-./doc/design/dscp				TXT.BRIEF	2013,2016,2018,2019,2020
-./doc/design/keydone				TXT.BRIEF	2011,2016,2018,2019,2020
-./doc/design/logging				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/lwres				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020
-./doc/design/ncache				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/rdataset				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/red-black				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/resolver				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/search				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/tasks				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/unsupported-algorithms-in-bind9	TXT.BRIEF	2019,2020
-./doc/design/verify				TXT.BRIEF	2012,2016,2018,2019,2020
-./doc/design/windows-nt				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/design/zone				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/dev/DBC					TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/dev/autoconf				TXT.BRIEF	2001,2002,2004,2016,2018,2019,2020
-./doc/dev/coding.html				HTML	1999,2000,2001,2002,2004,2007,2016,2018,2019,2020
-./doc/dev/cvs-usage				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020
-./doc/dev/dev.md				MKD	2017,2018,2019,2020
-./doc/dev/magic_numbers				TXT.BRIEF	1999,2000,2001,2002,2004,2016,2018,2019,2020
-./doc/dev/rdata.md				MKD	1999,2000,2001,2004,2007,2016,2017,2018,2019,2020
-./doc/dev/release				TXT.BRIEF	2000,2001,2002,2003,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020
-./doc/dev/results				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/dev/style.md				MKD	2017,2018,2019,2020
-./doc/dev/tests					TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020
-./doc/dev/unexpected				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020
-./doc/doxygen/Doxyfile.in			X	2006,2017,2018,2019,2020
-./doc/doxygen/Makefile.in			MAKE	2006,2007,2012,2015,2016,2018,2019,2020
-./doc/doxygen/doxygen-input-filter.in		PERL	2006,2007,2012,2016,2018,2019,2020
-./doc/doxygen/isc-footer.html			HTML	2006,2007,2016,2018,2019,2020
-./doc/doxygen/isc-header.html			HTML	2006,2007,2016,2018,2019,2020
-./doc/doxygen/mainpage				X	2006,2018,2019,2020
-./doc/misc/Makefile.in				MAKE	2001,2004,2007,2009,2012,2016,2017,2018,2019,2020
-./doc/misc/delegation-only.zoneopt		X	2018,2019,2020
-./doc/misc/dnssec				TXT.BRIEF	2000,2001,2002,2004,2016,2018,2019,2020
-./doc/misc/docbook-grammars.pl			PERL	2018,2019,2020
-./doc/misc/docbook-options.pl			PERL	2017,2018,2019,2020
-./doc/misc/docbook-zoneopt.pl			PERL	2018,2019,2020
-./doc/misc/format-options.pl			PERL	2001,2004,2007,2012,2016,2018,2019,2020
-./doc/misc/forward.zoneopt			X	2018,2019,2020
-./doc/misc/hint.zoneopt				X	2018,2019,2020
-./doc/misc/in-view.zoneopt			X	2018,2019,2020
-./doc/misc/ipv6					TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020
-./doc/misc/master.zoneopt			X	2018,2019,2020
-./doc/misc/migration				TXT.BRIEF	2000,2001,2003,2004,2007,2008,2016,2018,2019,2020
-./doc/misc/migration-4to9			TXT.BRIEF	2001,2004,2016,2018,2019,2020
-./doc/misc/options				X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./doc/misc/redirect.zoneopt			X	2018,2019,2020
-./doc/misc/rfc-compliance			TXT.BRIEF	2001,2004,2015,2016,2018,2019,2020
-./doc/misc/roadmap				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020
-./doc/misc/sdb					TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020
-./doc/misc/slave.zoneopt			X	2018,2019,2020
-./doc/misc/sort-options.pl			PERL	2007,2012,2016,2018,2019,2020
-./doc/misc/static-stub.zoneopt			X	2018,2019,2020
-./doc/misc/stub.zoneopt				X	2018,2019,2020
-./doc/misc/tcp-fast-open			TXT.BRIEF	2016,2017,2018,2019,2020
-./doc/tex/Makefile.in				MAKE	2015,2016,2018,2019,2020
-./doc/tex/armstyle.sty.in			X	2015,2018,2019,2020
-./doc/tex/notestyle.sty				X	2015,2018,2019,2020
-./doc/xsl/Makefile.in				MAKE	2005,2007,2012,2014,2015,2016,2018,2019,2020
-./doc/xsl/arm-param.xsl				SGML	2015,2016,2018,2019,2020
-./doc/xsl/copyright.xsl				SGML	2005,2007,2009,2015,2016,2018,2019,2020
-./doc/xsl/graphics/caution.eps			X	2015,2018,2019,2020
-./doc/xsl/graphics/caution.pdf			X	2015,2018,2019,2020
-./doc/xsl/graphics/important.eps		X	2015,2018,2019,2020
-./doc/xsl/graphics/important.pdf		X	2015,2018,2019,2020
-./doc/xsl/graphics/note.eps			X	2015,2018,2019,2020
-./doc/xsl/graphics/note.pdf			X	2015,2018,2019,2020
-./doc/xsl/graphics/tip.eps			X	2015,2018,2019,2020
-./doc/xsl/graphics/tip.pdf			X	2015,2018,2019,2020
-./doc/xsl/graphics/warning.eps			X	2015,2018,2019,2020
-./doc/xsl/graphics/warning.pdf			X	2015,2018,2019,2020
-./doc/xsl/isc-docbook-chunk.xsl.in		SGML	2005,2007,2014,2015,2016,2018,2019,2020
-./doc/xsl/isc-docbook-html.xsl.in		SGML	2005,2007,2014,2015,2016,2018,2019,2020
-./doc/xsl/isc-docbook-text.xsl			SGML	2005,2007,2015,2016,2018,2019,2020
-./doc/xsl/isc-manpage.xsl.in			SGML	2005,2007,2015,2016,2018,2019,2020
-./doc/xsl/isc-notes-html.xsl.in			SGML	2015,2016,2018,2019,2020
-./doc/xsl/notes-param.xsl			SGML	2015,2016,2018,2019,2020
-./doc/xsl/pre-latex.xsl				SGML	2005,2007,2015,2016,2018,2019,2020
-./docutil/HTML_COPYRIGHT			X	2001,2004,2016,2018,2019,2020
-./docutil/MAN_COPYRIGHT				X	2001,2004,2016,2018,2019,2020
-./docutil/patch-db2latex-duplicate-template-bug	X	2007,2018,2019,2020
-./docutil/patch-db2latex-nested-param-bug	X	2007,2018,2019,2020
-./docutil/patch-db2latex-xsltproc-title-bug	X	2007,2018,2019,2020
-./install-sh					X	1998,1999,2000,2001,2018,2019,2020
+./contrib/idn/idnkit-1.0-src/wsock/common/checkdll.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/common/convert.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/common/dump.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/common/encoding.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/common/hook.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/common/make.wnt	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/common/printf.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/common/wrapcommon.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/config/idnconf.tcl	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/config/make.wnt	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/make.wnt	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock11/dlldef.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock11/dllfunc.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock11/dllload.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock11/dllmain.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock11/dllstub.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock11/make.wnt	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock11/wsock32.def	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock20/dlldef.h	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllfunc.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllload.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllmain.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock20/dllstub.c	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock20/make.wnt	X	2003,2018,2019,2020,2021
+./contrib/idn/idnkit-1.0-src/wsock/wsock20/ws2_32.def	X	2003,2018,2019,2020,2021
+./contrib/kasp/README				X	2016,2018,2019,2020,2021
+./contrib/kasp/kasp.xml				X	2016,2018,2019,2020,2021
+./contrib/kasp/kasp2policy.py			X	2016,2018,2019,2020,2021
+./contrib/kasp/policy.good			X	2016,2018,2019,2020,2021
+./contrib/perftcpdns/Makefile.in		MAKE	2014,2016,2018,2019,2020,2021
+./contrib/perftcpdns/configure			X	2014,2018,2019,2020,2021
+./contrib/perftcpdns/configure.in		SH	2014,2016,2018,2019,2020,2021
+./contrib/perftcpdns/perftcpdns.c		C	2013,2014,2016,2018,2019,2020,2021
+./contrib/queryperf/Makefile.in			X	2001,2004,2018,2019,2020,2021
+./contrib/queryperf/README			X	2001,2018,2019,2020,2021
+./contrib/queryperf/config.h.in			X	2007,2018,2019,2020,2021
+./contrib/queryperf/configure			X	2001,2002,2004,2007,2012,2018,2019,2020,2021
+./contrib/queryperf/configure.in		X	2001,2004,2007,2012,2018,2019,2020,2021
+./contrib/queryperf/input/sample.0		X	2001,2018,2019,2020,2021
+./contrib/queryperf/input/sample.1		X	2001,2018,2019,2020,2021
+./contrib/queryperf/missing/addrinfo.h		X	2004,2018,2019,2020,2021
+./contrib/queryperf/missing/getaddrinfo.c	X	2004,2018,2019,2020,2021
+./contrib/queryperf/missing/getnameinfo.c	X	2004,2018,2019,2020,2021
+./contrib/queryperf/queryperf.c			X	2001,2002,2003,2004,2005,2007,2012,2013,2014,2018,2019,2020,2021
+./contrib/queryperf/utils/gen-data-queryperf.py	X	2003,2008,2016,2018,2019,2020,2021
+./contrib/scripts/catzhash.py			X	2020,2021
+./contrib/scripts/check-secure-delegation.pl.in	PERL	2010,2012,2014,2016,2018,2019,2020,2021
+./contrib/scripts/check5011.pl			X	2013,2014,2017,2018,2019,2020,2021
+./contrib/scripts/dnssec-keyset.sh		X	2015,2018,2019,2020,2021
+./contrib/scripts/named-bootconf.sh		SH.PORTION	1999,2000,2001,2004,2006,2007,2012,2014,2016,2018,2019,2020,2021
+./contrib/scripts/nanny.pl			PERL	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./contrib/scripts/zone-edit.sh.in		SH	2010,2012,2014,2016,2018,2019,2020,2021
+./contrib/sdb/bdb/README			X	2002,2018,2019,2020,2021
+./contrib/sdb/bdb/bdb.c				X	2002,2011,2014,2018,2019,2020,2021
+./contrib/sdb/bdb/bdb.h				X	2002,2018,2019,2020,2021
+./contrib/sdb/bdb/zone2bdb.c			X	2002,2008,2009,2018,2019,2020,2021
+./contrib/sdb/dir/dirdb.c			C	2000,2001,2004,2007,2011,2014,2016,2018,2019,2020,2021
+./contrib/sdb/dir/dirdb.h			C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./contrib/sdb/ldap/INSTALL.ldap			X	2001,2002,2004,2018,2019,2020,2021
+./contrib/sdb/ldap/README.ldap			X	2001,2002,2004,2018,2019,2020,2021
+./contrib/sdb/ldap/README.zone2ldap		X	2001,2015,2018,2019,2020,2021
+./contrib/sdb/ldap/ldapdb.c			X	2001,2002,2003,2004,2011,2014,2018,2019,2020,2021
+./contrib/sdb/ldap/ldapdb.h			X	2001,2018,2019,2020,2021
+./contrib/sdb/ldap/zone2ldap.1			X	2001,2018,2019,2020,2021
+./contrib/sdb/ldap/zone2ldap.c			X	2001,2005,2008,2009,2011,2015,2016,2018,2019,2020,2021
+./contrib/sdb/pgsql/pgsqldb.c			C	2000,2001,2004,2007,2011,2014,2016,2018,2019,2020,2021
+./contrib/sdb/pgsql/pgsqldb.h			C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./contrib/sdb/pgsql/zonetodb.c			C	2000,2001,2002,2004,2005,2007,2008,2009,2014,2016,2018,2019,2020,2021
+./contrib/sdb/sqlite/README.sdb_sqlite		X	2007,2018,2019,2020,2021
+./contrib/sdb/sqlite/sqlitedb.c			X	2007,2011,2014,2016,2018,2019,2020,2021
+./contrib/sdb/sqlite/sqlitedb.h			X	2007,2016,2018,2019,2020,2021
+./contrib/sdb/sqlite/zone2sqlite.c		X	2007,2008,2009,2010,2013,2014,2016,2018,2019,2020,2021
+./contrib/sdb/tcl/lookup.tcl			TCL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./contrib/sdb/tcl/tcldb.c			C	2000,2001,2004,2007,2011,2014,2016,2018,2019,2020,2021
+./contrib/sdb/tcl/tcldb.h			C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./contrib/sdb/time/timedb.c			C	2000,2001,2004,2007,2011,2014,2016,2018,2019,2020,2021
+./contrib/sdb/time/timedb.h			C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./dangerfile.py					PYTHON	2020,2021
+./doc/Makefile.in				MAKE	2000,2001,2004,2005,2006,2007,2012,2015,2016,2018,2019,2020,2021
+./doc/arm/Bv9ARM-book.xml			SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch01.html			X	2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch02.html			X	2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch03.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch04.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch05.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch06.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch07.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch08.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch09.html			X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch10.html			X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch11.html			X	2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch12.html			X	2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.ch13.html			X	2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.conf				X	2015,2018,2019,2020,2021
+./doc/arm/Bv9ARM.html				X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Bv9ARM.pdf				X	2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/Makefile.in				MAKE	2001,2002,2004,2005,2006,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./doc/arm/README-SGML				TXT.BRIEF	2000,2001,2004,2015,2016,2018,2019,2020,2021
+./doc/arm/acl.grammar.xml			SGML	2018,2019,2020,2021
+./doc/arm/catz.xml				SGML	2016,2017,2018,2019,2020,2021
+./doc/arm/controls.grammar.xml			SGML	2018,2019,2020,2021
+./doc/arm/delegation-only.zoneopt.xml		SGML	2018,2019,2020,2021
+./doc/arm/dlz.xml				SGML	2012,2013,2014,2015,2016,2018,2019,2020,2021
+./doc/arm/dnssec.xml				SGML	2010,2011,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/dyndb.xml				SGML	2015,2016,2018,2019,2020,2021
+./doc/arm/forward.zoneopt.xml			SGML	2018,2019,2020,2021
+./doc/arm/hint.zoneopt.xml			SGML	2018,2019,2020,2021
+./doc/arm/in-view.zoneopt.xml			SGML	2018,2019,2020,2021
+./doc/arm/isc-logo.pdf				X	2005,2010,2018,2019,2020,2021
+./doc/arm/key.grammar.xml			SGML	2018,2019,2020,2021
+./doc/arm/libdns.xml				SGML	2010,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/logging-categories.xml		SGML	2015,2016,2017,2018,2019,2020,2021
+./doc/arm/logging.grammar.xml			SGML	2018,2019,2020,2021
+./doc/arm/man.arpaname.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.ddns-confgen.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.delv.html				X	2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dig.html				X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-checkds.html		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-coverage.html		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-dsfromkey.html		X	2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-importkey.html		X	2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-keyfromlabel.html		X	2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-keygen.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-keymgr.html		X	2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-revoke.html		X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-settime.html		X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-signzone.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnssec-verify.html		X	2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.dnstap-read.html			X	2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.genrandom.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.host.html				X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.isc-hmac-fixup.html		X	2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.lwresd.html			X	2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.mdig.html				X	2016,2017,2018,2019,2020,2021
+./doc/arm/man.named-checkconf.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.named-checkzone.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.named-journalprint.html		X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.named-nzd2nzf.html		X	2016,2017,2018,2019,2020,2021
+./doc/arm/man.named-rrchecker.html		X	2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.named.conf.html			X	2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.named.html			X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.nsec3hash.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.nslookup.html			X	2016,2017,2018,2019,2020,2021
+./doc/arm/man.nsupdate.html			X	2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.pkcs11-destroy.html		X	2016,2017,2018,2019,2020,2021
+./doc/arm/man.pkcs11-keygen.html		X	2016,2017,2018,2019,2020,2021
+./doc/arm/man.pkcs11-list.html			X	2016,2017,2018,2019,2020,2021
+./doc/arm/man.pkcs11-tokens.html		X	2016,2017,2018,2019,2020,2021
+./doc/arm/man.rndc-confgen.html			X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.rndc.conf.html			X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/man.rndc.html				X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/managed-keys.grammar.xml		SGML	2018,2019,2020,2021
+./doc/arm/managed-keys.xml			SGML	2010,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/master.zoneopt.xml			SGML	2018,2019,2020,2021
+./doc/arm/masters.grammar.xml			SGML	2018,2019,2020,2021
+./doc/arm/notes-9.11.0.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.1.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.10.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.11.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.12.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.13.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.14.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.15.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.16.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.17.xml			SGML	2020,2021
+./doc/arm/notes-9.11.18.xml			SGML	2020,2021
+./doc/arm/notes-9.11.19.xml			SGML	2020,2021
+./doc/arm/notes-9.11.2.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.20.xml			SGML	2020,2021
+./doc/arm/notes-9.11.21.xml			SGML	2020,2021
+./doc/arm/notes-9.11.22.xml			SGML	2020,2021
+./doc/arm/notes-9.11.23.xml			SGML	2020,2021
+./doc/arm/notes-9.11.24.xml			SGML	2020,2021
+./doc/arm/notes-9.11.25.xml			SGML	2020,2021
+./doc/arm/notes-9.11.26.xml			SGML	2020,2021
+./doc/arm/notes-9.11.27.xml			SGML	2020,2021
+./doc/arm/notes-9.11.28.xml			SGML	2021
+./doc/arm/notes-9.11.29.xml			SGML	2021
+./doc/arm/notes-9.11.3.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.30.xml			SGML	2021
+./doc/arm/notes-9.11.31.xml			SGML	2021
+./doc/arm/notes-9.11.32.xml			SGML	2021
+./doc/arm/notes-9.11.33.xml			SGML	2021
+./doc/arm/notes-9.11.34.xml			SGML	2021
+./doc/arm/notes-9.11.35.xml			SGML	2021
+./doc/arm/notes-9.11.36.xml			SGML	2021
+./doc/arm/notes-9.11.4.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.5.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.6.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.7.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.8.xml			SGML	2019,2020,2021
+./doc/arm/notes-9.11.9.xml			SGML	2019,2020,2021
+./doc/arm/notes-download.xml			SGML	2019,2020,2021
+./doc/arm/notes-eol.xml				SGML	2019,2020,2021
+./doc/arm/notes-intro.xml			SGML	2019,2020,2021
+./doc/arm/notes-license.xml			SGML	2019,2020,2021
+./doc/arm/notes-thankyou.xml			SGML	2019,2020,2021
+./doc/arm/notes-wrapper.xml			SGML	2014,2015,2016,2018,2019,2020,2021
+./doc/arm/notes.conf				X	2015,2018,2019,2020,2021
+./doc/arm/notes.html				X	2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/notes.pdf				X	2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/notes.xml				SGML	2014,2015,2016,2017,2018,2019,2020,2021
+./doc/arm/noteversion.xml.in			SGML	2015,2016,2018,2019,2020,2021
+./doc/arm/options.grammar.xml			SGML	2018,2019,2020,2021
+./doc/arm/pkcs11.xml				SGML	2010,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./doc/arm/pkgversion.xml.in			SGML	2015,2016,2018,2019,2020,2021
+./doc/arm/redirect.zoneopt.xml			SGML	2018,2019,2020,2021
+./doc/arm/releaseinfo.xml.in			SGML	2015,2016,2018,2019,2020,2021
+./doc/arm/server.grammar.xml			SGML	2018,2019,2020,2021
+./doc/arm/slave.zoneopt.xml			SGML	2018,2019,2020,2021
+./doc/arm/static-stub.zoneopt.xml		SGML	2018,2019,2020,2021
+./doc/arm/statistics-channels.grammar.xml	SGML	2018,2019,2020,2021
+./doc/arm/stub.zoneopt.xml			SGML	2018,2019,2020,2021
+./doc/arm/trusted-keys.grammar.xml		SGML	2018,2019,2020,2021
+./doc/design/addressdb				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/cds-child				TXT.BRIEF	2015,2016,2018,2019,2020,2021
+./doc/design/compression			TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/database				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/db_rules				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/decompression			TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/dispatch				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/dscp				TXT.BRIEF	2013,2016,2018,2019,2020,2021
+./doc/design/keydone				TXT.BRIEF	2011,2016,2018,2019,2020,2021
+./doc/design/logging				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/lwres				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/ncache				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/rdataset				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/red-black				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/resolver				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/search				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/tasks				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/unsupported-algorithms-in-bind9	TXT.BRIEF	2019,2020,2021
+./doc/design/verify				TXT.BRIEF	2012,2016,2018,2019,2020,2021
+./doc/design/windows-nt				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/design/zone				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/dev/DBC					TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/dev/autoconf				TXT.BRIEF	2001,2002,2004,2016,2018,2019,2020,2021
+./doc/dev/coding.html				HTML	1999,2000,2001,2002,2004,2007,2016,2018,2019,2020,2021
+./doc/dev/cvs-usage				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020,2021
+./doc/dev/dev.md				MKD	2017,2018,2019,2020,2021
+./doc/dev/magic_numbers				TXT.BRIEF	1999,2000,2001,2002,2004,2016,2018,2019,2020,2021
+./doc/dev/rdata.md				MKD	1999,2000,2001,2004,2007,2016,2017,2018,2019,2020,2021
+./doc/dev/release				TXT.BRIEF	2000,2001,2002,2003,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020,2021
+./doc/dev/results				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/dev/style.md				MKD	2017,2018,2019,2020,2021
+./doc/dev/tests					TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020,2021
+./doc/dev/unexpected				TXT.BRIEF	1999,2000,2001,2004,2016,2018,2019,2020,2021
+./doc/doxygen/Doxyfile.in			X	2006,2017,2018,2019,2020,2021
+./doc/doxygen/Makefile.in			MAKE	2006,2007,2012,2015,2016,2018,2019,2020,2021
+./doc/doxygen/doxygen-input-filter.in		PERL	2006,2007,2012,2016,2018,2019,2020,2021
+./doc/doxygen/isc-footer.html			HTML	2006,2007,2016,2018,2019,2020,2021
+./doc/doxygen/isc-header.html			HTML	2006,2007,2016,2018,2019,2020,2021
+./doc/doxygen/mainpage				X	2006,2018,2019,2020,2021
+./doc/misc/Makefile.in				MAKE	2001,2004,2007,2009,2012,2016,2017,2018,2019,2020,2021
+./doc/misc/delegation-only.zoneopt		X	2018,2019,2020,2021
+./doc/misc/dnssec				TXT.BRIEF	2000,2001,2002,2004,2016,2018,2019,2020,2021
+./doc/misc/docbook-grammars.pl			PERL	2018,2019,2020,2021
+./doc/misc/docbook-options.pl			PERL	2017,2018,2019,2020,2021
+./doc/misc/docbook-zoneopt.pl			PERL	2018,2019,2020,2021
+./doc/misc/format-options.pl			PERL	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./doc/misc/forward.zoneopt			X	2018,2019,2020,2021
+./doc/misc/hint.zoneopt				X	2018,2019,2020,2021
+./doc/misc/in-view.zoneopt			X	2018,2019,2020,2021
+./doc/misc/ipv6					TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020,2021
+./doc/misc/master.zoneopt			X	2018,2019,2020,2021
+./doc/misc/migration				TXT.BRIEF	2000,2001,2003,2004,2007,2008,2016,2018,2019,2020,2021
+./doc/misc/migration-4to9			TXT.BRIEF	2001,2004,2016,2018,2019,2020,2021
+./doc/misc/options				X	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./doc/misc/redirect.zoneopt			X	2018,2019,2020,2021
+./doc/misc/rfc-compliance			TXT.BRIEF	2001,2004,2015,2016,2018,2019,2020,2021
+./doc/misc/roadmap				TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020,2021
+./doc/misc/sdb					TXT.BRIEF	2000,2001,2004,2016,2018,2019,2020,2021
+./doc/misc/slave.zoneopt			X	2018,2019,2020,2021
+./doc/misc/sort-options.pl			PERL	2007,2012,2016,2018,2019,2020,2021
+./doc/misc/static-stub.zoneopt			X	2018,2019,2020,2021
+./doc/misc/stub.zoneopt				X	2018,2019,2020,2021
+./doc/misc/tcp-fast-open			TXT.BRIEF	2016,2017,2018,2019,2020,2021
+./doc/tex/Makefile.in				MAKE	2015,2016,2018,2019,2020,2021
+./doc/tex/armstyle.sty.in			X	2015,2018,2019,2020,2021
+./doc/tex/notestyle.sty				X	2015,2018,2019,2020,2021
+./doc/xsl/Makefile.in				MAKE	2005,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./doc/xsl/arm-param.xsl				SGML	2015,2016,2018,2019,2020,2021
+./doc/xsl/copyright.xsl				SGML	2005,2007,2009,2015,2016,2018,2019,2020,2021
+./doc/xsl/graphics/caution.eps			X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/caution.pdf			X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/important.eps		X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/important.pdf		X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/note.eps			X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/note.pdf			X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/tip.eps			X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/tip.pdf			X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/warning.eps			X	2015,2018,2019,2020,2021
+./doc/xsl/graphics/warning.pdf			X	2015,2018,2019,2020,2021
+./doc/xsl/isc-docbook-chunk.xsl.in		SGML	2005,2007,2014,2015,2016,2018,2019,2020,2021
+./doc/xsl/isc-docbook-html.xsl.in		SGML	2005,2007,2014,2015,2016,2018,2019,2020,2021
+./doc/xsl/isc-docbook-text.xsl			SGML	2005,2007,2015,2016,2018,2019,2020,2021
+./doc/xsl/isc-manpage.xsl.in			SGML	2005,2007,2015,2016,2018,2019,2020,2021
+./doc/xsl/isc-notes-html.xsl.in			SGML	2015,2016,2018,2019,2020,2021
+./doc/xsl/notes-param.xsl			SGML	2015,2016,2018,2019,2020,2021
+./doc/xsl/pre-latex.xsl				SGML	2005,2007,2015,2016,2018,2019,2020,2021
+./docutil/HTML_COPYRIGHT			X	2001,2004,2016,2018,2019,2020,2021
+./docutil/MAN_COPYRIGHT				X	2001,2004,2016,2018,2019,2020,2021
+./docutil/patch-db2latex-duplicate-template-bug	X	2007,2018,2019,2020,2021
+./docutil/patch-db2latex-nested-param-bug	X	2007,2018,2019,2020,2021
+./docutil/patch-db2latex-xsltproc-title-bug	X	2007,2018,2019,2020,2021
+./install-sh					X	1998,1999,2000,2001,2018,2019,2020,2021
 ./isc-config.sh.1				MAN	DOCBOOK
-./isc-config.sh.docbook				SGML	2009,2014,2015,2016,2018,2019,2020
+./isc-config.sh.docbook				SGML	2009,2014,2015,2016,2018,2019,2020,2021
 ./isc-config.sh.html				HTML	DOCBOOK
-./isc-config.sh.in				SH	2000,2001,2003,2004,2007,2012,2013,2015,2016,2017,2018,2019,2020
-./lib/Kyuafile					X	2017,2018,2019,2020
-./lib/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004,2007,2012,2013,2014,2016,2018,2019,2020
-./lib/bind9/Makefile.in				MAKE	2001,2004,2007,2009,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/bind9/api					X	2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/bind9/check.c				C	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/bind9/getaddresses.c			C	2001,2002,2004,2005,2007,2014,2015,2016,2017,2018,2019,2020
-./lib/bind9/include/Makefile.in			MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/bind9/include/bind9/Makefile.in		MAKE	2001,2004,2007,2012,2015,2016,2018,2019,2020
-./lib/bind9/include/bind9/check.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/bind9/include/bind9/getaddresses.h	C	2001,2004,2005,2006,2007,2009,2016,2017,2018,2019,2020
-./lib/bind9/include/bind9/version.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/bind9/version.c				C	2001,2004,2005,2007,2016,2018,2019,2020
-./lib/bind9/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020
-./lib/bind9/win32/libbind9.def			X	2001,2018,2019,2020
-./lib/bind9/win32/libbind9.dsp.in		X	2001,2004,2005,2009,2011,2013,2014,2015,2016,2018,2019,2020
-./lib/bind9/win32/libbind9.dsw			X	2001,2018,2019,2020
-./lib/bind9/win32/libbind9.mak.in		X	2001,2002,2004,2005,2006,2009,2011,2013,2014,2015,2018,2019,2020
-./lib/bind9/win32/libbind9.vcxproj.filters.in	X	2013,2015,2016,2018,2019,2020
-./lib/bind9/win32/libbind9.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/bind9/win32/libbind9.vcxproj.user		X	2013,2018,2019,2020
-./lib/bind9/win32/version.c			C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/dns/Kyuafile				X	2017,2018,2019,2020
-./lib/dns/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/acache.c				C	2004,2005,2006,2007,2008,2012,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/acl.c					C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2013,2014,2016,2018,2019,2020
-./lib/dns/adb.c					C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/api					X	1999,2000,2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/badcache.c				C	2014,2015,2016,2018,2019,2020
-./lib/dns/byaddr.c				C	2000,2001,2002,2003,2004,2005,2007,2009,2013,2016,2017,2018,2019,2020
-./lib/dns/cache.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/callbacks.c				C	1999,2000,2001,2004,2005,2007,2011,2012,2015,2016,2018,2019,2020
-./lib/dns/catz.c				C	2016,2017,2018,2019,2020
-./lib/dns/client.c				C	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/clientinfo.c				C	2011,2014,2016,2018,2019,2020
-./lib/dns/compress.c				C	1999,2000,2001,2004,2005,2006,2007,2015,2016,2018,2019,2020
-./lib/dns/db.c					C	1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2015,2016,2018,2019,2020
-./lib/dns/dbiterator.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/dbtable.c				C	1999,2000,2001,2004,2005,2007,2013,2016,2018,2019,2020
-./lib/dns/diff.c				C	2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/dispatch.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/dlz.c					C.PORTION	1999,2000,2001,2005,2007,2009,2010,2011,2012,2013,2015,2016,2018,2019,2020
-./lib/dns/dns64.c				C	2010,2011,2014,2016,2017,2018,2019,2020
-./lib/dns/dnssec.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/dnstap.c				C	2015,2016,2017,2018,2019,2020
-./lib/dns/dnstap.proto				X	2015,2018,2019,2020
-./lib/dns/ds.c					C	2002,2003,2004,2005,2006,2007,2010,2012,2014,2016,2018,2019,2020
-./lib/dns/dst_api.c				C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/dst_gost.h				C	2014,2016,2018,2019,2020
-./lib/dns/dst_internal.h			C.NAI	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018,2019,2020
-./lib/dns/dst_lib.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/dst_openssl.h				C	2002,2004,2005,2007,2008,2009,2011,2012,2015,2016,2018,2019,2020
-./lib/dns/dst_parse.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/dst_parse.h				C.NAI	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2012,2014,2016,2017,2018,2019,2020
-./lib/dns/dst_pkcs11.h				C	2014,2016,2018,2019,2020
-./lib/dns/dst_result.c				C	1999,2000,2001,2004,2005,2007,2008,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/dyndb.c				C	2015,2016,2017,2018,2019,2020
-./lib/dns/ecdb.c				C	2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/fixedname.c				C	2018,2019,2020
-./lib/dns/forward.c				C	2000,2001,2004,2005,2007,2009,2013,2016,2018,2019,2020
-./lib/dns/gen-unix.h				C	1999,2000,2001,2004,2005,2007,2009,2016,2018,2019,2020
-./lib/dns/gen-win32.h				C	1999,2000,2001,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020
-./lib/dns/gen.c					C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/geoip.c				C	2013,2014,2015,2016,2018,2019,2020
-./lib/dns/geoip2.c				C	2019,2020
-./lib/dns/gssapi_link.c				C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/gssapictx.c				C	2000,2001,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/hmac_link.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2012,2016,2018,2019,2020
-./lib/dns/include/dns/Makefile.in		MAKE	1998,1999,2000,2001,2002,2003,2004,2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/acache.h			C	2004,2006,2007,2013,2016,2018,2019,2020
-./lib/dns/include/dns/acl.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2011,2013,2014,2016,2018,2019,2020
-./lib/dns/include/dns/adb.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2011,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/badcache.h		C	2014,2016,2018,2019,2020
-./lib/dns/include/dns/bit.h			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/byaddr.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/cache.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2011,2012,2013,2016,2018,2019,2020
-./lib/dns/include/dns/callbacks.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2012,2013,2016,2018,2019,2020
-./lib/dns/include/dns/catz.h			C	2016,2018,2019,2020
-./lib/dns/include/dns/cert.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/client.h			C	2009,2013,2014,2016,2017,2018,2019,2020
-./lib/dns/include/dns/clientinfo.h		C	2011,2014,2016,2018,2019,2020
-./lib/dns/include/dns/compress.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/db.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/dbiterator.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/dbtable.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/diff.h			C	2000,2001,2004,2005,2006,2007,2008,2009,2010,2013,2016,2018,2019,2020
-./lib/dns/include/dns/dispatch.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/dlz.h			C.PORTION	1999,2000,2001,2005,2006,2007,2009,2010,2011,2012,2013,2016,2018,2019,2020
-./lib/dns/include/dns/dlz_dlopen.h		C	2011,2012,2013,2016,2017,2018,2019,2020
-./lib/dns/include/dns/dns64.h			C	2010,2014,2016,2018,2019,2020
-./lib/dns/include/dns/dnssec.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/dnstap.h			C	2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/ds.h			C	2002,2004,2005,2006,2007,2010,2012,2014,2016,2018,2019,2020
-./lib/dns/include/dns/dsdigest.h		C	2012,2016,2018,2019,2020
-./lib/dns/include/dns/dyndb.h			C	2015,2016,2018,2019,2020
-./lib/dns/include/dns/ecdb.h			C	2009,2012,2016,2018,2019,2020
-./lib/dns/include/dns/edns.h			C	2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/events.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2014,2016,2017,2018,2019,2020
-./lib/dns/include/dns/fixedname.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/forward.h			C	2000,2001,2004,2005,2006,2007,2009,2013,2016,2018,2019,2020
-./lib/dns/include/dns/geoip.h			C	2013,2014,2016,2018,2019,2020
-./lib/dns/include/dns/ipkeylist.h		C	2016,2018,2019,2020
-./lib/dns/include/dns/iptable.h			C	2007,2012,2014,2016,2018,2019,2020
-./lib/dns/include/dns/journal.h			C	1999,2000,2001,2004,2005,2006,2007,2008,2009,2011,2013,2016,2018,2019,2020
-./lib/dns/include/dns/keydata.h			C	2009,2016,2018,2019,2020
-./lib/dns/include/dns/keyflags.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/keytable.h		C	2000,2001,2004,2005,2007,2009,2010,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/keyvalues.h		C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2012,2016,2017,2018,2019,2020
-./lib/dns/include/dns/lib.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/dns/include/dns/log.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/lookup.h			C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/dns/include/dns/master.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2016,2018,2019,2020
-./lib/dns/include/dns/masterdump.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/message.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/name.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/ncache.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2013,2016,2018,2019,2020
-./lib/dns/include/dns/nsec.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2011,2012,2016,2018,2019,2020
-./lib/dns/include/dns/nsec3.h			C	2008,2009,2010,2011,2012,2013,2016,2017,2018,2019,2020
-./lib/dns/include/dns/nta.h			C	2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/opcode.h			C	2002,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/order.h			C	2002,2004,2005,2006,2007,2016,2017,2018,2019,2020
-./lib/dns/include/dns/peer.h			C	2000,2001,2003,2004,2005,2006,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/portlist.h		C	2003,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/private.h			C	2009,2011,2012,2016,2018,2019,2020
-./lib/dns/include/dns/rbt.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/rcode.h			C	1999,2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020
-./lib/dns/include/dns/rdata.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2016,2017,2018,2019,2020
-./lib/dns/include/dns/rdataclass.h		C	1998,1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/rdatalist.h		C	1999,2000,2001,2004,2005,2006,2007,2008,2015,2016,2018,2019,2020
-./lib/dns/include/dns/rdataset.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/rdatasetiter.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/rdataslab.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2016,2018,2019,2020
-./lib/dns/include/dns/rdatatype.h		C	1998,1999,2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020
-./lib/dns/include/dns/request.h			C	2000,2001,2002,2004,2005,2006,2007,2009,2010,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/resolver.h		C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/result.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/rootns.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/rpz.h			C	2011,2012,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/rriterator.h		C	2009,2011,2016,2018,2019,2020
-./lib/dns/include/dns/rrl.h			C	2013,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/sdb.h			C	2000,2001,2004,2005,2006,2007,2009,2011,2012,2016,2018,2019,2020
-./lib/dns/include/dns/sdlz.h			C.PORTION	1999,2000,2001,2005,2006,2007,2009,2010,2011,2012,2016,2018,2019,2020
-./lib/dns/include/dns/secalg.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/dns/include/dns/secproto.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/soa.h			C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/dns/include/dns/ssu.h			C	2000,2001,2003,2004,2005,2006,2007,2008,2010,2011,2016,2017,2018,2019,2020
-./lib/dns/include/dns/stats.h			C	2000,2001,2004,2005,2006,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020
-./lib/dns/include/dns/tcpmsg.h			C	1999,2000,2001,2004,2005,2006,2007,2015,2016,2018,2019,2020
-./lib/dns/include/dns/time.h			C	1999,2000,2001,2004,2005,2006,2007,2012,2016,2018,2019,2020
-./lib/dns/include/dns/timer.h			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/tkey.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2010,2011,2016,2018,2019,2020
-./lib/dns/include/dns/tsec.h			C	2009,2010,2012,2016,2018,2019,2020
-./lib/dns/include/dns/tsig.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2016,2018,2019,2020
-./lib/dns/include/dns/ttl.h			C	1999,2000,2001,2004,2005,2006,2007,2014,2016,2018,2019,2020
-./lib/dns/include/dns/types.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/update.h			C	2011,2015,2016,2018,2019,2020
-./lib/dns/include/dns/validator.h		C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2013,2014,2016,2018,2019,2020
-./lib/dns/include/dns/version.h			C	2001,2004,2005,2006,2007,2012,2013,2016,2018,2019,2020
-./lib/dns/include/dns/view.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/xfrin.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2009,2013,2016,2018,2019,2020
-./lib/dns/include/dns/zone.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dns/zonekey.h			C	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dns/zt.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2016,2017,2018,2019,2020
-./lib/dns/include/dst/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2015,2016,2018,2019,2020
-./lib/dns/include/dst/dst.h			C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/include/dst/gssapi.h			C	2000,2001,2004,2005,2006,2007,2009,2010,2011,2013,2016,2018,2019,2020
-./lib/dns/include/dst/lib.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/include/dst/result.h			C	1999,2000,2001,2004,2005,2006,2007,2008,2012,2014,2016,2018,2019,2020
-./lib/dns/ipkeylist.c				C	2016,2018,2019,2020
-./lib/dns/iptable.c				C	2007,2008,2009,2013,2014,2016,2017,2018,2019,2020
-./lib/dns/journal.c				C	1999,2000,2001,2002,2004,2005,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/key.c					C	2001,2004,2005,2006,2007,2011,2016,2018,2019,2020
-./lib/dns/keydata.c				C	2009,2014,2016,2018,2019,2020
-./lib/dns/keytable.c				C	2000,2001,2004,2005,2007,2009,2010,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/lib.c					C	1999,2000,2001,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/log.c					C	1999,2000,2001,2003,2004,2005,2006,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/lookup.c				C	2000,2001,2003,2004,2005,2007,2013,2016,2018,2019,2020
-./lib/dns/mapapi				X	2013,2018,2019,2020
-./lib/dns/master.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/masterdump.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/message.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/name.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/ncache.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/nsec.c				C	1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/nsec3.c				C	2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/nta.c					C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/opensslecdsa_link.c			C	2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/openssleddsa_link.c			C	2017,2018,2019,2020
-./lib/dns/opensslgost_link.c			C	2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/opensslrsa_link.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/order.c				C	2002,2004,2005,2007,2015,2016,2018,2019,2020
-./lib/dns/peer.c				C	2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/pkcs11.c				C	2014,2016,2018,2019,2020
-./lib/dns/pkcs11dh_link.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/pkcs11dsa_link.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/pkcs11ecdsa_link.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/pkcs11eddsa_link.c			C	2017,2018,2019,2020
-./lib/dns/pkcs11gost_link.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/pkcs11rsa_link.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/portlist.c				C	2003,2004,2005,2006,2007,2014,2016,2018,2019,2020
-./lib/dns/private.c				C	2009,2011,2012,2015,2016,2017,2018,2019,2020
-./lib/dns/rbt.c					C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rbtdb.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rbtdb.h				C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020
-./lib/dns/rbtdb64.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rbtdb64.h				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rcode.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/any_255/tsig_250.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/any_255/tsig_250.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/ch_3/a_1.c			C	2005,2007,2009,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/ch_3/a_1.h			C	2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/afsdb_18.c		C	1999,2000,2001,2003,2004,2005,2007,2009,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/afsdb_18.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/amtrelay_260.c		C	2019,2020
-./lib/dns/rdata/generic/amtrelay_260.h		C	2019,2020
-./lib/dns/rdata/generic/avc_258.c		C	2016,2018,2019,2020
-./lib/dns/rdata/generic/avc_258.h		C	2016,2018,2019,2020
-./lib/dns/rdata/generic/caa_257.c		C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/caa_257.h		C	2014,2016,2018,2019,2020
-./lib/dns/rdata/generic/cdnskey_60.c		C	2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/cdnskey_60.h		C	2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/cds_59.c		C	2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/cds_59.h		C	2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/cert_37.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/cert_37.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/cname_5.c		C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/cname_5.h		C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/csync_62.c		C	2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/csync_62.h		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/dlv_32769.c		C	2004,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/dlv_32769.h		C	2004,2006,2007,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/dname_39.c		C	1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/dname_39.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/dnskey_48.c		C	2003,2004,2005,2007,2009,2011,2012,2013,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/dnskey_48.h		C	2003,2004,2005,2007,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/doa_259.c		C	2017,2018,2019,2020
-./lib/dns/rdata/generic/doa_259.h		C	2017,2018,2019,2020
-./lib/dns/rdata/generic/ds_43.c			C	2002,2004,2005,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/ds_43.h			C	2002,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/eui48_108.c		C	2013,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/eui48_108.h		C	2013,2016,2018,2019,2020
-./lib/dns/rdata/generic/eui64_109.c		C	2013,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/eui64_109.h		C	2013,2016,2018,2019,2020
-./lib/dns/rdata/generic/gpos_27.c		C	1999,2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/gpos_27.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/hinfo_13.c		C	1998,1999,2000,2001,2002,2004,2007,2009,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/hinfo_13.h		C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/hip_55.c		C	2009,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/hip_55.h		C	2009,2016,2018,2019,2020
-./lib/dns/rdata/generic/ipseckey_45.c		C	2005,2007,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/ipseckey_45.h		C	2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/isdn_20.c		C	1999,2000,2001,2002,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/isdn_20.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/key_25.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2011,2012,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/key_25.h		C	1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/keydata_65533.c		C	2009,2011,2012,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/keydata_65533.h		C	2009,2016,2018,2019,2020
-./lib/dns/rdata/generic/l32_105.c		C	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/l32_105.h		C	2013,2016,2018,2019,2020
-./lib/dns/rdata/generic/l64_106.c		C	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/l64_106.h		C	2013,2016,2018,2019,2020
-./lib/dns/rdata/generic/loc_29.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/loc_29.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/lp_107.c		C	2013,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/lp_107.h		C	2013,2016,2018,2019,2020
-./lib/dns/rdata/generic/mb_7.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/mb_7.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/md_3.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/md_3.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/mf_4.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/mf_4.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/mg_8.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/mg_8.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/minfo_14.c		C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/minfo_14.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/mr_9.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/mr_9.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/mx_15.c			C	1998,1999,2000,2001,2003,2004,2005,2007,2009,2012,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/mx_15.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/naptr_35.c		C	1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/naptr_35.h		C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020
-./lib/dns/rdata/generic/nid_104.c		C	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/nid_104.h		C	2013,2016,2018,2019,2020
-./lib/dns/rdata/generic/ninfo_56.c		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/ninfo_56.h		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/ns_2.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/ns_2.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/nsec3_50.c		C	2008,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/nsec3_50.h		C	2008,2011,2012,2016,2018,2019,2020
-./lib/dns/rdata/generic/nsec3param_51.c		C	2008,2009,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/nsec3param_51.h		C	2008,2016,2018,2019,2020
-./lib/dns/rdata/generic/nsec_47.c		C	2003,2004,2007,2008,2009,2011,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/nsec_47.h		C	2003,2004,2005,2007,2008,2016,2018,2019,2020
-./lib/dns/rdata/generic/null_10.c		C	1998,1999,2000,2001,2002,2004,2007,2009,2011,2012,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/null_10.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/nxt_30.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/nxt_30.h		C	1999,2000,2001,2002,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/openpgpkey_61.c		C	2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/openpgpkey_61.h		C	2014,2016,2018,2019,2020
-./lib/dns/rdata/generic/opt_41.c		C	1998,1999,2000,2001,2002,2004,2005,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/opt_41.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/proforma.c		C	1998,1999,2000,2001,2002,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/proforma.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/ptr_12.c		C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/ptr_12.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/rkey_57.c		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/rkey_57.h		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/rp_17.c			C	1999,2000,2001,2004,2005,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/rp_17.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/rrsig_46.c		C	2003,2004,2005,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/rrsig_46.h		C	2003,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/rt_21.c			C	1999,2000,2001,2003,2004,2005,2007,2009,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/rt_21.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/sig_24.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/sig_24.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/sink_40.c		C	2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/sink_40.h		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/smimea_53.c		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/smimea_53.h		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/soa_6.c			C	1998,1999,2000,2001,2002,2004,2007,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/soa_6.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/spf_99.c		C	1998,1999,2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/spf_99.h		C	1998,1999,2000,2001,2004,2005,2007,2014,2016,2018,2019,2020
-./lib/dns/rdata/generic/sshfp_44.c		C	2003,2004,2006,2007,2009,2011,2012,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/sshfp_44.h		C	2003,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/ta_32768.c		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/ta_32768.h		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/talink_58.c		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/talink_58.h		C	2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/tkey_249.c		C	1999,2000,2001,2002,2003,2004,2007,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/tkey_249.h		C	1999,2000,2001,2003,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/tlsa_52.c		C	2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/tlsa_52.h		C	2012,2014,2016,2018,2019,2020
-./lib/dns/rdata/generic/txt_16.c		C	1998,1999,2000,2001,2002,2004,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/txt_16.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/uri_256.c		C	2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/generic/uri_256.h		C	2011,2012,2016,2018,2019,2020
-./lib/dns/rdata/generic/x25_19.c		C	1999,2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/generic/x25_19.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/generic/zonemd_63.c		C	2019,2020
-./lib/dns/rdata/generic/zonemd_63.h		C	2019,2020
-./lib/dns/rdata/hs_4/a_1.c			C	1999,2000,2001,2002,2004,2007,2009,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/hs_4/a_1.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/a6_38.c			C	1999,2000,2001,2002,2003,2004,2007,2009,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/in_1/a6_38.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/a_1.c			C	1998,1999,2000,2001,2002,2004,2007,2009,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/in_1/a_1.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/aaaa_28.c			C	1999,2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/in_1/aaaa_28.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/apl_42.c			C	2002,2004,2005,2007,2008,2009,2014,2015,2016,2018,2019,2020
-./lib/dns/rdata/in_1/apl_42.h			C	2002,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/atma_34.c			C	2018,2019,2020
-./lib/dns/rdata/in_1/atma_34.h			C	2018,2019,2020
-./lib/dns/rdata/in_1/dhcid_49.c			C	2006,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/in_1/dhcid_49.h			C	2006,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/eid_31.c			C	2018,2019,2020
-./lib/dns/rdata/in_1/eid_31.h			C	2018,2019,2020
-./lib/dns/rdata/in_1/kx_36.c			C	1999,2000,2001,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/in_1/kx_36.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/nimloc_32.c		C	2018,2019,2020
-./lib/dns/rdata/in_1/nimloc_32.h		C	2018,2019,2020
-./lib/dns/rdata/in_1/nsap-ptr_23.c		C	1999,2000,2001,2004,2005,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/in_1/nsap-ptr_23.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/nsap_22.c			C	1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/in_1/nsap_22.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/px_26.c			C	1999,2000,2001,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/in_1/px_26.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/srv_33.c			C	1999,2000,2001,2003,2004,2005,2007,2009,2015,2016,2018,2019,2020
-./lib/dns/rdata/in_1/srv_33.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdata/in_1/wks_11.c			C	1999,2000,2001,2002,2004,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdata/in_1/wks_11.h			C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/dns/rdata/rdatastructpre.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/dns/rdata/rdatastructsuf.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/dns/rdatalist.c				C	1999,2000,2001,2003,2004,2005,2007,2008,2010,2011,2012,2014,2015,2016,2018,2019,2020
-./lib/dns/rdatalist_p.h				C	2000,2001,2004,2005,2007,2008,2015,2016,2018,2019,2020
-./lib/dns/rdataset.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rdatasetiter.c			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/rdataslab.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/request.c				C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/resolver.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/result.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rootns.c				C	1999,2000,2001,2002,2004,2005,2007,2008,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rpz.c					C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/rriterator.c				C	2009,2011,2012,2015,2016,2018,2019,2020
-./lib/dns/rrl.c					C	2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/sdb.c					C	2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/sdlz.c				C.PORTION	1999,2000,2001,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/soa.c					C	2000,2001,2004,2005,2007,2009,2016,2018,2019,2020
-./lib/dns/spnego.asn1				X	2006,2018,2019,2020
-./lib/dns/spnego.c				C	2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/spnego.h				C	2006,2007,2016,2018,2019,2020
-./lib/dns/spnego_asn1.c				C	2006,2007,2012,2013,2015,2016,2018,2019,2020
-./lib/dns/spnego_asn1.pl			PERL	2006,2007,2012,2016,2018,2019,2020
-./lib/dns/ssu.c					C	2000,2001,2003,2004,2005,2006,2007,2008,2010,2011,2013,2014,2016,2017,2018,2019,2020
-./lib/dns/ssu_external.c			C	2011,2012,2013,2016,2017,2018,2019,2020
-./lib/dns/stats.c				C	2000,2001,2004,2005,2007,2008,2009,2012,2016,2018,2019,2020
-./lib/dns/tcpmsg.c				C	1999,2000,2001,2004,2005,2006,2007,2015,2016,2018,2019,2020
-./lib/dns/tests/Kdh.+002+18602.key		X	2014,2018,2019,2020
-./lib/dns/tests/Krsa.+005+29235.key		X	2016,2018,2019,2020
-./lib/dns/tests/Kyuafile			X	2017,2018,2019,2020
-./lib/dns/tests/Makefile.in			MAKE	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/acl_test.c			C	2016,2018,2019,2020
-./lib/dns/tests/db_test.c			C	2013,2015,2016,2018,2019,2020
-./lib/dns/tests/dbdiff_test.c			C	2011,2012,2016,2017,2018,2019,2020
-./lib/dns/tests/dbiterator_test.c		C	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/dbversion_test.c		C	2011,2012,2014,2015,2016,2018,2019,2020
-./lib/dns/tests/dh_test.c			C	2014,2016,2018,2019,2020
-./lib/dns/tests/dispatch_test.c			C	2012,2014,2016,2018,2019,2020
-./lib/dns/tests/dnstap_test.c			C	2015,2016,2017,2018,2019,2020
-./lib/dns/tests/dnstest.c			C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/dnstest.h			C	2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/dst_test.c			C	2018,2019,2020
-./lib/dns/tests/geoip_test.c			C	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/gost_test.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/keytable_test.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/master_test.c			C	2011,2012,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/mkraw.pl			PERL	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/name_test.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/nsec3_test.c			C	2012,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/peer_test.c			C	2014,2016,2018,2019,2020
-./lib/dns/tests/private_test.c			C	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/rbt_serialize_test.c		C	2014,2015,2016,2018,2019,2020
-./lib/dns/tests/rbt_test.c			C	2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/rdata_test.c			C	2012,2013,2015,2016,2017,2018,2019,2020
-./lib/dns/tests/rdataset_test.c			C	2012,2016,2018,2019,2020
-./lib/dns/tests/rdatasetstats_test.c		C	2012,2015,2016,2018,2019,2020
-./lib/dns/tests/resolver_test.c			C	2018,2019,2020
-./lib/dns/tests/result_test.c			C	2018,2019,2020
-./lib/dns/tests/rsa_test.c			C	2016,2018,2019,2020
-./lib/dns/tests/sigs_test.c			C	2018,2019,2020
-./lib/dns/tests/testdata/db/data.db		ZONE	2018,2019,2020
-./lib/dns/tests/testdata/dbiterator/zone1.data	ZONE	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/dbiterator/zone2.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/diff/zone1.data	ZONE	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/diff/zone2.data	ZONE	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/diff/zone3.data	ZONE	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/dnstap/dnstap.saved	X	2015,2017,2018,2019,2020
-./lib/dns/tests/testdata/dnstap/dnstap.text	X	2015,2017,2018,2019,2020
-./lib/dns/tests/testdata/dnstap/query.auth	X	2015,2018,2019,2020
-./lib/dns/tests/testdata/dnstap/query.recursive	X	2015,2018,2019,2020
-./lib/dns/tests/testdata/dnstap/response.auth	X	2015,2018,2019,2020
-./lib/dns/tests/testdata/dnstap/response.recursive	X	2015,2018,2019,2020
-./lib/dns/tests/testdata/dst/Ktest.+001+00002.key	X	2018,2019,2020
-./lib/dns/tests/testdata/dst/Ktest.+001+54622.key	X	2018,2019,2020
-./lib/dns/tests/testdata/dst/Ktest.+001+54622.private	X	2018,2019,2020
-./lib/dns/tests/testdata/dst/Ktest.+003+23616.key	X	2018,2019,2020
-./lib/dns/tests/testdata/dst/Ktest.+003+23616.private	X	2018,2019,2020
-./lib/dns/tests/testdata/dst/Ktest.+003+49667.key	X	2018,2019,2020
-./lib/dns/tests/testdata/dst/test1.data		X	2018,2019,2020
-./lib/dns/tests/testdata/dst/test1.dsasig	X	2018,2019,2020
-./lib/dns/tests/testdata/dst/test1.rsasig	X	2018,2019,2020
-./lib/dns/tests/testdata/dst/test2.data		X	2018,2019,2020
-./lib/dns/tests/testdata/master/master1.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master10.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master11.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master12.data.in	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master13.data.in	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master14.data.in	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master15.data	X	2012,2018,2019,2020
-./lib/dns/tests/testdata/master/master16.data	X	2012,2018,2019,2020
-./lib/dns/tests/testdata/master/master17.data	X	2012,2018,2019,2020
-./lib/dns/tests/testdata/master/master18.data	X	2018,2019,2020
-./lib/dns/tests/testdata/master/master2.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master3.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master4.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master5.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master6.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master7.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master8.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/master/master9.data	X	2011,2018,2019,2020
-./lib/dns/tests/testdata/nsec3/1024.db		ZONE	2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/nsec3/2048.db		ZONE	2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/nsec3/4096.db		ZONE	2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/nsec3/min-1024.db	ZONE	2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/nsec3/min-2048.db	ZONE	2012,2016,2018,2019,2020
-./lib/dns/tests/testdata/zt/zone1.db		ZONE	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/testkeys/Kexample.+008+20386.key	X	2018,2019,2020
-./lib/dns/tests/testkeys/Kexample.+008+20386.private	X	2018,2019,2020
-./lib/dns/tests/testkeys/Kexample.+008+37464.key	X	2018,2019,2020
-./lib/dns/tests/testkeys/Kexample.+008+37464.private	X	2018,2019,2020
-./lib/dns/tests/time_test.c			C	2011,2012,2016,2018,2019,2020
-./lib/dns/tests/tsig_test.c			C	2017,2018,2019,2020
-./lib/dns/tests/update_test.c			C	2011,2012,2014,2016,2017,2018,2019,2020
-./lib/dns/tests/zonemgr_test.c			C	2011,2012,2013,2015,2016,2018,2019,2020
-./lib/dns/tests/zt_test.c			C	2011,2012,2016,2018,2019,2020
-./lib/dns/time.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2007,2009,2010,2011,2012,2014,2016,2017,2018,2019,2020
-./lib/dns/timer.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/tkey.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/dns/tsec.c				C	2009,2010,2016,2017,2018,2019,2020
-./lib/dns/tsig.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/ttl.c					C	1999,2000,2001,2004,2005,2007,2011,2012,2013,2014,2016,2017,2018,2019,2020
-./lib/dns/update.c				C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/validator.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/version.c				C	1998,1999,2000,2001,2004,2005,2007,2012,2013,2016,2018,2019,2020
-./lib/dns/view.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020
-./lib/dns/win32/gen.dsp.in			X	2001,2013,2018,2019,2020
-./lib/dns/win32/gen.dsw				X	2001,2018,2019,2020
-./lib/dns/win32/gen.mak.in			X	2001,2006,2013,2018,2019,2020
-./lib/dns/win32/gen.vcxproj.filters.in		X	2013,2015,2018,2019,2020
-./lib/dns/win32/gen.vcxproj.in			X	2013,2015,2016,2017,2018,2019,2020
-./lib/dns/win32/gen.vcxproj.user		X	2013,2018,2019,2020
-./lib/dns/win32/libdns.def.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/win32/libdns.dsp.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/win32/libdns.dsw			X	2001,2018,2019,2020
-./lib/dns/win32/libdns.mak.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/win32/libdns.vcxproj.filters.in	X	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/win32/libdns.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/win32/libdns.vcxproj.user		X	2013,2018,2019,2020
-./lib/dns/win32/version.c			C	1998,1999,2000,2001,2004,2007,2013,2016,2018,2019,2020
-./lib/dns/xfrin.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/zone.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/zone_p.h				C	2018,2019,2020
-./lib/dns/zonekey.c				C	2001,2003,2004,2005,2007,2016,2018,2019,2020
-./lib/dns/zt.c					C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/irs/Kyuafile				X	2017,2018,2019,2020
-./lib/irs/Makefile.in				MAKE	2009,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/irs/api					X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/irs/context.c				C	2009,2014,2016,2018,2019,2020
-./lib/irs/dnsconf.c				C	2009,2012,2016,2018,2019,2020
-./lib/irs/gai_strerror.c			C	2009,2014,2016,2018,2019,2020
-./lib/irs/getaddrinfo.c				C	2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/irs/getnameinfo.c				C	2009,2011,2012,2013,2014,2016,2017,2018,2019,2020
-./lib/irs/include/Makefile.in			MAKE	2009,2012,2016,2018,2019,2020
-./lib/irs/include/irs/Makefile.in		MAKE	2009,2012,2014,2016,2018,2019,2020
-./lib/irs/include/irs/context.h			C	2009,2016,2018,2019,2020
-./lib/irs/include/irs/dnsconf.h			C	2009,2016,2018,2019,2020
-./lib/irs/include/irs/netdb.h.in		C	2009,2016,2018,2019,2020
-./lib/irs/include/irs/platform.h.in		C	2009,2016,2018,2019,2020
-./lib/irs/include/irs/resconf.h			C	2009,2014,2016,2018,2019,2020
-./lib/irs/include/irs/types.h			C	2009,2016,2018,2019,2020
-./lib/irs/include/irs/version.h			C	2009,2016,2018,2019,2020
-./lib/irs/resconf.c				C	2009,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/irs/tests/Kyuafile			X	2017,2018,2019,2020
-./lib/irs/tests/Makefile.in			MAKE	2016,2017,2018,2019,2020
-./lib/irs/tests/resconf_test.c			C	2016,2018,2019,2020
-./lib/irs/tests/testdata/domain.conf		CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/nameserver-v4.conf	CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/nameserver-v6.conf	CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/options-bad-ndots.conf	CONF-SH	2018,2019,2020
-./lib/irs/tests/testdata/options-debug.conf	CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/options-empty.conf	CONF-SH	2018,2019,2020
-./lib/irs/tests/testdata/options-ndots.conf	CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/options-timeout.conf	CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/options-unknown.conf	CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/options.conf		CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/port.conf		CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/resolv.conf		CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/search.conf		CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/sortlist-v4.conf	CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/timeout.conf		CONF-SH	2016,2018,2019,2020
-./lib/irs/tests/testdata/unknown.conf		CONF-SH	2016,2018,2019,2020
-./lib/irs/version.c				C	2009,2016,2018,2019,2020
-./lib/irs/win32/DLLMain.c			C	2014,2016,2018,2019,2020
-./lib/irs/win32/Makefile.in			MAKE	2014,2016,2018,2019,2020
-./lib/irs/win32/include/Makefile.in		MAKE	2014,2016,2018,2019,2020
-./lib/irs/win32/include/irs/Makefile.in		MAKE	2014,2016,2018,2019,2020
-./lib/irs/win32/include/irs/netdb.h		C	2014,2016,2018,2019,2020
-./lib/irs/win32/include/irs/platform.h		C	2014,2016,2018,2019,2020
-./lib/irs/win32/libirs.def			X	2014,2018,2019,2020
-./lib/irs/win32/libirs.dsp.in			X	2014,2018,2019,2020
-./lib/irs/win32/libirs.dsw			X	2001,2014,2018,2019,2020
-./lib/irs/win32/libirs.mak.in			X	2014,2018,2019,2020
-./lib/irs/win32/libirs.vcxproj.filters.in	X	2014,2015,2016,2018,2019,2020
-./lib/irs/win32/libirs.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020
-./lib/irs/win32/libirs.vcxproj.user		X	2014,2018,2019,2020
-./lib/irs/win32/version.c			C	2014,2016,2018,2019,2020
-./lib/isc/Kyuafile				X	2017,2018,2019,2020
-./lib/isc/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/aes.c					C	2014,2016,2017,2018,2019,2020
-./lib/isc/alpha/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/alpha/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/alpha/include/isc/Makefile.in		MAKE	2007,2012,2015,2016,2018,2019,2020
-./lib/isc/alpha/include/isc/atomic.h		C	2005,2007,2009,2016,2018,2019,2020
-./lib/isc/api					X	1999,2000,2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/app_api.c				C	2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/assertions.c				C	1997,1998,1999,2000,2001,2004,2005,2007,2008,2009,2015,2016,2018,2019,2020
-./lib/isc/backtrace-emptytbl.c			C	2009,2016,2018,2019,2020
-./lib/isc/backtrace.c				C	2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/base32.c				C	2008,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/base64.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/bind9.c				C	2013,2016,2018,2019,2020
-./lib/isc/buffer.c				C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/bufferlist.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/chacha_private.h			X	2014,2018,2019,2020
-./lib/isc/commandline.c				C.PORTION	1999,2000,2001,2004,2005,2007,2008,2014,2015,2016,2018,2019,2020
-./lib/isc/counter.c				C	2014,2016,2018,2019,2020
-./lib/isc/crc64.c				C	2013,2016,2018,2019,2020
-./lib/isc/entropy.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2009,2010,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/error.c				C	1998,1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020
-./lib/isc/event.c				C	1998,1999,2000,2001,2004,2005,2007,2014,2016,2017,2018,2019,2020
-./lib/isc/fsaccess.c				C	2000,2001,2004,2005,2007,2016,2017,2018,2019,2020
-./lib/isc/hash.c				C	2003,2004,2005,2006,2007,2009,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/heap.c				C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/hex.c					C	2000,2001,2002,2003,2004,2005,2007,2008,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/hmacmd5.c				C	2000,2001,2004,2005,2006,2007,2009,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/hmacsha.c				C	2005,2006,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/ht.c					C	2016,2018,2019,2020
-./lib/isc/httpd.c				C	2006,2007,2008,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/ia64/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/ia64/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/ia64/include/isc/Makefile.in		MAKE	2007,2012,2015,2016,2018,2019,2020
-./lib/isc/ia64/include/isc/atomic.h		C	2006,2007,2009,2012,2016,2018,2019,2020
-./lib/isc/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./lib/isc/include/isc/Makefile.in		MAKE	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/aes.h			C	2014,2016,2018,2019,2020
-./lib/isc/include/isc/app.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/include/isc/assertions.h		C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2016,2017,2018,2019,2020
-./lib/isc/include/isc/backtrace.h		C	2009,2016,2018,2019,2020
-./lib/isc/include/isc/base32.h			C	2008,2014,2016,2018,2019,2020
-./lib/isc/include/isc/base64.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/bind9.h			C	2009,2013,2016,2018,2019,2020
-./lib/isc/include/isc/boolean.h			C	2018,2019,2020
-./lib/isc/include/isc/buffer.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2010,2012,2014,2016,2017,2018,2019,2020
-./lib/isc/include/isc/bufferlist.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/commandline.h		C	1999,2000,2001,2004,2005,2006,2007,2015,2016,2018,2019,2020
-./lib/isc/include/isc/counter.h			C	2014,2016,2018,2019,2020
-./lib/isc/include/isc/crc64.h			C	2013,2016,2018,2019,2020
-./lib/isc/include/isc/deprecated.h		C	2017,2018,2019,2020
-./lib/isc/include/isc/endian.h			C	2019,2020
-./lib/isc/include/isc/entropy.h			C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/isc/include/isc/errno.h			C	2016,2018,2019,2020
-./lib/isc/include/isc/error.h			C	1998,1999,2000,2001,2004,2005,2006,2007,2009,2016,2017,2018,2019,2020
-./lib/isc/include/isc/event.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2014,2016,2017,2018,2019,2020
-./lib/isc/include/isc/eventclass.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/include/isc/file.h			C	2000,2001,2004,2005,2006,2007,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/formatcheck.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/fsaccess.h		C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/isc/include/isc/hash.h			C	2003,2004,2005,2006,2007,2009,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/heap.h			C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2009,2012,2016,2018,2019,2020
-./lib/isc/include/isc/hex.h			C	2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020
-./lib/isc/include/isc/hmacmd5.h			C	2000,2001,2004,2005,2006,2007,2009,2014,2016,2017,2018,2019,2020
-./lib/isc/include/isc/hmacsha.h			C	2005,2006,2007,2009,2014,2016,2017,2018,2019,2020
-./lib/isc/include/isc/ht.h			C	2016,2018,2019,2020
-./lib/isc/include/isc/httpd.h			C	2006,2007,2008,2014,2016,2018,2019,2020
-./lib/isc/include/isc/int.h			C	2018,2019,2020
-./lib/isc/include/isc/interfaceiter.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/ipv6.h			C	1999,2000,2001,2002,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/include/isc/iterated_hash.h		C	2008,2014,2016,2018,2019,2020
-./lib/isc/include/isc/json.h			C	2013,2015,2016,2018,2019,2020
-./lib/isc/include/isc/lang.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/lex.h			C	1998,1999,2000,2001,2002,2004,2005,2007,2008,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/lfsr.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/lib.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/isc/include/isc/likely.h			C	2017,2018,2019,2020
-./lib/isc/include/isc/list.h			C	1997,1998,1999,2000,2001,2002,2004,2006,2007,2011,2012,2013,2016,2018,2019,2020
-./lib/isc/include/isc/log.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020
-./lib/isc/include/isc/magic.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2017,2018,2019,2020
-./lib/isc/include/isc/md5.h			C	2000,2001,2004,2005,2006,2007,2009,2010,2014,2016,2017,2018,2019,2020
-./lib/isc/include/isc/mem.h			C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2015,2016,2018,2019,2020
-./lib/isc/include/isc/meminfo.h			C	2015,2016,2018,2019,2020
-./lib/isc/include/isc/msgcat.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/include/isc/msgs.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2016,2017,2018,2019,2020
-./lib/isc/include/isc/mutexblock.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/netaddr.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2009,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/netscope.h		C	2002,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/isc/include/isc/ondestroy.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/os.h			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/parseint.h		C	2001,2002,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/platform.h.in		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/pool.h			C	2013,2016,2018,2019,2020
-./lib/isc/include/isc/portset.h			C	2008,2009,2016,2018,2019,2020
-./lib/isc/include/isc/print.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2014,2015,2016,2018,2019,2020
-./lib/isc/include/isc/queue.h			C	2011,2012,2013,2016,2018,2019,2020
-./lib/isc/include/isc/quota.h			C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/include/isc/radix.h			C	2007,2008,2013,2014,2016,2018,2019,2020
-./lib/isc/include/isc/random.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020
-./lib/isc/include/isc/ratelimiter.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020
-./lib/isc/include/isc/refcount.h		C	2001,2003,2004,2005,2006,2007,2009,2016,2017,2018,2019,2020
-./lib/isc/include/isc/regex.h			C	2013,2016,2018,2019,2020
-./lib/isc/include/isc/region.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2013,2016,2018,2019,2020
-./lib/isc/include/isc/resource.h		C	2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020
-./lib/isc/include/isc/result.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020
-./lib/isc/include/isc/resultclass.h		C	1999,2000,2001,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020
-./lib/isc/include/isc/rwlock.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2016,2017,2018,2019,2020
-./lib/isc/include/isc/safe.h			C	2013,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/serial.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/isc/include/isc/sha1.h			C	2000,2001,2004,2005,2006,2007,2009,2014,2016,2017,2018,2019,2020
-./lib/isc/include/isc/sha2.h			C	2005,2006,2007,2009,2014,2016,2017,2018,2019,2020
-./lib/isc/include/isc/siphash.h			C	2019,2020
-./lib/isc/include/isc/sockaddr.h		C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2009,2012,2015,2016,2018,2019,2020
-./lib/isc/include/isc/socket.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2016,2018,2019,2020
-./lib/isc/include/isc/stats.h			C	2009,2012,2016,2018,2019,2020
-./lib/isc/include/isc/stdatomic.h		C	2018,2019,2020
-./lib/isc/include/isc/stdio.h			C	2000,2001,2004,2005,2006,2007,2013,2016,2018,2019,2020
-./lib/isc/include/isc/stdlib.h			C	2003,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/string.h			C	2000,2001,2003,2004,2005,2006,2007,2014,2016,2018,2019,2020
-./lib/isc/include/isc/symtab.h			C	1996,1997,1998,1999,2000,2001,2004,2005,2006,2007,2009,2011,2012,2013,2016,2018,2019,2020
-./lib/isc/include/isc/task.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/taskpool.h		C	1999,2000,2001,2004,2005,2006,2007,2011,2012,2016,2018,2019,2020
-./lib/isc/include/isc/timer.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2012,2013,2014,2016,2018,2019,2020
-./lib/isc/include/isc/tm.h			C	2014,2016,2018,2019,2020
-./lib/isc/include/isc/types.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2016,2018,2019,2020
-./lib/isc/include/isc/util.h			C	1998,1999,2000,2001,2004,2005,2006,2007,2010,2011,2012,2015,2016,2017,2018,2019,2020
-./lib/isc/include/isc/version.h			C	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/include/isc/xml.h			C	2006,2007,2016,2018,2019,2020
-./lib/isc/include/pk11/Makefile.in		MAKE	2014,2015,2016,2018,2019,2020
-./lib/isc/include/pk11/README.site		TXT.BRIEF	2016,2017,2018,2019,2020
-./lib/isc/include/pk11/constants.h		C	2014,2016,2017,2018,2019,2020
-./lib/isc/include/pk11/internal.h		C	2014,2016,2018,2019,2020
-./lib/isc/include/pk11/pk11.h			C	2014,2016,2018,2019,2020
-./lib/isc/include/pk11/result.h			C	2014,2016,2018,2019,2020
-./lib/isc/include/pk11/site.h			C	2016,2017,2018,2019,2020
-./lib/isc/include/pkcs11/Makefile.in		MAKE	2014,2015,2016,2017,2018,2019,2020
-./lib/isc/include/pkcs11/eddsa.h		C	2017,2018,2019,2020
-./lib/isc/include/pkcs11/pkcs11.h		X	2014,2016,2018,2019,2020
-./lib/isc/include/pkcs11/pkcs11f.h		X	2014,2016,2018,2019,2020
-./lib/isc/include/pkcs11/pkcs11t.h		X	2014,2016,2018,2019,2020
-./lib/isc/inet_aton.c				C.PORTION	1996,1997,1998,1999,2000,2001,2004,2005,2007,2008,2012,2013,2014,2016,2017,2018,2019,2020
-./lib/isc/inet_ntop.c				C	1996,1997,1998,1999,2000,2001,2004,2005,2007,2009,2016,2017,2018,2019,2020
-./lib/isc/inet_pton.c				C	1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2007,2013,2014,2016,2017,2018,2019,2020
-./lib/isc/iterated_hash.c			C	2006,2008,2009,2016,2018,2019,2020
-./lib/isc/lex.c					C	1998,1999,2000,2001,2002,2003,2004,2005,2007,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/lfsr.c				C	1999,2000,2001,2002,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/lib.c					C	1999,2000,2001,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/log.c					C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2009,2011,2012,2013,2014,2016,2017,2018,2019,2020
-./lib/isc/md5.c					C	2000,2001,2004,2005,2007,2009,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/mem.c					C	1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/mips/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/mips/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/mips/include/isc/Makefile.in		MAKE	2007,2012,2015,2016,2018,2019,2020
-./lib/isc/mips/include/isc/atomic.h		C	2005,2007,2016,2018,2019,2020
-./lib/isc/mutexblock.c				C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020
-./lib/isc/netaddr.c				C	1999,2000,2001,2002,2004,2005,2007,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/netscope.c				C	2002,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/nls/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009,2012,2016,2018,2019,2020
-./lib/isc/nls/msgcat.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/noatomic/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/noatomic/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/noatomic/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020
-./lib/isc/noatomic/include/isc/atomic.h		C	2005,2007,2016,2018,2019,2020
-./lib/isc/nothreads/Makefile.in			MAKE	2000,2001,2004,2007,2009,2010,2012,2013,2016,2018,2019,2020
-./lib/isc/nothreads/condition.c			C	2000,2001,2004,2006,2007,2016,2018,2019,2020
-./lib/isc/nothreads/include/Makefile.in		MAKE	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./lib/isc/nothreads/include/isc/Makefile.in	MAKE	2000,2001,2004,2007,2012,2015,2016,2018,2019,2020
-./lib/isc/nothreads/include/isc/condition.h	C	2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/nothreads/include/isc/mutex.h		C	2000,2001,2004,2007,2015,2016,2018,2019,2020
-./lib/isc/nothreads/include/isc/once.h		C	2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/nothreads/include/isc/thread.h	C	2000,2001,2004,2007,2013,2016,2017,2018,2019,2020
-./lib/isc/nothreads/mutex.c			C	2000,2001,2004,2006,2007,2016,2018,2019,2020
-./lib/isc/nothreads/thread.c			C	2000,2001,2004,2007,2016,2017,2018,2019,2020
-./lib/isc/ondestroy.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/parseint.c				C	2001,2002,2003,2004,2005,2007,2012,2016,2018,2019,2020
-./lib/isc/pk11.c				C	2014,2015,2016,2017,2018,2019,2020
-./lib/isc/pk11_result.c				C	2014,2015,2016,2018,2019,2020
-./lib/isc/pool.c				C	2013,2015,2016,2018,2019,2020
-./lib/isc/portset.c				C	2008,2016,2017,2018,2019,2020
-./lib/isc/powerpc/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/powerpc/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/powerpc/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020
-./lib/isc/powerpc/include/isc/atomic.h		C	2005,2007,2009,2011,2012,2016,2017,2018,2019,2020
-./lib/isc/print.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2010,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/pthreads/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2009,2012,2016,2018,2019,2020
-./lib/isc/pthreads/condition.c			C	1998,1999,2000,2001,2004,2005,2007,2012,2016,2018,2019,2020
-./lib/isc/pthreads/include/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2016,2018,2019,2020
-./lib/isc/pthreads/include/isc/Makefile.in	MAKE	1998,1999,2000,2001,2004,2007,2012,2015,2016,2018,2019,2020
-./lib/isc/pthreads/include/isc/condition.h	C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/pthreads/include/isc/mutex.h		C	1998,1999,2000,2001,2002,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/pthreads/include/isc/once.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/pthreads/include/isc/thread.h		C	1998,1999,2000,2001,2004,2005,2007,2013,2016,2017,2018,2019,2020
-./lib/isc/pthreads/mutex.c			C	2000,2001,2002,2004,2005,2007,2008,2011,2012,2014,2015,2016,2018,2019,2020
-./lib/isc/pthreads/thread.c			C	2000,2001,2003,2004,2005,2007,2013,2016,2017,2018,2019,2020
-./lib/isc/quota.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/radix.c				C	2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/random.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2013,2014,2016,2017,2018,2019,2020
-./lib/isc/ratelimiter.c				C	1999,2000,2001,2002,2004,2005,2007,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/refcount.c				C	2005,2007,2016,2017,2018,2019,2020
-./lib/isc/regex.c				C	2013,2014.2015,2015,2016,2018,2019,2020
-./lib/isc/region.c				C	2002,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/result.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2008,2012,2014,2015,2016,2018,2019,2020
-./lib/isc/rwlock.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020
-./lib/isc/safe.c				C	2013,2015,2016,2017,2018,2019,2020
-./lib/isc/serial.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/sha1.c				C	2000,2001,2003,2004,2005,2007,2009,2011,2012,2014,2016,2017,2018,2019,2020
-./lib/isc/sha2.c				C	2005,2006,2007,2009,2011,2012,2014,2016,2017,2018,2019,2020
-./lib/isc/siphash.c				C	2019,2020
-./lib/isc/sockaddr.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/socket_api.c				C	2009,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/sparc64/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/sparc64/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/sparc64/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020
-./lib/isc/sparc64/include/isc/atomic.h		C	2005,2007,2013,2016,2018,2019,2020
-./lib/isc/stats.c				C	2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/string.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2011,2012,2014,2015,2016,2018,2019,2020
-./lib/isc/strtoul.c				C	2003,2004,2005,2007,2014,2016,2018,2019,2020
-./lib/isc/symtab.c				C	1996,1997,1998,1999,2000,2001,2004,2005,2007,2011,2012,2013,2016,2018,2019,2020
-./lib/isc/task.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,1018,2018,2019,2020
-./lib/isc/task_p.h				C	2000,2001,2004,2005,2007,2009,2011,2012,2013,2016,2018,2019,2020
-./lib/isc/taskpool.c				C	1999,2000,2001,2004,2005,2007,2011,2012,2013,2016,2018,2019,2020
-./lib/isc/tests/Kyuafile			X	2017,2018,2019,2020
-./lib/isc/tests/Makefile.in			MAKE	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/tests/aes_test.c			C	2014,2016,2018,2019,2020
-./lib/isc/tests/atomic_test.c			C	2018,2019,2020
-./lib/isc/tests/buffer_test.c			C	2014,2015,2016,2018,2019,2020
-./lib/isc/tests/counter_test.c			C	2014,2016,2018,2019,2020
-./lib/isc/tests/errno_test.c			C	2016,2018,2019,2020
-./lib/isc/tests/file_test.c			C	2014,2016,2018,2019,2020
-./lib/isc/tests/hash_test.c			C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/tests/heap_test.c			C	2017,2018,2019,2020
-./lib/isc/tests/ht_test.c			C	2016,2017,2018,2019,2020
-./lib/isc/tests/inet_ntop_test.c		C	2017,2018,2019,2020
-./lib/isc/tests/isctest.c			C	2011,2012,2013,2014,2016,2017,2018,2019,2020
-./lib/isc/tests/isctest.h			C	2011,2012,2016,2018,2019,2020
-./lib/isc/tests/lex_test.c			C	2013,2016,2018,2019,2020
-./lib/isc/tests/mem_test.c			C	2015,2016,2018,2019,2020
-./lib/isc/tests/netaddr_test.c			C	2016,2018,2019,2020
-./lib/isc/tests/parse_test.c			C	2012,2013,2016,2018,2019,2020
-./lib/isc/tests/pool_test.c			C	2013,2016,2018,2019,2020
-./lib/isc/tests/print_test.c			C	2014,2015,2016,2018,2019,2020
-./lib/isc/tests/queue_test.c			C	2011,2012,2016,2018,2019,2020
-./lib/isc/tests/radix_test.c			C	2014,2016,2018,2019,2020
-./lib/isc/tests/random_test.c			C	2014,2015,2016,2017,2018,2019,2020
-./lib/isc/tests/regex_test.c			C	2013,2015,2016,2018,2019,2020
-./lib/isc/tests/result_test.c			C	2015,2016,2018,2019,2020
-./lib/isc/tests/safe_test.c			C	2013,2015,2016,2017,2018,2019,2020
-./lib/isc/tests/siphash_test.c			C	2019,2020
-./lib/isc/tests/sockaddr_test.c			C	2012,2015,2016,2017,2018,2019,2020
-./lib/isc/tests/socket_test.c			C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/tests/symtab_test.c			C	2011,2012,2013,2016,2018,2019,2020
-./lib/isc/tests/task_test.c			C	2011,2012,2016,2018,2019,2020
-./lib/isc/tests/taskpool_test.c			C	2011,2012,2016,2018,2019,2020
-./lib/isc/tests/testdata/file/keep		X	2014,2018,2019,2020
-./lib/isc/tests/time_test.c			C	2014,2015,2016,2018,2019,2020
-./lib/isc/tests/timer_test.c			C	2018,2019,2020
-./lib/isc/timer.c				C	1998,1999,2000,2001,2002,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/timer_p.h				C	2000,2001,2004,2005,2007,2009,2016,2018,2019,2020
-./lib/isc/tm.c					C	2014,2016,2018,2019,2020
-./lib/isc/unix/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2009,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/unix/app.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/unix/dir.c				C	1999,2000,2001,2004,2005,2007,2008,2009,2011,2012,2016,2017,2018,2019,2020
-./lib/isc/unix/entropy.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2012,2016,2017,2018,2019,2020
-./lib/isc/unix/errno.c				C	2016,2018,2019,2020
-./lib/isc/unix/errno2result.c			C	2000,2001,2002,2004,2005,2007,2011,2012,2013,2016,2018,2019,2020
-./lib/isc/unix/errno2result.h			C	2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020
-./lib/isc/unix/file.c				C	2000,2001,2002,2004,2005,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/unix/fsaccess.c			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/unix/ifiter_getifaddrs.c		C	2003,2004,2005,2007,2008,2009,2014,2016,2018,2019,2020
-./lib/isc/unix/ifiter_ioctl.c			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/unix/ifiter_sysctl.c			C	1999,2000,2001,2002,2003,2004,2005,2007,2014,2015,2016,2018,2019,2020
-./lib/isc/unix/include/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./lib/isc/unix/include/isc/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/unix/include/isc/dir.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/unix/include/isc/keyboard.h		C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/unix/include/isc/net.h		C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2012,2013,2014,2016,2017,2018,2019,2020
-./lib/isc/unix/include/isc/netdb.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/unix/include/isc/offset.h		C	2000,2001,2004,2005,2007,2008,2016,2018,2019,2020
-./lib/isc/unix/include/isc/stat.h		C	2004,2007,2014,2016,2018,2019,2020
-./lib/isc/unix/include/isc/stdtime.h		C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020
-./lib/isc/unix/include/isc/strerror.h		C	2001,2004,2005,2007,2008,2016,2018,2019,2020
-./lib/isc/unix/include/isc/syslog.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/unix/include/isc/time.h		C	1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020
-./lib/isc/unix/include/pkcs11/Makefile.in	MAKE	2014,2016,2018,2019,2020
-./lib/isc/unix/include/pkcs11/cryptoki.h	X	2014,2018,2019,2020
-./lib/isc/unix/interfaceiter.c			C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2014,2016,2017,2018,2019,2020
-./lib/isc/unix/ipv6.c				C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isc/unix/keyboard.c			C	2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/unix/meminfo.c			C	2015,2016,2018,2019,2020
-./lib/isc/unix/net.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/unix/os.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/unix/pk11_api.c			C	2014,2016,2018,2019,2020
-./lib/isc/unix/resource.c			C	2000,2001,2004,2007,2008,2009,2016,2018,2019,2020
-./lib/isc/unix/socket.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/unix/socket_p.h			C	2000,2001,2004,2005,2007,2008,2009,2016,2018,2019,2020
-./lib/isc/unix/stdio.c				C	2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020
-./lib/isc/unix/stdtime.c			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/unix/strerror.c			C	2001,2004,2005,2007,2009,2016,2018,2019,2020
-./lib/isc/unix/syslog.c				C	2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/unix/time.c				C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/version.c				C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/app.c				C	1999,2000,2001,2004,2007,2009,2013,2014,2016,2018,2019,2020
-./lib/isc/win32/condition.c			C	1998,1999,2000,2001,2004,2006,2007,2016,2018,2019,2020
-./lib/isc/win32/dir.c				C	1999,2000,2001,2004,2007,2008,2009,2011,2012,2013,2016,2017,2018,2019,2020
-./lib/isc/win32/entropy.c			C	2000,2001,2002,2004,2007,2009,2013,2016,2018,2019,2020
-./lib/isc/win32/errno.c				C	2016,2018,2019,2020
-./lib/isc/win32/errno2result.c			C	2000,2001,2002,2004,2005,2007,2008,2013,2016,2018,2019,2020
-./lib/isc/win32/errno2result.h			C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isc/win32/file.c				C	2000,2001,2002,2004,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/win32/fsaccess.c			C	2000,2001,2002,2004,2007,2013,2016,2017,2018,2019,2020
-./lib/isc/win32/include/Makefile.in		MAKE	1999,2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./lib/isc/win32/include/isc/Makefile.in		MAKE	1999,2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/include/isc/atomic.h		C	2013,2015,2016,2018,2019,2020
-./lib/isc/win32/include/isc/bind_registry.h	C	2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/bindevt.h		C	2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/condition.h		C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/dir.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/ipv6.h		C	1999,2000,2001,2002,2004,2005,2007,2011,2012,2016,2018,2019,2020
-./lib/isc/win32/include/isc/keyboard.h		C	2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/mutex.h		C	1998,1999,2000,2001,2004,2007,2008,2009,2016,2018,2019,2020
-./lib/isc/win32/include/isc/net.h		C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2012,2013,2016,2017,2018,2019,2020
-./lib/isc/win32/include/isc/netdb.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/ntgroups.h		C	2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/ntpaths.h		C	2000,2001,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/isc/win32/include/isc/offset.h		C	2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/once.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/platform.h.in	C	2001,2004,2005,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/include/isc/stat.h		C	2000,2001,2003,2004,2007,2009,2012,2016,2018,2019,2020
-./lib/isc/win32/include/isc/stdtime.h		C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020
-./lib/isc/win32/include/isc/strerror.h		C	2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/syslog.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/include/isc/thread.h		C	1998,1999,2000,2001,2004,2005,2007,2009,2013,2016,2017,2018,2019,2020
-./lib/isc/win32/include/isc/time.h		C	1998,1999,2000,2001,2004,2006,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/include/isc/win32os.h		C	2002,2004,2007,2009,2015,2016,2018,2019,2020
-./lib/isc/win32/include/pkcs11/Makefile.in	MAKE	2014,2016,2018,2019,2020
-./lib/isc/win32/include/pkcs11/cryptoki.h	X	2014,2018,2019,2020
-./lib/isc/win32/interfaceiter.c			C	1999,2000,2001,2004,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/ipv6.c				C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/keyboard.c			C	2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/libgen.h			C	2009,2016,2018,2019,2020
-./lib/isc/win32/libisc.def.exclude		X	2015,2017,2018,2019,2020
-./lib/isc/win32/libisc.def.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/win32/libisc.dsp.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/libisc.dsw			X	2001,2018,2019,2020
-./lib/isc/win32/libisc.mak.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/libisc.vcxproj.filters.in	X	2013,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/libisc.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/win32/libisc.vcxproj.user		X	2013,2018,2019,2020
-./lib/isc/win32/meminfo.c			C	2015,2016,2018,2019,2020
-./lib/isc/win32/net.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/win32/netdb.h				C	2000,2001,2004,2006,2007,2009,2013,2016,2018,2019,2020
-./lib/isc/win32/ntgroups.c			C	2001,2004,2006,2007,2009,2013,2016,2018,2019,2020
-./lib/isc/win32/ntpaths.c			C	2001,2004,2007,2009,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/win32/once.c				C	1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/os.c				C	2000,2001,2002,2004,2007,2013,2016,2018,2019,2020
-./lib/isc/win32/pk11_api.c			C	2014,2016,2018,2019,2020
-./lib/isc/win32/resource.c			C	2000,2001,2004,2007,2008,2016,2018,2019,2020
-./lib/isc/win32/socket.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/win32/stdio.c				C	2000,2001,2004,2007,2013,2016,2018,2019,2020
-./lib/isc/win32/stdtime.c			C	1999,2000,2001,2004,2007,2013,2016,2018,2019,2020
-./lib/isc/win32/strerror.c			C	2001,2002,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/syslog.c			C	2001,2002,2003,2004,2007,2014,2016,2018,2019,2020
-./lib/isc/win32/syslog.h			C	2001,2002,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/thread.c			C	1998,1999,2000,2001,2004,2005,2007,2016,2017,2018,2019,2020
-./lib/isc/win32/time.c				C	1998,1999,2000,2001,2003,2004,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isc/win32/unistd.h			C	2000,2001,2004,2007,2008,2009,2016,2018,2019,2020
-./lib/isc/win32/version.c			C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/isc/win32/win32os.c			C	2002,2004,2007,2013,2014,2015,2016,2018,2019,2020
-./lib/isc/x86_32/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/x86_32/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/x86_32/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020
-./lib/isc/x86_32/include/isc/atomic.h		C	2005,2007,2008,2015,2016,2017,2018,2019,2020
-./lib/isc/x86_64/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/x86_64/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020
-./lib/isc/x86_64/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020
-./lib/isc/x86_64/include/isc/atomic.h		C	2005,2007,2008,2015,2016,2017,2018,2019,2020
-./lib/isccc/Kyuafile				X	2018,2019,2020
-./lib/isccc/Makefile.in				MAKE	2001,2003,2004,2007,2009,2011,2012,2014,2015,2016,2018,2019,2020
-./lib/isccc/alist.c				C.NOM	2001,2004,2005,2007,2015,2016,2018,2019,2020
-./lib/isccc/api					X	2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccc/base64.c				C.NOM	2001,2004,2005,2007,2013,2016,2018,2019,2020
-./lib/isccc/cc.c				C.NOM	2001,2002,2003,2004,2005,2006,2007,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/isccc/ccmsg.c				C.NOM	2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isccc/include/Makefile.in			MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/isccc/include/isccc/Makefile.in		MAKE	2001,2004,2007,2012,2015,2016,2018,2019,2020
-./lib/isccc/include/isccc/alist.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/base64.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/cc.h			C.NOM	2001,2004,2005,2006,2007,2013,2014,2016,2018,2019,2020
-./lib/isccc/include/isccc/ccmsg.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/events.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/lib.h			C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/result.h		C.NOM	2001,2003,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/sexpr.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/symtab.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/symtype.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/types.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/include/isccc/util.h		C.NOM	2001,2004,2005,2006,2007,2014,2016,2018,2019,2020
-./lib/isccc/include/isccc/version.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccc/lib.c				C.NOM	2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isccc/result.c				C.NOM	2001,2003,2004,2005,2007,2015,2016,2018,2019,2020
-./lib/isccc/sexpr.c				C.NOM	2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
-./lib/isccc/symtab.c				C.NOM	2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isccc/tests/Kyuafile			X	2018,2019,2020
-./lib/isccc/tests/Makefile.in			MAKE	2018,2019,2020
-./lib/isccc/tests/result_test.c			C	2018,2019,2020
-./lib/isccc/version.c				C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isccc/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020
-./lib/isccc/win32/libisccc.def			X	2001,2016,2018,2019,2020
-./lib/isccc/win32/libisccc.dsp.in		X	2001,2004,2005,2009,2011,2013,2014,2016,2018,2019,2020
-./lib/isccc/win32/libisccc.dsw			X	2001,2018,2019,2020
-./lib/isccc/win32/libisccc.mak.in		X	2001,2002,2004,2005,2006,2009,2011,2013,2014,2018,2019,2020
-./lib/isccc/win32/libisccc.vcxproj.filters.in	X	2013,2015,2016,2018,2019,2020
-./lib/isccc/win32/libisccc.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccc/win32/libisccc.vcxproj.user		X	2013,2018,2019,2020
-./lib/isccc/win32/version.c			C	2001,2004,2007,2016,2018,2019,2020
-./lib/isccfg/Kyuafile				X	2017,2018,2019,2020
-./lib/isccfg/Makefile.in			MAKE	2001,2002,2003,2004,2005,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccfg/aclconf.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccfg/api				X	2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccfg/dnsconf.c				C	2009,2016,2018,2019,2020
-./lib/isccfg/include/Makefile.in		MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/isccfg/include/isccfg/Makefile.in		MAKE	2001,2002,2004,2005,2007,2012,2014,2015,2016,2018,2019,2020
-./lib/isccfg/include/isccfg/aclconf.h		C	1999,2000,2001,2004,2005,2006,2007,2010,2011,2012,2013,2014,2016,2018,2019,2020
-./lib/isccfg/include/isccfg/cfg.h		C	2000,2001,2002,2004,2005,2006,2007,2010,2013,2014,2015,2016,2018,2019,2020
-./lib/isccfg/include/isccfg/dnsconf.h		C	2009,2016,2018,2019,2020
-./lib/isccfg/include/isccfg/grammar.h		C	2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccfg/include/isccfg/log.h		C	2001,2004,2005,2006,2007,2009,2016,2018,2019,2020
-./lib/isccfg/include/isccfg/namedconf.h		C	2002,2004,2005,2006,2007,2009,2010,2014,2016,2018,2019,2020
-./lib/isccfg/include/isccfg/version.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccfg/log.c				C	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/isccfg/namedconf.c			C	2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccfg/parser.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccfg/tests/Kyuafile			X	2017,2018,2019,2020
-./lib/isccfg/tests/Makefile.in			MAKE	2016,2018,2019,2020
-./lib/isccfg/tests/parser_test.c		C	2016,2018,2019,2020
-./lib/isccfg/version.c				C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/isccfg/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020
-./lib/isccfg/win32/libisccfg.def		X	2001,2002,2005,2009,2010,2011,2013,2014,2015,2016,2018,2019,2020
-./lib/isccfg/win32/libisccfg.dsp.in		X	2001,2002,2004,2005,2009,2011,2013,2014,2016,2018,2019,2020
-./lib/isccfg/win32/libisccfg.dsw		X	2001,2018,2019,2020
-./lib/isccfg/win32/libisccfg.mak.in		X	2001,2002,2004,2005,2006,2009,2011,2013,2014,2018,2019,2020
-./lib/isccfg/win32/libisccfg.vcxproj.filters.in	X	2013,2014,2015,2016,2018,2019,2020
-./lib/isccfg/win32/libisccfg.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/isccfg/win32/libisccfg.vcxproj.user	X	2013,2018,2019,2020
-./lib/isccfg/win32/version.c			C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/lwres/Kyuafile				X	2017,2018,2019,2020
-./lib/lwres/Makefile.in				MAKE	2000,2001,2004,2005,2007,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/lwres/api					X	2000,2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2017,2018,2019,2020
-./lib/lwres/assert_p.h				C	2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020
-./lib/lwres/compat.c				C	2003,2004,2005,2007,2014,2016,2018,2019,2020
-./lib/lwres/context.c				C	2000,2001,2003,2004,2005,2007,2008,2009,2012,2013,2014,2016,2018,2019,2020
-./lib/lwres/context_p.h				C	2000,2001,2004,2005,2007,2008,2016,2018,2019,2020
-./lib/lwres/gai_strerror.c			C	2000,2001,2004,2005,2006,2007,2014,2016,2018,2019,2020
-./lib/lwres/getaddrinfo.c			C.BSDI	1999,2000,2001,2004,2005,2006,2007,2008,2012,2014,2016,2018,2019,2020
-./lib/lwres/gethost.c				C	2000,2001,2004,2005,2007,2013,2014,2015,2016,2018,2019,2020
-./lib/lwres/getipnode.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2012,2014,2016,2018,2019,2020
-./lib/lwres/getnameinfo.c			C.PORTION	1999,2000,2001,2003,2004,2005,2007,2011,2012,2013,2016,2018,2019,2020
-./lib/lwres/getrrset.c				C	2000,2001,2002,2003,2004,2005,2007,2012,2014,2016,2018,2019,2020
-./lib/lwres/herror.c				C.PORTION	2000,2001,2003,2004,2005,2007,2011,2012,2014,2015,2016,2018,2019,2020
-./lib/lwres/include/Makefile.in			MAKE	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./lib/lwres/include/lwres/Makefile.in		MAKE	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
-./lib/lwres/include/lwres/context.h		C	2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020
-./lib/lwres/include/lwres/int.h			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/lwres/include/lwres/ipv6.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/lwres/include/lwres/lang.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/lwres/include/lwres/list.h		C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/lwres/include/lwres/lwbuffer.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/lwres/include/lwres/lwpacket.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/lwres/include/lwres/lwres.h		C	2000,2001,2004,2005,2006,2007,2014,2016,2018,2019,2020
-./lib/lwres/include/lwres/netdb.h.in		C	2000,2001,2004,2005,2007,2009,2014,2016,2018,2019,2020
-./lib/lwres/include/lwres/platform.h.in		C	2000,2001,2004,2005,2007,2014,2016,2018,2019,2020
-./lib/lwres/include/lwres/result.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/lwres/include/lwres/stdlib.h		C	2003,2004,2005,2006,2007,2014,2016,2018,2019,2020
-./lib/lwres/include/lwres/string.h		C	2014,2016,2018,2019,2020
-./lib/lwres/include/lwres/version.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020
-./lib/lwres/lwbuffer.c				C	2000,2001,2004,2005,2007,2014,2016,2018,2019,2020
-./lib/lwres/lwconfig.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2011,2012,2014,2016,2018,2019,2020
-./lib/lwres/lwinetaton.c			C.PORTION	1996,1997,1998,1999,2000,2001,2003,2004,2005,2007,2012,2013,2014,2016,2018,2019,2020
-./lib/lwres/lwinetntop.c			C	1996,1997,1998,1999,2000,2001,2003,2004,2005,2007,2016,2018,2019,2020
-./lib/lwres/lwinetpton.c			C	1996,1997,1998,1999,2000,2001,2004,2005,2007,2011,2012,2013,2014,2016,2017,2018,2019,2020
-./lib/lwres/lwpacket.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/lwres/lwres_gabn.c			C	2000,2001,2004,2005,2007,2013,2015,2016,2018,2019,2020
-./lib/lwres/lwres_gnba.c			C	2000,2001,2002,2004,2005,2007,2013,2016,2018,2019,2020
-./lib/lwres/lwres_grbn.c			C	2000,2001,2004,2005,2007,2013,2015,2016,2018,2019,2020
-./lib/lwres/lwres_noop.c			C	2000,2001,2004,2005,2007,2013,2016,2018,2019,2020
-./lib/lwres/lwresutil.c				C	2000,2001,2004,2005,2007,2014,2016,2018,2019,2020
-./lib/lwres/man/Makefile.in			MAKE	2001,2004,2007,2012,2015,2016,2018,2019,2020
+./isc-config.sh.in				SH	2000,2001,2003,2004,2007,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/Kyuafile					X	2017,2018,2019,2020,2021
+./lib/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004,2007,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/bind9/Makefile.in				MAKE	2001,2004,2007,2009,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/bind9/api					X	2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/bind9/check.c				C	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/bind9/getaddresses.c			C	2001,2002,2004,2005,2007,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/bind9/include/Makefile.in			MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/bind9/include/bind9/Makefile.in		MAKE	2001,2004,2007,2012,2015,2016,2018,2019,2020,2021
+./lib/bind9/include/bind9/check.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/bind9/include/bind9/getaddresses.h	C	2001,2004,2005,2006,2007,2009,2016,2017,2018,2019,2020,2021
+./lib/bind9/include/bind9/version.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/bind9/version.c				C	2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/bind9/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/bind9/win32/libbind9.def			X	2001,2018,2019,2020,2021
+./lib/bind9/win32/libbind9.dsp.in		X	2001,2004,2005,2009,2011,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/bind9/win32/libbind9.dsw			X	2001,2018,2019,2020,2021
+./lib/bind9/win32/libbind9.mak.in		X	2001,2002,2004,2005,2006,2009,2011,2013,2014,2015,2018,2019,2020,2021
+./lib/bind9/win32/libbind9.vcxproj.filters.in	X	2013,2015,2016,2018,2019,2020,2021
+./lib/bind9/win32/libbind9.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/bind9/win32/libbind9.vcxproj.user		X	2013,2018,2019,2020,2021
+./lib/bind9/win32/version.c			C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/dns/Kyuafile				X	2017,2018,2019,2020,2021
+./lib/dns/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/acache.c				C	2004,2005,2006,2007,2008,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/acl.c					C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2013,2014,2016,2018,2019,2020,2021
+./lib/dns/adb.c					C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/api					X	1999,2000,2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/badcache.c				C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/byaddr.c				C	2000,2001,2002,2003,2004,2005,2007,2009,2013,2016,2017,2018,2019,2020,2021
+./lib/dns/cache.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/callbacks.c				C	1999,2000,2001,2004,2005,2007,2011,2012,2015,2016,2018,2019,2020,2021
+./lib/dns/catz.c				C	2016,2017,2018,2019,2020,2021
+./lib/dns/client.c				C	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/clientinfo.c				C	2011,2014,2016,2018,2019,2020,2021
+./lib/dns/compress.c				C	1999,2000,2001,2004,2005,2006,2007,2015,2016,2018,2019,2020,2021
+./lib/dns/db.c					C	1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2015,2016,2018,2019,2020,2021
+./lib/dns/dbiterator.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/dbtable.c				C	1999,2000,2001,2004,2005,2007,2013,2016,2018,2019,2020,2021
+./lib/dns/diff.c				C	2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/dispatch.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/dlz.c					C.PORTION	1999,2000,2001,2005,2007,2009,2010,2011,2012,2013,2015,2016,2018,2019,2020,2021
+./lib/dns/dns64.c				C	2010,2011,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/dnssec.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/dnstap.c				C	2015,2016,2017,2018,2019,2020,2021
+./lib/dns/dnstap.proto				X	2015,2018,2019,2020,2021
+./lib/dns/ds.c					C	2002,2003,2004,2005,2006,2007,2010,2012,2014,2016,2018,2019,2020,2021
+./lib/dns/dst_api.c				C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/dst_gost.h				C	2014,2016,2018,2019,2020,2021
+./lib/dns/dst_internal.h			C.NAI	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/dst_lib.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/dst_openssl.h				C	2002,2004,2005,2007,2008,2009,2011,2012,2015,2016,2018,2019,2020,2021
+./lib/dns/dst_parse.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/dst_parse.h				C.NAI	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2012,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/dst_pkcs11.h				C	2014,2016,2018,2019,2020,2021
+./lib/dns/dst_result.c				C	1999,2000,2001,2004,2005,2007,2008,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/dyndb.c				C	2015,2016,2017,2018,2019,2020,2021
+./lib/dns/ecdb.c				C	2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/fixedname.c				C	2018,2019,2020,2021
+./lib/dns/forward.c				C	2000,2001,2004,2005,2007,2009,2013,2016,2018,2019,2020,2021
+./lib/dns/gen-unix.h				C	1999,2000,2001,2004,2005,2007,2009,2016,2018,2019,2020,2021
+./lib/dns/gen-win32.h				C	1999,2000,2001,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020,2021
+./lib/dns/gen.c					C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/geoip.c				C	2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/geoip2.c				C	2019,2020,2021
+./lib/dns/gssapi_link.c				C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/gssapictx.c				C	2000,2001,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/hmac_link.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/Makefile.in		MAKE	1998,1999,2000,2001,2002,2003,2004,2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/acache.h			C	2004,2006,2007,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/acl.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2011,2013,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/adb.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2011,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/badcache.h		C	2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/bit.h			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/byaddr.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/cache.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/callbacks.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/catz.h			C	2016,2018,2019,2020,2021
+./lib/dns/include/dns/cert.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/client.h			C	2009,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/clientinfo.h		C	2011,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/compress.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/db.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/dbiterator.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/dbtable.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/diff.h			C	2000,2001,2004,2005,2006,2007,2008,2009,2010,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/dispatch.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/dlz.h			C.PORTION	1999,2000,2001,2005,2006,2007,2009,2010,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/dlz_dlopen.h		C	2011,2012,2013,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/dns64.h			C	2010,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/dnssec.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/dnstap.h			C	2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/ds.h			C	2002,2004,2005,2006,2007,2010,2012,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/dsdigest.h		C	2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/dyndb.h			C	2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/ecdb.h			C	2009,2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/edns.h			C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/events.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/fixedname.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/forward.h			C	2000,2001,2004,2005,2006,2007,2009,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/geoip.h			C	2013,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/ipkeylist.h		C	2016,2018,2019,2020,2021
+./lib/dns/include/dns/iptable.h			C	2007,2012,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/journal.h			C	1999,2000,2001,2004,2005,2006,2007,2008,2009,2011,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/keydata.h			C	2009,2016,2018,2019,2020,2021
+./lib/dns/include/dns/keyflags.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/keytable.h		C	2000,2001,2004,2005,2007,2009,2010,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/keyvalues.h		C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2012,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/lib.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/dns/include/dns/log.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/lookup.h			C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/dns/include/dns/master.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/masterdump.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/message.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/name.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/ncache.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/nsec.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2011,2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/nsec3.h			C	2008,2009,2010,2011,2012,2013,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/nta.h			C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/opcode.h			C	2002,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/order.h			C	2002,2004,2005,2006,2007,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/peer.h			C	2000,2001,2003,2004,2005,2006,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/portlist.h		C	2003,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/private.h			C	2009,2011,2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rbt.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/rcode.h			C	1999,2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rdata.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/rdataclass.h		C	1998,1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rdatalist.h		C	1999,2000,2001,2004,2005,2006,2007,2008,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rdataset.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rdatasetiter.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rdataslab.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rdatatype.h		C	1998,1999,2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020,2021
+./lib/dns/include/dns/request.h			C	2000,2001,2002,2004,2005,2006,2007,2009,2010,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/resolver.h		C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/result.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rootns.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rpz.h			C	2011,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/rriterator.h		C	2009,2011,2016,2018,2019,2020,2021
+./lib/dns/include/dns/rrl.h			C	2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/sdb.h			C	2000,2001,2004,2005,2006,2007,2009,2011,2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/sdlz.h			C.PORTION	1999,2000,2001,2005,2006,2007,2009,2010,2011,2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/secalg.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/dns/include/dns/secproto.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/soa.h			C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/dns/include/dns/ssu.h			C	2000,2001,2003,2004,2005,2006,2007,2008,2010,2011,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/stats.h			C	2000,2001,2004,2005,2006,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/tcpmsg.h			C	1999,2000,2001,2004,2005,2006,2007,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/time.h			C	1999,2000,2001,2004,2005,2006,2007,2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/timer.h			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/tkey.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2010,2011,2016,2018,2019,2020,2021
+./lib/dns/include/dns/tsec.h			C	2009,2010,2012,2016,2018,2019,2020,2021
+./lib/dns/include/dns/tsig.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011,2016,2018,2019,2020,2021
+./lib/dns/include/dns/ttl.h			C	1999,2000,2001,2004,2005,2006,2007,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/types.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/update.h			C	2011,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dns/validator.h		C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2013,2014,2016,2018,2019,2020,2021
+./lib/dns/include/dns/version.h			C	2001,2004,2005,2006,2007,2012,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/view.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/xfrin.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2009,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dns/zone.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dns/zonekey.h			C	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dns/zt.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dst/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2015,2016,2018,2019,2020,2021
+./lib/dns/include/dst/dst.h			C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/include/dst/gssapi.h			C	2000,2001,2004,2005,2006,2007,2009,2010,2011,2013,2016,2018,2019,2020,2021
+./lib/dns/include/dst/lib.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/include/dst/result.h			C	1999,2000,2001,2004,2005,2006,2007,2008,2012,2014,2016,2018,2019,2020,2021
+./lib/dns/ipkeylist.c				C	2016,2018,2019,2020,2021
+./lib/dns/iptable.c				C	2007,2008,2009,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/journal.c				C	1999,2000,2001,2002,2004,2005,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/key.c					C	2001,2004,2005,2006,2007,2011,2016,2018,2019,2020,2021
+./lib/dns/keydata.c				C	2009,2014,2016,2018,2019,2020,2021
+./lib/dns/keytable.c				C	2000,2001,2004,2005,2007,2009,2010,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/lib.c					C	1999,2000,2001,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/log.c					C	1999,2000,2001,2003,2004,2005,2006,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/lookup.c				C	2000,2001,2003,2004,2005,2007,2013,2016,2018,2019,2020,2021
+./lib/dns/mapapi				X	2013,2018,2019,2020,2021
+./lib/dns/master.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/masterdump.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/message.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/name.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/ncache.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/nsec.c				C	1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/nsec3.c				C	2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/nta.c					C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/opensslecdsa_link.c			C	2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/openssleddsa_link.c			C	2017,2018,2019,2020,2021
+./lib/dns/opensslgost_link.c			C	2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/opensslrsa_link.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/order.c				C	2002,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./lib/dns/peer.c				C	2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/pkcs11.c				C	2014,2016,2018,2019,2020,2021
+./lib/dns/pkcs11dh_link.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/pkcs11dsa_link.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/pkcs11ecdsa_link.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/pkcs11eddsa_link.c			C	2017,2018,2019,2020,2021
+./lib/dns/pkcs11gost_link.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/pkcs11rsa_link.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/portlist.c				C	2003,2004,2005,2006,2007,2014,2016,2018,2019,2020,2021
+./lib/dns/private.c				C	2009,2011,2012,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rbt.c					C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rbtdb.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rbtdb.h				C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/dns/rbtdb64.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rbtdb64.h				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rcode.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/any_255/tsig_250.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/any_255/tsig_250.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/ch_3/a_1.c			C	2005,2007,2009,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/ch_3/a_1.h			C	2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/afsdb_18.c		C	1999,2000,2001,2003,2004,2005,2007,2009,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/afsdb_18.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/amtrelay_260.c		C	2019,2020,2021
+./lib/dns/rdata/generic/amtrelay_260.h		C	2019,2020,2021
+./lib/dns/rdata/generic/avc_258.c		C	2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/avc_258.h		C	2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/caa_257.c		C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/caa_257.h		C	2014,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/cdnskey_60.c		C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/cdnskey_60.h		C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/cds_59.c		C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/cds_59.h		C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/cert_37.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/cert_37.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/cname_5.c		C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/cname_5.h		C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/csync_62.c		C	2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/csync_62.h		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/dlv_32769.c		C	2004,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/dlv_32769.h		C	2004,2006,2007,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/dname_39.c		C	1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/dname_39.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/dnskey_48.c		C	2003,2004,2005,2007,2009,2011,2012,2013,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/dnskey_48.h		C	2003,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/doa_259.c		C	2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/doa_259.h		C	2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/ds_43.c			C	2002,2004,2005,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/ds_43.h			C	2002,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/eui48_108.c		C	2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/eui48_108.h		C	2013,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/eui64_109.c		C	2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/eui64_109.h		C	2013,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/gpos_27.c		C	1999,2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/gpos_27.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/hinfo_13.c		C	1998,1999,2000,2001,2002,2004,2007,2009,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/hinfo_13.h		C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/hip_55.c		C	2009,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/hip_55.h		C	2009,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/ipseckey_45.c		C	2005,2007,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/ipseckey_45.h		C	2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/isdn_20.c		C	1999,2000,2001,2002,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/isdn_20.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/key_25.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2011,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/key_25.h		C	1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/keydata_65533.c		C	2009,2011,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/keydata_65533.h		C	2009,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/l32_105.c		C	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/l32_105.h		C	2013,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/l64_106.c		C	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/l64_106.h		C	2013,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/loc_29.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/loc_29.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/lp_107.c		C	2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/lp_107.h		C	2013,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mb_7.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mb_7.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/md_3.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/md_3.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mf_4.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mf_4.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mg_8.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mg_8.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/minfo_14.c		C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/minfo_14.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mr_9.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mr_9.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/mx_15.c			C	1998,1999,2000,2001,2003,2004,2005,2007,2009,2012,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/mx_15.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/naptr_35.c		C	1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/naptr_35.h		C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/nid_104.c		C	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/nid_104.h		C	2013,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/ninfo_56.c		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/ninfo_56.h		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/ns_2.c			C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/ns_2.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/nsec3_50.c		C	2008,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/nsec3_50.h		C	2008,2011,2012,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/nsec3param_51.c		C	2008,2009,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/nsec3param_51.h		C	2008,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/nsec_47.c		C	2003,2004,2007,2008,2009,2011,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/nsec_47.h		C	2003,2004,2005,2007,2008,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/null_10.c		C	1998,1999,2000,2001,2002,2004,2007,2009,2011,2012,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/null_10.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/nxt_30.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/nxt_30.h		C	1999,2000,2001,2002,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/openpgpkey_61.c		C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/openpgpkey_61.h		C	2014,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/opt_41.c		C	1998,1999,2000,2001,2002,2004,2005,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/opt_41.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/proforma.c		C	1998,1999,2000,2001,2002,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/proforma.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/ptr_12.c		C	1998,1999,2000,2001,2004,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/ptr_12.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/rkey_57.c		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/rkey_57.h		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/rp_17.c			C	1999,2000,2001,2004,2005,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/rp_17.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/rrsig_46.c		C	2003,2004,2005,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/rrsig_46.h		C	2003,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/rt_21.c			C	1999,2000,2001,2003,2004,2005,2007,2009,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/rt_21.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/sig_24.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/sig_24.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/sink_40.c		C	2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/sink_40.h		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/smimea_53.c		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/smimea_53.h		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/soa_6.c			C	1998,1999,2000,2001,2002,2004,2007,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/soa_6.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/spf_99.c		C	1998,1999,2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/spf_99.h		C	1998,1999,2000,2001,2004,2005,2007,2014,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/sshfp_44.c		C	2003,2004,2006,2007,2009,2011,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/sshfp_44.h		C	2003,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/ta_32768.c		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/ta_32768.h		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/talink_58.c		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/talink_58.h		C	2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/tkey_249.c		C	1999,2000,2001,2002,2003,2004,2007,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/tkey_249.h		C	1999,2000,2001,2003,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/tlsa_52.c		C	2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/tlsa_52.h		C	2012,2014,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/txt_16.c		C	1998,1999,2000,2001,2002,2004,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/txt_16.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/uri_256.c		C	2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/generic/uri_256.h		C	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/x25_19.c		C	1999,2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/x25_19.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/generic/zonemd_63.c		C	2019,2020,2021
+./lib/dns/rdata/generic/zonemd_63.h		C	2019,2020,2021
+./lib/dns/rdata/hs_4/a_1.c			C	1999,2000,2001,2002,2004,2007,2009,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/hs_4/a_1.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/a6_38.c			C	1999,2000,2001,2002,2003,2004,2007,2009,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/in_1/a6_38.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/a_1.c			C	1998,1999,2000,2001,2002,2004,2007,2009,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/a_1.h			C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/aaaa_28.c			C	1999,2000,2001,2002,2004,2005,2007,2009,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/aaaa_28.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/apl_42.c			C	2002,2004,2005,2007,2008,2009,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/apl_42.h			C	2002,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/atma_34.c			C	2018,2019,2020,2021
+./lib/dns/rdata/in_1/atma_34.h			C	2018,2019,2020,2021
+./lib/dns/rdata/in_1/dhcid_49.c			C	2006,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/in_1/dhcid_49.h			C	2006,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/eid_31.c			C	2018,2019,2020,2021
+./lib/dns/rdata/in_1/eid_31.h			C	2018,2019,2020,2021
+./lib/dns/rdata/in_1/kx_36.c			C	1999,2000,2001,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/in_1/kx_36.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/nimloc_32.c		C	2018,2019,2020,2021
+./lib/dns/rdata/in_1/nimloc_32.h		C	2018,2019,2020,2021
+./lib/dns/rdata/in_1/nsap-ptr_23.c		C	1999,2000,2001,2004,2005,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/nsap-ptr_23.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/nsap_22.c			C	1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/in_1/nsap_22.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/px_26.c			C	1999,2000,2001,2003,2004,2005,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/in_1/px_26.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/srv_33.c			C	1999,2000,2001,2003,2004,2005,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/srv_33.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/in_1/wks_11.c			C	1999,2000,2001,2002,2004,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdata/in_1/wks_11.h			C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/rdatastructpre.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/dns/rdata/rdatastructsuf.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/dns/rdatalist.c				C	1999,2000,2001,2003,2004,2005,2007,2008,2010,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/rdatalist_p.h				C	2000,2001,2004,2005,2007,2008,2015,2016,2018,2019,2020,2021
+./lib/dns/rdataset.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rdatasetiter.c			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/rdataslab.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/request.c				C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/resolver.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/result.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rootns.c				C	1999,2000,2001,2002,2004,2005,2007,2008,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rpz.c					C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/rriterator.c				C	2009,2011,2012,2015,2016,2018,2019,2020,2021
+./lib/dns/rrl.c					C	2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/sdb.c					C	2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/sdlz.c				C.PORTION	1999,2000,2001,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/soa.c					C	2000,2001,2004,2005,2007,2009,2016,2018,2019,2020,2021
+./lib/dns/ssu.c					C	2000,2001,2003,2004,2005,2006,2007,2008,2010,2011,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/ssu_external.c			C	2011,2012,2013,2016,2017,2018,2019,2020,2021
+./lib/dns/stats.c				C	2000,2001,2004,2005,2007,2008,2009,2012,2016,2018,2019,2020,2021
+./lib/dns/tcpmsg.c				C	1999,2000,2001,2004,2005,2006,2007,2015,2016,2018,2019,2020,2021
+./lib/dns/tests/Kdh.+002+18602.key		X	2014,2018,2019,2020,2021
+./lib/dns/tests/Krsa.+005+29235.key		X	2016,2018,2019,2020,2021
+./lib/dns/tests/Kyuafile			X	2017,2018,2019,2020,2021
+./lib/dns/tests/Makefile.in			MAKE	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/acl_test.c			C	2016,2018,2019,2020,2021
+./lib/dns/tests/db_test.c			C	2013,2015,2016,2018,2019,2020,2021
+./lib/dns/tests/dbdiff_test.c			C	2011,2012,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/dbiterator_test.c		C	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/dbversion_test.c		C	2011,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/tests/dh_test.c			C	2014,2016,2018,2019,2020,2021
+./lib/dns/tests/dispatch_test.c			C	2012,2014,2016,2018,2019,2020,2021
+./lib/dns/tests/dnstap_test.c			C	2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/dnstest.c			C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/dnstest.h			C	2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/dst_test.c			C	2018,2019,2020,2021
+./lib/dns/tests/geoip_test.c			C	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/gost_test.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/keytable_test.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/master_test.c			C	2011,2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/mkraw.pl			PERL	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/name_test.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/nsec3_test.c			C	2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/peer_test.c			C	2014,2016,2018,2019,2020,2021
+./lib/dns/tests/private_test.c			C	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/rbt_serialize_test.c		C	2014,2015,2016,2018,2019,2020,2021
+./lib/dns/tests/rbt_test.c			C	2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/rdata_test.c			C	2012,2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/rdataset_test.c			C	2012,2016,2018,2019,2020,2021
+./lib/dns/tests/rdatasetstats_test.c		C	2012,2015,2016,2018,2019,2020,2021
+./lib/dns/tests/resolver_test.c			C	2018,2019,2020,2021
+./lib/dns/tests/result_test.c			C	2018,2019,2020,2021
+./lib/dns/tests/rsa_test.c			C	2016,2018,2019,2020,2021
+./lib/dns/tests/sigs_test.c			C	2018,2019,2020,2021
+./lib/dns/tests/testdata/db/data.db		ZONE	2018,2019,2020,2021
+./lib/dns/tests/testdata/dbiterator/zone1.data	ZONE	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/dbiterator/zone2.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/diff/zone1.data	ZONE	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/diff/zone2.data	ZONE	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/diff/zone3.data	ZONE	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/dnstap/dnstap.saved	X	2015,2017,2018,2019,2020,2021
+./lib/dns/tests/testdata/dnstap/dnstap.text	X	2015,2017,2018,2019,2020,2021
+./lib/dns/tests/testdata/dnstap/query.auth	X	2015,2018,2019,2020,2021
+./lib/dns/tests/testdata/dnstap/query.recursive	X	2015,2018,2019,2020,2021
+./lib/dns/tests/testdata/dnstap/response.auth	X	2015,2018,2019,2020,2021
+./lib/dns/tests/testdata/dnstap/response.recursive	X	2015,2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/Ktest.+001+00002.key	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/Ktest.+001+54622.key	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/Ktest.+001+54622.private	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/Ktest.+003+23616.key	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/Ktest.+003+23616.private	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/Ktest.+003+49667.key	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/test1.data		X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/test1.dsasig	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/test1.rsasig	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/dst/test2.data		X	2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master1.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master10.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master11.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master12.data.in	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master13.data.in	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master14.data.in	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master15.data	X	2012,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master16.data	X	2012,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master17.data	X	2012,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master18.data	X	2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master2.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master3.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master4.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master5.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master6.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master7.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master8.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/master/master9.data	X	2011,2018,2019,2020,2021
+./lib/dns/tests/testdata/nsec3/1024.db		ZONE	2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/nsec3/2048.db		ZONE	2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/nsec3/4096.db		ZONE	2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/nsec3/min-1024.db	ZONE	2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/nsec3/min-2048.db	ZONE	2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testdata/zt/zone1.db		ZONE	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/testkeys/Kexample.+008+20386.key	X	2018,2019,2020,2021
+./lib/dns/tests/testkeys/Kexample.+008+20386.private	X	2018,2019,2020,2021
+./lib/dns/tests/testkeys/Kexample.+008+37464.key	X	2018,2019,2020,2021
+./lib/dns/tests/testkeys/Kexample.+008+37464.private	X	2018,2019,2020,2021
+./lib/dns/tests/time_test.c			C	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/tests/tsig_test.c			C	2017,2018,2019,2020,2021
+./lib/dns/tests/update_test.c			C	2011,2012,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/tests/zonemgr_test.c			C	2011,2012,2013,2015,2016,2018,2019,2020,2021
+./lib/dns/tests/zt_test.c			C	2011,2012,2016,2018,2019,2020,2021
+./lib/dns/time.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2007,2009,2010,2011,2012,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/timer.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/tkey.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/dns/tsec.c				C	2009,2010,2016,2017,2018,2019,2020,2021
+./lib/dns/tsig.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/ttl.c					C	1999,2000,2001,2004,2005,2007,2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/dns/update.c				C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/validator.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/version.c				C	1998,1999,2000,2001,2004,2005,2007,2012,2013,2016,2018,2019,2020,2021
+./lib/dns/view.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/dns/win32/gen.dsp.in			X	2001,2013,2018,2019,2020,2021
+./lib/dns/win32/gen.dsw				X	2001,2018,2019,2020,2021
+./lib/dns/win32/gen.mak.in			X	2001,2006,2013,2018,2019,2020,2021
+./lib/dns/win32/gen.vcxproj.filters.in		X	2013,2015,2018,2019,2020,2021
+./lib/dns/win32/gen.vcxproj.in			X	2013,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/win32/gen.vcxproj.user		X	2013,2018,2019,2020,2021
+./lib/dns/win32/libdns.def.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/win32/libdns.dsp.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/win32/libdns.dsw			X	2001,2018,2019,2020,2021
+./lib/dns/win32/libdns.mak.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/win32/libdns.vcxproj.filters.in	X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/win32/libdns.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/win32/libdns.vcxproj.user		X	2013,2018,2019,2020,2021
+./lib/dns/win32/version.c			C	1998,1999,2000,2001,2004,2007,2013,2016,2018,2019,2020,2021
+./lib/dns/xfrin.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/zone.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/dns/zone_p.h				C	2018,2019,2020,2021
+./lib/dns/zonekey.c				C	2001,2003,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/dns/zt.c					C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/irs/Kyuafile				X	2017,2018,2019,2020,2021
+./lib/irs/Makefile.in				MAKE	2009,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/irs/api					X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/irs/context.c				C	2009,2014,2016,2018,2019,2020,2021
+./lib/irs/dnsconf.c				C	2009,2012,2016,2018,2019,2020,2021
+./lib/irs/gai_strerror.c			C	2009,2014,2016,2018,2019,2020,2021
+./lib/irs/getaddrinfo.c				C	2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/irs/getnameinfo.c				C	2009,2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/irs/include/Makefile.in			MAKE	2009,2012,2016,2018,2019,2020,2021
+./lib/irs/include/irs/Makefile.in		MAKE	2009,2012,2014,2016,2018,2019,2020,2021
+./lib/irs/include/irs/context.h			C	2009,2016,2018,2019,2020,2021
+./lib/irs/include/irs/dnsconf.h			C	2009,2016,2018,2019,2020,2021
+./lib/irs/include/irs/netdb.h.in		C	2009,2016,2018,2019,2020,2021
+./lib/irs/include/irs/platform.h.in		C	2009,2016,2018,2019,2020,2021
+./lib/irs/include/irs/resconf.h			C	2009,2014,2016,2018,2019,2020,2021
+./lib/irs/include/irs/types.h			C	2009,2016,2018,2019,2020,2021
+./lib/irs/include/irs/version.h			C	2009,2016,2018,2019,2020,2021
+./lib/irs/resconf.c				C	2009,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/irs/tests/Kyuafile			X	2017,2018,2019,2020,2021
+./lib/irs/tests/Makefile.in			MAKE	2016,2017,2018,2019,2020,2021
+./lib/irs/tests/resconf_test.c			C	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/domain.conf		CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/nameserver-v4.conf	CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/nameserver-v6.conf	CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/options-bad-ndots.conf	CONF-SH	2018,2019,2020,2021
+./lib/irs/tests/testdata/options-debug.conf	CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/options-empty.conf	CONF-SH	2018,2019,2020,2021
+./lib/irs/tests/testdata/options-ndots.conf	CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/options-timeout.conf	CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/options-unknown.conf	CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/options.conf		CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/port.conf		CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/resolv.conf		CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/search.conf		CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/sortlist-v4.conf	CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/timeout.conf		CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/tests/testdata/unknown.conf		CONF-SH	2016,2018,2019,2020,2021
+./lib/irs/version.c				C	2009,2016,2018,2019,2020,2021
+./lib/irs/win32/DLLMain.c			C	2014,2016,2018,2019,2020,2021
+./lib/irs/win32/Makefile.in			MAKE	2014,2016,2018,2019,2020,2021
+./lib/irs/win32/include/Makefile.in		MAKE	2014,2016,2018,2019,2020,2021
+./lib/irs/win32/include/irs/Makefile.in		MAKE	2014,2016,2018,2019,2020,2021
+./lib/irs/win32/include/irs/netdb.h		C	2014,2016,2018,2019,2020,2021
+./lib/irs/win32/include/irs/platform.h		C	2014,2016,2018,2019,2020,2021
+./lib/irs/win32/libirs.def			X	2014,2018,2019,2020,2021
+./lib/irs/win32/libirs.dsp.in			X	2014,2018,2019,2020,2021
+./lib/irs/win32/libirs.dsw			X	2001,2014,2018,2019,2020,2021
+./lib/irs/win32/libirs.mak.in			X	2014,2018,2019,2020,2021
+./lib/irs/win32/libirs.vcxproj.filters.in	X	2014,2015,2016,2018,2019,2020,2021
+./lib/irs/win32/libirs.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/irs/win32/libirs.vcxproj.user		X	2014,2018,2019,2020,2021
+./lib/irs/win32/version.c			C	2014,2016,2018,2019,2020,2021
+./lib/isc/Kyuafile				X	2017,2018,2019,2020,2021
+./lib/isc/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/aes.c					C	2014,2016,2017,2018,2019,2020,2021
+./lib/isc/alpha/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/alpha/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/alpha/include/isc/Makefile.in		MAKE	2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/alpha/include/isc/atomic.h		C	2005,2007,2009,2016,2018,2019,2020,2021
+./lib/isc/api					X	1999,2000,2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/app_api.c				C	2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/assertions.c				C	1997,1998,1999,2000,2001,2004,2005,2007,2008,2009,2015,2016,2018,2019,2020,2021
+./lib/isc/backtrace-emptytbl.c			C	2009,2016,2018,2019,2020,2021
+./lib/isc/backtrace.c				C	2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/base32.c				C	2008,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/base64.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/bind9.c				C	2013,2016,2018,2019,2020,2021
+./lib/isc/buffer.c				C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/bufferlist.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/chacha_private.h			X	2014,2018,2019,2020,2021
+./lib/isc/commandline.c				C.PORTION	1999,2000,2001,2004,2005,2007,2008,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/counter.c				C	2014,2016,2018,2019,2020,2021
+./lib/isc/crc64.c				C	2013,2016,2018,2019,2020,2021
+./lib/isc/entropy.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2009,2010,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/error.c				C	1998,1999,2000,2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./lib/isc/event.c				C	1998,1999,2000,2001,2004,2005,2007,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/fsaccess.c				C	2000,2001,2004,2005,2007,2016,2017,2018,2019,2020,2021
+./lib/isc/hash.c				C	2003,2004,2005,2006,2007,2009,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/heap.c				C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/hex.c					C	2000,2001,2002,2003,2004,2005,2007,2008,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/hmacmd5.c				C	2000,2001,2004,2005,2006,2007,2009,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/hmacsha.c				C	2005,2006,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/ht.c					C	2016,2018,2019,2020,2021
+./lib/isc/httpd.c				C	2006,2007,2008,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/ia64/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/ia64/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/ia64/include/isc/Makefile.in		MAKE	2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/ia64/include/isc/atomic.h		C	2006,2007,2009,2012,2016,2018,2019,2020,2021
+./lib/isc/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/Makefile.in		MAKE	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/aes.h			C	2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/app.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/include/isc/assertions.h		C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/backtrace.h		C	2009,2016,2018,2019,2020,2021
+./lib/isc/include/isc/base32.h			C	2008,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/base64.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/bind9.h			C	2009,2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/boolean.h			C	2018,2019,2020,2021
+./lib/isc/include/isc/buffer.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2010,2012,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/bufferlist.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/cmocka.h			C	2020,2021
+./lib/isc/include/isc/commandline.h		C	1999,2000,2001,2004,2005,2006,2007,2015,2016,2018,2019,2020,2021
+./lib/isc/include/isc/counter.h			C	2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/crc64.h			C	2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/deprecated.h		C	2017,2018,2019,2020,2021
+./lib/isc/include/isc/endian.h			C	2019,2020,2021
+./lib/isc/include/isc/entropy.h			C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/isc/include/isc/errno.h			C	2016,2018,2019,2020,2021
+./lib/isc/include/isc/error.h			C	1998,1999,2000,2001,2004,2005,2006,2007,2009,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/event.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/eventclass.h		C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/file.h			C	2000,2001,2004,2005,2006,2007,2009,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/formatcheck.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/fsaccess.h		C	2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/isc/include/isc/hash.h			C	2003,2004,2005,2006,2007,2009,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/heap.h			C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2009,2012,2016,2018,2019,2020,2021
+./lib/isc/include/isc/hex.h			C	2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020,2021
+./lib/isc/include/isc/hmacmd5.h			C	2000,2001,2004,2005,2006,2007,2009,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/hmacsha.h			C	2005,2006,2007,2009,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/ht.h			C	2016,2018,2019,2020,2021
+./lib/isc/include/isc/httpd.h			C	2006,2007,2008,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/int.h			C	2018,2019,2020,2021
+./lib/isc/include/isc/interfaceiter.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/ipv6.h			C	1999,2000,2001,2002,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/iterated_hash.h		C	2008,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/json.h			C	2013,2015,2016,2018,2019,2020,2021
+./lib/isc/include/isc/lang.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/lex.h			C	1998,1999,2000,2001,2002,2004,2005,2007,2008,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/lfsr.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/lib.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/isc/include/isc/likely.h			C	2017,2018,2019,2020,2021
+./lib/isc/include/isc/list.h			C	1997,1998,1999,2000,2001,2002,2004,2006,2007,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/log.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/magic.h			C	1999,2000,2001,2004,2005,2006,2007,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/md5.h			C	2000,2001,2004,2005,2006,2007,2009,2010,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/mem.h			C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2015,2016,2018,2019,2020,2021
+./lib/isc/include/isc/meminfo.h			C	2015,2016,2018,2019,2020,2021
+./lib/isc/include/isc/msgcat.h			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/msgs.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/mutexblock.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/netaddr.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2009,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/netscope.h		C	2002,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/isc/include/isc/ondestroy.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/os.h			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/parseint.h		C	2001,2002,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/platform.h.in		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/pool.h			C	2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/portset.h			C	2008,2009,2016,2018,2019,2020,2021
+./lib/isc/include/isc/print.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/include/isc/queue.h			C	2011,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/quota.h			C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/radix.h			C	2007,2008,2013,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/random.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/ratelimiter.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/refcount.h		C	2001,2003,2004,2005,2006,2007,2009,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/regex.h			C	2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/region.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/resource.h		C	2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020,2021
+./lib/isc/include/isc/result.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/include/isc/resultclass.h		C	1999,2000,2001,2004,2005,2006,2007,2009,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/rwlock.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/safe.h			C	2013,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/serial.h			C	1999,2000,2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/isc/include/isc/sha1.h			C	2000,2001,2004,2005,2006,2007,2009,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/sha2.h			C	2005,2006,2007,2009,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/siphash.h			C	2019,2020,2021
+./lib/isc/include/isc/sockaddr.h		C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2009,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/include/isc/socket.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/stats.h			C	2009,2012,2016,2018,2019,2020,2021
+./lib/isc/include/isc/stdatomic.h		C	2018,2019,2020,2021
+./lib/isc/include/isc/stdio.h			C	2000,2001,2004,2005,2006,2007,2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/stdlib.h			C	2003,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/string.h			C	2000,2001,2003,2004,2005,2006,2007,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/symtab.h			C	1996,1997,1998,1999,2000,2001,2004,2005,2006,2007,2009,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/include/isc/task.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/taskpool.h		C	1999,2000,2001,2004,2005,2006,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/isc/include/isc/timer.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/tm.h			C	2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/types.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/isc/include/isc/utf8.h			C	2020,2021
+./lib/isc/include/isc/util.h			C	1998,1999,2000,2001,2004,2005,2006,2007,2010,2011,2012,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/isc/version.h			C	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/isc/xml.h			C	2006,2007,2016,2018,2019,2020,2021
+./lib/isc/include/pk11/Makefile.in		MAKE	2014,2015,2016,2018,2019,2020,2021
+./lib/isc/include/pk11/README.site		TXT.BRIEF	2016,2017,2018,2019,2020,2021
+./lib/isc/include/pk11/constants.h		C	2014,2016,2017,2018,2019,2020,2021
+./lib/isc/include/pk11/internal.h		C	2014,2016,2018,2019,2020,2021
+./lib/isc/include/pk11/pk11.h			C	2014,2016,2018,2019,2020,2021
+./lib/isc/include/pk11/result.h			C	2014,2016,2018,2019,2020,2021
+./lib/isc/include/pk11/site.h			C	2016,2017,2018,2019,2020,2021
+./lib/isc/include/pkcs11/Makefile.in		MAKE	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/include/pkcs11/eddsa.h		C	2017,2018,2019,2020,2021
+./lib/isc/include/pkcs11/pkcs11.h		X	2014,2016,2018,2019,2020,2021
+./lib/isc/inet_aton.c				C.PORTION	1996,1997,1998,1999,2000,2001,2004,2005,2007,2008,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/inet_ntop.c				C	1996,1997,1998,1999,2000,2001,2004,2005,2007,2009,2016,2017,2018,2019,2020,2021
+./lib/isc/inet_pton.c				C	1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2007,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/iterated_hash.c			C	2006,2008,2009,2016,2018,2019,2020,2021
+./lib/isc/lex.c					C	1998,1999,2000,2001,2002,2003,2004,2005,2007,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/lfsr.c				C	1999,2000,2001,2002,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/lib.c					C	1999,2000,2001,2004,2005,2007,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/log.c					C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2009,2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/md5.c					C	2000,2001,2004,2005,2007,2009,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/mem.c					C	1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/mips/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/mips/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/mips/include/isc/Makefile.in		MAKE	2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/mips/include/isc/atomic.h		C	2005,2007,2016,2018,2019,2020,2021
+./lib/isc/mutexblock.c				C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/isc/netaddr.c				C	1999,2000,2001,2002,2004,2005,2007,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/netscope.c				C	2002,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/nls/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009,2012,2016,2018,2019,2020,2021
+./lib/isc/nls/msgcat.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/noatomic/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/noatomic/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/noatomic/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/noatomic/include/isc/atomic.h		C	2005,2007,2016,2018,2019,2020,2021
+./lib/isc/nothreads/Makefile.in			MAKE	2000,2001,2004,2007,2009,2010,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/nothreads/condition.c			C	2000,2001,2004,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/nothreads/include/Makefile.in		MAKE	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/isc/nothreads/include/isc/Makefile.in	MAKE	2000,2001,2004,2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/nothreads/include/isc/condition.h	C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/nothreads/include/isc/mutex.h		C	2000,2001,2004,2007,2015,2016,2018,2019,2020,2021
+./lib/isc/nothreads/include/isc/once.h		C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/nothreads/include/isc/thread.h	C	2000,2001,2004,2007,2013,2016,2017,2018,2019,2020,2021
+./lib/isc/nothreads/mutex.c			C	2000,2001,2004,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/nothreads/thread.c			C	2000,2001,2004,2007,2016,2017,2018,2019,2020,2021
+./lib/isc/ondestroy.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/parseint.c				C	2001,2002,2003,2004,2005,2007,2012,2016,2018,2019,2020,2021
+./lib/isc/pk11.c				C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/pk11_result.c				C	2014,2015,2016,2018,2019,2020,2021
+./lib/isc/pool.c				C	2013,2015,2016,2018,2019,2020,2021
+./lib/isc/portset.c				C	2008,2016,2017,2018,2019,2020,2021
+./lib/isc/powerpc/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/powerpc/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/powerpc/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/powerpc/include/isc/atomic.h		C	2005,2007,2009,2011,2012,2016,2017,2018,2019,2020,2021
+./lib/isc/print.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2010,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/pthreads/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2009,2012,2016,2018,2019,2020,2021
+./lib/isc/pthreads/condition.c			C	1998,1999,2000,2001,2004,2005,2007,2012,2016,2018,2019,2020,2021
+./lib/isc/pthreads/include/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/isc/pthreads/include/isc/Makefile.in	MAKE	1998,1999,2000,2001,2004,2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/pthreads/include/isc/condition.h	C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/pthreads/include/isc/mutex.h		C	1998,1999,2000,2001,2002,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/pthreads/include/isc/once.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/pthreads/include/isc/thread.h		C	1998,1999,2000,2001,2004,2005,2007,2013,2016,2017,2018,2019,2020,2021
+./lib/isc/pthreads/mutex.c			C	2000,2001,2002,2004,2005,2007,2008,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/pthreads/thread.c			C	2000,2001,2003,2004,2005,2007,2013,2016,2017,2018,2019,2020,2021
+./lib/isc/quota.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/radix.c				C	2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/random.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/ratelimiter.c				C	1999,2000,2001,2002,2004,2005,2007,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/refcount.c				C	2005,2007,2016,2017,2018,2019,2020,2021
+./lib/isc/regex.c				C	2013,2014.2015,2015,2016,2018,2019,2020,2021
+./lib/isc/region.c				C	2002,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/result.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2008,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/rwlock.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2009,2011,2012,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/safe.c				C	2013,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/serial.c				C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/sha1.c				C	2000,2001,2003,2004,2005,2007,2009,2011,2012,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/sha2.c				C	2005,2006,2007,2009,2011,2012,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/siphash.c				C	2019,2020,2021
+./lib/isc/sockaddr.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/socket_api.c				C	2009,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/sparc64/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/sparc64/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/sparc64/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/sparc64/include/isc/atomic.h		C	2005,2007,2013,2016,2018,2019,2020,2021
+./lib/isc/stats.c				C	2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/string.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/strtoul.c				C	2003,2004,2005,2007,2014,2016,2018,2019,2020,2021
+./lib/isc/symtab.c				C	1996,1997,1998,1999,2000,2001,2004,2005,2007,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/task.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,1018,2018,2019,2020,2021
+./lib/isc/task_p.h				C	2000,2001,2004,2005,2007,2009,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/taskpool.c				C	1999,2000,2001,2004,2005,2007,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/tests/Kyuafile			X	2017,2018,2019,2020,2021
+./lib/isc/tests/Makefile.in			MAKE	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/tests/aes_test.c			C	2014,2016,2018,2019,2020,2021
+./lib/isc/tests/atomic_test.c			C	2018,2019,2020,2021
+./lib/isc/tests/buffer_test.c			C	2014,2015,2016,2018,2019,2020,2021
+./lib/isc/tests/counter_test.c			C	2014,2016,2018,2019,2020,2021
+./lib/isc/tests/errno_test.c			C	2016,2018,2019,2020,2021
+./lib/isc/tests/file_test.c			C	2014,2016,2018,2019,2020,2021
+./lib/isc/tests/hash_test.c			C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/tests/heap_test.c			C	2017,2018,2019,2020,2021
+./lib/isc/tests/ht_test.c			C	2016,2017,2018,2019,2020,2021
+./lib/isc/tests/inet_ntop_test.c		C	2017,2018,2019,2020,2021
+./lib/isc/tests/isctest.c			C	2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/tests/isctest.h			C	2011,2012,2016,2018,2019,2020,2021
+./lib/isc/tests/lex_test.c			C	2013,2016,2018,2019,2020,2021
+./lib/isc/tests/mem_test.c			C	2015,2016,2018,2019,2020,2021
+./lib/isc/tests/netaddr_test.c			C	2016,2018,2019,2020,2021
+./lib/isc/tests/parse_test.c			C	2012,2013,2016,2018,2019,2020,2021
+./lib/isc/tests/pool_test.c			C	2013,2016,2018,2019,2020,2021
+./lib/isc/tests/print_test.c			C	2014,2015,2016,2018,2019,2020,2021
+./lib/isc/tests/queue_test.c			C	2011,2012,2016,2018,2019,2020,2021
+./lib/isc/tests/radix_test.c			C	2014,2016,2018,2019,2020,2021
+./lib/isc/tests/random_test.c			C	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/tests/regex_test.c			C	2013,2015,2016,2018,2019,2020,2021
+./lib/isc/tests/result_test.c			C	2015,2016,2018,2019,2020,2021
+./lib/isc/tests/safe_test.c			C	2013,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/tests/siphash_test.c			C	2019,2020,2021
+./lib/isc/tests/sockaddr_test.c			C	2012,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/tests/socket_test.c			C	2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/tests/symtab_test.c			C	2011,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/tests/task_test.c			C	2011,2012,2016,2018,2019,2020,2021
+./lib/isc/tests/taskpool_test.c			C	2011,2012,2016,2018,2019,2020,2021
+./lib/isc/tests/testdata/file/keep		X	2014,2018,2019,2020,2021
+./lib/isc/tests/time_test.c			C	2014,2015,2016,2018,2019,2020,2021
+./lib/isc/tests/timer_test.c			C	2018,2019,2020,2021
+./lib/isc/timer.c				C	1998,1999,2000,2001,2002,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/timer_p.h				C	2000,2001,2004,2005,2007,2009,2016,2018,2019,2020,2021
+./lib/isc/tm.c					C	2014,2016,2018,2019,2020,2021
+./lib/isc/unix/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2009,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/app.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/dir.c				C	1999,2000,2001,2004,2005,2007,2008,2009,2011,2012,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/entropy.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2012,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/errno.c				C	2016,2018,2019,2020,2021
+./lib/isc/unix/errno2result.c			C	2000,2001,2002,2004,2005,2007,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/isc/unix/errno2result.h			C	2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/isc/unix/file.c				C	2000,2001,2002,2004,2005,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/fsaccess.c			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/ifiter_getifaddrs.c		C	2003,2004,2005,2007,2008,2009,2014,2016,2018,2019,2020,2021
+./lib/isc/unix/ifiter_ioctl.c			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/ifiter_sysctl.c			C	1999,2000,2001,2002,2003,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/unix/include/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/dir.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/keyboard.h		C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/net.h		C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/include/isc/netdb.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/offset.h		C	2000,2001,2004,2005,2007,2008,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/stat.h		C	2004,2007,2014,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/stdtime.h		C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/strerror.h		C	2001,2004,2005,2007,2008,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/syslog.h		C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/include/isc/time.h		C	1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/unix/include/pkcs11/Makefile.in	MAKE	2014,2016,2018,2019,2020,2021
+./lib/isc/unix/include/pkcs11/cryptoki.h	X	2014,2018,2019,2020,2021
+./lib/isc/unix/interfaceiter.c			C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2014,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/ipv6.c				C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/keyboard.c			C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/meminfo.c			C	2015,2016,2018,2019,2020,2021
+./lib/isc/unix/net.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/os.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/pk11_api.c			C	2014,2016,2018,2019,2020,2021
+./lib/isc/unix/resource.c			C	2000,2001,2004,2007,2008,2009,2016,2018,2019,2020,2021
+./lib/isc/unix/socket.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/unix/socket_p.h			C	2000,2001,2004,2005,2007,2008,2009,2016,2018,2019,2020,2021
+./lib/isc/unix/stdio.c				C	2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/isc/unix/stdtime.c			C	1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/strerror.c			C	2001,2004,2005,2007,2009,2016,2018,2019,2020,2021
+./lib/isc/unix/syslog.c				C	2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/unix/time.c				C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/utf8.c				C	2020,2021
+./lib/isc/version.c				C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/app.c				C	1999,2000,2001,2004,2007,2009,2013,2014,2016,2018,2019,2020,2021
+./lib/isc/win32/condition.c			C	1998,1999,2000,2001,2004,2006,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/dir.c				C	1999,2000,2001,2004,2007,2008,2009,2011,2012,2013,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/entropy.c			C	2000,2001,2002,2004,2007,2009,2013,2016,2018,2019,2020,2021
+./lib/isc/win32/errno.c				C	2016,2018,2019,2020,2021
+./lib/isc/win32/errno2result.c			C	2000,2001,2002,2004,2005,2007,2008,2013,2016,2018,2019,2020,2021
+./lib/isc/win32/errno2result.h			C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/file.c				C	2000,2001,2002,2004,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/fsaccess.c			C	2000,2001,2002,2004,2007,2013,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/include/Makefile.in		MAKE	1999,2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/Makefile.in		MAKE	1999,2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/atomic.h		C	2013,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/bind_registry.h	C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/bindevt.h		C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/condition.h		C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/dir.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/ipv6.h		C	1999,2000,2001,2002,2004,2005,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/keyboard.h		C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/mutex.h		C	1998,1999,2000,2001,2004,2007,2008,2009,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/net.h		C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2012,2013,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/include/isc/netdb.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/ntgroups.h		C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/ntpaths.h		C	2000,2001,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/offset.h		C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/once.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/platform.h.in	C	2001,2004,2005,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/stat.h		C	2000,2001,2003,2004,2007,2009,2012,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/stdtime.h		C	1999,2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/strerror.h		C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/syslog.h		C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/thread.h		C	1998,1999,2000,2001,2004,2005,2007,2009,2013,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/include/isc/time.h		C	1998,1999,2000,2001,2004,2006,2007,2008,2009,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/include/isc/win32os.h		C	2002,2004,2007,2009,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/include/pkcs11/Makefile.in	MAKE	2014,2016,2018,2019,2020,2021
+./lib/isc/win32/include/pkcs11/cryptoki.h	X	2014,2018,2019,2020,2021
+./lib/isc/win32/interfaceiter.c			C	1999,2000,2001,2004,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/ipv6.c				C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/keyboard.c			C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/libgen.h			C	2009,2016,2018,2019,2020,2021
+./lib/isc/win32/libisc.def.exclude		X	2015,2017,2018,2019,2020,2021
+./lib/isc/win32/libisc.def.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/libisc.dsp.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/libisc.dsw			X	2001,2018,2019,2020,2021
+./lib/isc/win32/libisc.mak.in			X	2001,2002,2003,2004,2005,2006,2007,2008,2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/libisc.vcxproj.filters.in	X	2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/libisc.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/libisc.vcxproj.user		X	2013,2018,2019,2020,2021
+./lib/isc/win32/meminfo.c			C	2015,2016,2018,2019,2020,2021
+./lib/isc/win32/net.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/win32/netdb.h				C	2000,2001,2004,2006,2007,2009,2013,2016,2018,2019,2020,2021
+./lib/isc/win32/ntgroups.c			C	2001,2004,2006,2007,2009,2013,2016,2018,2019,2020,2021
+./lib/isc/win32/ntpaths.c			C	2001,2004,2007,2009,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/once.c				C	1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/os.c				C	2000,2001,2002,2004,2007,2013,2016,2018,2019,2020,2021
+./lib/isc/win32/pk11_api.c			C	2014,2016,2018,2019,2020,2021
+./lib/isc/win32/resource.c			C	2000,2001,2004,2007,2008,2016,2018,2019,2020,2021
+./lib/isc/win32/socket.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/stdio.c				C	2000,2001,2004,2007,2013,2016,2018,2019,2020,2021
+./lib/isc/win32/stdtime.c			C	1999,2000,2001,2004,2007,2013,2016,2018,2019,2020,2021
+./lib/isc/win32/strerror.c			C	2001,2002,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/syslog.c			C	2001,2002,2003,2004,2007,2014,2016,2018,2019,2020,2021
+./lib/isc/win32/syslog.h			C	2001,2002,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/thread.c			C	1998,1999,2000,2001,2004,2005,2007,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/time.c				C	1998,1999,2000,2001,2003,2004,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/win32/unistd.h			C	2000,2001,2004,2007,2008,2009,2016,2018,2019,2020,2021
+./lib/isc/win32/version.c			C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isc/win32/win32os.c			C	2002,2004,2007,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isc/x86_32/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/x86_32/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/x86_32/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/x86_32/include/isc/atomic.h		C	2005,2007,2008,2015,2016,2017,2018,2019,2020,2021
+./lib/isc/x86_64/Makefile.in			MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/x86_64/include/Makefile.in		MAKE	2007,2012,2016,2018,2019,2020,2021
+./lib/isc/x86_64/include/isc/Makefile.in	MAKE	2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isc/x86_64/include/isc/atomic.h		C	2005,2007,2008,2015,2016,2017,2018,2019,2020,2021
+./lib/isccc/Kyuafile				X	2018,2019,2020,2021
+./lib/isccc/Makefile.in				MAKE	2001,2003,2004,2007,2009,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isccc/alist.c				C.NOM	2001,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./lib/isccc/api					X	2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccc/base64.c				C.NOM	2001,2004,2005,2007,2013,2016,2018,2019,2020,2021
+./lib/isccc/cc.c				C.NOM	2001,2002,2003,2004,2005,2006,2007,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isccc/ccmsg.c				C.NOM	2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/Makefile.in			MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/Makefile.in		MAKE	2001,2004,2007,2012,2015,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/alist.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/base64.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/cc.h			C.NOM	2001,2004,2005,2006,2007,2013,2014,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/ccmsg.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/events.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/lib.h			C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/result.h		C.NOM	2001,2003,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/sexpr.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/symtab.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/symtype.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/types.h		C.NOM	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/util.h		C.NOM	2001,2004,2005,2006,2007,2014,2016,2018,2019,2020,2021
+./lib/isccc/include/isccc/version.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccc/lib.c				C.NOM	2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isccc/result.c				C.NOM	2001,2003,2004,2005,2007,2015,2016,2018,2019,2020,2021
+./lib/isccc/sexpr.c				C.NOM	2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
+./lib/isccc/symtab.c				C.NOM	2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isccc/tests/Kyuafile			X	2018,2019,2020,2021
+./lib/isccc/tests/Makefile.in			MAKE	2018,2019,2020,2021
+./lib/isccc/tests/result_test.c			C	2018,2019,2020,2021
+./lib/isccc/version.c				C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isccc/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isccc/win32/libisccc.def			X	2001,2016,2018,2019,2020,2021
+./lib/isccc/win32/libisccc.dsp.in		X	2001,2004,2005,2009,2011,2013,2014,2016,2018,2019,2020,2021
+./lib/isccc/win32/libisccc.dsw			X	2001,2018,2019,2020,2021
+./lib/isccc/win32/libisccc.mak.in		X	2001,2002,2004,2005,2006,2009,2011,2013,2014,2018,2019,2020,2021
+./lib/isccc/win32/libisccc.vcxproj.filters.in	X	2013,2015,2016,2018,2019,2020,2021
+./lib/isccc/win32/libisccc.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccc/win32/libisccc.vcxproj.user		X	2013,2018,2019,2020,2021
+./lib/isccc/win32/version.c			C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isccfg/Kyuafile				X	2017,2018,2019,2020,2021
+./lib/isccfg/Makefile.in			MAKE	2001,2002,2003,2004,2005,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccfg/aclconf.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccfg/api				X	2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccfg/dnsconf.c				C	2009,2016,2018,2019,2020,2021
+./lib/isccfg/include/Makefile.in		MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/isccfg/include/isccfg/Makefile.in		MAKE	2001,2002,2004,2005,2007,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/isccfg/include/isccfg/aclconf.h		C	1999,2000,2001,2004,2005,2006,2007,2010,2011,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/isccfg/include/isccfg/cfg.h		C	2000,2001,2002,2004,2005,2006,2007,2010,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isccfg/include/isccfg/dnsconf.h		C	2009,2016,2018,2019,2020,2021
+./lib/isccfg/include/isccfg/grammar.h		C	2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccfg/include/isccfg/log.h		C	2001,2004,2005,2006,2007,2009,2016,2018,2019,2020,2021
+./lib/isccfg/include/isccfg/namedconf.h		C	2002,2004,2005,2006,2007,2009,2010,2014,2016,2018,2019,2020,2021
+./lib/isccfg/include/isccfg/version.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccfg/log.c				C	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/isccfg/namedconf.c			C	2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccfg/parser.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccfg/tests/Kyuafile			X	2017,2018,2019,2020,2021
+./lib/isccfg/tests/Makefile.in			MAKE	2016,2018,2019,2020,2021
+./lib/isccfg/tests/parser_test.c		C	2016,2018,2019,2020,2021
+./lib/isccfg/version.c				C	1998,1999,2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/isccfg/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/isccfg/win32/libisccfg.def		X	2001,2002,2005,2009,2010,2011,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isccfg/win32/libisccfg.dsp.in		X	2001,2002,2004,2005,2009,2011,2013,2014,2016,2018,2019,2020,2021
+./lib/isccfg/win32/libisccfg.dsw		X	2001,2018,2019,2020,2021
+./lib/isccfg/win32/libisccfg.mak.in		X	2001,2002,2004,2005,2006,2009,2011,2013,2014,2018,2019,2020,2021
+./lib/isccfg/win32/libisccfg.vcxproj.filters.in	X	2013,2014,2015,2016,2018,2019,2020,2021
+./lib/isccfg/win32/libisccfg.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/isccfg/win32/libisccfg.vcxproj.user	X	2013,2018,2019,2020,2021
+./lib/isccfg/win32/version.c			C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/lwres/Kyuafile				X	2017,2018,2019,2020,2021
+./lib/lwres/Makefile.in				MAKE	2000,2001,2004,2005,2007,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/lwres/api					X	2000,2001,2006,2008,2009,2010,2011,2012,2013,2014,2015,2017,2018,2019,2020,2021
+./lib/lwres/assert_p.h				C	2000,2001,2004,2005,2007,2011,2012,2016,2018,2019,2020,2021
+./lib/lwres/compat.c				C	2003,2004,2005,2007,2014,2016,2018,2019,2020,2021
+./lib/lwres/context.c				C	2000,2001,2003,2004,2005,2007,2008,2009,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/lwres/context_p.h				C	2000,2001,2004,2005,2007,2008,2016,2018,2019,2020,2021
+./lib/lwres/gai_strerror.c			C	2000,2001,2004,2005,2006,2007,2014,2016,2018,2019,2020,2021
+./lib/lwres/getaddrinfo.c			C.BSDI	1999,2000,2001,2004,2005,2006,2007,2008,2012,2014,2016,2018,2019,2020,2021
+./lib/lwres/gethost.c				C	2000,2001,2004,2005,2007,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/lwres/getipnode.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2009,2012,2014,2016,2018,2019,2020,2021
+./lib/lwres/getnameinfo.c			C.PORTION	1999,2000,2001,2003,2004,2005,2007,2011,2012,2013,2016,2018,2019,2020,2021
+./lib/lwres/getrrset.c				C	2000,2001,2002,2003,2004,2005,2007,2012,2014,2016,2018,2019,2020,2021
+./lib/lwres/herror.c				C.PORTION	2000,2001,2003,2004,2005,2007,2011,2012,2014,2015,2016,2018,2019,2020,2021
+./lib/lwres/include/Makefile.in			MAKE	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/Makefile.in		MAKE	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/context.h		C	2000,2001,2004,2005,2006,2007,2008,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/int.h			C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/ipv6.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/lang.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/list.h		C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/lwbuffer.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/lwpacket.h		C	1999,2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/lwres.h		C	2000,2001,2004,2005,2006,2007,2014,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/netdb.h.in		C	2000,2001,2004,2005,2007,2009,2014,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/platform.h.in		C	2000,2001,2004,2005,2007,2014,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/result.h		C	2000,2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/stdlib.h		C	2003,2004,2005,2006,2007,2014,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/string.h		C	2014,2016,2018,2019,2020,2021
+./lib/lwres/include/lwres/version.h		C	2001,2004,2005,2006,2007,2016,2018,2019,2020,2021
+./lib/lwres/lwbuffer.c				C	2000,2001,2004,2005,2007,2014,2016,2018,2019,2020,2021
+./lib/lwres/lwconfig.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2011,2012,2014,2016,2018,2019,2020,2021
+./lib/lwres/lwinetaton.c			C.PORTION	1996,1997,1998,1999,2000,2001,2003,2004,2005,2007,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/lwres/lwinetntop.c			C	1996,1997,1998,1999,2000,2001,2003,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/lwres/lwinetpton.c			C	1996,1997,1998,1999,2000,2001,2004,2005,2007,2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./lib/lwres/lwpacket.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/lwres/lwres_gabn.c			C	2000,2001,2004,2005,2007,2013,2015,2016,2018,2019,2020,2021
+./lib/lwres/lwres_gnba.c			C	2000,2001,2002,2004,2005,2007,2013,2016,2018,2019,2020,2021
+./lib/lwres/lwres_grbn.c			C	2000,2001,2004,2005,2007,2013,2015,2016,2018,2019,2020,2021
+./lib/lwres/lwres_noop.c			C	2000,2001,2004,2005,2007,2013,2016,2018,2019,2020,2021
+./lib/lwres/lwresutil.c				C	2000,2001,2004,2005,2007,2014,2016,2018,2019,2020,2021
+./lib/lwres/man/Makefile.in			MAKE	2001,2004,2007,2012,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres.3				MAN	DOCBOOK
-./lib/lwres/man/lwres.docbook			SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres.docbook			SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres.html			HTML	DOCBOOK
 ./lib/lwres/man/lwres_buffer.3			MAN	DOCBOOK
-./lib/lwres/man/lwres_buffer.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_buffer.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_buffer.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_config.3			MAN	DOCBOOK
-./lib/lwres/man/lwres_config.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_config.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_config.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_context.3			MAN	DOCBOOK
-./lib/lwres/man/lwres_context.docbook		SGML	2000,2001,2003,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_context.docbook		SGML	2000,2001,2003,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_context.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_gabn.3			MAN	DOCBOOK
-./lib/lwres/man/lwres_gabn.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_gabn.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_gabn.html			HTML	DOCBOOK
 ./lib/lwres/man/lwres_gai_strerror.3		MAN	DOCBOOK
-./lib/lwres/man/lwres_gai_strerror.docbook	SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_gai_strerror.docbook	SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_gai_strerror.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_getaddrinfo.3		MAN	DOCBOOK
-./lib/lwres/man/lwres_getaddrinfo.docbook	SGML	2000,2001,2003,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_getaddrinfo.docbook	SGML	2000,2001,2003,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_getaddrinfo.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_gethostent.3		MAN	DOCBOOK
-./lib/lwres/man/lwres_gethostent.docbook	SGML	2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_gethostent.docbook	SGML	2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_gethostent.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_getipnode.3		MAN	DOCBOOK
-./lib/lwres/man/lwres_getipnode.docbook		SGML	2000,2001,2003,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_getipnode.docbook		SGML	2000,2001,2003,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_getipnode.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_getnameinfo.3		MAN	DOCBOOK
-./lib/lwres/man/lwres_getnameinfo.docbook	SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_getnameinfo.docbook	SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_getnameinfo.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_getrrsetbyname.3		MAN	DOCBOOK
-./lib/lwres/man/lwres_getrrsetbyname.docbook	SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_getrrsetbyname.docbook	SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_getrrsetbyname.html	HTML	DOCBOOK
 ./lib/lwres/man/lwres_gnba.3			MAN	DOCBOOK
-./lib/lwres/man/lwres_gnba.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_gnba.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_gnba.html			HTML	DOCBOOK
 ./lib/lwres/man/lwres_hstrerror.3		MAN	DOCBOOK
-./lib/lwres/man/lwres_hstrerror.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_hstrerror.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_hstrerror.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_inetntop.3		MAN	DOCBOOK
-./lib/lwres/man/lwres_inetntop.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_inetntop.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_inetntop.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_noop.3			MAN	DOCBOOK
-./lib/lwres/man/lwres_noop.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_noop.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_noop.html			HTML	DOCBOOK
 ./lib/lwres/man/lwres_packet.3			MAN	DOCBOOK
-./lib/lwres/man/lwres_packet.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_packet.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_packet.html		HTML	DOCBOOK
 ./lib/lwres/man/lwres_resutil.3			MAN	DOCBOOK
-./lib/lwres/man/lwres_resutil.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020
+./lib/lwres/man/lwres_resutil.docbook		SGML	2000,2001,2004,2005,2007,2014,2015,2016,2018,2019,2020,2021
 ./lib/lwres/man/lwres_resutil.html		HTML	DOCBOOK
-./lib/lwres/man/resolver.5			MAN	2000,2001,2004,2007,2016,2018,2019,2020
-./lib/lwres/print.c				C	1999,2000,2001,2003,2004,2005,2007,2011,2012,2014,2015,2016,2017,2018,2019,2020
-./lib/lwres/print_p.h				C	1999,2000,2001,2003,2004,2007,2010,2016,2018,2019,2020
-./lib/lwres/tests/Kyuafile			X	2017,2018,2019,2020
-./lib/lwres/tests/Makefile.in			MAKE	2014,2015,2016,2018,2019,2020
-./lib/lwres/tests/config_test.c			C	2014,2016,2018,2019,2020
-./lib/lwres/tests/testdata/link-local.conf	X	2014,2018,2019,2020
-./lib/lwres/unix/Makefile.in			MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/lwres/unix/include/Makefile.in		MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/lwres/unix/include/lwres/Makefile.in	MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/lwres/unix/include/lwres/net.h		C	2000,2001,2002,2004,2005,2007,2016,2018,2019,2020
-./lib/lwres/unreachable_p.h			C	2018,2019,2020
-./lib/lwres/version.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020
-./lib/lwres/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020
-./lib/lwres/win32/Makefile.in			MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/lwres/win32/include/Makefile.in		MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/lwres/win32/include/lwres/Makefile.in	MAKE	2001,2004,2007,2012,2016,2018,2019,2020
-./lib/lwres/win32/include/lwres/net.h		C	2000,2001,2004,2007,2013,2016,2018,2019,2020
-./lib/lwres/win32/include/lwres/netdb.h		C	2000,2001,2004,2006,2007,2013,2016,2018,2019,2020
-./lib/lwres/win32/include/lwres/platform.h	C	2000,2001,2004,2007,2014,2016,2018,2019,2020
-./lib/lwres/win32/liblwres.def			X	2001,2014,2016,2018,2019,2020
-./lib/lwres/win32/liblwres.dsp.in		X	2001,2002,2004,2005,2007,2011,2013,2014,2016,2018,2019,2020
-./lib/lwres/win32/liblwres.dsw			X	2001,2018,2019,2020
-./lib/lwres/win32/liblwres.mak.in		X	2001,2002,2004,2005,2006,2007,2011,2013,2014,2016,2018,2019,2020
-./lib/lwres/win32/liblwres.vcxproj.filters.in	X	2013,2014,2015,2016,2018,2019,2020
-./lib/lwres/win32/liblwres.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020
-./lib/lwres/win32/liblwres.vcxproj.user		X	2013,2018,2019,2020
-./lib/lwres/win32/lwconfig.c			C	2002,2004,2006,2007,2013,2016,2018,2019,2020
-./lib/lwres/win32/socket.c			C	2007,2015,2016,2018,2019,2020
-./lib/lwres/win32/version.c			C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./lib/samples/Makefile-postinstall.in		MAKE	2009,2012,2013,2014,2016,2018,2019,2020
-./lib/samples/Makefile.in			MAKE	2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/samples/nsprobe.c				C	2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/samples/resolve.c				C	2009,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/samples/rootkey.sh			SH	2013,2016,2018,2019,2020
-./lib/samples/sample-async.c			C	2009,2013,2014,2015,2016,2018,2019,2020
-./lib/samples/sample-gai.c			C	2009,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/samples/sample-request.c			C	2009,2012,2013,2014,2015,2016,2018,2019,2020
-./lib/samples/sample-update.c			C	2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/samples/win32/async.dsp.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/async.dsw			X	2014,2018,2019,2020
-./lib/samples/win32/async.mak.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/async.vcxproj.filters.in	X	2014,2015,2018,2019,2020
-./lib/samples/win32/async.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020
-./lib/samples/win32/async.vcxproj.user		X	2014,2018,2019,2020
-./lib/samples/win32/gai.dsp.in			X	2014,2018,2019,2020
-./lib/samples/win32/gai.dsw			X	2014,2018,2019,2020
-./lib/samples/win32/gai.mak.in			X	2014,2018,2019,2020
-./lib/samples/win32/gai.vcxproj.filters.in	X	2014,2015,2018,2019,2020
-./lib/samples/win32/gai.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020
-./lib/samples/win32/gai.vcxproj.user		X	2014,2018,2019,2020
-./lib/samples/win32/nsprobe.dsp.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/nsprobe.dsw			X	2014,2018,2019,2020
-./lib/samples/win32/nsprobe.mak.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/nsprobe.vcxproj.filters.in	X	2014,2015,2018,2019,2020
-./lib/samples/win32/nsprobe.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020
-./lib/samples/win32/nsprobe.vcxproj.user	X	2014,2018,2019,2020
-./lib/samples/win32/request.dsp.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/request.dsw			X	2014,2018,2019,2020
-./lib/samples/win32/request.mak.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/request.vcxproj.filters.in	X	2014,2015,2018,2019,2020
-./lib/samples/win32/request.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020
-./lib/samples/win32/request.vcxproj.user	X	2014,2018,2019,2020
-./lib/samples/win32/resolve.dsp.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/resolve.dsw			X	2014,2018,2019,2020
-./lib/samples/win32/resolve.mak.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/resolve.vcxproj.filters.in	X	2014,2015,2018,2019,2020
-./lib/samples/win32/resolve.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020
-./lib/samples/win32/resolve.vcxproj.user	X	2014,2018,2019,2020
-./lib/samples/win32/update.dsp.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/update.dsw			X	2014,2018,2019,2020
-./lib/samples/win32/update.mak.in		X	2014,2016,2018,2019,2020
-./lib/samples/win32/update.vcxproj.filters.in	X	2014,2015,2018,2019,2020
-./lib/samples/win32/update.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020
-./lib/samples/win32/update.vcxproj.user		X	2014,2018,2019,2020
-./lib/win32/bindevt/bindevt.c			C	2000,2001,2004,2007,2016,2018,2019,2020
-./lib/win32/bindevt/bindevt.dsp.in		X	2001,2013,2018,2019,2020
-./lib/win32/bindevt/bindevt.dsw			X	2001,2018,2019,2020
-./lib/win32/bindevt/bindevt.mak.in		X	2001,2006,2013,2018,2019,2020
-./lib/win32/bindevt/bindevt.mc			MC	2001,2004,2007,2016,2018,2019,2020
-./lib/win32/bindevt/bindevt.vcxproj.filters.in	X	2013,2015,2018,2019,2020
-./lib/win32/bindevt/bindevt.vcxproj.in		X	2013,2014,2015,2016,2018,2019,2020
-./lib/win32/bindevt/bindevt.vcxproj.user	X	2013,2018,2019,2020
-./libtool.m4/ax_restore_flags.m4		X	2019,2020
-./libtool.m4/ax_save_flags.m4			X	2019,2020
-./libtool.m4/compat.m4				X	2019,2020
-./libtool.m4/libtool.m4				X	2012,2018,2019,2020
-./libtool.m4/ltoptions.m4			X	2012,2018,2019,2020
-./libtool.m4/ltsugar.m4				X	2012,2018,2019,2020
-./libtool.m4/ltversion.m4			X	2012,2018,2019,2020
-./libtool.m4/lt~obsolete.m4			X	2012,2018,2019,2020
-./ltmain.sh					X	1999,2000,2001,2003,2004,2006,2009,2012,2018,2019,2020
-./make/Makefile.in				MAKE	1998,1999,2000,2001,2004,2007,2012,2016,2018,2019,2020
-./make/includes.in				MAKE	1999,2000,2001,2004,2005,2007,2012,2014,2016,2018,2019,2020
-./make/mkdep.in					X	1999,2000,2001,2006,2011,2014,2018,2019,2020
-./make/rules.in					MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./mkinstalldirs					X	1996,2018,2019,2020
-./unit/README					X	2011,2013,2018,2019,2020
-./unit/gdb					X	2020
-./unit/unittest.sh.in				X	2011,2012,2015,2018,2019,2020
-./util/COPYRIGHT				X	1996,1997,1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./util/COPYRIGHT.BRIEF				X	1996,1997,1998,1999,2000,2001,2004,2016,2018,2019,2020
-./util/COPYRIGHT.BSDI				X	2000,2001,2004,2007,2016,2018,2019,2020
-./util/COPYRIGHT.NAI				X	1996,1997,1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./util/COPYRIGHT.NOM				X	2001,2004,2007,2016,2018,2019,2020
-./util/COPYRIGHT.PORTION			X	1996,1997,1998,1999,2000,2001,2004,2007,2016,2018,2019,2020
-./util/COPYRIGHT.TOP				X	2018,2019,2020
-./util/altbuild.sh				SH	2000,2001,2002,2004,2007,2008,2012,2016,2018,2019,2020
-./util/bindkeys.pl				PERL	2009,2010,2011,2012,2014,2016,2017,2018,2019,2020
-./util/branchsync.sh				SH	2013,2016,2018,2019,2020
-./util/check-ans-prereq.sh			SH	2019,2020
-./util/check-categories.sh			SH	2015,2016,2017,2018,2019,2020
-./util/check-changes				PERL	2002,2004,2007,2012,2016,2018,2019,2020
-./util/check-cocci				X	2018,2019,2020
-./util/check-includes.pl			PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./util/check-instincludes.sh			SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./util/check-pullups.pl				PERL	2001,2002,2003,2004,2007,2012,2016,2018,2019,2020
-./util/check-sources.pl				PERL	2000,2001,2004,2007,2012,2013,2016,2018,2019,2020
-./util/check-win32util-configure		SH	2019,2020
-./util/checklibs.sh				SH	2017,2018,2019,2020
-./util/commit-arm.sh				SH	2012,2016,2018,2019,2020
-./util/copyrights				X	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./util/git-replay-merge.sh			SH	2018,2019,2020
-./util/kit.sh					SH	2000,2001,2002,2003,2004,2007,2008,2009,2010,2012,2013,2014,2015,2016,2018,2019,2020
-./util/mandoc2docbook.pl			PERL	2001,2004,2007,2012,2016,2018,2019,2020
-./util/mdnbuildtest.sh				SH	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./util/memleak.pl				PERL	1999,2000,2001,2004,2007,2012,2016,2018,2019,2020
-./util/merge_copyrights				PERL	1998,1999,2000,2001,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./util/mksymtbl.pl				PERL	2009,2012,2016,2018,2019,2020
-./util/models.c					C	2015,2016,2018,2019,2020
-./util/nanny.pl					PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./util/new-func					PERL	2005,2007,2012,2016,2018,2019,2020
-./util/nt-kit					SH	1999,2000,2001,2004,2007,2012,2016,2018,2019,2020
-./util/spacewhack.pl				PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./util/tabify-changes				SH	2004,2007,2012,2016,2018,2019,2020
-./util/update-drafts.pl				PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020
-./util/update_branches				PERL	2005,2007,2012,2016,2018,2019,2020
-./util/update_copyrights			PERL	1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./util/xc					SH	2012,2013,2016,2018,2019,2020
-./version					X	1998,1999,2000,2001,2003,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018,2019,2020
-./win32utils/Configure				PERL	2013,2014,2015,2016,2017,2018,2019,2020
-./win32utils/GeoIP.diff				X	2013,2018,2019,2020
-./win32utils/bind9.sln.in			X	2013,2014,2015,2016,2017,2018,2019,2020
-./win32utils/index.html				HTML	2006,2007,2008,2012,2013,2014,2015,2016,2018,2019,2020
-./win32utils/legacy/BINDBuild.dsw.in		X	2001,2005,2006,2008,2009,2010,2013,2014,2015,2016,2018,2019,2020
-./win32utils/legacy/BuildAll.bat.in		BAT	2001,2002,2004,2005,2006,2007,2008,2009,2010,2013,2014,2015,2016,2018,2019,2020
-./win32utils/legacy/BuildPost.bat.in		BAT	2005,2006,2013,2014,2016,2018,2019,2020
-./win32utils/legacy/BuildSetup.bat.in		BAT	2001,2002,2004,2005,2006,2007,2008,2009,2010,2012,2013,2014,2015,2016,2018,2019,2020
-./win32utils/legacy/makedefs.pl			PERL	2001,2004,2007,2009,2012,2013,2014,2016,2018,2019,2020
+./lib/lwres/man/resolver.5			MAN	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/lwres/print.c				C	1999,2000,2001,2003,2004,2005,2007,2011,2012,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/lwres/print_p.h				C	1999,2000,2001,2003,2004,2007,2010,2016,2018,2019,2020,2021
+./lib/lwres/tests/Kyuafile			X	2017,2018,2019,2020,2021
+./lib/lwres/tests/Makefile.in			MAKE	2014,2015,2016,2018,2019,2020,2021
+./lib/lwres/tests/config_test.c			C	2014,2016,2018,2019,2020,2021
+./lib/lwres/tests/testdata/link-local.conf	X	2014,2018,2019,2020,2021
+./lib/lwres/unix/Makefile.in			MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/lwres/unix/include/Makefile.in		MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/lwres/unix/include/lwres/Makefile.in	MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/lwres/unix/include/lwres/net.h		C	2000,2001,2002,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/lwres/unreachable_p.h			C	2018,2019,2020,2021
+./lib/lwres/version.c				C	2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
+./lib/lwres/win32/DLLMain.c			C	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/lwres/win32/Makefile.in			MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/lwres/win32/include/Makefile.in		MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/lwres/win32/include/lwres/Makefile.in	MAKE	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./lib/lwres/win32/include/lwres/net.h		C	2000,2001,2004,2007,2013,2016,2018,2019,2020,2021
+./lib/lwres/win32/include/lwres/netdb.h		C	2000,2001,2004,2006,2007,2013,2016,2018,2019,2020,2021
+./lib/lwres/win32/include/lwres/platform.h	C	2000,2001,2004,2007,2014,2016,2018,2019,2020,2021
+./lib/lwres/win32/liblwres.def			X	2001,2014,2016,2018,2019,2020,2021
+./lib/lwres/win32/liblwres.dsp.in		X	2001,2002,2004,2005,2007,2011,2013,2014,2016,2018,2019,2020,2021
+./lib/lwres/win32/liblwres.dsw			X	2001,2018,2019,2020,2021
+./lib/lwres/win32/liblwres.mak.in		X	2001,2002,2004,2005,2006,2007,2011,2013,2014,2016,2018,2019,2020,2021
+./lib/lwres/win32/liblwres.vcxproj.filters.in	X	2013,2014,2015,2016,2018,2019,2020,2021
+./lib/lwres/win32/liblwres.vcxproj.in		X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/lwres/win32/liblwres.vcxproj.user		X	2013,2018,2019,2020,2021
+./lib/lwres/win32/lwconfig.c			C	2002,2004,2006,2007,2013,2016,2018,2019,2020,2021
+./lib/lwres/win32/socket.c			C	2007,2015,2016,2018,2019,2020,2021
+./lib/lwres/win32/version.c			C	1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/samples/Makefile-postinstall.in		MAKE	2009,2012,2013,2014,2016,2018,2019,2020,2021
+./lib/samples/Makefile.in			MAKE	2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/nsprobe.c				C	2009,2010,2011,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/samples/resolve.c				C	2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/rootkey.sh			SH	2013,2016,2018,2019,2020,2021
+./lib/samples/sample-async.c			C	2009,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/samples/sample-gai.c			C	2009,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/samples/sample-request.c			C	2009,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./lib/samples/sample-update.c			C	2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/win32/async.dsp.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/async.dsw			X	2014,2018,2019,2020,2021
+./lib/samples/win32/async.mak.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/async.vcxproj.filters.in	X	2014,2015,2018,2019,2020,2021
+./lib/samples/win32/async.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/win32/async.vcxproj.user		X	2014,2018,2019,2020,2021
+./lib/samples/win32/gai.dsp.in			X	2014,2018,2019,2020,2021
+./lib/samples/win32/gai.dsw			X	2014,2018,2019,2020,2021
+./lib/samples/win32/gai.mak.in			X	2014,2018,2019,2020,2021
+./lib/samples/win32/gai.vcxproj.filters.in	X	2014,2015,2018,2019,2020,2021
+./lib/samples/win32/gai.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/win32/gai.vcxproj.user		X	2014,2018,2019,2020,2021
+./lib/samples/win32/nsprobe.dsp.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/nsprobe.dsw			X	2014,2018,2019,2020,2021
+./lib/samples/win32/nsprobe.mak.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/nsprobe.vcxproj.filters.in	X	2014,2015,2018,2019,2020,2021
+./lib/samples/win32/nsprobe.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/win32/nsprobe.vcxproj.user	X	2014,2018,2019,2020,2021
+./lib/samples/win32/request.dsp.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/request.dsw			X	2014,2018,2019,2020,2021
+./lib/samples/win32/request.mak.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/request.vcxproj.filters.in	X	2014,2015,2018,2019,2020,2021
+./lib/samples/win32/request.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/win32/request.vcxproj.user	X	2014,2018,2019,2020,2021
+./lib/samples/win32/resolve.dsp.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/resolve.dsw			X	2014,2018,2019,2020,2021
+./lib/samples/win32/resolve.mak.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/resolve.vcxproj.filters.in	X	2014,2015,2018,2019,2020,2021
+./lib/samples/win32/resolve.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/win32/resolve.vcxproj.user	X	2014,2018,2019,2020,2021
+./lib/samples/win32/update.dsp.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/update.dsw			X	2014,2018,2019,2020,2021
+./lib/samples/win32/update.mak.in		X	2014,2016,2018,2019,2020,2021
+./lib/samples/win32/update.vcxproj.filters.in	X	2014,2015,2018,2019,2020,2021
+./lib/samples/win32/update.vcxproj.in		X	2014,2015,2016,2017,2018,2019,2020,2021
+./lib/samples/win32/update.vcxproj.user		X	2014,2018,2019,2020,2021
+./lib/win32/bindevt/bindevt.c			C	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./lib/win32/bindevt/bindevt.dsp.in		X	2001,2013,2018,2019,2020,2021
+./lib/win32/bindevt/bindevt.dsw			X	2001,2018,2019,2020,2021
+./lib/win32/bindevt/bindevt.mak.in		X	2001,2006,2013,2018,2019,2020,2021
+./lib/win32/bindevt/bindevt.mc			MC	2001,2004,2007,2016,2018,2019,2020,2021
+./lib/win32/bindevt/bindevt.vcxproj.filters.in	X	2013,2015,2018,2019,2020,2021
+./lib/win32/bindevt/bindevt.vcxproj.in		X	2013,2014,2015,2016,2018,2019,2020,2021
+./lib/win32/bindevt/bindevt.vcxproj.user	X	2013,2018,2019,2020,2021
+./libtool.m4/ax_restore_flags.m4		X	2019,2020,2021
+./libtool.m4/ax_save_flags.m4			X	2019,2020,2021
+./libtool.m4/compat.m4				X	2019,2020,2021
+./libtool.m4/libtool.m4				X	2012,2018,2019,2020,2021
+./libtool.m4/ltoptions.m4			X	2012,2018,2019,2020,2021
+./libtool.m4/ltsugar.m4				X	2012,2018,2019,2020,2021
+./libtool.m4/ltversion.m4			X	2012,2018,2019,2020,2021
+./libtool.m4/lt~obsolete.m4			X	2012,2018,2019,2020,2021
+./ltmain.sh					X	1999,2000,2001,2003,2004,2006,2009,2012,2018,2019,2020,2021
+./make/Makefile.in				MAKE	1998,1999,2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./make/includes.in				MAKE	1999,2000,2001,2004,2005,2007,2012,2014,2016,2018,2019,2020,2021
+./make/mkdep.in					X	1999,2000,2001,2006,2011,2014,2018,2019,2020,2021
+./make/rules.in					MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./mkinstalldirs					X	1996,2018,2019,2020,2021
+./unit/README					X	2011,2013,2018,2019,2020,2021
+./unit/gdb					X	2020,2021
+./unit/unittest.sh.in				X	2011,2012,2015,2018,2019,2020,2021
+./util/COPYRIGHT				X	1996,1997,1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./util/COPYRIGHT.BRIEF				X	1996,1997,1998,1999,2000,2001,2004,2016,2018,2019,2020,2021
+./util/COPYRIGHT.BSDI				X	2000,2001,2004,2007,2016,2018,2019,2020,2021
+./util/COPYRIGHT.NAI				X	1996,1997,1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./util/COPYRIGHT.NOM				X	2001,2004,2007,2016,2018,2019,2020,2021
+./util/COPYRIGHT.PORTION			X	1996,1997,1998,1999,2000,2001,2004,2007,2016,2018,2019,2020,2021
+./util/COPYRIGHT.TOP				X	2018,2019,2020,2021
+./util/altbuild.sh				SH	2000,2001,2002,2004,2007,2008,2012,2016,2018,2019,2020,2021
+./util/api-checker.sh				SH	2020,2021
+./util/bindkeys.pl				PERL	2009,2010,2011,2012,2014,2016,2017,2018,2019,2020,2021
+./util/branchsync.sh				SH	2013,2016,2018,2019,2020,2021
+./util/check-ans-prereq.sh			SH	2019,2020,2021
+./util/check-categories.sh			SH	2015,2016,2017,2018,2019,2020,2021
+./util/check-changes				PERL	2002,2004,2007,2012,2016,2018,2019,2020,2021
+./util/check-cocci				X	2018,2019,2020,2021
+./util/check-includes.pl			PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/check-instincludes.sh			SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/check-line-length.sh			SH	2021
+./util/check-make-install.in			SH	2020,2021
+./util/check-pullups.pl				PERL	2001,2002,2003,2004,2007,2012,2016,2018,2019,2020,2021
+./util/check-sources.pl				PERL	2000,2001,2004,2007,2012,2013,2016,2018,2019,2020,2021
+./util/check-win32util-configure		SH	2019,2020,2021
+./util/checklibs.sh				SH	2017,2018,2019,2020,2021
+./util/commit-arm.sh				SH	2012,2016,2018,2019,2020,2021
+./util/copyrights				X	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./util/git-replay-merge.sh			SH	2018,2019,2020,2021
+./util/kit.sh					SH	2000,2001,2002,2003,2004,2007,2008,2009,2010,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./util/mandoc2docbook.pl			PERL	2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/mdnbuildtest.sh				SH	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/memleak.pl				PERL	1999,2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/merge_copyrights				PERL	1998,1999,2000,2001,2003,2004,2005,2006,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./util/mksymtbl.pl				PERL	2009,2012,2016,2018,2019,2020,2021
+./util/models.c					C	2015,2016,2018,2019,2020,2021
+./util/nanny.pl					PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/new-func					PERL	2005,2007,2012,2016,2018,2019,2020,2021
+./util/nt-kit					SH	1999,2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/pairwise-testing.sh			SH	2020,2021
+./util/parse_tsan.py				PYTHON-BIN	2020,2021
+./util/spacewhack.pl				PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/tabify-changes				SH	2004,2007,2012,2016,2018,2019,2020,2021
+./util/update-drafts.pl				PERL	2000,2001,2004,2007,2012,2016,2018,2019,2020,2021
+./util/update_branches				PERL	2005,2007,2012,2016,2018,2019,2020,2021
+./util/update_copyrights			PERL	1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2010,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
+./util/xc					SH	2012,2013,2016,2018,2019,2020,2021
+./util/xmllint-html.sh				SH	2021
+./version					X	1998,1999,2000,2001,2003,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018,2019,2020,2021
+./win32utils/Configure				PERL	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./win32utils/GeoIP.diff				X	2013,2018,2019,2020,2021
+./win32utils/bind9.sln.in			X	2013,2014,2015,2016,2017,2018,2019,2020,2021
+./win32utils/index.html				HTML	2006,2007,2008,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./win32utils/legacy/BINDBuild.dsw.in		X	2001,2005,2006,2008,2009,2010,2013,2014,2015,2016,2018,2019,2020,2021
+./win32utils/legacy/BuildAll.bat.in		BAT	2001,2002,2004,2005,2006,2007,2008,2009,2010,2013,2014,2015,2016,2018,2019,2020,2021
+./win32utils/legacy/BuildPost.bat.in		BAT	2005,2006,2013,2014,2016,2018,2019,2020,2021
+./win32utils/legacy/BuildSetup.bat.in		BAT	2001,2002,2004,2005,2006,2007,2008,2009,2010,2012,2013,2014,2015,2016,2018,2019,2020,2021
+./win32utils/legacy/makedefs.pl			PERL	2001,2004,2007,2009,2012,2013,2014,2016,2018,2019,2020,2021
 ./win32utils/legacy/win32-build.txt		TXT.BRIEF	2001,2002,2004,2005,2008,2009,2012,2013,2014,2016,2018,2019
diff --git a/bind/bind9/util/git-replay-merge.sh b/bind/bind9/util/git-replay-merge.sh
index 964c5a16..21d874f8 100755
--- a/bind/bind9/util/git-replay-merge.sh
+++ b/bind/bind9/util/git-replay-merge.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/kit.sh b/bind/bind9/util/kit.sh
index ee5723bc..511daa0f 100644
--- a/bind/bind9/util/kit.sh
+++ b/bind/bind9/util/kit.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/mandoc2docbook.pl b/bind/bind9/util/mandoc2docbook.pl
index d48ead78..901ea88b 100644
--- a/bind/bind9/util/mandoc2docbook.pl
+++ b/bind/bind9/util/mandoc2docbook.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -29,8 +29,6 @@ print <<\END;
  - file, You can obtain one at http://mozilla.org/MPL/2.0/.
 -->
 
-<!-- $Id$ -->
-
 <refentry>
 <refentryinfo>
 END
diff --git a/bind/bind9/util/mdnbuildtest.sh b/bind/bind9/util/mdnbuildtest.sh
index 8fd16686..75de9fd6 100644
--- a/bind/bind9/util/mdnbuildtest.sh
+++ b/bind/bind9/util/mdnbuildtest.sh
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/memleak.pl b/bind/bind9/util/memleak.pl
index 6cb43d0b..d7aeab5e 100644
--- a/bind/bind9/util/memleak.pl
+++ b/bind/bind9/util/memleak.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/merge_copyrights b/bind/bind9/util/merge_copyrights
index bb763aef..19f03796 100644
--- a/bind/bind9/util/merge_copyrights
+++ b/bind/bind9/util/merge_copyrights
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -31,10 +31,7 @@ open(CHANGES, "git ls-files | sed 's;^;./;' | sort |") || die "git ls-files: $!"
 while (<CHANGES>) {
     chomp;
 
-    next if (m%/\.\# |		# CVS old conflict file
-	       /CVS/ |		# CVS directory
-	       /\.git/ |		# git directory
-	       /\.gitignore |   # .gitignore files
+    next if (m%/\. |         # just ignore all hidden files
 	       util/newcopyrights | # our output
 	       \.bak$ |		# created by update_copyrights
 	       /(dnssafe|openssl)/.*\.[ch]$ |	# imported
diff --git a/bind/bind9/util/mksymtbl.pl b/bind/bind9/util/mksymtbl.pl
index 47941da7..d7c4fc65 100755
--- a/bind/bind9/util/mksymtbl.pl
+++ b/bind/bind9/util/mksymtbl.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/models.c b/bind/bind9/util/models.c
index 48e58f4f..9b83f110 100644
--- a/bind/bind9/util/models.c
+++ b/bind/bind9/util/models.c
@@ -3,7 +3,7 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
diff --git a/bind/bind9/util/nanny.pl b/bind/bind9/util/nanny.pl
index 81a5f957..49173b41 100644
--- a/bind/bind9/util/nanny.pl
+++ b/bind/bind9/util/nanny.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/new-func b/bind/bind9/util/new-func
index 74a2b02a..6f326f38 100644
--- a/bind/bind9/util/new-func
+++ b/bind/bind9/util/new-func
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/nt-kit b/bind/bind9/util/nt-kit
index cdb00d0d..85f5ca5b 100644
--- a/bind/bind9/util/nt-kit
+++ b/bind/bind9/util/nt-kit
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/pairwise-testing.sh b/bind/bind9/util/pairwise-testing.sh
new file mode 100755
index 00000000..1638ebc0
--- /dev/null
+++ b/bind/bind9/util/pairwise-testing.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+set -o pipefail
+
+grep -v -F "pairwise: skip" configure.ac | sed -n -E "s|.*# \[pairwise: (.*)\]|\1|p" | \
+	while read -r SWITCH; do
+	echo "${RANDOM}: ${SWITCH}"
+done > pairwise-model.txt
+
+pict pairwise-model.txt | tr "\t" " " | sed "1d" > pairwise-commands.txt
+
+while read -r -a configure_switches; do
+	runid=${RANDOM}
+	mkdir "pairwise-${runid}"
+	cd "pairwise-${runid}"
+	echo "${configure_switches[@]}" | tee "../pairwise-output.${runid}.txt"
+	../configure --enable-option-checking=fatal "${configure_switches[@]}" >> "../pairwise-output.${runid}.txt" 2>&1
+	make "-j${BUILD_PARALLEL_JOBS:-1}" all >> "../pairwise-output.${runid}.txt" 2>&1
+	cd ..
+	rm -rf "pairwise-${runid}" "pairwise-output.${runid}.txt"
+done < pairwise-commands.txt
diff --git a/bind/bind9/util/parse_tsan.py b/bind/bind9/util/parse_tsan.py
new file mode 100755
index 00000000..00f9cbba
--- /dev/null
+++ b/bind/bind9/util/parse_tsan.py
@@ -0,0 +1,126 @@
+#!/usr/bin/env python3
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+"""Parse the ThreadSanizer reports, unify them and put them into unique dirs."""
+
+import sys
+import os
+import os.path
+import re
+from hashlib import sha256
+
+
+class State:
+    """Class that holds state of the TSAN parser."""
+
+    # pylint: disable=too-many-instance-attributes
+    # pylint: disable=too-few-public-methods
+
+    inside = False
+    block = ""
+    last_line = None
+
+    mutexes = {}
+    m_index = 1
+    threads = {}
+    t_index = 1
+    pointers = {}
+    p_index = 1
+
+    def __init__(self):
+        self.reset()
+
+    def reset(self):
+        """Reset the object to initial state"""
+
+        self.inside = False
+        self.block = ""
+
+        self.mutexes = {}
+        self.threads = {}
+        self.pointers = {}
+        self.pointers["0x000000000000"] = 0
+
+        self.m_index = 1
+        self.t_index = 1
+        self.p_index = 1
+
+
+TOP = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
+
+OUT = os.path.join(TOP, "tsan")
+
+if not os.path.isdir(OUT):
+    os.mkdir(OUT)
+
+# Regular Expressions
+MUTEX = re.compile(r"M\d+")
+THREAD = re.compile(r"T\d+")
+STACK = re.compile(r"\s\(\S+\+0x\S+\)")
+POINTER = re.compile(r"0x[0-9a-f]+")
+PID = re.compile(r"\(pid=\d+,?\)")
+TID = re.compile(r"tid=\d+,?\s*")
+WORKER = re.compile(r"\s+'(isc-worker|isc-net-)\d+'")
+PATH = re.compile(TOP + "/")
+
+S = State()
+
+with open(sys.argv[1], "r", encoding='utf-8') as f:
+    for line in f.readlines():
+        if line == "==================\n":
+            if not S.inside:
+                S.inside = True
+            else:
+                DNAME = sha256(S.last_line.encode('utf-8')).hexdigest()
+                DNAME = os.path.join(OUT, DNAME)
+                if not os.path.isdir(DNAME):
+                    os.mkdir(DNAME)
+                FNAME = sha256(S.block.encode('utf-8')).hexdigest() + ".tsan"
+                FNAME = os.path.join(DNAME, FNAME)
+                if not os.path.isfile(FNAME):
+                    with open(FNAME, "w", encoding='utf-8') as w:
+                        w.write(S.block)
+                S.reset()
+        else:
+            for m in MUTEX.finditer(line):
+                k = m.group()
+                if k not in S.mutexes:
+                    S.mutexes[k] = S.m_index
+                    S.m_index += 1
+            for m in THREAD.finditer(line):
+                k = m.group()
+                if k not in S.threads:
+                    S.threads[k] = S.t_index
+                    S.t_index += 1
+            for m in POINTER.finditer(line):
+                k = m.group()
+                if k not in S.pointers:
+                    S.pointers[k] = S.p_index
+                    S.p_index += 1
+            for k, v in S.mutexes.items():
+                r = re.compile(k)
+                line = r.sub("M%s" % v, line)
+            for k, v in S.threads.items():
+                r = re.compile(k)
+                line = r.sub("T%s" % v, line)
+            for k, v in S.pointers.items():
+                r = re.compile(k)
+                line = r.sub("0x%s" % str(v).zfill(12), line)
+
+            line = STACK.sub("", line)
+            line = PID.sub("", line)
+            line = TID.sub("", line)
+            line = WORKER.sub("", line)
+            line = PATH.sub("", line)
+
+            S.block += line
+            S.last_line = line
diff --git a/bind/bind9/util/spacewhack.pl b/bind/bind9/util/spacewhack.pl
index 9782f77f..a9e70e4a 100644
--- a/bind/bind9/util/spacewhack.pl
+++ b/bind/bind9/util/spacewhack.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/suppressions.txt b/bind/bind9/util/suppressions.txt
index cc0aa26b..60ce4777 100644
--- a/bind/bind9/util/suppressions.txt
+++ b/bind/bind9/util/suppressions.txt
@@ -3,3 +3,4 @@ preprocessorErrorDirective:*
 invalidPrintfArgType_uint:bin/dig/dig.c
 invalidPrintfArgType_sint:lib/isc/buffer.c
 invalidPrintfArgType_uint:lib/isc/tests/crc64_test.c
+unknownMacro:*
diff --git a/bind/bind9/util/tabify-changes b/bind/bind9/util/tabify-changes
index 04065c89..781104dd 100644
--- a/bind/bind9/util/tabify-changes
+++ b/bind/bind9/util/tabify-changes
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/update-drafts.pl b/bind/bind9/util/update-drafts.pl
index 9a606b14..5fd22e0e 100644
--- a/bind/bind9/util/update-drafts.pl
+++ b/bind/bind9/util/update-drafts.pl
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/update_branches b/bind/bind9/util/update_branches
index 79e95b17..5a3c5e0b 100644
--- a/bind/bind9/util/update_branches
+++ b/bind/bind9/util/update_branches
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/update_copyrights b/bind/bind9/util/update_copyrights
index bc9ab184..296cd372 100644
--- a/bind/bind9/util/update_copyrights
+++ b/bind/bind9/util/update_copyrights
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -150,7 +150,7 @@ foreach $file (keys %file_types) {
 		s/^(\s{0,3}\d*\.)\s(\[\w{1,5}\])\s+(\S+)/$1\t$2\t\t$3/;
 		s/^(\s{0,3}\d*\.)\s(\[\w{6,}\])\s+(\S+)/$1\t$2\t$3/;
 		# Convert 8 spaces into tabs if at start of line
-		# or preceeded by tabs.
+		# or preceded by tabs.
 		s/^(\t*)        /$1\t/ while (/^\t*        /);
 		# Remove trailing white space.
 		s/[ \t]*$//;
@@ -527,7 +527,7 @@ foreach $file (keys %file_types) {
 			# tab if at start of line or proceeded by tabs.
 			s/^(\t*) {1,7}\t/$1\t/ while (/^\t* {1,7}\t/);
 			# Convert 8 spaces into tabs if at start of line
-			# or preceeded by tabs.
+			# or preceded by tabs.
 			s/^(\t*) {8}/$1\t/ while (/^\t* {8}/);
 			# Remove trailing white space.
 			s/[ \t]*$//;
diff --git a/bind/bind9/util/xc b/bind/bind9/util/xc
index 73b7b112..aecdedba 100755
--- a/bind/bind9/util/xc
+++ b/bind/bind9/util/xc
@@ -2,7 +2,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
diff --git a/bind/bind9/util/xmllint-html.sh b/bind/bind9/util/xmllint-html.sh
new file mode 100644
index 00000000..4bd6c830
--- /dev/null
+++ b/bind/bind9/util/xmllint-html.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -f
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+files=`git ls-files '*.html'`
+if test -n "$files"
+then
+	xmllint --noout --nonet --html $files 2>&1 |
+	awk 'BEGIN { status = 0; }
+	     # suppress HTML 5 <section> tag errors
+	     /HTML parser error : Tag section invalid/ { getline; getline; next; }
+	     { print; status = 1; }
+	     END { exit status }'
+fi
diff --git a/bind/bind9/version b/bind/bind9/version
index 723efffb..e74b8ba7 100644
--- a/bind/bind9/version
+++ b/bind/bind9/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=11
-PATCHVER=15
+PATCHVER=36
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=
diff --git a/bind/bind9/win32utils/Configure b/bind/bind9/win32utils/Configure
index 953f2aa1..7ac30fb3 100644
--- a/bind/bind9/win32utils/Configure
+++ b/bind/bind9/win32utils/Configure
@@ -4,7 +4,7 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
@@ -488,8 +488,7 @@ my @substdefd = ("CRYPTO",
                  "PK11_LIB_LOCATION",
                  "USE_GSSAPI",
                  "USE_PKCS11",
-                 "USE_PYTHON",
-                 "USE_ISC_SPNEGO");
+                 "USE_PYTHON");
 
 # conditions
 
@@ -520,7 +519,6 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
 my @enablelist = ("developer",
                   "fixed-rrset",
                   "intrinsics",
-                  "isc-spnego",
                   "native-pkcs11",
                   "openssl-hash",
                   "filter-aaaa",
@@ -578,10 +576,9 @@ my @help = (
 "  clean                 (command) clean up generated files\n",
 "  <none>                (command) print a summary of the configuration\n",
 "\nOptional Features:\n",
-"  enable-intrinsics     enable instrinsic/atomic functions [default=yes]\n",
+"  enable-intrinsics     enable intrinsic/atomic functions [default=yes]\n",
 "  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
 "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
-"  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
 "  enable-filter-aaaa    enable filtering of AAAA records [default=yes]\n",
 "  enable-fixed-rrset    enable fixed rrset ordering [default=no]\n",
 "  enable-developer      enable developer build settings [default=no]\n",
@@ -631,7 +628,6 @@ my $enable_intrinsics = "yes";
 my $enable_native_pkcs11 = "no";
 my $enable_openssl_hash = "auto";
 my $enable_filter_aaaa = "yes";
-my $enable_isc_spnego = "yes";
 my $enable_fixed_rrset = "no";
 my $enable_developer = "no";
 my $enable_querytrace = "no";
@@ -816,8 +812,9 @@ getversion();
 
 sub appargs {
     my $arg = $_[0];
-    # escape backslashes, spaces and double quotes
-    $arg =~ s/([\\ "])/\\$1/g;
+    # escape backslashes and double quotes
+    $arg =~ s/([\\"])/\\$1/g;
+    $arg =~ s/([\s])/\\\\$1/g;
     if (defined($configdefh{"CONFIGARGS"})) {
         $configdefh{"CONFIGARGS"} .= " " . $arg;
     } else {
@@ -853,10 +850,6 @@ sub myenable {
         } elsif ($val =~ /^no$/i) {
             $enable_openssl_hash = "no";
         }
-    } elsif ($key =~ /^isc-spnego$/i) {
-        if ($val =~ /^no$/i) {
-            $enable_isc_spnego = "no";
-        }
     } elsif ($key =~ /^filter-aaaa$/i) {
         if ($val =~ /^no$/i) {
             $enable_filter_aaaa = "no";
@@ -1158,11 +1151,6 @@ if ($verbose) {
     } else {
         print "openssl-hash: disabled\n";
     }
-    if ($enable_isc_spnego eq "yes") {
-        print "isc-spnego: enabled\n";
-    } else {
-        print "isc-spnego: disabled\n";
-    }
     if ($enable_filter_aaaa eq "yes") {
         print "filter-aaaa: enabled\n";
     } else {
@@ -1717,7 +1705,7 @@ if ($use_openssl eq "yes") {
             die "find more than one OpenSSL libcrypto-*.dll DLL candidate\n";
         }
         $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
-    }   
+    }
 
     $configcond{"OPENSSL"} = 1;
     $configdefd{"CRYPTO"} = "OPENSSL";
@@ -2399,16 +2387,6 @@ if ($use_gssapi eq "no") {
     $configdll{"WSHELP_DLL"} = "$wshelp_dll";
 }
 
-# enable-isc-spnego
-if ($use_gssapi ne "yes") {
-    $enable_isc_spnego = "no";
-} elsif ($enable_isc_spnego eq "yes") {
-    if ($use_gssapi eq "no") {
-        die "No GSSAPI for SPNEGO\n";
-    }
-    $configdefd{"USE_ISC_SPNEGO"} = "USE_ISC_SPNEGO";
-}
-
 # with-geoip
 if ($use_geoip eq "no") {
     if ($verbose) {
@@ -3389,6 +3367,13 @@ sub makesrcid {
         close SIN;
     }
 
+    if ($srcid eq "unset_id" and -d "..\\.git") {
+        $data = `git rev-list --max-count=1 HEAD`;
+        if (length($data) > 0) {
+            $srcid = substr($data, 0, 7);
+        }
+    }
+
     # Now set up the output version file
 
     my $ThisDate = scalar localtime();
@@ -3672,7 +3657,6 @@ exit 0;
 #  --enable-symtable incompatible with DLLs (or libtool)
 #  --enable-ipv6 included without a way to disable it
 #  --enable-atomic supported (renamed to intrinsic)
-#  --enable-isc-spnego supported (part of GSSAPI)
 #  --enable-fixed-rrset supported
 #  --enable-querytrace supported
 #  --disable-rpz-nsip supported
diff --git a/bind/bind9/win32utils/index.html b/bind/bind9/win32utils/index.html
index 04e6dfbf..f4b7a0f2 100644
--- a/bind/bind9/win32utils/index.html
+++ b/bind/bind9/win32utils/index.html
@@ -3,7 +3,7 @@
  -
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
  -
  - See the COPYRIGHT file distributed with this work for additional
  - information regarding copyright ownership.
diff --git a/bind/bind9/win32utils/legacy/makedefs.pl b/bind/bind9/win32utils/legacy/makedefs.pl
index 0d7f54f6..53209048 100644
--- a/bind/bind9/win32utils/legacy/makedefs.pl
+++ b/bind/bind9/win32utils/legacy/makedefs.pl
@@ -4,13 +4,11 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-# $Id$
-
 # makedefs.pl
 # This script goes through all of the lib header files and creates a .def file
 # for each DLL for Win32. It recurses as necessary through the subdirectories
diff --git a/bind/bind9/win32utils/legacy/win32-build.txt b/bind/bind9/win32utils/legacy/win32-build.txt
index d65ad0a3..174aa237 100644
--- a/bind/bind9/win32utils/legacy/win32-build.txt
+++ b/bind/bind9/win32utils/legacy/win32-build.txt
@@ -1,6 +1,6 @@
 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 
    *LEGACY* BIND 9.10 for Win32 Source Build Instructions. 04-Feb-2014